Privacy Policy
Effective as of 02/17/2025
Introduction
This privacy policy describes how Buy&Rent processes your personal information when using our service. We are committed to protecting your privacy and being transparent about our practices.
Data Controller
The data controller is Buy&Rent, sole proprietor, 572 chemin du Viget, 30100 Alès, France (company currently being established). Contact: contact@buyandrent.fr.
Legal Basis for Processing
In accordance with Article 6 of the GDPR, data processing is based on the following legal grounds:
- Performance of contract: processing necessary for providing the service (account creation, analyses, subscription management)
- Consent: performance cookies, marketing communications
- Legitimate interest: service improvement, security, fraud prevention
- Legal obligation: invoice retention (10 years), compliance with judicial requests
Data Collected
Buy&Rent collects the following data:
- Account data: name, email, phone, date of birth during registration
- Tax data: income, family situation to personalize analyses
- Analysis data: properties you analyze and their characteristics
- Usage data: preferences, settings, browsing history in the app
Use of Data
Your data is used to:
- Provide and improve our real estate analysis services
- Personalize tax calculations and recommendations
- Contact you regarding your account or our services
- Analyze service usage to improve it
Cookies
Our site uses cookies necessary for the technical operation of the service (authentication, session). These cookies do not collect any data for tracking or advertising purposes. See our Cookies page.
Data Sharing
Your personal data is never sold to third parties. It may be shared with our technical subcontractors (hosting, payment) only as part of providing the service, in compliance with GDPR.
Sub-processors (DPA)
We use the following sub-processors to provide our services. Each is bound by a GDPR-compliant Data Processing Agreement (DPA):
- OVHcloud (OVH SAS), Server hosting (France/EU)
- Keycloak (self-hosted), Authentication and identity management
- Stripe Inc., Payment processing (PCI DSS certified)
- Cloudflare Turnstile, Anti-bot protection (no personal data transmitted)
- Elasticsearch (self-hosted), Internal search and indexing
Payment data is processed exclusively by Stripe and is never stored on our servers.
Data Transfers Outside the EU
Some of our sub-processors are located outside the European Union. Stripe Inc. (United States) and Cloudflare Inc. (United States) process data as part of providing their services. These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with Article 46 of the GDPR. Other sub-processors (OVHcloud, Keycloak, Elasticsearch) are hosted in France/EU.
Security
We implement technical and organizational security measures to protect your data against unauthorized access, loss or alteration. Data is encrypted in transit (HTTPS/TLS 1.3) and sensitive tax data is encrypted at rest (AES-256-CBC). Passwords are never stored in plain text. Server access is restricted and monitored.
Your Rights
Under GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure: delete your account and data
- Right to portability: receive your data in a structured format
- Right to object: object to certain processing
- Right to restriction: temporarily restrict the processing of your data
- Right to lodge a complaint: file a complaint with the CNIL (French Data Protection Authority - www.cnil.fr) if you believe your data processing does not comply with regulations
To exercise these rights, contact us at the address below.
Data Retention
Retention periods are as follows:
- Account data and analyses: as long as the account is active, then deleted within 30 days after closure
- Billing data: 10 years (accounting obligation, art. L123-22 French Commercial Code)
- Connection logs: 12 months (legal obligation)
- Performance cookies: 13 months maximum (CNIL recommendation)
Minors
The Buy&Rent service is intended for adults (18 years and older). We do not knowingly collect personal data from minors. If we learn that a minor has created an account, we will delete their data promptly.
Profiling and Automated Decision-Making
Buy&Rent does not carry out any fully automated decision-making within the meaning of Article 22 of the GDPR. The scores, calculations and recommendations provided are decision-support tools and do not constitute automated decisions producing legal effects concerning you.
Changes
We reserve the right to modify this policy. Significant changes will be notified by email or via the app. We encourage you to regularly check this page.
Contact
For any questions regarding this privacy policy: contact@buyandrent.fr