# Security & Privacy Policy
Most real-estate agency privacy policies are templated and unread. This one is not. We have written it the way we have because our clients give us the kind of information — proof of funds, family structure, ownership intent — where careless handling has actual consequences.
This document covers, in plain language: the legal framework we operate under for client data (the EU General Data Protection Regulation and the Spanish anti-money-laundering regime), the technical safeguards we apply to that data, the additional confidentiality structures we use for off-market listings, the communication channels available for clients who require enhanced privacy, and the procedure we follow if anything goes wrong. The contact point for any data-protection request is at the bottom of the page. The principles that motivate this approach are in the [philosophy manifesto](/muse-philosophy-manifesto).
## GDPR compliance
Muse Marbella is a data controller within the meaning of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), as transposed and supplemented in Spain by Ley Orgánica 3/2018 (Protection of Personal Data and Guarantee of Digital Rights, "LOPDGDD"). The firm's data-protection registration is held with the Agencia Española de Protección de Datos (AEPD).
**Legal basis for processing.** The primary legal basis for processing client personal data is GDPR Article 6(1)(b) — performance of a contract — covering buyer mandates, seller mandates, advisory engagements and the work performed during transactions. Limited additional processing is conducted under Article 6(1)(c) (legal obligation) for the AML/KYC regime described below, and under Article 6(1)(f) (legitimate interest) for narrow purposes such as fraud prevention and the maintenance of standard transactional records after engagement close.
**Categories of data processed.** Client identification data (name, address, ID/passport details, NIE where applicable, contact data); financial data limited to the proof-of-funds, source-of-wealth and source-of-funds information required under AML rules; transactional data (properties viewed, offers made, mandates signed, completed transactions); and the communications history associated with the engagement. We do not process special-category data within the meaning of GDPR Article 9 except where directly relevant to a transaction (for example, where a client's accessibility needs influence property selection, and only with the client's explicit instruction).
**Data minimisation.** We collect the minimum information needed to perform the contract and satisfy our legal obligations. The two senior buyer's agents on our [team](/muse-team) are trained to push back on volunteered information that is not necessary — we have repeatedly declined to take in personal data offered by clients that we did not need for the engagement, on the principle that data we do not hold cannot be mishandled.
**Client rights under GDPR.** Clients have the rights set out in GDPR Articles 12-22, namely: right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17, subject to the limits in 17(3) for legal obligations including the AML retention period), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). Requests are processed within 30 calendar days as required by Article 12(3). Where a request cannot be fully complied with — typically because AML retention obligations under Spanish law override the right to erasure for a defined period — we explain the reasoning in writing and indicate when the data will become eligible for deletion.
**Retention periods.** Active mandate data is retained for the duration of the engagement plus six years thereafter, consistent with Spanish commercial-law obligations under the Código de Comercio (Article 30). AML-specific KYC data is retained for ten years after the end of the business relationship per Article 25 of Spanish Law 10/2010, as amended by Law 10/2023. Marketing communications data is retained only while the client remains on the relevant communications list and is purged within 30 days of opt-out.
**International transfers.** We do not export client personal data outside the European Economic Area as a routine matter. Where a specific engagement requires it — typically a coordination call with a non-EU tax advisor or a wealth manager — the transfer occurs under the standard contractual clauses adopted by the European Commission per GDPR Article 46(2)(c), and the client is notified in advance.
## Technical safeguards (PII handling)
The data-protection legal framework is only as good as the technical implementation underneath. Ours is summarised below.
**Encryption at rest.** Client data held in our primary database is encrypted at rest using AES-256 within the Hostinger Business hosting environment that hosts the firm's primary application stack. Database backups are similarly encrypted; backup keys are held separately from the database keys. The CMS database backing the website (musemarbella.es) is separate from the operational client-data system; the CMS does not store proof-of-funds documents, KYC records or transactional details.
**Encryption in transit.** All client-facing web traffic terminates at Cloudflare with TLS 1.3 (Let's Encrypt certificate, automatic renewal). Internal network traffic between the application stack and the database uses encrypted connections. Email transit is encrypted via STARTTLS where the receiving server supports it; clients sending us highly sensitive documents are routed to a secure document-upload channel rather than email, on request.
**Access controls.** Client records are accessible only to the assigned engagement team plus the founder. Junior administrative staff have no access to financial or AML records. Audit logs of record access are retained for 24 months. Multi-factor authentication is mandatory for all team members accessing client systems.
**No third-party data sharing without explicit consent.** Client data is not shared with any third party — including the abogados, tax advisors, gestorías and other professional partners we work with regularly — without the client's specific written authorisation for that specific transfer. The instruction can be limited in scope ("share the title deed only, not the proof of funds") and revoked at any time. This is more restrictive than the legal minimum under GDPR and reflects the explicit principle in the [philosophy manifesto](/muse-philosophy-manifesto).
**No marketing-tracker integration.** The website does not run Facebook Pixel, Google Ads conversion tracking or comparable marketing trackers. Basic Google Analytics is configured with IP anonymisation and without cross-site tracking; clients can opt out via the cookie banner. Details are in the cookies section below.
