Privacy Policy

Cyprus Properties ("we", "us", "our") respects your privacy and processes personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR"), the EU ePrivacy Directive as transposed into Cypriot law, and any other applicable law of the Republic of Cyprus. This policy is written in plain English with the formal precision the subject requires; if anything is unclear, please contact us.

1. Who we are — the data controller

The data controller for personal data processed via this website is:

Cyprus Properties Ltd
Registered in the Republic of Cyprus
Registered office: [placeholder address — Limassol, Cyprus]
Company registration number: [placeholder]
Email: privacy@cyprus-properties.eu

The above email address is the single point of contact for any privacy or data-protection query, including all rights requests described in Section 8.

2. What we collect

2.1 Data you give us through lead forms

When you submit a lead-capture form on the Site, we collect the data you choose to share. The exact fields depend on the form but typically include:

Identification: name, email address, and phone number (including country code).
Free-text message: whatever you write in the message field.
Optional context: nationality, country of residence, budget range, timeframe, preferred language, the project or unit you are enquiring about, and any preferences you choose to share.
Consent state: a timestamp recording that you ticked the consent box and accepted this Privacy Policy at the moment of submission.

2.2 Data we collect automatically

Cookies and similar technologies — only the strictly necessary ones until you give consent through our cookie banner. See Section 9.
Server logs — IP address, user-agent string, the URL requested, the referrer URL, and the timestamp of each request. Used for security, abuse detection, and aggregate diagnostics. Retained 30 days.
Analytics — only after you opt in. We use Google Analytics 4 with IP anonymisation enabled.
Error monitoring — Sentry collects information about errors that occur in the browser or on the server. We configure Sentry to scrub personally identifiable information before transmission.

2.3 What we do not collect

We do not collect special-category personal data (health, political opinion, religious or philosophical belief, biometric data, etc.). Please do not include such information in lead-form free-text fields.
We do not use the Site to collect financial account details, payment cards, or copies of identity documents. Any document required for a sales contract or PR application is exchanged directly between you and the developer's lawyer, never through us.

3. Legal basis for processing

We rely on the following lawful bases under Article 6 GDPR:

Consent — Art. 6(1)(a) GDPR. For analytics cookies, marketing communications, and for the initial submission of a lead form (you tick the consent box). Consent can be withdrawn at any time without affecting the lawfulness of any prior processing.
Legitimate interest — Art. 6(1)(f) GDPR. For responding to your inquiry once submitted, forwarding the lead to the relevant developer where you have asked to be put in touch with them, fraud and abuse prevention on the Site, and basic service security.
Legal obligation — Art. 6(1)(c) GDPR. Where we are required to retain records for tax, anti-money-laundering, or other regulatory reasons.

4. How we use the data

Responding to your inquiry. Reading what you wrote, replying by email, phone, or WhatsApp, and preparing any shortlist or document you requested.
Connecting you with a developer. When the form is attached to a specific project, or when you ask us to arrange a developer meeting, we forward the lead to the developer (or their lawyer or sales representative) of that project. From that moment, the developer becomes an independent data controller of the data we have handed over.
Transactional email. Sending the auto-reply confirmation when you submit a form, and sending any follow-up emails you have asked us to send. Delivered via Resend.
Internal CRM. Recording the lead and our communication history in our CRM (Pipedrive), so we can keep track of who has been contacted and who is waiting for a reply.
Analytics. Understanding which pages, projects, and content are useful, so we can improve the Site. Done in aggregate, with IP anonymisation, only after you opt in.
Abuse prevention. Detecting and blocking bot submissions, brute-force attempts, scraping, and other malicious traffic.
Legal compliance. Maintaining the records we are legally obliged to keep (tax, AML, regulatory).

5. Who we share data with

We share personal data only with the categories of recipients listed below. Every processor is bound by a written data-processing agreement and (where the recipient is outside the European Economic Area) appropriate transfer safeguards.

5.1 Developers and their representatives

Cypriot developers whose projects appear on the Site, and the lawyers or sales representatives appointed by them. When we hand a lead over, the developer becomes an independent data controller in their own right and is responsible for their further processing under their own privacy policy.

5.2 Our data processors

Make.com — automation platform that routes form submissions from the Site to Pipedrive, email, and our internal notification channels. Data processor. Hosted in the United States; transfers covered by EU Standard Contractual Clauses.
Pipedrive — CRM that stores leads and our communication history. Data processor. Hosted partly in the United States; transfers covered by Standard Contractual Clauses and supplementary measures.
Resend — transactional email delivery (auto-reply, internal notifications, follow-ups). Data processor. United States; Standard Contractual Clauses.
Google LLC — Google Maps (interactive map widgets), Google reCAPTCHA (bot protection on forms), Google Analytics 4 (only after consent, with IP anonymisation). United States; Standard Contractual Clauses.
Sentry — error monitoring with PII scrubbing enabled. Data processor. United States; Standard Contractual Clauses.
Our hosting and infrastructure providers — EU-region cloud infrastructure, database hosting, object storage (S3-compatible), and CDN. Strictly data processors. Hosted in the European Union.

