Privacy Policy

DRAFT — not yet legally reviewed

Last updated: April 2026  ·  Controller: Casa Software

This Privacy Policy explains how Casa ("we," "our," "us") collects, uses, and protects personal data when you use our Service. We process data in accordance with the EU General Data Protection Regulation (GDPR) and Portuguese data protection law.

1. Data We Collect

1.1 Account data

When you create an account: email address, name (optional). This data is used to authenticate you and communicate with you about the Service.

1.2 Property and journey data

Data you enter about properties you're tracking, purchase stages, tasks, and notes. This is stored solely to provide the Service to you.

1.3 Documents

Files you upload to the document vault. Files are stored encrypted on EU servers. We do not read or share your documents.

1.4 Usage data

Page views and feature usage (anonymised, no personal tracking). We use this to understand which features are most useful.

1.5 Payment data

Payment processing is handled by Stripe. We receive only a Stripe customer ID and subscription status, not your full card number.

2. Legal Basis for Processing

  • Contract performance: account data, property data, documents, necessary to provide the Service.
  • Legitimate interests: anonymised usage analytics to improve the Service.
  • Legal obligation: retention of billing records as required by Portuguese accounting law.

3. Data Sharing

We do not sell your personal data. We share data only with:

  • Stripe
  • Resend
  • Fly.io

If you contact a professional through the professionals directory, your contact details are shared with that professional with your explicit consent at the time of submission.

4. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account deletion.
  • Documents: retained until you delete them or delete your account.
  • Billing records: retained for 7 years per Portuguese accounting law requirements.
  • Anonymised analytics: retained indefinitely.

5. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access
  • Rectification
  • Erasure
  • Portability
  • Objection
  • Restriction

To exercise these rights, email privacy@mycasa.pt. We will respond within 30 days.

6. Cookies

We use a single session cookie for authentication (set by better-auth). We do not use tracking cookies or third-party advertising cookies. The session cookie is strictly necessary for the Service to function.

7. Security

We use HTTPS for all data in transit. Data at rest is stored on encrypted Fly.io volumes. We follow security best practices including password hashing (bcrypt), signed session tokens, and rate limiting on authentication endpoints. We do not store plaintext passwords.

8. International Transfers

Data is stored in EU regions only (Fly.io Frankfurt). No international transfers to non-adequate countries.

9. Changes to This Policy

We will notify you of material changes via email with at least 14 days' notice. The current version is always available at casa.pt/legal/privacy.

10. Contact and DPA

Data Protection enquiries: privacy@mycasa.pt
You also have the right to lodge a complaint with the Portuguese supervisory authority, CNPD (cnpd.pt).