Privacy Policy

1. Information we collect

• Account information. The email address and password you provide at signup, and any profile details you choose to add. We never store or have access to your plaintext password.
• Customer content. Information you upload about your clients, cases, documents, and deadlines while using the Service.
• Usage and technical data. Logs and metadata generated as you use the Service (timestamps, IP address, browser/user-agent, basic interaction events) used to operate and secure the product.
• Communications. Emails or messages you send to us (e.g., support requests, feedback).
• Billing information (when paid plans launch). Handled by our payment processor; we receive only the metadata needed to manage your subscription.

2. Two roles: controller and processor

EasyReloc processes personal data in two distinct capacities:

As a controller, when we process the personal data of our direct users (relocation agents and agency staff who hold accounts with us) — for example, account credentials, billing information, and usage data. This Privacy Policy describes that processing.

As a processor, when our users upload personal data of their own clients and case subjects (such as expat individuals and family members) into the Service. In that capacity, our user is the data controller and we process the data on their behalf, under their instructions, as set out in the Data Processing Terms in our Terms of Service.

If you are an end client of one of our users (i.e., your relocation agent uses EasyReloc to manage your case) and have questions about how your data is used, please contact your relocation agent directly. We will support them in responding to your request.

3. How we use information and our legal basis

Under the GDPR, we must have a lawful basis for each purpose for which we process your personal data. The table below summarizes our processing activities:

4. How we share information

We don't sell personal data and we don't share it for advertising. We share information only in these limited circumstances:

With service providers (processors) who help us operate the Service, under written contracts that require them to protect your data and process it only on our instructions:

• Hosting and infrastructure
• Database services
• Transactional email delivery
• Privacy-friendly, cookieless web analytics (Umami) for aggregate usage statistics
• Customer support chat (Crisp) — used to provide in-app help; may set first-party cookies on your browser
• Payment processing (when paid plans launch)

A current list of our sub-processors is available on request — contact support.

With authorities or third parties when required by law, valid legal process, or to protect the rights, safety, or property of EasyReloc, our users, or others.

In connection with a corporate transaction such as a merger, acquisition, or sale of assets, in which case we will notify you in advance and ensure the receiving party honors this Privacy Policy.

5. Data retention

We retain different categories of data for different periods:

• Account data (email, hashed password, profile): for the lifetime of your account, plus 30 days after account closure to allow recovery.
• Customer content (data you upload about your clients): for the lifetime of your account, plus a 30-day export window after termination, after which it is deleted from active systems within 30 days. Backup copies may persist for up to 90 days due to standard backup rotation, after which they are overwritten.
• Operational and security logs (IP addresses, request logs, authentication events): up to 12 months.
• Billing and tax records: up to 6 years after the relevant transaction, as required by Spanish tax law.
• Communications with our support team: up to 24 months after the conversation closes.

Where we are required to retain data longer (e.g., due to a legal hold or ongoing dispute), we will do so only for the duration of that obligation and only the data necessary.

6. Security

We apply industry-standard practices to protect your data, including:

• Encryption in transit for data exchanged between your browser and our servers, and between our internal services.
• Encryption at rest for sensitive data stored in our infrastructure.
• Secure password handling: we never store or have access to your plaintext password.
• Secure session management to keep you signed in safely.
• Access controls limiting which of our personnel can access production systems, and only on a need-to-know basis.
• Regular review of our security practices, dependencies, and infrastructure.

No system is perfectly secure. In the unlikely event of a personal data breach affecting your data, we will notify you and the relevant supervisory authority without undue delay and, where required by GDPR, within 72 hours of becoming aware of the breach.

7. Your rights

Under the GDPR and Spanish data protection law, you have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct inaccurate or incomplete data.
• Erasure ("right to be forgotten"): ask us to delete your personal data, subject to legal exceptions.
• Restriction: ask us to limit how we use your data.
• Portability: receive your data in a structured, commonly used, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time.
• Lodge a complaint with a supervisory authority (see "Complaints" below).

To exercise any of these rights, contact support. We will respond within one month, as required by GDPR. We may need to verify your identity before responding, to protect your data.

Complaints. If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es) or the supervisory authority of your country of residence. We'd appreciate the opportunity to address your concerns directly first.

End clients of our users: if your data has been uploaded by a relocation agent who uses our Service, please contact that agent first, as they are the data controller responsible for your data.

8. Cookies and similar technologies

We use a single, strictly necessary session cookie to keep you signed in. It is HTTP-only and secure, and contains no personal data beyond what is needed to identify your session.

Because this cookie is strictly necessary for the Service to function (you cannot use the Service without being logged in), it is exempt from the consent requirement under Article 22.2 of Spanish Law 34/2002 (LSSI-CE) and the ePrivacy Directive.

For analytics we use Umami, a privacy-friendly service that does not set cookies and does not collect personal data — it generates anonymized, aggregate page-view statistics.

For customer support we use Crisp, a chat platform. Crisp is our primary support entrypoint, so it loads on every visit so that you can reach us. Crisp may set first-party cookies on your browser to maintain your conversation context and recognize you across visits. These are non-advertising cookies used solely for chat functionality.

We do not use advertising cookies or third-party tracking cookies for marketing or cross-site tracking purposes.

9. International transfers

EasyReloc primarily processes data within the European Union. Some of our service providers may process data in the United States or other countries outside the European Economic Area.

Where we transfer personal data outside the EEA to a country not covered by an adequacy decision from the European Commission, we use the European Commission's Standard Contractual Clauses or other valid transfer mechanisms to ensure your data receives an equivalent level of protection. Where applicable, we also rely on certifications under the EU-U.S. Data Privacy Framework.

You can request more information about the specific safeguards in place for international transfers by contacting support.

10. Children's data

The Service is intended for use by adults acting in a professional capacity. We do not knowingly collect personal data directly from children under 16. If you become aware that a child has provided us with personal data, please contact support and we will take steps to delete it.

Note: as a processor, we may process personal data of children that our users upload as part of their case files (e.g., information about minor children of expat families). That processing is governed by our user's privacy obligations as the controller of that data.

11. Automated decision-making and profiling

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, and we do not use it for profiling.

12. What we don't do

We don't sell, rent, or share your data for marketing purposes. We don't use advertising cookies or track you across the web. We don't use your customer content to train AI models. We don't access your data except as needed to operate, secure, or support the Service, or where required by law.

13. Marketing communications

We may occasionally send you product updates, tips, or news about EasyReloc. We will only do so based on your consent or, where permitted by law, on the basis of an existing customer relationship. You can unsubscribe at any time using the link in any marketing email or by contacting support.

14. Changes to this policy

We may update this Privacy Policy as the Service evolves. Material changes will be communicated by email or in-product notice before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

15. Contact

Questions about this policy or your data? Contact support.