Privacy Policy
Last updated: May 2026
1. Who We Are
CastleEx ("we", "us", "our") operates a real estate marketplace at castleex.com connecting property buyers, agents, developers, and homeowners. We are the data controller for personal data processed through the platform.
For all data-related enquiries, contact us at support@castleex.com.
2. Applicable Law
CastleEx operates primarily in the United Arab Emirates and complies with applicable data protection legislation, including:
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) — the primary data protection law governing our operations in the UAE. This law establishes your rights regarding access, correction, deletion, and objection to processing of your personal data.
- EU General Data Protection Regulation (GDPR) — to the extent we process personal data of individuals in the European Economic Area. Where GDPR applies, we rely on the following lawful bases: contractual necessity (account creation, transaction processing), legitimate interests (fraud prevention, platform security), consent (WhatsApp notifications, marketing), and legal obligation (KYC, financial record-keeping).
- Applicable financial regulations — including anti-money laundering (AML) and Know Your Customer (KYC) requirements that govern identity verification for real estate transactions in the UAE.
3. Data We Collect
Account data
Name, email address, phone number, WhatsApp number, country, and profile picture, collected when you register.
Professional data
For agents and agencies: real estate licence number, agency name, and areas of specialisation. This data is used to display verified credentials on listings and profiles.
Identity verification (KYC) documents
Identity documents (such as passports or national ID cards) submitted by agents applying for Verified or International badges. These documents are sensitive personal data under UAE PDPL and GDPR. They are reviewed only by authorised CastleEx admin staff, stored with strict access controls, not shared publicly or with third parties, and retained only as long as necessary to maintain the verification record or as required by applicable AML/KYC regulations.
Property data
Listings you create, including descriptions, pricing, images, location coordinates, and floor plans.
PDF brochures
When a property or development brochure is downloaded, we record a unique verification code, the document type, and a snapshot of the listing at download time. Agent identity is never included in this record. Verification codes are retained indefinitely to support document authenticity checks.
Transaction and financial data
Offer amounts, viewing requests, commission records, and payment references processed through our payment providers. We do not store full card numbers or bank account details — these are handled directly by our payment processors. Transaction records are retained for a minimum of five years as required by UAE financial regulations.
Affiliate data
If you join our affiliate programme, we store your referral code and referral activity for commission calculation purposes.
Communications
Enquiries submitted through contact forms and messages between platform users.
Usage data
Pages visited, browser type, and IP address collected automatically for security and performance purposes. This data is anonymised for analytics.
4. How We Use Your Data
- To create and manage your account (contractual necessity)
- To display property listings and match buyers with agents (contractual necessity)
- To process viewing requests, offers, and transactions (contractual necessity)
- To verify agent credentials and display trust badges (legitimate interest / legal obligation)
- To send transactional emails — account approval, viewing confirmations, offer updates (contractual necessity)
- To send WhatsApp notifications where you have explicitly opted in (consent)
- To generate and verify PDF property brochures (contractual necessity)
- To process affiliate referrals and commission payouts (contractual necessity)
- To detect and prevent fraud, bots, and unauthorised access (legitimate interest)
- To comply with AML, KYC, and financial reporting obligations (legal obligation)
- To improve the platform through anonymised usage analysis (legitimate interest)
We do not sell your personal data to third parties.
5. Payment Processing
Payments on CastleEx are processed by Paystack and Flutterwave, which are PCI-DSS compliant payment processors. When you make or receive a payment:
- Card details and bank information are entered directly into the payment processor's secure environment and are not stored by CastleEx.
- We receive a payment reference, transaction status, and amount confirmation.
- Commission settlement records are retained for a minimum of five years in compliance with UAE financial regulations.
- Paystack and Flutterwave may conduct their own identity checks as required by their regulatory obligations.
For details on how these processors handle your data, see the Paystack Privacy Policy and the Flutterwave Privacy Policy.
6. Third-Party Services
We use the following services to operate the platform. Each processes data only as necessary to provide its service.
| Service | Purpose |
|---|---|
| Supabase | Database and authentication |
| Vercel | Hosting and infrastructure |
| Resend | Transactional email delivery |
| Cloudflare Turnstile | Bot protection on sign-in and registration |
| Mapbox | Property location maps |
| WhatsApp (Meta) | Notification messages (opt-in only) |
| Paystack / Flutterwave | Payment processing |
| Anthropic (Claude) | AI-assisted property description generation and document parsing |
Cloudflare Turnstile: Our sign-in and registration forms use Cloudflare Turnstile for bot detection. This service operates in the background and may collect device and network signals to assess risk. Use of Turnstile is subject to the Cloudflare Turnstile Privacy Addendum.
7. Data Retention
- Account data — retained for as long as your account is active. Deleted within 30 days of an account deletion request, subject to legal retention obligations.
- KYC documents — retained for the duration required by applicable AML regulations, which may extend beyond account closure.
- Transaction and financial records — retained for a minimum of five years as required by UAE financial regulations.
- PDF brochure verification codes — retained indefinitely to support document authenticity checks.
- Usage and analytics data — anonymised and retained for platform improvement purposes.
8. Your Rights
Under UAE PDPL and, where applicable, GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your account and associated personal data, subject to legal retention obligations
- Objection — object to processing based on legitimate interests
- Restriction — request that we restrict processing of your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format (where GDPR applies)
- Withdraw consent — withdraw consent for WhatsApp notifications or any consent-based processing at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, email support@castleex.com. We will respond within 30 days. If you are an EU resident and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
9. Security
We implement industry-standard security measures including encrypted connections (HTTPS/TLS), row-level database security, role-based access controls, and encrypted storage for sensitive data. KYC identity documents are accessible only to authorised admin staff. No method of transmission over the internet is 100% secure; we take all reasonable steps to protect your data but cannot guarantee absolute security.
10. International Data Transfers
Some of our third-party service providers (including Supabase, Vercel, and Resend) may process data outside the UAE. Where this occurs, we ensure that appropriate safeguards are in place, including standard contractual clauses or reliance on providers with applicable adequacy certifications.
11. Children
CastleEx is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us at support@castleex.com and we will delete the account promptly.
12. Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or applicable law. Changes will be posted on this page with an updated date. For material changes, we will notify registered users by email. Continued use of the platform after changes are posted constitutes acceptance of the revised policy.
13. Contact
For any privacy-related questions or to exercise your rights: support@castleex.com