Privacy Policy

Zaminor B.V. (i.o.) ("Zaminor", "we", "us", or "our"), registered in the Netherlands, is the data controller responsible for your personal data within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

We are committed to protecting your privacy and ensuring that your personal information is handled in accordance with the GDPR, the Dutch Uitvoeringswet Algemene Verordening Gegevensbescherming ("UAVG"), and all other applicable data protection legislation.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our platform, website, mobile application, and mediation services (collectively, the "Services"). This policy applies to all personal data processed in connection with our Services, whether collected directly from you or obtained from third-party sources.

By accessing or using Zaminor, you acknowledge that you have read and understand this policy. This policy does not create any contractual or other legal rights on behalf of any party. For contractual obligations, please refer to our Terms and Conditions.

For any questions regarding the processing of your personal data or the exercise of your rights under applicable data protection law, you may contact us:

**Privacy contact** Email: hello@zaminor.com Postal address: Zaminor B.V. (i.o.), Attn: Privacy contact, Netherlands

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands (autoriteitpersoonsgegevens.nl).

We collect and process the following categories of personal data, depending on how you interact with our Services:

**3.1 Account data.** When you create an account, we collect: full name, email address, telephone number, date of birth, nationality, and residential address. This data is necessary to establish and maintain your user account and to provide our core mediation services.

**3.2 Identity verification data.** To verify your identity and ensure the safety of all parties involved, we collect: copies of government-issued identification documents (passport, national ID card, or residence permit), selfie photographs for liveness verification, proof of address documents (utility bills, bank statements, or official correspondence not older than 3 months), source of funds documentation (income statements, employment contracts, tax returns, investment records, gift declarations), and estimated net worth declarations.

**3.3 Burgerservicenummer (BSN).** For Dutch residents, we collect the Burgerservicenummer (BSN) as part of identity verification. The BSN is processed for identity verification purposes as permitted under Dutch law, in conjunction with Article 53(3) of the Algemene wet inzake rijksbelastingen (AWR). The BSN is encrypted at the column level in our database using pgcrypto and is never used for any purpose other than statutory identification obligations. Processing of the BSN is permitted under Article 46 of the UAVG, which allows processing where required by law.

**3.4 Financial profile data.** To perform mortgage pre-check calculations and financial assessments, we collect: gross and net income details, employment information and history, monthly expenses and existing financial obligations, savings and investment portfolio summaries, existing mortgage or loan details, bank account information and transaction history (via PSD2 open banking connection through Enable Banking or manual upload), and credit history summaries where voluntarily provided.

**3.5 Property preference data.** As part of our matching service, we collect: search criteria (location, property type, budget range, size requirements), saved and favorited properties, property viewing history, market preferences (Spain, Dubai, or both), and appointment requests.

**3.6 Communication data.** We collect records of: messages exchanged through our platform messaging system, email correspondence with our team, call recordings with advisors (with prior notification and consent where required), support tickets and their resolution history, and document exchanges related to property transactions.

**3.7 Technical and usage data.** We automatically collect: IP address (anonymized for analytics), browser type, version, and language settings, device type, operating system, and screen resolution, pages visited, clickstream data, and session duration, referral source and search queries, error logs and performance data, and authentication events and security logs.

**3.8 Biometric data (temporary).** During liveness verification as part of identity checks, our identity verification provider (Sumsub) processes facial biometric data. This data is used solely for the purpose of verifying that the person presenting an identity document is the same person depicted on that document. Biometric templates are deleted immediately upon completion of the verification check. Zaminor does not store biometric templates. The legal basis for this processing is your explicit consent (Article 9(2)(a) GDPR) for the processing of biometric data as a special category.

We process your personal data only where we have a valid legal basis under Article 6(1) GDPR. The following table sets out our processing activities, their purposes, and the applicable legal basis:

**4.1 Contract performance -- Article 6(1)(b) GDPR.** Purposes: creating and managing your user account; providing property matching and search functionality; performing mortgage pre-check calculations and financial assessments; facilitating communication between you and brokers; managing property transaction cases and document exchange; processing mediation fee payments; providing customer support. This basis applies because processing is necessary to perform our contractual obligations to you under the Terms and Conditions and, where applicable, the Mediation Agreement.

