Privacy Policy
Last updated: 2026-04-15
Buvivo("we", "us") respects your privacy. This policy explains what personal data we collect when you use buvivo.com, why we collect it, and the rights you have over that data under the EU General Data Protection Regulation (GDPR) and Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
1. Data controller
- Name: Lerudi Consulting S.L.
- Address: Calle Pozos de Sierrezuela 32, 29650 Mijas, Malaga, Spain
- Tax ID: B93515062
- Contact: privacy@buvivo.com
2. What data we collect
We only collect the personal data we need to operate the service. Depending on how you use Buvivo, this may include:
- Account data: email address, password (stored as a salted hash by our authentication provider), full name, optional phone number, avatar, locale, role (customer or agent).
- Profile data (agents): agency name, biography.
- Request data (customers): the property criteria you publish (type, budget, locations, features) and the associated messages you send to agents.
- Listing data (agents): property details and photos you upload.
- Messaging data: the content of messages exchanged between customers and agents through the platform, including read receipts.
- Technical data: IP address (processed only to protect the service), device, browser and approximate country, collected via cookies when you consent (see our Cookie Policy).
3. Why we process it and on what legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and operating your account | Performance of a contract (Art. 6(1)(b)) |
| Publishing your request or listing and enabling messaging | Performance of a contract (Art. 6(1)(b)) |
| Sending service-related emails (password resets, notices) | Performance of a contract (Art. 6(1)(b)) |
| Preventing fraud, abuse and protecting the service | Legitimate interests (Art. 6(1)(f)) |
| Analytics cookies | Your consent (Art. 6(1)(a)) |
| Complying with tax and accounting obligations | Legal obligation (Art. 6(1)(c)) |
4. Who we share it with
We do not sell your personal data. We share it only with processors that operate the service on our behalf, under data-processing agreements compliant with GDPR Art. 28:
- Supabase — database, authentication, file storage. Data processed in the EU (Frankfurt region).
- Vercel — hosting and CDN. Data may be processed in the EU and, in limited circumstances, the United States under Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Vercel Analytics — aggregated analytics (only when you consent). No personal identifiers are sent.
When a customer messages an agent, or vice versa, the parties can see each other's profile (full name, avatar, agency name) and the messages they exchange — that is the service.
5. International transfers
Data is primarily processed in the European Union. Where transfers to third countries occur (e.g. to Vercel infrastructure in the US), we rely on the European Commission's adequacy decision for the US (Data Privacy Framework) and on Standard Contractual Clauses as appropriate.
6. How long we keep it
- Account data: for as long as your account is active, plus up to 30 days after deletion, after which it is permanently erased.
- Messages: kept for the life of the account; backed up for up to 30 days after deletion.
- Invoices and tax records: 6 years, per Spanish commercial-code requirements.
- Analytics events: aggregated, 12 months.
7. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Have inaccurate data corrected (Art. 16)
- Have your data erased ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3))
- Not be subject to solely automated decision-making with legal effects (Art. 22). We do not make such decisions.
To exercise any of these rights, email us at privacy@buvivo.com. We will respond within 30 days.
If you believe we have mishandled your data, you have the right to complain to the Spanish supervisory authority:
- Agencia Española de Protección de Datos (AEPD)
https://www.aepd.es
8. Security
We apply industry-standard technical and organisational measures: encrypted data in transit (TLS) and at rest, strict row-level security on our database, hashed passwords, least-privilege access for staff, and regular backups. No system is perfectly secure, so if you become aware of a security issue, contact us immediately at hello@buvivo.com.
9. Children
Buvivo is not intended for users under 18. We do not knowingly collect personal data from minors.
10. Changes to this policy
We may update this policy to reflect changes to the service or the law. We will update the "Last updated" date above and, for material changes, notify registered users by email.