← Back to Home
Privacy Policy
Last updated: June 9, 2026 (v2.1 — full iOS app data footprint for App Store review)
This policy applies to both the Kasap website (kasap.es) and the Kasap mobile app for iOS. If something only applies to the app or only to the waitlist, we say so explicitly.
1. Who we are
Kasap is a real estate discovery service connecting buyers and renters with verified real estate professionals in Spain. The data controller is KASAP APP, S.L. (CIF B26648170), a company registered in the Mercantile Registry of Valencia, Spain, with registered office at C/ Torn de l'Hospital 31, Valencia, operating under the Kasap brand.
If you have a privacy question or want to exercise your rights, write to contact@kasap.io. We respond to requests within 30 days.
2. What data we collect
We collect only what we need to operate the service.
Waitlist (website)
- Email address — to notify you when Kasap launches and respond to support questions
- Timestamp — when you joined the waitlist
- Browser language — stored only in your browser's local storage so we can show the right localization next visit
Mobile app account
- Email address — to authenticate your account, send transactional notifications, and respond to support
- Display name — shown to other users when you message or are messaged
- Role — buyer/renter or real estate professional, chosen during onboarding
- Authentication identifiers — a Firebase user ID (UID); if you sign in with Apple or Google, a token from those providers (we never receive or store your Apple/Google password). Sign in with Apple credentials are stored securely in the iOS Keychain on your device.
Profile data (optional, app)
- Profile photo — only if you choose to upload one
- City and languages you speak — to localize your experience and help you connect with relevant professionals
- Bio, brokerage, license number, phone, website, service areas — only if you are a real estate professional and choose to provide them
- Agent presentation materials — photos or videos a professional uploads to present themselves, if applicable
- Buyer preferences — city, budget range, property type, bedroom count
Content you create (app)
- Listings — property photos, videos, descriptions, prices, and addresses that real estate professionals publish to the app
- Posts — content you publish to the in-app Discover feed
- Chat messages — direct conversations between buyers and real estate professionals
Interactions (app)
- Likes — properties you mark as favourites
- Follows — professionals or accounts you choose to follow
- Matches — mutual connections formed between you and other users
We use these interactions to power social discovery — surfacing listings, professionals, and connections that fit your activity.
Device & usage data (app)
- FCM token and device identifiers — used by Firebase Cloud Messaging to deliver push notifications (new messages, follows, and matches) you have consented to
- Device and app information — device model, iOS version, and app version, collected with crash and performance reports
- Usage / product-interaction events — actions such as viewing a listing, liking, following, opening a listing detail, or sending a message, collected via Firebase (Google) Analytics to understand how the app is used and improve it. These events are associated with your pseudonymous Firebase user ID (UID) and are used only by Kasap; they are never used for advertising or shared for cross-app tracking.
- Crash reports — collected via Firebase Crashlytics (stack traces, device model, OS and app version), associated with your Firebase UID so we can reproduce and fix issues affecting your account
- Performance metrics — collected via Firebase Performance Monitoring (latency, frame rate, network success)
What we do not collect
- We do not collect IDFA / advertising identifiers
- We do not track you across other apps or websites
- We do not sell your personal data to anyone
- We do not use your data for advertising
- We do not collect your precise or approximate location (the app does not use location services)
- We do not access your contacts, calendar, health, or financial data
Device permissions the app requests
- Photo library — only when you choose to upload a profile photo or listing media. We access only the photos and videos you explicitly select; we never read your full library.
- Notifications — only if you opt in, so we can deliver push notifications for messages, follows, and matches.
3. Why we process this data (legal bases under GDPR Article 6)
- Authenticate your account and provide service features — Performance of contract (Art. 6(1)(b))
- Send transactional and marketing notifications you opted into — Consent (Art. 6(1)(a)), withdrawable in app Settings
- Diagnose crashes and performance issues using anonymized data — Legitimate interest (Art. 6(1)(f))
- Comply with Spanish tax, consumer-protection, and anti-fraud law — Legal obligation (Art. 6(1)(c))
4. Who we share data with
Kasap shares your data only with the following sub-processors, each bound by a Data Processing Agreement (DPA):
- Google Firebase (Ireland / EU primary; some services replicate to USA) — authentication, database (Firestore), media storage, push notifications (Cloud Messaging), usage analytics (Google Analytics for Firebase), crash reporting (Crashlytics), and performance monitoring. Receives: account data, profile data, app content, interactions, FCM token, usage events, crash and performance data. See firebase.google.com/support/privacy.
- Apple Inc. (USA) — Sign in with Apple, Apple Push Notification service (APNs), and App Store Connect crash diagnostics. Receives: authentication token, FCM token, notification payload, crash data.
- Airtable (USA) — waitlist email storage only. Receives: waitlist email + timestamp.
Cross-border transfers: Some processors transfer data to the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary technical measures (encryption in transit and at rest).
5. How long we keep your data
- Active app account: for the lifetime of your account.
- Deleted app account: removed from active systems within 30 days; backups purged within 90 days.
- Chat messages: retained as long as both parties have an account; deleted with the account.
- Crash and performance metrics: anonymized at collection and retained up to 12 months.
- Waitlist email: retained until product launch or you request deletion, whichever comes first.
6. Your rights (GDPR / LOPDGDD)
Under the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law on Personal Data Protection (LOPDGDD), you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion ("right to be forgotten"). In the app: Settings → Delete Account. From the waitlist: email contact@kasap.io.
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting processing prior to the withdrawal
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD): https://www.aepd.es.
7. Children
Kasap is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, write to contact@kasap.io and we will delete it.
8. Security
We use industry-standard security measures:
- TLS 1.2+ for all network communication
- Encryption at rest for stored data (Firebase default)
- Firebase App Check to prevent unauthorized API access
- Two-factor authentication available on all administrative accounts
No system is 100% secure. In the event of a personal-data breach, we will notify the AEPD within 72 hours of becoming aware of the breach (GDPR Art. 33) and will notify affected users when required by GDPR Art. 34.
9. Cookies and local storage
The website uses browser local storage only to remember your language preference. No tracking cookies are used. This data never leaves your device. The mobile app stores authentication tokens and user preferences locally on your device using iOS Keychain and standard secure storage.
10. Changes to this policy
We may update this policy. Material changes will be announced in the app and via email at least 30 days before they take effect. The current version is always available at https://kasap.es/legal/privacy-policy.
11. Contact
Privacy questions, GDPR requests, or anything else:
Email: contact@kasap.io