## AML / KYC compliance
Spain implements the EU 5th Anti-Money Laundering Directive (Directive (EU) 2018/843) through Law 10/2010 of 28 April 2010, as amended most recently by Law 10/2023 of 27 March 2023. Real-estate agents are designated obligated parties under Article 2 of Law 10/2010, which means we are required to perform customer due diligence ("CDD"), including identity verification, on parties to certain transactions, and to report suspicious activity to the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales (SEPBLAC).
We conduct these checks honestly and as proportionately as the framework allows. The process for a typical buyer is below.
**Trigger threshold.** Full CDD applies to buyer-side mandates for transactions above €100,000 (Article 7 of Law 10/2010 and SEPBLAC implementing guidance), and to seller-side mandates for any transaction. Simplified CDD applies below the threshold under the conditions specified in the law.
**Identity verification.** Government-issued photo ID (passport or national ID card) plus the NIE (Foreigner Identification Number); if the client does not already hold an NIE, it can be obtained through a Spanish consulate or through our [gestoría introduction](/pricing-transparency). For legal entities: the corporate ID, beneficial-ownership confirmation, and authorisation of the individual representing the entity.
**Source of funds.** A short written statement of the source of funds for the specific transaction, plus documentary support — typically a bank statement, sale-of-asset evidence, or a wealth-manager confirmation letter — corresponding to the magnitude of the transaction. For larger transactions or for funds originating from higher-risk jurisdictions on the EU list, enhanced due diligence applies under Article 11 of the law.
**Politically exposed persons.** Where the buyer (or the buyer's beneficial owner, immediate family, or close associates) is classified as a Politically Exposed Person under Article 14 of Law 10/2010, enhanced due diligence and senior-management approval apply. The founder reviews every such case.
**Sanctions screening.** Standard screening against the EU consolidated sanctions list and the UN sanctions list before any transaction proceeds.
**Honest framing of the process.** We explain the AML requirements at first contact, before they become a surprise. The process is real friction — particularly for non-Spanish residents unfamiliar with the regime — and clients are entitled to know what they are signing up for. We have never withdrawn from a transaction where the AML process simply took longer than the buyer expected; we have withdrawn from transactions where the AML evidence raised concerns we could not resolve, in line with our legal obligations.
## Off-market listing privacy
Off-market listings carry confidentiality structures beyond the standard data-protection framework. The structures exist to protect vendors who have specific reasons — divorce proceedings, succession matters, business confidentiality, personal preference — for not being publicly identified as sellers.
**NDAs.** Every off-market listing carries a mutual NDA between Muse and any prospective buyer, signed before the dossier is shared. The standard NDA is one page; we use a longer bespoke NDA for the most sensitive vendor situations.
**Proof of funds before viewing.** Off-market viewings require proof of funds and ID verification on file before the viewing is scheduled. This is more restrictive than the public-market practice and is explicit in our [list your property page](/list-your-property) so vendors understand the standard.
**Vendor-imposed restrictions.** Some vendors require additional restrictions — photographs not to be shared outside the office, viewings only by named buyers (not their advisors), no mention of the property to other agencies. We honour all such restrictions in writing and document them in the seller's mandate. The [Off-Market Specialist on the team](/muse-team) maintains the operational map of who-can-know-what for every active off-market listing.
**Physical binders, not digital sharing.** The most sensitive off-market dossiers are kept in physical binders at the [headquarters office](/offices) and never digitised. Buyers see them in person, take notes, and proceed without ever receiving a file they could forward or accidentally share.
## Communication channels
Standard client communication runs over email (encrypted in transit), WhatsApp (encrypted end-to-end by the platform), and phone. For clients with enhanced privacy requirements we offer two additional channels.
**Signal.** End-to-end encrypted with no metadata retention on Signal's servers. Available on request — typically used by clients in higher-profile public roles, by clients in jurisdictions where regular communications may be monitored, or by clients with specific operational-security requirements. The two senior buyer's agents and the founder maintain Signal accounts for client use.
**In-person at the office.** For the most sensitive conversations, the [Marbella headquarters office](/offices) has two soundproofed rooms used for confidential briefings. No recording. No third-party staff present unless the client requests it. We can also host a three-way encrypted video call to a remote advisor in either of these rooms.
**No chatbot.** We do not operate AI-generated first-touch replies on the website or messaging channels. Every initial response is written by a named team member. This is partly an operational decision (chatbots produce poor first impressions in our market) and partly a privacy decision (chatbot interactions train on input data in ways that are not always transparent).
## Cookies and tracking
The musemarbella.es website operates a deliberately minimal cookie and tracking footprint.
- **Strictly necessary cookies.** Session ID and CSRF protection only. No consent required (GDPR Recital 32 carve-out).
- **Analytics (optional).** Google Analytics with IP anonymisation enabled and cross-site tracking disabled. Opt-in via the cookie banner; declining has no functional impact on the site.
- **No marketing trackers.** No Facebook Pixel, no Google Ads conversion tag, no LinkedIn Insight Tag, no third-party advertising cookies. Where we run advertising campaigns (rarely), we measure them at the campaign-platform side rather than instrumenting our own site for the purpose.
