Privacy Policy
Last updated: 6 April 2026
Baobab Investment & Consultancy S.L. ("we", "us", "VestaLinks") operates the website vestalinks.com. This privacy policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).
1. Data Controller
Baobab Investment & Consultancy S.L.
Calle Sierra de Cazorla 2, Local 4
29602 Marbella, Spain
Email: [email protected]
2. What Data We Collect
| Data | When | Purpose |
|---|---|---|
| Name, email, phone | Contact form submission | Respond to your property enquiry |
| Email address | Account registration / sign-in | Authenticate your account, save favorites |
| Chat messages | AI property search | Provide property recommendations |
| IP address | Every page visit | Security, rate limiting, abuse prevention |
| Property favorites | When you save a property | Remember your saved properties |
3. Legal Basis
- Legitimate interest (Art. 6(1)(f) GDPR) — processing enquiries, providing property search, website security.
- Contract performance (Art. 6(1)(b) GDPR) — providing the services you request (account, favorites, property recommendations).
4. How We Use Your Data
- Respond to your property enquiries via email
- Forward enquiries to the relevant property agent
- Provide AI-powered property search and recommendations
- Maintain your account and saved favorites
- Prevent abuse and ensure website security
5. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Google Gemini AI | AI property search chat | Chat messages (no personal identifiers) |
| Follow Up Boss CRM | Lead management | Name, email, phone from contact form |
| Plausible Analytics | Privacy-friendly website analytics | No personal data (cookieless, no tracking) |
| Google OAuth | Optional sign-in | Email, name (only if you choose Google sign-in) |
We do not sell your data to third parties. We do not use advertising trackers or profiling cookies.
6. Cookies
We use only functional cookies that are strictly necessary for the website to work:
| Cookie | Purpose | Duration |
|---|---|---|
| session | Keep you logged in, remember language preference | Browser session |
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Plausible Analytics is fully cookieless.
7. Data Retention
- Contact form submissions: 2 years, then automatically deleted
- Chat conversations: 1 year, then automatically deleted
- Account data: Until you request deletion
- Server logs: 30 days
8. Your Rights (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your data ("right to be forgotten")
- Restrict processing of your data
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
9. Data Security
We protect your data with:
- HTTPS encryption on all pages (TLS 1.2+)
- Passwords stored as salted hashes (never in plain text)
- Rate limiting on forms and API endpoints
- CSRF protection on all forms
- Access restricted to authorized personnel only
10. International Transfers
Your data is processed on servers located in Germany (EU). AI chat messages are processed by Google Gemini (Google Ireland Limited, EU). No data is transferred outside the EU/EEA without adequate safeguards.
11. Supervisory Authority
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.
12. Changes to This Policy
We may update this policy from time to time. The "last updated" date at the top of this page indicates when the policy was last revised.