**4.2 Legal obligation -- Article 6(1)(c) GDPR.** Purposes: fulfilling obligations under Dutch law including tax record keeping (AWR Article 52); conducting identity verification; processing BSN for identification purposes (AWR Article 53(3)); maintaining fiscal records for 7 years (AWR Article 52); and responding to lawful requests from authorities, including the Dutch Tax Authority (Belastingdienst) and law enforcement when required by court order. This legal basis cannot be overridden by a data subject's right to erasure or objection during the statutory retention periods.

**4.3 Legitimate interest -- Article 6(1)(f) GDPR.** Purposes: fraud prevention and detection; platform security, abuse prevention, and unauthorized access detection; aggregated analytics for service improvement (using anonymized data); maintaining audit trails for operational integrity; network and information security; defending legal claims. We have conducted a legitimate interest assessment (LIA) for each of these purposes and concluded that our interests do not override your fundamental rights and freedoms. You may request a copy of our LIA via hello@zaminor.com.

**4.4 Consent -- Article 6(1)(a) GDPR.** Purposes: sending marketing communications and newsletters; placing non-essential cookies (analytics, marketing); sharing property preferences with selected third-party partners for promotional purposes; processing biometric data for liveness verification (Article 9(2)(a) GDPR as a special category). You may withdraw consent at any time by contacting us at hello@zaminor.com, using the unsubscribe link in marketing emails, or adjusting your cookie preferences. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

**4.5 Vital interest -- Article 6(1)(d) GDPR.** In exceptional circumstances, we may process personal data to protect the vital interests of a data subject or another natural person. This basis is only invoked in genuine emergencies.

**4.6 Special categories of data.** Biometric data (facial images for liveness verification) constitutes a special category under Article 9 GDPR. We process this data on the basis of your explicit consent (Article 9(2)(a) GDPR).

We use your personal data for the following specific purposes:

**Service delivery:** Providing and maintaining our real estate mediation services, including account management, property matching, mortgage pre-checks, broker coordination, transaction support, and document management.

**Identity verification:** Verifying your identity as part of our client onboarding process for the safety of all parties; maintaining records as required by Dutch law.

**Financial assessment:** Analyzing your financial profile using our mortgage pre-check algorithm to determine indicative borrowing capacity for Spanish and Dubai property markets; generating scenario comparisons; providing cost estimates for property transactions.

**Communication:** Facilitating secure messaging between you, our team, and contracted brokers; sending service-related notifications (transaction updates, document requests, KYC status changes, appointment reminders); responding to support inquiries.

**Platform improvement:** Analyzing aggregated and anonymized usage patterns to improve platform functionality, user experience, and service quality; conducting A/B testing; identifying and resolving technical issues.

**Security:** Detecting and preventing unauthorized access and other security threats; maintaining system integrity.

**Marketing (consent-based only):** Sending newsletters, property alerts matching your preferences, market updates, and promotional offers -- only with your explicit prior consent.

In accordance with Articles 13(2)(f), 14(2)(g), and 22 GDPR, we inform you of the following automated decision-making processes:

**6.1 Mortgage pre-check algorithm.** We use an automated algorithm to calculate your indicative borrowing capacity based on your financial profile data (income, expenses, existing obligations, savings) and market-specific lending rules (Spanish non-resident LTV max 70%, Dubai non-resident LTV max 65%, applicable stress buffers). This algorithm does not produce legally binding decisions. The results are indicative only and do not constitute a mortgage offer, financial advice, or a guarantee of financing. The logic involves standard debt-to-income ratio calculations, loan-to-value assessments, and stress-tested affordability checks based on publicly available market rules.

**6.2 Your rights regarding automated decisions.** No decision with legal or similarly significant effects on you is made solely on the basis of automated processing. All automated outcomes described above are subject to human review. You have the right to: (a) obtain human intervention in any automated assessment; (b) express your point of view regarding any automated outcome; (c) contest any decision influenced by automated processing. To exercise these rights, contact us at hello@zaminor.com.

Zaminor uses artificial intelligence systems in several parts of the platform. In compliance with Regulation (EU) 2024/1689 (the EU AI Act), we disclose the following AI uses and your rights as a user.

**Identity verification (high-risk AI system).** Our identity verification provider Sumsub uses AI for document recognition, liveness detection, and biometric face matching during the KYC flow. Under Article 6 and Annex III of the AI Act, this constitutes a high-risk AI system. Every AI-flagged result is reviewed by a human compliance officer before any decision affects your account. You have the right under Article 26(11) of the AI Act and Article 22 GDPR to request human review of any KYC decision involving AI.

