Back to CasamigoLast updated: 2026-05-27

Privacy Policy

Casamigo AS ("Casamigo", "we", "us") operates the Casamigo mobile application and website that connect homeowners in Spain with independent service providers ("the Service"). This policy explains what personal data we collect, why, and your rights under the EU General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Data Protection (LOPDGDD).

1. Who is the data controller

Casamigo AS, Norway (company number pending), is the data controller for the personal data processed through the Service. You can reach our privacy team at privacy@casamigo.app.

2. Data we collect

Provided by you

  • Account: name, email, phone number, password (hashed), role (homeowner or provider), language preference.
  • Profile: avatar, bio, address (homeowners) or service area (providers), skills, portfolio photos.
  • For providers: NIF / tax identifier, autónomo status, insurance information, bank details (handled by Stripe — see §5).
  • For Verifactu providers: digital signing certificate and notarised power of attorney (apoderamiento) — stored encrypted in Supabase Vault (EU region), used to sign and submit invoices to the Spanish Tax Authority (AEAT) on the provider's behalf.
  • For providers with mandatory liability insurance: insurance certificate (PDF/image) with insurer name, policy number, coverage, start/expiry date, and policyholder NIF.
  • Job content: job descriptions, photos you upload, price you pay or receive, messages you send.
  • Identity verification documents (providers): uploaded via Stripe Identity.

Collected automatically

  • Device data: operating system, app version, device model, language, time zone.
  • Usage data: screens viewed, actions taken, crash logs.
  • Location data: approximate location (city) always; precise GPS only during job check-in, with your consent on the device.
  • Photo GPS metadata: before/after job photos include coordinates and timestamp; this is stored with the booking record.

From third parties

  • Stripe: payment confirmation, payout status, identity-verification result.
  • Google / Apple: your name and email if you sign in with those accounts.

3. Why we use your data (purposes and legal basis)

  • Providing the Service (contract, Art. 6(1)(b) GDPR): creating accounts, matching jobs to providers, processing payments, facilitating chat, handling disputes.
  • Identity verification and fraud prevention (legal obligation + legitimate interest, Art. 6(1)(c), (f)): checking NIF, verifying provider identity via Stripe, blocking banned accounts from re-registering.
  • Verifactu compliance (legal obligation, Art. 6(1)(c) GDPR + Royal Decree 1007/2023): when a provider issues an invoice through Casamigo, we sign and transmit the invoice data (provider and customer NIF, invoice number, date, amount, VAT, IRPF withholding) to the Spanish Tax Authority (AEAT) using the provider's digital certificate (power of attorney). AEAT is the legal recipient, not a processor.
  • Liability insurance verification (contract + legal obligation, Art. 6(1)(b), (c)): for regulated categories (electrical, plumbing, HVAC, construction), Spanish law requires liability insurance. We store and verify the certificate to satisfy this obligation and to allow the provider to bid.
  • Tax reporting under DAC7 (legal obligation, Art. 6(1)(c)): Stripe reports provider earnings to EU tax authorities on our behalf, as required by Council Directive (EU) 2021/514. We additionally generate and retain an aggregated annual DAC7 report.
  • Aggregated accounting (legitimate interest + legal obligation, Art. 6(1)(c), (f)): we export daily aggregated financial summaries (account totals only, no user identifiers) to our accounting system Fiken AS (Norway).
  • Technical error tracking (legitimate interest, Art. 6(1)(f)): error traces and crashes are sent to Sentry GmbH (Germany) for diagnostics. Configured to not auto-attach email/IP and to scrub sensitive payloads server-side.
  • Usage analytics (consent, Art. 6(1)(a)): only if you opt in, Firebase Analytics records aggregated usage events (screen views, actions). You can withdraw consent at any time from Settings.
  • Customer support and safety (legitimate interest, Art. 6(1)(f)): reviewing reported users, handling complaints, enforcing our Terms.
  • Marketing communications (consent, Art. 6(1)(a)): only if you opt in. You can withdraw consent at any time from the app.

4. Who sees your data

Service providers you are matched with see your name, profile photo, job description, and approximate location before you accept a bid. Your full address is shared only with the provider whose bid you accept. Other homeowners and providers never see your private details.

