GDPR compliance summary for CasaConnect.
GDPR & AI Governance Framework: CasaConnect
Document Status: Final (2026 Launch Version)
Parent Entity: Thinkable Holdings Inc. (Delaware, USA)
1. Governance & Corporate Identity
CasaConnect is a trade name of Thinkable Holdings Inc. We operate under a "Privacy by Design" mandate, ensuring that all AI-driven automation for the Spanish real estate market complies with:
- EU GDPR (Regulation 2016/679)
- Spanish LOPDGDD (Organic Law 3/2018)
- EU AI Act 2024/2026 (Transparency and Risk requirements)
2. Representation in the European Union (Art. 27)
Because Thinkable Holdings Inc. is established in Delaware but processes the data of Spanish residents, we have appointed a formal representative in Spain to act as a point of contact for the AEPD and local data subjects.
- Appointed EU Representative: [Insert Name of EU Rep Service, e.g., European Data Rep SL]
- Jurisdiction: Madrid, Spain
- Role: Pursuant to Art. 27 GDPR, our representative is authorized to be addressed in addition to, or instead of, Thinkable Holdings Inc. on all issues related to data processing.
3. The "AI Transparency" Logic (EU AI Act & Art. 13 GDPR)
In compliance with the EU AI Act (2026) and Article 13 of the GDPR, we provide full disclosure regarding the automated systems used:
- Algorithmic Disclosure: We use Large Language Models (LLMs) to qualify leads based on intent, budget, and location.
- No High-Risk Automated Decisions: Our AI does not make decisions that produce legal effects (e.g., credit scoring or rental rejection). It produces a Qualification Score and summary for the Agency’s review.
- The "Human-in-the-Loop" Requirement: Our technical architecture prevents the AI from signing contracts or making binding offers. All final real estate actions must be triggered by a verified human user of the Agency.
4. International Data Transfers & Sovereignty
To bridge the "Delaware Gap," we utilize a tiered sovereignty approach:
- EU-U.S. Data Privacy Framework (DPF): Thinkable Holdings Inc. is self-certified under the DPF. This allows for the "adequate" transfer of account data and processing flows to the US.
- Data Residency: All Lead Data and conversation history are stored at rest within the AWS eu-central-1 (Frankfurt) region.
- Transient Processing: For AI qualification, data may be processed by US-based APIs (e.g., OpenAI/Anthropic). These flows are protected by Zero Data Retention (ZDR) agreements, ensuring Spanish citizen data is never used to train foundational AI models.
5. Spanish Digital Rights (ARCO-POL+)
Beyond standard GDPR rights, we provide specific tools for Spanish "Digital Rights" (LOPDGDD):
- Right to Human Intervention: Leads can trigger a "Bypass AI" command at any time to speak with a human agent.
- Right to Erasure (ARCO): We provide a one-click "Right to be Forgotten" toggle in the Agency dashboard to delete lead records across WhatsApp logs and databases.
- Right to Disconnection: The platform supports business-hour muting to comply with Spanish labor laws regarding digital disconnection.
6. Security & Technical Oversight
- Encryption: TLS 1.3 for data in motion and AES-256 for data at rest.
- Auditability: We maintain a ROPA (Record of Processing Activities) for every client, documenting the data lifecycle from Meta Lead Ad to AI Qualification.
- Breach Protocol: In the event of a data incident, Thinkable will notify the Controller (the Agency) within 48 hours, facilitating their mandatory 72-hour report to the AEPD.