We never sell personal data and we do not share it with third parties for their own independent marketing.

6. International transfers

Our primary database and object storage are hosted in the European Union. Certain processors above are based in or operate from the United States. For every transfer outside the European Economic Area, we rely on:

The European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–U.S. Data Privacy Framework for processors certified under it.
Supplementary technical and organisational measures, such as encryption in transit, access controls, and PII scrubbing.
Ongoing transfer-impact assessments documented internally.

7. How long we keep data

Leads and related communication history: retained for a maximum of 7 years, reflecting standard accounting and commercial retention practice in Cyprus. You may request earlier deletion at any time, subject to legal retention obligations (see Section 8). Inactive leads are flagged for review and deletion every 12 months.
Cookies: a maximum of 12 months per cookie. The cookie-consent record itself is retained for 12 months so we can prove your consent on request.
Server logs: 30 days.
Operational backups: retained on a 90-day rolling cycle, after which individual records cannot be selectively retrieved or deleted. A deletion request takes effect immediately on live data; backups age out within 90 days.
Records we are legally required to keep (tax, AML, regulatory): for the statutory minimum period (typically 6 to 7 years for tax records).

8. Your rights under GDPR

As a data subject in the European Economic Area or the United Kingdom, you have the following rights:

Right of access (Art. 15 GDPR) — you can ask for a copy of the personal data we hold about you and the related processing information.
Right to rectification (Art. 16 GDPR) — you can ask us to correct data that is inaccurate or to complete data that is incomplete.
Right to erasure — "Right to be Forgotten" (Art. 17 GDPR) — you can ask us to delete your personal data, subject to legal retention obligations.
Right to restriction of processing (Art. 18 GDPR) — you can ask us to pause processing while a dispute or verification is resolved.
Right to data portability (Art. 20 GDPR) — you can ask to receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21 GDPR) — you can object at any time to processing based on legitimate interest, and you can object at any time, with absolute effect, to processing for direct marketing.
Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Right not to be subject to a solely automated decision with legal or similarly significant effects (Art. 22 GDPR). We do not currently make any such decisions.

To exercise any of these rights, email privacy@cyprus-properties.eu. We respond within one month, as required by GDPR. If we need more time because the request is complex, we will tell you and explain why.

You also have the right to lodge a complaint with a supervisory authority. In Cyprus that is the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy). You may also lodge a complaint with the supervisory authority of your country of residence or country of work.

9. Cookies

A cookie is a small text file stored on your device when you visit a website. We classify cookies by purpose and load any non-essential cookie only after you give consent through our cookie banner. No third-party script that uses cookies is loaded before consent.

Strictly necessary cookies — always on. These include the admin session cookie (only relevant inside our authenticated admin portal), reCAPTCHA challenge cookies (security on lead forms), and the cookie-consent cookie itself (so we can remember your choice). They cannot be disabled without breaking the Site.
Analytics cookies — opt-in. Google Analytics 4 cookies (_ga, _ga_*) load only after you accept analytics in the banner. We use IP anonymisation.
Marketing / advertising cookies — none. We do not run retargeting, advertising pixels, or behavioural-advertising trackers on the Site in this phase of the project.

You can change your cookie preferences at any time via the "Cookie preferences" link in our footer, or by clearing cookies in your browser. Disabling analytics cookies does not affect your ability to use the Site.

10. Data security

Encryption in transit: TLS/HTTPS is enforced across the entire Site.
Encryption at rest: the database (PostgreSQL) and object storage (S3-compatible) are encrypted at rest.
Authentication: admin accounts use bcrypt-hashed passwords; admin sessions are JWT-based with HttpOnly cookies.
Bot protection: Google reCAPTCHA v3 on every public lead form.
Access controls: personal data is accessible inside our team on a need-to-know basis. Every admin action on personal data is logged.
Backups: automated, encrypted, EU-region; tested for restorability; aged out on a 90-day rolling cycle.

11. Children

The Site is not directed at children and we do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at privacy@cyprus-properties.eu and we will delete it.

12. Changes to this policy

We may revise this policy from time to time. The "Last reviewed" date at the top of the page reflects the most recent change. Where changes are material, we will communicate them through a banner on the Site and, where appropriate, by email to active leads.

13. Contact for data requests

For any data-protection query — including access, rectification, erasure, portability, objection, or complaint — write to privacy@cyprus-properties.eu.

By post: Cyprus Properties Ltd, [placeholder address], Limassol, Cyprus.