- **No third-party content embeds.** Where we embed external content (the occasional YouTube video), we use the privacy-enhanced embed mode that does not set cookies until the viewer plays the video.
The full cookie list is in the cookie banner footer link.
## Data breach procedure
In the event of a personal-data breach that is likely to result in risk to the rights and freedoms of clients, we will notify the Agencia Española de Protección de Datos (AEPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Affected clients are notified directly without undue delay when the breach is likely to result in high risk to their rights and freedoms, per GDPR Article 34.
Our internal breach-response procedure is:
1. **Containment.** Initial assessment and containment within four hours of detection, led by the founder.
2. **Scope assessment.** Identification of affected records, affected clients, and probable cause within 24 hours.
3. **Regulator notification.** AEPD notification within 72 hours where required.
4. **Client notification.** Affected client notification within 72 hours where required, in writing, with a description of the breach, its likely consequences, and the measures being taken.
5. **Post-incident review.** Written post-mortem within 30 days, with specific procedural changes documented.
We have not had a notifiable breach since the firm was founded in 2018. The procedure above exists so that if one ever happens, the response is fast and structured rather than improvised.
## Contact for privacy requests
For data-protection requests (access, rectification, erasure, portability, restriction, objection), data-breach inquiries, or any other privacy-related contact, write to:
**Email:** privacy@musemarbella.es
**Postal:** Avenida Arias Maldonado, 2 · 29602 Marbella · Málaga · Spain (mark for the attention of "Data Protection")
Requests are acknowledged within five working days and substantively addressed within 30 calendar days as required by GDPR Article 12(3). Where we cannot fully comply with a request — typically because of overriding AML retention obligations — we explain the limit in writing.
If a privacy request is not handled to your satisfaction, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) — www.aepd.es — under GDPR Article 77.
## Frequently asked questions
**Do you share my data with the abogado or tax advisor you recommend?**
Not without your written authorisation, and the authorisation can be limited to specific documents and specific purposes. We have built the workflow to default to the most restrictive sharing setting; the authorisation step is explicit at the start of any professional-partner engagement. The full partnership framework is on [/professional-partnerships](/professional-partnerships).
**How long do you retain my data if I never become a client?**
Initial inquiry data (typically your name, contact details, and stated property interest) is retained for 12 months from last contact and then deleted unless you have requested ongoing inclusion in market communications. If you became a registered prospect and went through KYC but never transacted, the KYC data sits under the same ten-year AML retention rule as for completed transactions.
**Can I request that all my data be deleted at the end of an engagement?**
Yes, with the limits imposed by AML retention (ten years for transaction-related KYC records under Spanish Law 10/2010) and standard commercial-law retention (six years for transactional records under the Código de Comercio). Non-AML, non-commercial-record personal data — communications history, marketing-list inclusion, advisory-engagement notes — can be deleted on request as soon as the engagement formally closes.
**What about the off-market binders at the office? How is that data secured?**
Physical binders are stored in locked cabinets in the [headquarters office](/offices). Access is restricted to the senior team and the founder. Binders are reviewed monthly and updated; obsolete dossiers are shredded with a documented chain of custody. The vendor's identifying information is in many cases removed from the binder version of the dossier — only the building, sub-zone, parameters and photography are visible — and is held separately in encrypted form.
**Do I have to use my real name in initial communications?**
No. We are happy to take initial inquiries under a pseudonym or under a private-office or legal-entity reference. Real-name disclosure becomes necessary at KYC stage if you proceed to mandate, but for early conversations — including substantive briefings — pseudonymous engagement is supported and routine in our market.
## Where to go from here
The companion pages that together describe how we operate are [/pricing-transparency](/pricing-transparency), [/referral-program](/referral-program), [/professional-partnerships](/professional-partnerships), [/muse-team](/muse-team), and the founding principles at [/muse-philosophy-manifesto](/muse-philosophy-manifesto). For any conversation requiring enhanced privacy — by Signal, in person, or under bespoke NDA — the contact route is privacy@musemarbella.es or a scheduled in-person meeting at one of the two [Marbella offices](/offices). Buyers wanting a fuller picture of how AML and KYC interact with the standard purchase process should also read the [Muse Marbella buyer guide 2026](/buyer-guide-2026.html).
## Related Reading
- [Pricing Transparency — Every Fee We Charge | Muse Marbella](/pricing-transparency)
- [Client Referral Program — 1.5% Kickback or Charity | Muse Marbella](/referral-program)
- [Professional Partnerships for Lawyers and Family Offices | Muse Marbella](/professional-partnerships)
- [The Muse Team — Founder-Led Boutique Marbella RE | Muse Marbella](/muse-team)
- [Muse Marbella Philosophy & Founding Principles | Muse Marbella](/muse-philosophy-manifesto)
- [Visit Our Marbella Offices — Two Locations | Muse Marbella](/offices)
- [List Your Marbella Property With Muse](/list-your-property)
- [Muse Marbella Buyer Guide 2026](/buyer-guide-2026.html)