Privacy Policy

URBANPAY SL

C/ Velázquez 31, 6º Dcha · 28001 Madrid, Spain

[email protected] · Last updated: March 2026

0. Who We Are and Our Role

URBANPAY SL ("UrbanPay", "we", "us", or "our"), registered at C/ Velázquez 31, 6º Dcha, 28001 Madrid, Spain, is a technology company providing payment middleware infrastructure for real estate investment platforms, including club deal operators and crowdfunding platforms regulated under the European Crowdfunding Service Providers (ECSP) framework.

Depending on the context, UrbanPay acts in the following capacities under the GDPR:

  • Data Controller: when processing personal data of our direct clients (platform operators), prospective clients, and our own employees and contractors — we determine the purposes and means of processing.
  • Data Processor: when processing personal data of end investors and users on behalf of our client platforms — we act under the documented instructions of those platforms, who are the data controllers. In this capacity, our processing is governed by a Data Processing Agreement (DPA) with each client platform.

This Privacy Policy applies primarily to our role as data controller. Where we act as data processor, the applicable privacy policy is that of the relevant client platform.

1. Information We Collect

1a. Information you provide directly

  • Personal identification data: full name, email address, phone number, date of birth, nationality.
  • Business information: company name, registration number, tax ID, registered address.
  • Financial data: bank account details (IBAN), transaction history, payment amounts.
  • KYC/AML verification data: government-issued identity documents, proof of address, selfie/biometric verification images, and results from our verification partners. Please see Section 3b regarding the specific legal basis for this category of data.

1b. Technical data collected automatically

  • IP address, browser type, device information, and usage analytics.
  • Session data and platform interaction logs for security and fraud prevention purposes.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our payment processing and escrow services.
  • Verify identity and comply with KYC/AML regulations under applicable EU law.
  • Process transactions, disbursements, and settlements.
  • Communicate with you about your account, transactions, and support requests.
  • Detect and prevent fraud, unauthorised access, and other illegal activities.
  • Comply with applicable laws, regulations, and legal obligations.
  • Manage our client relationships and contractual obligations with platform operators.

3. Legal Basis for Processing (GDPR)

3a. Standard personal data (Article 6 GDPR)

We process standard personal data on the following bases:

  • Contractual necessity (Art. 6(1)(b)): to perform our services as agreed with client platforms and their users.
  • Legal obligation (Art. 6(1)(c)): to comply with financial regulations including PSD2, EU AML Directives (AMLD4, AMLD5, AMLD6), and ECSP Regulation (EU) 2020/1503.
  • Legitimate interest (Art. 6(1)(f)): to improve our services, prevent fraud, ensure platform security, and manage our business relationships.
  • Consent (Art. 6(1)(a)): where you have explicitly opted in, such as for marketing communications. You may withdraw consent at any time.

3b. Special category data — biometric and identity data (Article 9 GDPR)

The processing of identity documents and biometric verification data (including selfie images used for liveness checks) for KYC/AML purposes constitutes processing of special category data under GDPR Article 9. We process this data on the following basis:

  • Legal obligation (Art. 9(2)(b)): processing is necessary for compliance with EU Anti-Money Laundering Directives and related obligations to which UrbanPay and its client platforms are subject.

This processing is carried out exclusively through our certified KYC/AML sub-processor (see Section 4) acting under documented instructions.

4. Data Sharing and Third Parties

4a. Client platforms — controller/processor relationship

Client platforms (real estate club deal operators, crowdfunding platforms) that use UrbanPay's services act as data controllers for their end investors and users. UrbanPay processes such data as a data processor under a Data Processing Agreement (DPA). If you are an end investor and wish to exercise your data rights, you should contact the platform through which you invested. UrbanPay will assist client platforms in fulfilling such requests as required by the applicable DPA.

4b. Sub-processors and third-party partners

We may share your information with the following categories of recipients:

  • KYC/AML sub-processor: We use a certified identity verification sub-processor to process identity documents, biometric data, and verification results on our behalf under a sub-processing agreement. Data processed by this sub-processor may be stored on servers within the EEA and, where applicable, subject to appropriate transfer safeguards.
  • Banking and payment partners: to facilitate payment initiation, open banking connectivity, and transaction processing.
  • Document signing providers: to generate and execute investment contracts electronically.
  • Cloud infrastructure: we use EU-based cloud infrastructure for secure hosting and data storage, certified to SOC 2 Type II and ISO 27001 standards. UrbanPay SL does not independently hold these certifications.
  • Regulatory authorities: when required by applicable law, court order, or regulatory obligation.

