Personal Data Protection (GDPR)
In this platform, Monreal & Meadow provides technology services for chat management and commercial automation for property developments. This page provides supplementary privacy information about Monreal & Meadow's role as technology provider. The privacy notice of the real estate developer linked to each development remains the primary privacy information for that specific commercial relationship.
1. Roles of the parties
For commercial chats linked to each development:
- The real estate developer responsible for the relevant development acts as the Data Controller.
- Monreal & Meadow acts as the Data Processor (or sub-processor, where applicable), on behalf of the real estate developer.
This means the real estate developer decides the purposes and means of processing, and Monreal & Meadow processes personal data in line with the real estate developer's instructions and the applicable data processing agreement. If you are unsure which real estate developer is responsible for a conversation, you may contact gdpr@monreal.net and we will help route the request.
2. Dedicated WhatsApp channel
The platform uses dedicated WhatsApp numbers provisioned through Twilio for bot-assisted conversations. These numbers are assigned to the relevant real estate developer for use with this platform and are intended exclusively for conversations with the bot and related commercial follow-up inside the application.
The platform is not designed to ingest, mirror, monitor, or intercept conversations that take place on the real estate developer's own ordinary WhatsApp Business numbers outside this dedicated bot channel. This separation helps ensure that Monreal & Meadow processes only the conversations routed through the platform, not the developer's wider WhatsApp Business communications.
The relevant real estate developer may access the conversations generated through these dedicated numbers inside the application, subject to role-based access controls, confidentiality obligations, and the retention periods described in this notice.
3. Categories of personal data processed
We may process the following categories:
- Identification and contact data (for example, telephone number; and, where applicable, name and email address).
- Communication content (text, transcribed audio, and messaging metadata).
- Commercial preferences, housing needs, and property interests provided or inferred from the conversation, such as the developments, homes, or documents the user asked about.
- Technical and operational data (logs, delivery statuses, and message identifiers).
4. Processing purposes
Personal data is processed in order to:
- Handle enquiries and commercial conversations for each development.
- Send information about properties, documentation, and commercial follow-up.
- Give the user and the real estate developer better context about the conversation, including which properties or documents were relevant to the user's enquiry.
- Operate the channel technically (message delivery, security, traceability, and support).
5. WhatsApp messaging rules
WhatsApp Business messaging is subject to Meta's platform rules. When an end user sends a WhatsApp message to a real estate developer through this platform, a customer service window opens for 24 hours after the most recent inbound message from that user. During that window, the platform may send free-form replies that are relevant to the user's enquiry and the commercial conversation.
After that 24-hour window closes, the platform does not currently send free-form WhatsApp messages to the user. If out-of-window follow-up is enabled in the future, it must use a WhatsApp template approved by Meta and configured through the messaging provider, and may only be used where the real estate developer has the appropriate lawful basis, user opt-in where required, and a valid instruction for that specific follow-up.
This means that the platform is intended for user-initiated conversations and compliant follow-up, not for unrestricted outbound messaging. Users may ask the relevant real estate developer to stop WhatsApp follow-up or exercise their data protection rights using the contact routes described below.
6. Lawful basis
The lawful basis is determined by the real estate developer acting as Data Controller in its own privacy information (typically pre-contractual steps, legitimate interests, and/or consent, depending on the case).
The lawful basis applicable to each processing activity is set out in the real estate developer's own privacy notice provided to prospective buyers, typically at the point of first contact.
7. Service providers and sub-processors used
To provide the service, we use the following providers. Not every provider acts in the same legal role: some process personal data under a Data Processing Addendum, while others are limited external services used only for a specific technical function.
- Twilio (WhatsApp channel and messaging): Data Protection Addendum, sub-processors.
- OpenAI (AI assistance and audio transcription): engaged under a signed Data Processing Addendum. API data is not used for model training by default. For Responses API and Chat Completions requests, OpenAI's default abuse-monitoring logs may retain customer content for up to 30 days unless an approved retention-control configuration or a legal/safety exception applies. Audio transcription requests are subject to the retention controls published for the transcription endpoint. See OpenAI Data Processing Addendum and OpenAI API data controls.
- Vercel (serverless hosting and Vercel Blob file storage): Data Processing Addendum.
- Adobe PDF Services (PDF text extraction): Data Processing Addendum information.
