If you use imotrack, the person legally responsible for your data is Theo Christopher Belnou, operating under the imotrack trade name. Contact details for data-protection purposes:

Holder	Theo Christopher Belnou
NIF	Y8506543F
Address	Carrer de Francesc Sempere, 4, Valencia (Spain)
Privacy contact (GDPR)	[email protected]
Trade name	imotrack

This Privacy Policy governs all processing of personal data through imotrack.com and the application. It applies both to owners registered as users and to data of tenants, guarantors and other third parties that users enter into the platform.

imotrack is designed for private property owners (natural persons with one or more properties). It is not designed for use by minors under 18.

This Policy is drafted under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD).

3.1. Your data as a platform user

When you register and use imotrack, we process the following data:

• First name, last name and email, to create and manage your account.
• Password, stored as an irreversible hash: even we cannot read it in plain text.
• Usage data: access logs, operation history and configuration preferences.
• Tax-residence profile you select yourself, to generate the supporting reports for your tax return.
• Portfolio size, which you optionally provide when requesting beta access.

Legal basis: performance of the service contract you accept on registration (art. 6.1.b GDPR). For tax data, your legitimate interest in keeping your information organised for filing (art. 6.1.f GDPR). We make clear that imotrack is not a tax adviser, it only organises your information.

We also send automatic email notifications about contract expiry and unpaid rent, based on the preferences you configure inside the platform. Legal basis: performance of the contract (art. 6.1.b GDPR).

We keep this data while your account is active and, after closure, for the periods required by law: as a rule 5 years for contract-related actions (art. 1964 Spanish Civil Code); 6 years for data with economic or accounting content (art. 30 Spanish Commercial Code).

3.2. Data of your tenants and guarantors

As a landlord, you enter into imotrack data of your tenants, guarantors and other third parties linked to your contracts. This may include:

• Identification: first name, last name, DNI/NIE/passport, nationality.
• Contact: postal address, email, phone.
• Economic data: bank account, agreed rent, deposits and guarantees.
• Scanned documentation: images of ID documents, passports and invoices.

Scanned documents are kept for 24 months after the linked lease ends. After that, they are deleted automatically unless you activate manual retention from settings. You can request earlier deletion at any time by writing to [email protected].

3.3. AI processing

imotrack uses AI to automatically extract and structure information from documents you upload: ID documents (DNI, NIE, passports), lease contracts, invoices, receipts, payment proofs, bank statements, credit offers and amortisation tables, among others. This processing is performed by AWS Bedrock, deployed in the eu-central-1 region (Frankfurt, Germany), using Anthropic models. Everything within EU infrastructure.

imotrack also generates indicative market-value estimates for properties from public cadastral data and user-provided information, processed via AI. These estimates are informational and do not constitute an official appraisal. Data processed by AI is not used to train models. Legal basis: performance of the service contract (art. 6.1.b GDPR).

3.4. Web analytics and advertising

We use analytics and advertising tools to understand how the platform is used and measure campaign performance. These tools are only activated if you give consent through the cookie banner. Those we use or plan to use shortly are Google Analytics 4 (with anonymised IP), Google Ads and Meta Pixel with Meta Conversions API (CAPI).

Legal basis: your consent (art. 6.1.a GDPR). You can withdraw that consent at any time through the "Manage cookies" link in the footer.

To provide the service, imotrack works with the following providers, acting as processors or sub-processors:

Provider	Role	Location	Purpose
Hostinger International Ltd.	Processor	Netherlands (EU)	Server hosting the data
Supabase Inc.	Processor	Frankfurt (EU)	Managed PostgreSQL database (all user data)
Amazon Web Services EMEA SARL	Processor	Frankfurt (EU)	AI processing via AWS Bedrock, eu-central-1 region
Anthropic, PBC	AWS sub-processor	EU infrastructure via AWS	AI models operated by AWS Bedrock
Google LLC	Processor	EEA (Standard Contractual Clauses)	Google Analytics 4 and Google Ads, only with your consent
Meta Platforms Ireland Ltd.	Processor	Ireland (EU)	Meta Pixel and Meta CAPI, only with your consent

All processing takes place within the European Economic Area. When any provider transfers data outside the EEA, it does so under Standard Contractual Clauses adopted by the European Commission (art. 46.2.c GDPR). The data-processing agreement with Amazon Web Services has been formalised through AWS Artifact.

imotrack generates reports and exports to help you prepare your real-estate income tax return. The current version covers these profiles:

• Spanish tax residents: Modelo 100, IRPF.
• Non-residents with tax residence in the EU or EEA: Modelo 210, 19% rate.
• Non-residents outside the EU/EEA: Modelo 210, general 24% rate, without expense deductions.

imotrack also manages data for holiday and seasonal lets, which are governed by rules different from Spanish Law 29/1994 on Urban Leases: regional tourism regulations apply to holiday lets, and the Spanish Civil Code applies to seasonal lets. Each user is responsible for knowing and complying with the rules applicable to their type of lease.

Authenticated access is managed through a JWT token valid for 30 days from last access. After that period of inactivity, the session closes automatically and you need to log in again. Your password is stored as an irreversible hash. Not even the imotrack team can see it.

