Privacy Policy – Costa Finance Group

1. Identity of the data controller

Costa Finance Group S.L. (hereinafter: “CFG”), established in Spain, is the data controller for the processing of personal data.

CFG processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Spanish LOPDGDD 3/2018.

Contact:

Calle Vendeja 40
29001 Malaga
info@costafinancegroup.com
+34 650 70 99 80

2. Categories of personal data

CFG may process the following data:

  • Identification data (name, date of birth)
  • Contact details (telephone, email, address)
  • Financial data (income, assets, liabilities)
  • Company data
  • Technical data (IP address, browser, website behaviour)

3. Purposes and legal bases (matrix)

CFG processes personal data only on the basis of specific purposes and corresponding legal bases:

Purpose | Legal basis
Handling contact requests and quotation requests | Pre-contractual measures (Art. 6(1)(b) GDPR)
Assessment of financing options | Pre-contractual
Performance of agreements | Contractual necessity
Legal and tax obligations | Legal obligation
Security, fraud prevention, legal claims | Legitimate interest
Marketing communications | Consent (or soft opt-in in accordance with the LSSI)

Where CFG relies on legitimate interest, this interest is explicitly balanced against the privacy rights of data subjects.

4. Recipients of personal data

CFG shares personal data only with parties that are necessary for the performance of its services.

This includes categories such as:

  • Banks and mortgage providers
  • Private financiers and investors
  • Appraisers
  • Notaries
  • Lawyers and legal advisers
  • Compliance and financial advisers
  • Real estate professionals
  • IT, hosting, CRM and email service providers

CFG does not publish a public list of partners.

If data is shared with a specific external party that acts as an independent data controller, CFG will inform the data subject of this before or, at the latest, at the time of the transfer.

5. International transfers

If personal data is processed outside the European Economic Area (EEA), CFG ensures appropriate safeguards, such as:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions of the European Commission

6. Retention periods

CFG applies specific retention periods:

  • Leads without follow-up: maximum 12 months
  • Active files: for the duration of the file + 5 years
  • Closed files: 5–10 years (depending on liability)
  • Tax data: at least 7 years (legally required)
  • Log and website data: maximum 12 months

After these periods, data will be deleted or — where legally required — blocked (bloqueo de datos) and retained solely for legal purposes.

7. Profiling and automated decision-making

CFG may use data for:

  • Lead scoring
  • Analysis of behaviour and preferences
  • Selection of financing options
  • Risk assessment

CFG does not make decisions based solely on automated processing that have legal effects without appropriate safeguards.

8. Source of the data

If personal data has not been obtained directly from the data subject, CFG may receive it via:

  • Partners
  • Public registers
  • External data sources

9. Rights of data subjects

Data subjects have the right to:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Objection
  • Data portability

Requests can be submitted via: info@costafinancegroup.com

In addition, you have the right to lodge a complaint with:

Agencia Española de Protección de Datos (AEPD)

10. Withdrawal of consent

Where processing is based on consent, consent may be withdrawn at any time.

11. Security

CFG takes appropriate technical and organisational measures to protect personal data against loss, misuse and unauthorised access.

12. Minors

CFG does not process personal data of minors without the consent of a parent or legal representative.

13. Cookies

CFG uses cookies and tracking technologies.

Non-essential cookies are placed only after explicit consent.

14. Changes

CFG reserves the right to amend this privacy policy.

The most current version is always available on the website.