Privacy Policy
This Privacy Policy explains how MyCasa ("we", "our", "us") collects, uses, and protects personal data when you use our Service. We process data in accordance with the EU General Data Protection Regulation (GDPR) and Portuguese data protection law.
1. Data We Collect
1.1 Account data
When you create an account, we collect your email address and, if you provide it, your name. This is used to authenticate you and communicate with you about the Service.
1.2 Property and journey data
Data you enter about properties you are tracking, purchase stages, tasks, notes and preferences. This is stored solely to provide the Service to you.
1.3 Documents
Files you upload to document storage, such as passports, NIF documents, bank statements, contracts and certificates. Files are stored on EU infrastructure and are used only to provide the Service.
1.4 Usage data
Page views and feature usage, where collected, are used to understand which features are useful and to improve the Service. We do not sell usage data or use it for third-party advertising.
1.5 Payment data
Payment processing is handled by Stripe. We receive only billing metadata such as a Stripe customer ID, subscription status and plan; we do not receive or store your full card number.
1.6 Waitlist and launch-update data
If you join a waitlist or newsletter form, we collect your email address and basic technical metadata (such as IP address and user agent) to manage launch updates, prevent abuse and maintain a record of consent. You can unsubscribe from marketing updates at any time.
2. Legal Basis for Processing
- Contract performance: account data, property data, journey data and documents necessary to provide the Service.
- Legitimate interests: product analytics, security logging, fraud prevention and service improvement.
- Legal obligation: retention of billing records as required by applicable accounting and tax law.
3. Data Sharing
We do not sell your personal data. We share data only with service providers needed to operate MyCasa:
- Stripe: payment processing.
- Resend: transactional email such as magic links and reminders.
- Fly.io: hosting infrastructure in the EU.
If you contact a professional through the professionals directory, your contact details are shared with that professional with your explicit consent at the time of submission.
4. Data Retention
- Account data: retained while your account is active, then deleted within 30 days of account deletion unless we must keep limited records by law.
- Documents: retained until you delete them or delete your account.
- Billing records: retained as required by applicable accounting and tax law.
- Professional enquiries: retained as correspondence with the selected professional and MyCasa support for a limited period, unless you ask us to delete or anonymise them where legally possible.
- Waitlist/newsletter entries: retained until you unsubscribe or ask us to delete them.
- Security logs: retained for a limited period to protect the Service.
5. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: export your data in machine-readable format.
- Objection: object to processing based on legitimate interests.
- Restriction: restrict processing in certain circumstances.
To exercise these rights, email privacy@mycasapt.com. We will respond within 30 days.
6. Cookies and Local Storage
We use a session cookie for authentication and local storage for app preferences such as onboarding state and selected property. We do not use third-party advertising cookies. Any analytics will be privacy-conscious and will not be used to sell or broker your data.
7. Security
We use HTTPS for data in transit and EU-hosted infrastructure for application data. We follow security practices including signed sessions, rate limiting on authentication endpoints and restricted access to production systems.
8. International Transfers
MyCasa is hosted in the EU. If a processor ever requires a transfer outside the EU/EEA, we will rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses.
9. Changes to This Policy
We will notify you of material changes by email or in-app notice where appropriate. The current version is always available at mycasapt.com/legal/privacy.
10. Contact and DPA
Data protection enquiries: privacy@mycasapt.com
You also have the right to lodge a complaint with the Portuguese supervisory authority, CNPD (cnpd.pt).