Privacy Policy

Last updated: April 2026

1. Information We Collect

We collect information you provide directly to us and information generated through your use of the platform.

  • Account Data: When you register, we collect your name, email address, phone number, role, and any documents required for verification (e.g., agent license, company registration).
  • Property Data: Homeowners and agents provide property details including address, photos, price, description, and ownership documents.
  • Payment Data: We collect transaction records, payment references, and payout details. Full card numbers are never stored — they are handled by our PCI-compliant payment processors.
  • Usage Data: We automatically collect information about how you interact with the platform including pages visited, search queries, properties viewed, and inquiry history.
  • Cookies: We use cookies and similar tracking technologies to maintain session state and improve your experience. See Section 4 for details.

2. How We Use Your Information

  • Service Delivery: To operate the platform, facilitate property inquiries, schedule viewings, process offers, and manage transactions.
  • Verification: To verify the identity and credentials of agents, developers, lawyers, and other regulated roles before granting platform access.
  • Communications: To send transactional emails including account approvals, inquiry notifications, offer updates, viewing confirmations, and payment receipts.
  • Analytics: To understand platform usage, improve features, measure performance, and generate aggregate statistics. Individual analytics data is never sold.
  • Security and Compliance: To detect fraud, prevent abuse, enforce our Terms of Service, and comply with applicable legal obligations.

3. Information Sharing

We do not sell, rent, or trade your personal information to third parties. We share data only with service providers necessary to operate the platform:

  • Supabase: Our database and authentication provider. All data is stored in Supabase with row-level security (RLS) policies enforced.
  • Paystack / Flutterwave / M-Pesa: Payment processors that handle card tokenization, mobile money, and transaction verification. They operate under their own privacy policies and PCI DSS compliance programs.
  • Resend / ProtonMail: Email delivery services used to send transactional notifications. Email content is transmitted securely via TLS.
  • Legal Requirements: We may disclose information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of CastleEx, our users, or the public.

4. Cookies and Tracking

CastleEx uses the following types of cookies:

  • Session Cookies: Required for authentication. These store your login state and expire when you close your browser or your session token expires.
  • Preference Cookies: Store your preferences such as selected currency, language, and filter settings to improve your experience across visits.
  • Analytics Cookies: Used to understand how visitors interact with the platform (e.g., pages viewed, time spent, navigation paths). This data is aggregated and cannot identify you personally.

You can disable cookies in your browser settings, but doing so may affect the functionality of the platform, including your ability to stay logged in.

5. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and associated data, subject to legal retention requirements.
  • Portability: Request your data in a structured, machine-readable format.
  • Opt-Out: Unsubscribe from non-transactional marketing communications at any time via the unsubscribe link in any email.

To exercise these rights, contact us at privacy@castleex.com. We will respond within 30 days.

6. Data Retention

  • Active Accounts: Your data is retained for as long as your account remains active and for a reasonable period thereafter to support dispute resolution.
  • Deleted Accounts: Upon account deletion, your personal data is removed from production systems within 30 days. Aggregated, anonymised analytics data may be retained indefinitely.
  • Transaction Records: Financial records are retained for 7 years to comply with applicable tax and accounting regulations.
  • Audit Logs: Security and activity logs are retained for 90 days (read notifications) and 180 days (all activity), after which they are automatically purged.

7. Security

We implement industry-standard security measures to protect your information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Row-Level Security (RLS): Database access is governed by Supabase RLS policies that ensure users can only access data they are authorised to see.
  • HMAC-Signed Webhooks: All payment webhook communications are verified using HMAC-SHA256 signatures to prevent tampering and replay attacks.
  • Authentication: All authenticated API routes use server-side token verification. Session tokens are never trusted without server validation.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8. Contact

For privacy-related questions, requests, or concerns, please contact our Privacy Team at: privacy@castleex.com

CastleEx Real Estate Platform
Dubai, United Arab Emirates