Privacy Statement Tesoro CRM
Scope of this statement
This privacy statement describes how Codificamos S.L. (“Tesoro”, “we”) as controller processes personal data of the users of Tesoro CRM (employees of real estate agencies who hold an account) and of persons who contact us.
Important distinction: the data that a real estate agent enters into the CRM about their own clients (buyers, sellers, owners, portal users) is processed by us as a processor on behalf of the agent. This statement does not apply to that data. For that data the agent is the controller, and the data processing agreement (DPA) between the agent and Codificamos applies.
1. Controller
Codificamos S.L., CIF B02641900, Calle Meliso 10, 03739, Jávea, Alicante, Spain. Registro Mercantil de Alicante, Tomo 4329, Folio 65, Hoja A-171807. Privacy contact: privacy@tesorohq.io.
2. Which personal data we process (of account holders)
- Account & identity: name, business email address, phone number, job title, language, profile photo.
- Company details: company name, address, tax number (VAT/NIF), billing details.
- Login & security: password (hashed), authentication tokens, IP addresses, login timestamps.
- Payment data: handled via our payment provider (Stripe); we do not store full card details.
- Support and communication data: correspondence you conduct with us.
- Usage data: technical logs and usage statistics of the Service.
3. Purposes and legal bases (art. 6 GDPR)
| Purpose | Data | Legal basis |
|---|---|---|
| Providing and managing the account/the Service | account, identity, login | art. 6(1)(b) contract |
| Billing and payments | company, tax and payment data | 6(1)(b) contract + 6(1)(c) legal (tax) obligation |
| Support and communication about the Service | contact, support data | 6(1)(b) / 6(1)(f) legitimate interest |
| Security, fraud prevention, error monitoring, improvement | login, IP, logs | 6(1)(f) legitimate interest (a secure, working service) |
| Marketing / product updates (where applicable) | name, email | 6(1)(a) consent (opt-in; revocable) |
| Complying with legal obligations | relevant data | 6(1)(c) |
4. Sub-processors / recipients
We do not sell personal data. We engage the following service providers for our own processing activities as controller:
| Service provider | Function | Location | Mechanism |
|---|---|---|---|
| Stripe | payment/billing processing | US | EU-US DPF + SCCs |
| Mailgun (Sinch) | transactional email (account, support) | EU | within the EEA |
| MongoDB Atlas | storage of account data | EU (Madrid) | within the EEA |
| Cloudflare | hosting / CDN | EU/Cloudflare | DPF |
| Hetzner | EU hosting (self-hosted components) | EU (Germany) | within the EEA |
| GlitchTip (self-hosted) | error monitoring | EU (Germany) | within the EEA |
(For the processing of the agent’s end-client data, a separate sub-processor list applies in the DPA.)
5. International transfers
Your data is in principle processed within the EEA. For service providers with a US parent company (such as Stripe, Cloudflare and Mailgun/Sinch), insofar as incidental access may take place, the EU-US Data Privacy Framework and/or standard contractual clauses (SCCs) apply. A copy of the safeguards is available on request.
6. Retention periods
- Account data: for the duration of the agreement and 12 months thereafter.
- Billing/tax data: statutory retention period (Spain: typically 6 years).
- Technical logs / IP: 90 days.
- Error monitoring: 90 days.
7. Your rights (GDPR)
You have the right to access, rectification, erasure, restriction, portability and objection, and the right to withdraw consent previously given (without retroactive effect). Requests can be sent to privacy@tesorohq.io.
You also have the right to lodge a complaint with the supervisory authority. In Spain this is the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es. You may also complain to the supervisory authority in your own EU country of residence.
8. Cookies
The application uses exclusively functional/strictly necessary cookies (session/authentication, language preference).
9. Officer & automated decision-making
- DPO: a data protection officer is not legally required for these processing activities; questions can be directed to privacy@tesorohq.io.
- Automated decision-making: we do not make decisions with legal effect based solely on automated processing. The AI feature of the Service is limited to translating/rewriting real estate texts (see the AI governance annex).
10. Changes
The current, published version of this statement always applies to the processing. We reserve the right to amend the content. In case of significant changes we will inform you via the Service or by email. The current version always bears a date.
11. Applicable law & contact
Spanish law. Questions or requests: privacy@tesorohq.io — Codificamos S.L., Calle Meliso 10, 03739, Jávea, Alicante, Spain.