We do not sell your personal data. All sub-processors and third-party partners are contractually bound to protect your data and comply with applicable data protection laws.

5. Data Retention

We retain your personal data for as long as necessary to provide our services and fulfil our legal obligations. Specific retention periods include:

  • Financial transaction records: minimum 5 years from the date of the transaction, as required by EU Anti-Money Laundering Directives.
  • KYC/AML verification records: minimum 5 years following the end of the business relationship, in accordance with AMLD requirements.
  • Contract and correspondence records: retained for the duration of the contractual relationship plus a minimum of 6 years in accordance with applicable statute of limitations.
  • Account and operational data: retained for the duration of your active account plus up to 2 years following account closure, unless a longer period is required by law.

You may request deletion of your account data at any time by contacting [email protected]. Deletion requests are subject to our legal retention obligations, which may prevent full erasure of certain categories of data.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure. Our security measures include:

  • End-to-end encryption for data in transit (TLS 1.2+) and at rest (AES-256).
  • Hosting on certified EU-based cloud infrastructure (SOC 2 Type II and ISO 27001).
  • Multi-factor authentication and role-based access controls for all internal systems.
  • Regular security reviews and access log monitoring.
  • Data minimisation — we only process data that is necessary for the stated purpose.

Note: UrbanPay SL does not independently hold SOC 2 or ISO 27001 certifications. References to these certifications relate to the EU-based cloud infrastructure on which our services are hosted.

7. Your Rights Under GDPR

Under the General Data Protection Regulation and applicable Spanish data protection law (Ley Orgánica 3/2018, LOPDGDD), you have the following rights:

  • Access (Art. 15): request a copy of the personal data we hold about you.
  • Rectification (Art. 16): request correction of inaccurate or incomplete data.
  • Erasure (Art. 17): request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction (Art. 18): request that we limit how we process your data in certain circumstances.
  • Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21): object to processing based on our legitimate interests.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are an end investor whose data is processed on behalf of a client platform, please contact that platform directly — we will assist them in responding to your request.

Right to lodge a complaint

If you believe our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Spain, this is:

Authority: Agencia Española de Protección de Datos (AEPD)
Address: C/ Jorge Juan 6, 28001 Madrid, Spain
Phone: +34 912 663 517

8. Cookies and Tracking

We use cookies and similar technologies to operate our platform. In accordance with GDPR and Spain's Ley 34/2002 de Servicios de la Sociedad de la Información (LSSI), we distinguish between:

  • Essential cookies: strictly necessary for the platform to function. These do not require your consent.
  • Analytics cookies: used to understand usage patterns and improve our services. These require your prior consent.

We do not use cookies for advertising or third-party tracking purposes. You can manage your cookie preferences through the cookie banner on our website or through your browser settings. Withdrawing consent for analytics cookies does not affect essential functionality.

9. International Data Transfers

Your personal data is primarily processed within the European Economic Area (EEA). Where data is transferred to countries outside the EEA (for example, in connection with certain sub-processors), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
  • Transfer Impact Assessments (TIAs) where required.
  • Verification that sub-processors implement equivalent technical and organisational security measures.

For data processed by our KYC/AML sub-processor, please contact us at [email protected] for details of their data transfer mechanisms and server locations.

10. Data Protection Officer

UrbanPay SL does not currently meet the criteria for mandatory appointment of a Data Protection Officer (DPO) under GDPR Article 37, as we do not carry out large-scale systematic monitoring of individuals or large-scale processing of special category data as our core activity.

For all data protection queries and rights requests, please contact our designated privacy contact:

Privacy Contact: UrbanPay SL Privacy Team
Address: C/ Velázquez 31, 6º Dcha, 28001 Madrid, Spain

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data processing practices. We will notify you of material changes as follows:

  • For material changes that affect your rights or introduce new processing purposes: at least 30 days' advance notice via email and prominent notice on our website.
  • For minor clarifications or non-material updates: by posting the updated policy on our website with a revised 'Last updated' date.

Continued use of our services after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account by contacting [email protected].

© 2026 UrbanPay SL. All rights reserved. For questions about this Privacy Policy, contact [email protected].