- Prisma Postgres (managed PostgreSQL database infrastructure): Prisma Postgres documentation, Prisma privacy policy.
- Nominatim/OpenStreetMap (limited location geocoding, where applicable): no names, telephone numbers, contact details, message bodies, or user identity data are sent to this service; only non-identifying location strings needed for geocoding are used. See Nominatim usage policy, OpenStreetMap Foundation privacy policy.
8. Data location
- Database: Frankfurt (Germany).
- Blob storage: Frankfurt (Germany).
9. International transfers
Some service providers may process or access personal data from outside the EEA depending on the service, configuration, support route, or sub-processor involved. The main safeguards are:
- Twilio: Data Protection Addendum, Binding Corporate Rules, Data Privacy Framework, and/or SCCs as applicable.
- OpenAI: OpenAI Ireland Ltd. for EEA customer data, with SCCs or adequacy mechanisms for onward transfers where required.
- Vercel: Data Processing Addendum and SCCs or equivalent transfer mechanisms where required.
- Adobe: Data Processing Addendum and SCCs or equivalent transfer mechanisms where required.
- Prisma Postgres: Prisma privacy and contractual terms, including the transfer mechanisms applicable to the selected Prisma plan and region.
- Nominatim/OpenStreetMap: used only for limited geocoding without sending user identity or conversation content; where no controller-processor relationship applies, its own public-service privacy terms apply.
10. Retention periods
Conversation, contact, preference, and property-interest data is retained while the commercial enquiry remains active and, by default, for up to 24 months after the last meaningful interaction. This period reflects the usual length of real estate decision cycles while avoiding indefinite lead retention. The relevant real estate developer may instruct earlier deletion, anonymisation, or longer retention where a legal obligation or documented claim-preservation need applies.
Technical and operational logs are retained for a maximum of 12 months. User-sent media or audio, where stored, is kept only for as long as needed to process the conversation or support the service, and in any case no longer than 90 days unless a shorter provider retention period applies or a legal obligation requires otherwise. Sub-processors apply their own retention policies and contractual terms.
11. Automated decision-making and profiling
The platform does not assign lead scores and does not make solely automated decisions that produce legal or similarly significant effects for users. AI assistance is used to help answer questions, transcribe audio, and organise the conversation context. The platform may show the real estate developer information about the homes, documents, or developments that interested the user during the conversation, in a similar way to notes a human sales agent would keep after a commercial conversation.
12. Data subject rights
Rights of access, rectification, erasure, objection, restriction, and portability should be exercised with the real estate developer acting as Data Controller for the relevant development. Where processing is based on consent, users may withdraw that consent at any time. Requests will be addressed within one month of receipt, as required by Article 12 GDPR. Users also have the right to lodge a complaint with the competent data protection authority, including the Spanish Data Protection Authority (AEPD) where applicable.
If Monreal & Meadow receives a request directly, it will pass the request to the relevant real estate developer without undue delay and will assist in handling it according to the data processing agreement. If you do not know who to contact, you may write to gdpr@monreal.net.
13. Security
Technical and organisational measures are implemented in accordance with Article 32 GDPR to ensure an appropriate level of security. These include:
- Encryption in transit (TLS) for communications between users, the platform, and integrated sub-processors.
- Encryption at rest for stored data in systems under our control, and equivalent safeguards from infrastructure and sub-processors where contractually and technically supported (including Vercel in the Frankfurt region).
- Access controls: access to personal data is restricted to authorised personnel on a strict need-to-know basis.
- Plain-text access restrictions: Monreal & Meadow does not routinely access conversation content in plain text; any exceptional access is limited to what is strictly necessary to operate, secure, or support the service.
- Periodic review of sub-processor security measures and contractual commitments.
- Personal data breach handling: in accordance with Article 33(2) GDPR, Monreal & Meadow will notify the relevant Data Controller without undue delay after becoming aware of a personal data breach.
14. Support and resolution routes
If you have any privacy-related questions, you can first contact the real estate developer acting as Data Controller. For general privacy enquiries about this platform, you may also contact Monreal & Meadow at gdpr@monreal.net. The Spanish Data Protection Authority (AEPD) can be contacted at https://www.aepd.es
15. Updates
This information may be updated due to legal, technical, or provider-related changes.