5. Processors and recipients

We rely on the following processors, all bound by data processing agreements (DPAs):

  • Supabase Inc. (USA, with EU regions — Frankfurt) — database, auth, storage (including the insurance-certificate bucket), Vault (encrypted-at-rest digital certificates for apoderamiento), realtime. Standard Contractual Clauses apply.
  • Stripe Payments Europe Ltd. (Ireland) — payments, payouts, identity verification, DAC7 tax reporting. Stripe is an independent controller for the data it receives.
  • Fiken AS (Norway — EEA country with adequacy decision) — accounting system. Receives only aggregated daily financial totals per account, with no user identifiers, NIFs, or personal data.
  • Sentry GmbH (Germany — EU) — error and crash tracking. Configured to not auto-attach email/IP; sensitive payloads scrubbed server-side.
  • Google LLC (Firebase Cloud Messaging) (USA/EU) — transactional push notifications.
  • Google LLC (Firebase Analytics) (USA/EU) — anonymous, aggregated usage analytics, active only after explicit in-app consent.
  • Google LLC (Cloud Translation API) (USA/EU) — automatic translation of chat messages and job descriptions. Only the text content is sent to Google; no user identifiers are included.
  • Google LLC (Maps Platform & Places API) (USA/EU) — map rendering, address search, and geocoding. When you search or pick an address, your query and the resulting coordinates are sent to Google.
  • Resend Inc. (USA) — transactional emails (verification, password reset).
  • Apple Inc., Google LLC — app distribution, optional sign-in.
  • Vercel Inc. (USA/EU) — website hosting.

In addition, the following legal recipients are public authorities to which we are legally required to transmit data (not processors):

  • Agencia Estatal de Administración Tributaria (AEAT, Spain) — recipient of Verifactu submissions (provider and customer NIF, invoice data) under Royal Decree 1007/2023, and DAC7 reports.

6. International transfers

Some processors operate servers outside the EEA. Transfers are protected by the EU-US Data Privacy Framework (Stripe, Google, Vercel, Resend) and/or Standard Contractual Clauses adopted by the European Commission. Transfers to Norway (Fiken) rely on the EEA adequacy decision.

7. How long we keep data

  • Active account data: for as long as your account exists.
  • Deleted accounts: most personal data is deleted or anonymised within 30 days.
  • Transaction records and Verifactu invoices: retained for 6 years to comply with the Spanish Commercial Code (Art. 30) and General Tax Law (Art. 70).
  • Annual DAC7 reports: retained 6 years under Spanish tax law and Directive (EU) 2021/514.
  • Liability-insurance certificates: until 90 days after the policy becomes inactive or expired; policyholder NIF is anonymised on expiry.
  • Digital apoderamiento certificates: automatically deleted on certificate expiry or revocation.
  • GPS coordinates in booking photos: automatically nulled after 2 years.
  • Dispute evidence (photos, chat): retained 2 years after dispute closure.
  • Error traces (Sentry): 90 days (product default).
  • Analytics events (Firebase): 14 months (configured to minimum).
  • Backups: purged within 90 days.

8. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data (subject to legal retention duties).
  • Restrict or object to certain processing.
  • Receive your data in a portable format ("Download my data" in the app).
  • Withdraw consent at any time.
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) or your local authority.

Exercise these rights by emailing privacy@casamigo.appor using the "Download my data" and "Delete Account" options in the app.

9. Account deletion

You can delete your account from your profile in the app. This anonymises your profile immediately. Some data is retained to comply with legal obligations (Verifactu invoices, DAC7 tax records) or to protect the other party's rights during an open dispute.

10. Children

The Service is not intended for users under 18. We verify age at registration using a date-of-birth picker (enforced at the database layer). We do not knowingly collect data from minors.

11. Security

Passwords are hashed. Traffic is encrypted with TLS. Payment card data never touches our servers — it is handled directly by Stripe. Row-level security rules restrict database access to the owner of each record. Digital certificates are stored in Supabase Vault with AES-256 encryption.

12. Cookies and tracking

The website uses only strictly necessary cookies (session, language preference). The mobile app uses a device identifier for push notifications. We do not use advertising trackers.

13. Changes to this policy

Material changes will be announced in the app and by email. The "Last updated" date at the top reflects the most recent revision.

14. Contact

Questions about privacy? Email privacy@casamigo.app.