**AI assistant (limited-risk, transparency obligation).** Our customer-facing assistant Donna is an AI system built on third-party large language models (Anthropic Claude). Under Article 50(1) of the AI Act, Donna discloses its AI nature at the start of every conversation and displays a persistent AI badge. You can ask to be connected to a human broker at any time. Donna is intended to provide information; it does not give financial, legal, or tax advice and its responses are not binding on Zaminor. Additional internal review agents operate only within our content pipeline and do not interact with you directly; their output reaches you only through Donna or via content that has been reviewed and published by our editorial team.

**AI-assisted content (Article 50(2) editorial exception).** Some blog posts, glossary entries, market guides, and property descriptions on our platform are drafted with AI assistance and reviewed by our editorial team prior to publication. Editorial responsibility is held by Milad Ahmadi. Where Zaminor relies on the editorial exception under Article 50(2) subparagraph 4 of the AI Act, this is documented in the article metadata.

**No prohibited AI practices.** Zaminor does not use AI for any of the practices prohibited under Article 5 of the AI Act, including subliminal manipulation, exploitation of vulnerabilities, social scoring, real-time biometric identification in public spaces, predictive policing, emotion recognition in the workplace, or untargeted facial image scraping.

**Your AI rights.** You have the right to: (a) be informed when you are interacting with an AI system; (b) request human review of any AI-involved decision affecting you; (c) object to fully automated decision-making under Article 22 GDPR; (d) lodge a complaint with the Dutch market surveillance authority (Autoriteit Persoonsgegevens for AI involving personal data; Rijksinspectie Digitale Infrastructuur for other AI matters once designated).

We share your personal data only when necessary for the purposes described in this policy and with appropriate legal safeguards. We do not sell your personal data to third parties. The following categories of recipients may receive your data:

**7.1 Identity verification provider (Sumsub).** Sumsub B.V. processes identity verification data (ID document scans, selfie images, liveness check data) as a data processor on our behalf under a Data Processing Agreement (DPA). Processing is limited to identity verification and liveness checks. Sumsub processes data within the EU/EEA but may use sub-processors outside the EEA, protected by Standard Contractual Clauses (SCCs) and supplementary measures.

**7.2 Real estate brokers.** When you express interest in a specific property or request broker mediation, we share relevant data (name, contact details, property preferences, financial capacity summary) with licensed local brokers in Spain and/or Dubai. Brokers in Spain operate under the GDPR directly. Brokers in Dubai receive data protected by SCCs. Data sharing with brokers is based on contract performance (Article 6(1)(b) GDPR) and you are notified before any data is shared.

**7.3 Property data provider (Casafari).** Casafari provides property listing data to our platform through their API. We receive property data from Casafari; we do not share your personal data with Casafari. Casafari operates as an independent controller for any data they collect through their own services.

**7.4 Payment processor (Stripe).** Stripe Payments Europe, Ltd. (Ireland) processes payment data (name, email, payment card or iDEAL bank details) for mediation fee transactions. Stripe acts as an independent controller for payment processing under their own privacy policy and as a processor for certain data under our DPA. Stripe is certified under the EU-US Data Privacy Framework.

**7.5 Hosting and infrastructure.** Our platform backend is hosted on Render.com (Render Services, Inc.) using their EU region (Frankfurt, Germany). Application data, including encrypted databases, is stored within the EU. Render is certified under the EU-US Data Privacy Framework and ISO/IEC 27001:2022, and we have executed a DPA with Render. Authentication is handled by Laravel Sanctum with encrypted token-based sessions. Database hosting is provided by Render.com (PostgreSQL, Frankfurt data centre, EU region).

**7.6 Mortgage partners and financial institutions.** When you request a formal mortgage application (beyond the indicative pre-check), we share financial profile data with mortgage providers in the relevant jurisdiction. This sharing requires your explicit, informed consent and is governed by a separate Mediation Agreement.

**7.7 Legal advisors, notaries, and escrow agents.** Relevant case data may be shared with notaries, legal counsel, and escrow agents in the Netherlands, Spain, or Dubai to facilitate property transactions. This sharing is based on contract performance and occurs within the scope of your active transaction.

**7.8 Regulatory and judicial authorities.** We may disclose personal data to the Dutch Tax Authority (Belastingdienst) as required by law, and to law enforcement when required by court order. We may also disclose data to the Autoriteit Persoonsgegevens (Dutch DPA) upon lawful request, and to other EU/EEA regulatory authorities with competent jurisdiction.

