Privacy Policy

Last updated: March 2026

1. Who we are

CASITANA is operated by Forward Thinking, a company providing property management software for rental property owners in Europe. Our platform helps landlords track finances, bookings, documents and maintenance tasks for their rental properties.

For questions about this policy, contact us at: [email protected]

2. What data we collect

We collect only the data necessary to provide our service:

  • Account data: your name, email address, and password (stored as a bcrypt hash — we never see your plain-text password).
  • Property data: property names, addresses, financial transactions, booking records, and documents you upload.
  • Payment data: billing is processed entirely by Stripe. We store only your Stripe customer ID and subscription status — never your card details.
  • Usage data: server logs, page visits, and error reports for debugging and service improvement.
  • Session cookies: a single session cookie to keep you logged in. It expires when you close your browser or log out.

3. How we use your data

  • To provide, operate and maintain the CASITANA platform.
  • To process payments via Stripe.
  • To send transactional emails (account confirmation, password reset, subscription receipts).
  • To provide customer support when you contact us.
  • To improve our product based on aggregated, anonymised usage patterns.

We do not sell your data, share it with advertisers, or use it for any purpose other than operating and improving the service.

4. Legal basis (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

  • Contract performance: to deliver the service you subscribed to.
  • Legitimate interest: to maintain security, prevent fraud, and improve the platform.
  • Legal obligation: to retain financial records as required by applicable law.
  • Consent: for any marketing communications (which you may withdraw at any time).

5. Data sharing and third parties

We use the following third-party processors:

  • Stripe — payment processing (privacy policy at stripe.com/privacy).
  • Railway — cloud hosting and database infrastructure.
  • Cloudflare R2 — file and document storage.
  • Resend — transactional email delivery.
  • Sentry (functional.sentry.io) — error monitoring and performance tracking to improve application reliability.
  • Twilio Inc. — WhatsApp business messaging (phone numbers, message content).
  • Meta Platforms (WhatsApp Business) — message delivery.
  • SES Hospedajes (Spanish Ministry of Interior) — guest registration data as required by Royal Decree 933/2021.

All processors are contractually bound to protect your data and comply with GDPR.

6. Data retention

We retain different categories of data for specific periods based on legal requirements and operational necessity:

  • Read notifications: 90 days
  • Scheduled WhatsApp messages: 30 days after delivery
  • Automation logs: 90 days
  • Guest registration data (SES): 3 years, as required by Royal Decree 933/2021
  • Audit logs: 1 year

Upon account deletion request, all personal data is permanently removed, except data that we are legally required to retain (e.g. guest registration records under Royal Decree 933/2021, financial records under Código de Comercio, Art. 30).

7. Cookies

We use only essential cookies required for the service to function:

  • Session cookie: keeps you authenticated while you use the platform. No tracking.
  • CSRF token: protects against cross-site request forgery attacks.
  • Language preference cookie (casitana_locale): stores your selected language for 1 year.

We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.

8. Your rights (GDPR)

As an EU resident, you have the right to:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate data.
  • Erasure: request deletion of your account and data (“right to be forgotten”).
  • Portability: receive your data in a machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Restriction: request that we limit how we use your data.

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

9. Security

We use industry-standard security measures including HTTPS encryption in transit, bcrypt password hashing, and isolated database access controls. No method of electronic storage is 100% secure; we work continuously to protect your data and will notify you promptly in the event of a breach.

10. Changes to this policy

We may update this policy when our practices change or when required by law. We will notify active users by email at least 14 days before material changes take effect. Continued use of the service after that date constitutes acceptance.

Questions? Contact us at [email protected] or visit our contact page.