The platform lets the account holder (administrator) invite other users (collaborators) to manage the portfolio together. The administrator is responsible for ensuring collaborators know and accept this Policy before accessing the account. Legal basis: performance of the contract (art. 6.1.b GDPR).

We apply the technical and organisational measures required by art. 32 GDPR, including:

• HTTPS/TLS encryption in transit for all communications.
• Passwords stored with an irreversible hash (bcrypt or equivalent).
• Daily automatic server backups.
• Server access restricted to SSH-key authentication.
• AI processing on ISO 27001 certified infrastructure (AWS Bedrock, Frankfurt).

As an imotrack user and as a person whose data is processed through the platform, you have the following rights under GDPR (arts. 15 to 22) and LOPDGDD (arts. 12 to 18):

Right	What it covers
Access (art. 15 GDPR)	Know what data we hold about you and get a copy.
Rectification (art. 16 GDPR)	Correct inaccurate or incomplete data.
Erasure (art. 17 GDPR)	Ask us to delete your data when it is no longer needed for the purpose it was collected.
Restriction (art. 18 GDPR)	Ask us to suspend processing in certain circumstances.
Portability (art. 20 GDPR)	Receive your data in a reusable format to take to another platform.
Objection (art. 21 GDPR)	Object to processing based on legitimate interest.
Withdrawal of consent (art. 7.3 GDPR)	Withdraw at any time a consent you have given, without affecting what we did before.

You can exercise the rights of access, portability, rectification and erasure directly from the "Privacy and your data" section under Account > Privacy inside the platform, without needing to send any email.

For any other rights exercise, write to [email protected] with a copy of your ID document. We answer within one month (art. 12.3 GDPR), which can be extended to three months if the request is complex.

If you consider that we have not handled your data properly, you can lodge a complaint with the Spanish Data Protection Agency (AEPD), calle Jorge Juan, 6, 28001 Madrid: www.aepd.es.

We use our own and third-party cookies. Technical cookies are necessary for the platform to work and do not require your consent. Analytics and marketing cookies are only installed if you accept them through the banner. The full cookie table and details are in the Cookie Policy, available in the footer.

Cookie / ID	Provider	Type	Duration	Purpose	Legal basis
access_token (JWT)	imotrack	Technical	30 days	Keeps your session active.	Performance of contract. No consent required (art. 22.2 LSSI-CE).
_ga, _ga_[ID], _gid	Google LLC (GA4)	Analytics	up to 2 years	Usage statistics with anonymised IP.	Consent (art. 6.1.a GDPR).
_gcl_au / _gcl_aw	Google LLC (Google Ads)	Marketing	90 days	Google Ads campaign conversions.	Consent (art. 6.1.a GDPR).
_fbp, _fbc	Meta Platforms Ireland	Marketing	90 days	Facebook and Instagram campaign conversions.	Consent (art. 6.1.a GDPR).
Meta CAPI (server-side)	Meta Platforms Ireland	Server marketing	No local cookie	Server-side conversion events. Only active if you accept marketing.	Consent via banner.

The following features are on our roadmap. We include them in this Policy so the legal basis is established from the start and we do not have to rewrite the text when we activate them.

11.1. Lease contracts

imotrack will be able to generate draft contracts from templates adapted to Spanish Law 29/1994 on Urban Leases (LAU). These are working drafts: they do not replace legal judgement. Responsibility for the final contract belongs to the landlord.

11.2. Electronic signature

Advanced (AES) or qualified (QES) electronic signature may be integrated under Regulation (EU) 910/2014 (eIDAS). The signature provider will be added to the sub-processor list at that time.

11.3. AI savings suggestions

With your explicit consent, we may analyse the utility invoices you already have in imotrack to offer comparisons and optimisation suggestions. This is a different purpose from tax management and will require independent consent.

11.4. Tenant communications

You will be able to send communications to your tenants from the platform: receipts, reminders, notices. imotrack acts as the technical sender; the sender for all purposes remains you. The tenant can object to receiving these communications at any time.

11.5. Provider marketplace

You will be able to access providers of utilities, insurance and other services from the platform. If imotrack receives a commission for that intermediation, we will inform you clearly and visibly before you use that feature.

11.6. Sign-in with Google (OAuth)

imotrack plans to add the option of signing in with a Google account (OAuth 2.0). When this feature is active, imotrack will receive the following data from Google: email address, name and profile photo (if public). This data will be used solely to create and manage your account. Google LLC already appears as sub-processor in the table in section 4 for analytics and advertising; when OAuth authentication is activated, a specific line will be added for this service. Legal basis: performance of the contract (art. 6.1.b GDPR).

imotrack is not directed at minors under 18 and we do not knowingly collect data from minors. If we become aware that data of a minor has been processed without the consent of their legal representatives, we delete it immediately.

We will update this Policy when our tools, applicable rules or the service itself change. We will notify you at least 15 days before any significant change takes effect, unless urgent for security or legal reasons.

If you later incorporate a company and the data controller becomes a legal entity, only the identification data in section 1 will need updating: the rest of the document does not change.