Privacy Policy
Last updated: 2026-04-12
The Spanish version of this document prevails in case of discrepancy.
1. Data controller
Theo Christopher BELNOU (autónomo / sole trader)
Tax ID (NIF): Y8506543F
Address: Carrer de Francesc Sempere, 4, Puerta 24, 46006 Valencia, Spain
Email: info@imotrack.com
2. Data we collect
We collect the following personal data:
- Account data: first name, last name, email, password (hashed), preferred language, tax country.
- Tenant data: first name, last name, email, phone, ID number (DNI/NIE/passport). Entered by the landlord user.
- Guarantor data: first name, last name, email, phone, ID number.
- Documents: rental contracts (PDF), invoices, property photos uploaded by the user.
- Financial data: rent amounts, expenses, mortgages, payments received. We do not collect bank or card details.
- Technical data: IP address, user agent, audit logs (GDPR Art. 30).
- Beta signup data: email, name, portfolio size (optional), message (optional).
3. Purposes and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Service delivery (property management, contracts, payments) | Performance of contract (Art. 6.1.b) |
| Contract expiry and payment alerts | Performance of contract (Art. 6.1.b) |
| Tax report generation (Modelo 100/210) | Performance of contract (Art. 6.1.b) |
| AI-powered data extraction (contracts, invoices) | Performance of contract (Art. 6.1.b) |
| Website analytics via Google Analytics | Consent (Art. 6.1.a) |
| Records of processing activities (ROPA) | Legal obligation (Art. 6.1.c, Art. 30 GDPR) |
| Financial data retention (6 years) | Legal obligation (Art. 6.1.c, Spanish tax law) |
4. Subprocessors
| Provider | Service | Data location | Safeguards |
|---|---|---|---|
| Supabase Inc. | PostgreSQL database | AWS eu-central-1 (Frankfurt, Germany) | Standard Contractual Clauses (SCCs) |
| Amazon Web Services (Bedrock) | AI processing (document extraction) | eu-central-1 (Frankfurt, Germany) | EU data residency, no US transfer |
| Hostinger International Ltd. | VPS server (web application) | Lithuania / Netherlands (EU) | EU infrastructure |
| Google LLC (Analytics) | Web analytics (consent-only) | EU (data residency setting) | Prior user consent, anonymize_ip enabled |
| Google LLC (Gmail SMTP) | Transactional email delivery | Global | SCCs, email metadata only |
No personal data is transferred outside the EEA except email metadata via Gmail SMTP, covered by EU Standard Contractual Clauses.
5. International transfers
All application data (database, files, AI processing) resides within the European Union (Frankfurt, Germany). No personal data is transferred to third countries except:
- Gmail SMTP: transactional emails (contract alerts, password reset) are sent through Google servers. Only email metadata is transferred. Google adheres to the EU-US Data Privacy Framework and SCCs apply.
6. Retention periods
- Account data: retained while the account is active. After a deletion request: 7-day grace period, then irreversible anonymization.
- Financial data (rents, expenses, payments): 6 years after the last transaction (Spanish tax obligation).
- Audit logs: per the audited data category (1 year for operational data, 6 years for fiscally relevant data).
- Beta signup data: until public launch or upon deletion request.
- Uploaded documents (PDFs, photos): retained while the account is active. Deleted with the account.
7. Your rights
Under GDPR and LOPDGDD, you have the right to:
- Access: obtain a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your account and data (subject to legal retention obligations).
- Portability: receive your data in a structured format (ZIP with JSON/CSV).
- Objection and restriction: object to or restrict processing in certain circumstances.
- Withdraw consent: withdraw consent for analytics cookies at any time.
You can exercise these rights from Account > Privacy in the application, or by emailing info@imotrack.com.
You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) — www.aepd.es.
8. Security
- Passwords hashed with bcrypt (never stored in plain text).
- HTTPS with TLS certificate (Let's Encrypt).
- Per-user data isolation (each landlord only sees their own data).
- Row-Level Security (RLS) enabled in PostgreSQL as an additional defense layer.
- Audit logs per GDPR Art. 30.
- Daily database backups (Supabase).
9. Minors
imotrack is not intended for minors under 14 years of age (LOPDGDD Art. 7). Registration requires confirming you are at least 14 years old.
10. Changes
We reserve the right to update this policy. Any material changes will be notified by email to registered users at least 15 days in advance.