14 Privacy & terms
Version1.2
Last updatedMay 15, 2026
Next reviewMay 15, 2027

How we
handle your data.

We handle your data with the same care we apply to real estate — honestly, transparently, and without fine print. This document explains what we do.

01Who are we?

Atlanticasa BV is responsible for the processing of personal data as described in this privacy policy.

Our Dutch office is located at Boerenverdriet 20, 4613 AK Bergen op Zoom. 

For privacy questions our data protection officer is reachable via hallo@atlanticasa.com.

02What data do we process?

Depending on how you contact us, we process the following categories of personal data:

Category
Examples
Identity data
First and last name, date of birth, NIF, BSN (only for notarial acts)
Contact data
Email, phone number, home address
Preference data
Preferred region, budget, property type, timeline
Financial data
Income, assets, financing situation (only if relevant)
Communication data
Email exchanges, meeting notes, form input
Usage data
Anonymised: page visits, measured via Plausible Analytics

03Why do we process it?

  • To handle your request — send an information pack, schedule a call, answer questions
  • To guide you through the purchase process — pre-selection, viewings, legal, notarial
  • To comply with legal obligations — Wwft, tax, NHR/IFICI procedures
  • To improve our services — anonymised analysis of what works
  • To inform you about relevant updates — only if you have consented
No mailing list, no retargetingWe do not send marketing emails unless you have explicitly subscribed to the search agent or monthly market brief. We do not do retargeting, and your data is never resold.

04Legal basis

Under the GDPR (and in Portugal the RGPD) we process your data on one of the following bases:

  • Performance of an agreement if you are a client in a purchase process
  • Preparation of an agreement for the initial call and orientation phase
  • Consent for subscription to the search agent or market brief
  • Legal obligation for the Wwft, tax reporting, archiving duty
  • Legitimate interest for anonymised service improvement

05Retention periods

We do not keep your data longer than necessary:

Type
Period
Enquiry form without follow-up
12 months, then deleted
Client file (active engagement)
Duration of engagement + 1 year
Client file (completed)
7 years (tax archive)
Wwft identification
5 years after end of relationship
Marketing consent
Until withdrawal + 12 months
Plausible Analytics
Anonymised, no personal data

06With whom do we share your data?

Only when necessary, and always under a processor agreement:

  • Notaries, lawyers and banks — only during an active purchase, at your request
  • Cal.com for calendar scheduling (EU servers)
  • Fastmail our email provider (NL/EU servers)
  • Plausible Analytics anonymised usage statistics (DE servers)
  • HelloSign for digital signatures (EU servers)

We never share data with advertising networks, data brokers or social media platforms for marketing purposes.

07Your rights

Under the GDPR you have the right to:

  • Access the data we keep about you
  • Correction if data is inaccurate
  • Erasure if the retention period has expired or you withdraw consent
  • Restriction of processing
  • Objection to processing based on legitimate interest
  • Data portability — receive your data in a common format
  • Complain to the Autoriteit Persoonsgegevens (NL) or CNPD (PT)

Email hallo@atlanticasa.com — we respond within 30 days, usually within a week.

08Cookies & tracking

We deliberately keep it minimal: no tracking cookies, no advertising cookies, no social media plugins that leak data.

What we do use:

  • Functional cookies — for example to remember your language preference or saved properties. No consent required.
  • Plausible Analytics — privacy-friendly, cookie-less web statistics. No personal data, no IP storage, GDPR-compliant out of the box.

09Security

We take your data seriously. Concretely:

  • TLS 1.3 encryption across the entire site (A+ rating on SSL Labs)
  • Encrypted backups, rotated daily, stored in EU data centres
  • Access to client files only for specifically designated staff, with 2FA
  • Periodic security audit by an external agency
  • A data breach protocol — notification to AP within 72 hours where applicable

10Changes to this policy

For material changes we send a notice to existing clients and log the change here in a changelog. The current version is always on this page. Earlier versions are available on request.

11Questions or complaints?

We are approachable, and we respond:

Not satisfied with our answer? You can always turn to the supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or, in Portugal, the Comissão Nacional de Proteção de Dados (cnpd.pt).