Valora Spain
Privacy notice

What we keep, what we don't.

Last updated May 2026. The short version: we only collect what we need to advise you on a property, we don't sell it, and we delete it when the deal closes or you ask.

Who we are

Valora Spain ("we", "us") is a buyer's-agency operated by Nathan, based in Los Cristianos, Tenerife. We act on behalf of buyers — not sellers, not estate agencies. Contact: nathan@globaltenerife.com.

What we collect

  • Account: email address + password (hashed), any name you provide.
  • Buyer profile: the criteria you enter during onboarding — budget, timeline, regions, property type. You fill these in; we don't infer anything you haven't told us.
  • Deal documents: whatever you upload during a deal (passport copy, property deed, etc.). Stored encrypted on Supabase Storage.
  • Communication: messages you send us through the portal, email, or WhatsApp; conversations we have with you on the website chat. We thread these to your profile so we can hold context across channels.
  • Property activity: which properties you've requested reports on, which you've added to a shortlist, which you've discussed with us. We use this to make better recommendations and to remember what we've already covered.
  • Technical: IP address + browser user-agent on each request, so we can keep the service secure. Not linked to your profile for any other purpose.

What we don't collect from you (but do analyse)

For property analysis, we read public listings on Idealista, Kyero, and similar portals — and the public Spanish land registry, official transaction statistics, heritage register, and council planning data. None of that is data you give us; it's already public. We process it so you don't have to.

When that processing produces an analysis (a fair-value read, a cross-check, a walkthrough scoring), we store the result against the property — not against you. You only see the results we generated for you.

On-site visits & recordings

When we walk a property on your behalf using the on-site assistant, we may record the conversation with the agent or owner. This is treated as our internal note-taking, not as material we share. The audio is transcribed for our records and then deleted; only the structured notes derived from it persist. We don't share recordings or verbatim transcripts with you, the agent, the owner, or anyone else. Spanish law permits recording of conversations you're a participant in (one-party consent); we follow that rule and don't pass recordings to third parties.

AI processing

To produce reports, draft replies, and surface relevant properties, we use language and embedding models from third-party providers (currently OpenRouter, Anthropic, and OpenAI). What we send them:
  • Public property data (descriptions, photos, registry/transaction figures).
  • Aggregated context from your buyer profile and property activity — so the AI can produce relevant suggestions. Where possible, names and contact details are not included.
  • Your messages to us, when we use AI to draft a reply (the draft is never sent automatically — Nathan reviews it).
We don't use your data to train any third-party model. The providers we use have contractual no-training clauses on API traffic.

Why we collect it

Legal basis under GDPR Art. 6:
  • Contract performance (Art. 6(1)(b)) — account, profile, documents, messages are needed to deliver buyer-advisory services you've contracted us for.
  • Legitimate interest (Art. 6(1)(f)) — IP + user-agent logging for security and abuse prevention.
  • Legal obligation (Art. 6(1)(c)) — some records (invoices, AML checks) we're required by Spanish law to retain, regardless of your deletion request, for up to 10 years.

Who we share it with

  • Supabase — our database and auth provider (servers in the EU).
  • Vercel — hosts the website (EU region).
  • OpenRouter / Anthropic / OpenAI — language and embedding model providers for analysis and reply-drafting. See the AI processing section above for what we send.
  • Resend — email delivery (outbound) and email reception (inbound, when configured). Servers in the EU.
  • Bright Data — fetches public listing pages on our behalf when requested. We pass URLs, not your data.
  • WhatsApp Business / SendSeven — when you message us on WhatsApp, the message and our reply pass through Meta or our messaging broker. Standard WhatsApp privacy applies.
  • Pinecone — when our AI assistant uses retrieval against an indexed knowledge base, queries pass through Pinecone. We don't index your personal information; the knowledge base contains public property data and our own published content.
  • Your solicitor, notary, bank — only with your explicit instruction, on a specific deal.
We never sell or rent your data. We don't use third-party advertising trackers.

How long we keep it

  • Account + profile: while your account is active, plus 12 months after you ask us to delete it.
  • Deal documents: 10 years after deal close, to meet Spanish tax + notary retention rules.
  • Chat history with us: 3 years after last message, then purged.
  • Server access logs: 90 days, then rotated out.

Your rights

Under GDPR you can ask us to:
  • See everything we hold about you (SAR)
  • Correct anything that's wrong
  • Delete your account and data — we'll honour this except where law requires us to retain (see above)
  • Export your data to a portable file
  • Object to or restrict processing
Send any request to nathan@globaltenerife.com. We respond within 30 days. If you're unhappy with our response, you can complain to the Spanish data protection authority (AEPD).

Changes to this notice

If we change how we handle data, we update this page and email everyone with an active account before the change takes effect.
← Back home·Terms of service →
Privacy notice · Valora Spain