**7.9 Analytics providers.** Umami (self-hosted, EU) is used for aggregated, anonymized usage analytics. Umami is a privacy-first, cookieless analytics solution that does not process personal data or create individual user profiles. No consent is required for Umami analytics. See our Cookie Policy for details.

As a cross-border real estate mediation platform operating across the Netherlands, Spain, and Dubai, certain transfers of personal data outside the European Economic Area (EEA) are necessary. We ensure that all such transfers comply with Chapter V of the GDPR (Articles 44-49).

**8.1 Transfers within the EEA.** The majority of your data is processed within the EEA. Our primary hosting (Render.com Frankfurt) and core operations are EU-based. Transfers to Spain-based brokers do not require additional safeguards as Spain is within the EEA.

**8.2 Transfers to the United States.** Certain sub-processors (Stripe, Render parent entity) are US-based companies. These transfers are protected by: (a) the EU-US Data Privacy Framework (DPF) adequacy decision of 10 July 2023, where the recipient is DPF-certified (Render and Stripe are DPF-certified); and (b) Standard Contractual Clauses (SCCs) approved by European Commission Implementing Decision (EU) 2021/914, maintained as a supplementary safeguard alongside DPF certification. We note that the DPF adequacy decision was upheld by the General Court in September 2025; however, an appeal has been filed before the Court of Justice of the EU (CJEU) by NOYB in October 2025. Should the DPF be invalidated, our SCCs and supplementary technical measures (encryption in transit and at rest, pseudonymization) will serve as the primary transfer mechanism.

**8.3 Transfers to the United Arab Emirates (Dubai).** When you engage with the Dubai property market, relevant transaction data is shared with Dubai-based brokers and local service providers. The UAE does not have an EU adequacy decision. All transfers are protected by: (a) Standard Contractual Clauses (SCCs) executed with each Dubai-based recipient; (b) supplementary technical measures including end-to-end encryption of data in transit, AES-256 encryption at rest, and data minimization (only data strictly necessary for the transaction is transferred); and (c) a Transfer Impact Assessment (TIA) conducted for each data flow to the UAE, evaluating the legal framework, government access risks, and effectiveness of supplementary measures.

**8.4 Transfer Impact Assessments.** We conduct and maintain Transfer Impact Assessments (TIAs) for all cross-border data flows outside the EEA, in accordance with EDPB Recommendations 01/2020. TIAs are reviewed annually or when there is a material change in the legal framework of the recipient country. Copies of our TIAs are available upon request via hello@zaminor.com.

The following sub-processors process personal data on our behalf under a Data Processing Agreement. We maintain an up-to-date register of sub-processors and will notify you of material changes at least 30 days in advance:

| Sub-processor | Purpose | Data processed | Location | Transfer mechanism | | --- | --- | --- | --- | --- | | Render Services, Inc. | Application hosting, database | All platform data | EU (Frankfurt) | SCCs | | Sumsub B.V. | Identity verification, liveness check | ID documents, selfies, biometric data (temporary) | EU (sub-processors may be outside EEA) | SCCs + supplementary measures | | Stripe Payments Europe, Ltd. | Payment processing (mediation fees) | Name, email, payment details | Ireland (EU); parent entity US | DPF + SCCs | | Umami (self-hosted) | Web analytics (anonymized) | Anonymized usage data (no personal data processed) | EU (Frankfurt) | Intra-EEA | | Enable Banking Oy | PSD2 open banking data aggregation | Bank account data, transaction history | Finland (EU) | Intra-EEA |

Changes to this sub-processor list will be communicated via email notification to registered users. If you object to a new sub-processor, you may terminate your account in accordance with Section 10 of our Terms and Conditions.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

**10.1 Identity verification data** (ID document copies, selfie verification results, proof of address, source of funds documents): **5 years** after the end of the business relationship or the date of the last transaction, whichever is later. Legal basis: Dutch law. This data cannot be deleted upon request during the statutory retention period.

**10.2 BSN (Burgerservicenummer):** **5 years** after the end of the business relationship. Legal basis: Dutch law in conjunction with AWR Article 53(3). Encrypted at the column level. Cannot be deleted upon request during the retention period.

**10.3 Financial profile data** (income records, bank statements, mortgage pre-check inputs and outputs): **5 years** after the end of the business relationship. Legal basis: Dutch law. Data used solely for mortgage pre-check purposes is deleted upon account closure.

**10.4 Transaction and fiscal records** (mediation fee invoices, payment records, transaction correspondence, VAT records): **7 years** from the end of the fiscal year in which the transaction occurred. Legal basis: AWR Article 52 (Dutch fiscal retention obligation). For records relating to immovable property specifically: **10 years** (AWR Article 52(4)).

**10.5 Account data** (name, email, phone, address, preferences): Duration of the active account **plus 2 years** after account closure or termination. The 2-year post-closure period serves to address any pending disputes, chargebacks, or legal claims. After 2 years, data is deleted unless a longer retention period applies under another category.

**10.6 Communication records** (platform messages, email correspondence, support tickets): **3 years** after the last interaction or account closure, whichever is later. Call recordings (where consent was given) are retained for 2 years.

**10.7 Marketing and consent data** (email preferences, consent records, newsletter subscription): Marketing preferences are deleted immediately upon withdrawal of consent. Consent records (proof that consent was given or withdrawn) are retained for **5 years** as evidence of compliance with GDPR Article 7(1).

**10.8 Usage and analytics data:** Anonymized within **26 months** of collection. Anonymized and aggregated data (which no longer constitutes personal data) may be retained indefinitely for statistical and research purposes.

**10.9 Biometric data** (liveness verification templates): Deleted **immediately** upon completion of the identity verification check. We do not store biometric templates. Sumsub, our identity verification provider, deletes biometric data in accordance with their DPA and retention policy.

**10.10 Security logs** (authentication events, access logs, audit trails): **2 years** from the date of the event, for security monitoring and incident investigation purposes.

After the applicable retention period expires, personal data is securely deleted using industry-standard methods (cryptographic erasure for encrypted data, secure overwrite for unencrypted data) or irreversibly anonymized. We conduct periodic data retention audits to ensure compliance with these schedules.

Under the GDPR and the UAVG, you have the following rights regarding your personal data. You may exercise these rights free of charge, subject to the limitations described below:

**11.1 Right of access (Article 15 GDPR).** You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to receive a copy of that data together with information about the purposes of processing, the categories of data, the recipients, the retention periods, and the source of the data. We will provide the information in a commonly used electronic format (PDF or JSON) within 30 days of your request.

**11.2 Right to rectification (Article 16 GDPR).** You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay. For identity verification data, corrections may require submission of updated identity documents to maintain accuracy.

**11.3 Right to erasure (Article 17 GDPR).** You have the right to request deletion of your personal data when: (a) the data is no longer necessary for the purpose for which it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) erasure is required by law. **Important limitation:** We cannot erase identity verification data, BSN data, transaction records, or fiscal records during the statutory retention periods mandated by the AWR (Article 52) and other applicable Dutch law. If you request erasure during these periods, we will restrict processing to the minimum required by law and delete the data as soon as the retention period expires.

**11.4 Right to restriction of processing (Article 18 GDPR).** You have the right to request restriction of processing when: (a) you contest the accuracy of the data (during the verification period); (b) the processing is unlawful but you oppose erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of our legitimate grounds.

**11.5 Right to data portability (Article 20 GDPR).** You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller without hindrance. This right applies to data processed on the basis of consent or contract performance and processed by automated means. Identity verification data processed under legal obligation is excluded from portability.

**11.6 Right to object (Article 21 GDPR).** You have the right to object to processing based on legitimate interests (Article 6(1)(f)) at any time, on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes at any time, without needing to provide a reason.

**11.7 Right to withdraw consent (Article 7(3) GDPR).** Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

**11.8 Right not to be subject to automated decision-making (Article 22 GDPR).** You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. As described in Section 6, all our automated processes are subject to human oversight. You may request human intervention, express your point of view, and contest any automated outcome.

**11.9 Right to lodge a complaint.** You have the right to lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) if you believe that the processing of your personal data infringes the GDPR or UAVG. Contact: Autoriteit Persoonsgegevens, Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands (autoriteitpersoonsgegevens.nl).

**Exercising your rights.** To exercise any of these rights, contact us at hello@zaminor.com or write to Zaminor B.V. (i.o.), Attn: Privacy, Netherlands. We will verify your identity before processing any request. We will respond within 30 days. If your request is complex or we receive a large number of requests, we may extend this period by up to 60 additional days (90 days total), and we will inform you of any extension within the initial 30-day period. Requests are free of charge unless manifestly unfounded or excessive (Article 12(5) GDPR).

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Our security measures include:

**Technical measures:** TLS 1.3 encryption for all data in transit; AES-256 encryption at rest for all stored data; column-level encryption using pgcrypto for highly sensitive PII (BSN, bank account numbers, ID document storage URLs, selfie URLs); secure key management with key rotation; role-based access control (RBAC) with principle of least privilege; multi-factor authentication (MFA) for all staff and administrative access; Web Application Firewall (WAF) and DDoS protection; automated vulnerability scanning and regular penetration testing; secure software development lifecycle (SSDLC) with security code reviews.

**Organizational measures:** Data Protection Impact Assessments (DPIAs) for high-risk processing activities (identity verification processing, cross-border transfers, automated decision-making); staff data protection training and confidentiality agreements; clear desk and clear screen policies for staff handling personal data; vendor security assessments and DPA reviews for all sub-processors; incident response procedures aligned with GDPR Article 33/34 notification requirements; regular internal and external security audits; access logging and monitoring with anomaly detection; documented data classification and handling procedures.

**Pseudonymization:** Where technically feasible, we apply pseudonymization to reduce the risks of processing personal data. Internal analytics use pseudonymized or anonymized datasets. Production data is never used in test or development environments.

In the event of a personal data breach as defined in Article 4(12) GDPR, we follow a documented incident response procedure:

**Supervisory authority notification (Article 33 GDPR).** We will notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

**Data subject notification (Article 34 GDPR).** If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in clear and plain language, describing the nature of the breach, the likely consequences, the measures we have taken, and how you can mitigate potential adverse effects.

**Breach register.** We maintain a register of all personal data breaches, regardless of whether they meet the notification threshold, in accordance with Article 33(5) GDPR.

We use cookies and similar technologies on our platform. Our use of cookies is governed by the Dutch Telecommunicatiewet (Article 11.7a), which implements the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), and the GDPR for consent management.

For detailed information about the cookies we use, their purposes, retention periods, and how to manage your preferences, please see our Cookie Policy, accessible via the footer of every page on our platform.

Our Services are directed exclusively at individuals aged 18 and over. We do not knowingly collect or process personal data from children under the age of 18. The real estate mediation services we provide inherently require users to have legal capacity to enter into property transactions.

If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete that data and terminate the associated account. If you believe that we have collected data from a minor, please contact us at hello@zaminor.com.

In accordance with Article 35 GDPR, we have conducted Data Protection Impact Assessments (DPIAs) for the following high-risk processing activities:

- Identity verification processing (including biometric liveness checks) - Automated financial profiling and mortgage pre-check calculations - Cross-border data transfers to the UAE (Dubai broker network) - PSD2 open banking data aggregation and financial analysis

DPIAs are reviewed and updated annually or whenever there is a significant change to the processing activity. Summaries of our DPIAs are available upon request via hello@zaminor.com.

We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. We will not reduce your rights under this policy without your explicit consent.

**Material changes** (changes to legal bases, new categories of data, new recipients, changes to retention periods, or changes affecting your rights) will be communicated via email to your registered email address and via an in-platform notification at least 30 days before they take effect. The notification will clearly describe the changes and their impact.

**Non-material changes** (clarifications, formatting, updated contact details) may be made at any time, with the "Last Updated" date revised accordingly.

If you do not agree with a material change, you may exercise your right to erasure (subject to legal retention obligations) and terminate your account before the effective date of the change. Continued use of the Services after the effective date constitutes acceptance of the revised policy.

This Privacy Policy is governed by the laws of the Netherlands. Any disputes arising from or in connection with this policy shall be subject to the exclusive jurisdiction of the competent courts of The Hague, the Netherlands, without prejudice to your right to lodge a complaint with the Autoriteit Persoonsgegevens or to invoke the jurisdiction of the courts in your place of habitual residence if you are an EU consumer (Article 79(2) GDPR).

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices:

**Privacy contact** Email: hello@zaminor.com Postal: Zaminor B.V. (i.o.), Attn: Privacy, Netherlands

**General inquiries** Email: hello@zaminor.com Website: zaminor.com/contact

**Supervisory Authority** Autoriteit Persoonsgegevens Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands Telephone: +31 70 888 8500 Website: autoriteitpersoonsgegevens.nl