Skip to content
Legal

Privacy Policy

Last updated: April 2026

1. Introduction and Data Controller

Alteum, operated by Cheryx S.R.L., legal identification number 3-102-XXXXXX, domiciled in San Jose, Costa Rica ("we", "the platform", "the controller"), is committed to protecting the privacy of all its users. This policy describes how we collect, use, store, share, and protect personal information when you use our real estate portal (alteumcr.com) and associated services, including communication via WhatsApp.

We comply with Costa Rica's Law on the Protection of Individuals with Regard to the Processing of Their Personal Data (Law 8968) and its regulations (Executive Decree 37554-JP). Our databases are registered with the Agency for the Protection of the Inhabitants' Data (PRODHAB) in accordance with Article 13 of said law. We additionally adopt principles from the European Union's General Data Protection Regulation (GDPR) and Brazil's General Data Protection Law (LGPD) as best practice standards.

This policy applies to all platform users: visitors, buyers, investors, property owners, tenants, associated agents (operators), maintenance providers, and any person who interacts with our services.

General purpose of the databases: to manage real estate brokerage, property administration, client communications, commission calculations, and compliance with legal and tax obligations.

2. Data We Collect

2.1 Visitors and buyers

  • Contact forms: name, email address, phone number, message, property of interest
  • Prospect registration: name, email, search criteria (property type, location, budget)
  • Favorites and comparisons: stored locally in your browser, not on our servers

2.2 Property owners

  • Personal data: full name, national ID or identification number, email, phone, address
  • Property data: location, features, photos, legal documents, property registration number
  • Contractual data: exclusivity agreement, sale/rental conditions, minimum price
  • Financial data: bank account for deposits (when property management applies)

2.3 Tenants and lessees

  • Application data: name, national ID, email, phone, employment, references
  • Background verification: background check results (with express consent)
  • Contract data: lease terms, deposit, expiration date
  • Communications: maintenance requests, inquiries, payment receipts sent via WhatsApp
  • Surveys: satisfaction survey responses (NPS)

2.4 Associated agents (operators)

  • Registration: name, email, phone, profile photo, professional biography, languages, specialties
  • Operator data: national ID, date of birth, physical address, bank account
  • Performance data: transactions, accumulated GCI, level, badges, satisfaction score
  • Mentorship data: assigned mentor, start date, mentee progress
  • Sessions: login history, devices, IP address
  • Profile photo: original image and AI-retouched options

2.5 Maintenance providers

  • Registration: name or business name, phone, email, specialty, coverage area
  • History: quotes, completed work, rating

2.6 Automatically collected data (all users)

  • Browsing: pages visited, time on page, searches, image gallery interactions
  • Device: type, operating system, browser, screen resolution
  • Approximate location: truncated IP (last octets anonymized), browser language
  • Analytics: aggregated conversion funnel data (impressions, visits, gallery, contact)

2.7 Data requirement (Art. 5, Law 8968)

Depending on the type of relationship with the platform, some data is mandatory and some is optional:

  • Contact forms: name and email or phone are mandatory to respond to your inquiry. The message is mandatory. Failure to provide this data prevents the agent from contacting you.
  • Agent registration: name, national ID, email, phone, and contract signature are mandatory. Failure to provide them prevents registration as an associated agent. Profile photo and biography are optional but recommended.
  • Property owners: identification data, property data, and contract signature are mandatory to list the property. Failure to provide them prevents publication.
  • Tenants: identification and employment data are mandatory for the application. Background verification requires separate express consent; refusal may result in application rejection by the property owner.
  • Prospects: email is mandatory to receive alerts. You may cancel at any time.

2.8 Sensitive data (Art. 9, Law 8968)

Alteum does not collect or process sensitive data as defined by Article 9 of Law 8968: racial or ethnic origin, political opinions, religious or spiritual beliefs, trade union membership, health data, sexual orientation, socioeconomic data, or biometric or genetic data. If we inadvertently receive sensitive data (for example, in a WhatsApp message), it will be deleted from our records.

2.9 Data we do NOT collect

  • Credit or debit card data (we do not process online payments)
  • Biometric data (fingerprints, facial recognition)
  • Credit history (background checks are performed by authorized third parties)
  • Information about minors
  • Health data

3. How We Use Your Data

3.1 Service operation

  • Connect buyers and tenants with agents and properties
  • Manage the sale, rental, and property administration process
  • Process tenant applications and background checks
  • Calculate and distribute commissions among associated agents
  • Manage contracts, electronic signatures, and legal documentation
  • Administer maintenance requests and coordinate providers

3.2 Communications

  • Notifications of new leads and prospects to agents
  • Property alerts to registered prospects
  • Rent payment reminders to tenants
  • Automated lead and post-visit follow-up
  • Account, contract, and transaction confirmations
  • Service updates and changes to terms/policies

3.3 Artificial intelligence

  • Automatic classification of WhatsApp inquiries
  • Generation of SEO-optimized property descriptions
  • Photo retouching for properties and agents
  • Calculation of compatibility scores (matching) between prospects and properties
  • Detection of demand patterns and acquisition opportunities
  • Sentiment analysis in conversations (aggregated data)

3.4 Metrics and analysis

  • Performance metrics for agents: visits, leads, conversion, satisfaction
  • Market reports and demand patterns (aggregated and anonymous data)
  • Portal improvement: experience, performance, and feature optimization

3.5 Security and compliance

  • Fraud detection and prevention
  • Prevention of unauthorized access
  • Activity audit and regulatory compliance
  • KYC (Know Your Customer) verifications per SUGEF regulations when applicable

We do not sell your personal data to third parties. We never have and we never will.

4. Data Sharing

We share personal data only in these cases:

4.1 Between platform users

  • Buyer/Prospect → Agent: when you submit a contact form or initiate communication, your data is shared with the responsible agent
  • Tenant → Property owner: application data and background check results for approval
  • Tenant → Provider: property address and problem description for approved repairs
  • Agent → Agent: coverage information in shared transactions between agents

4.2 Technology service providers

  • Hosting and CDN: server infrastructure and content distribution
  • S3 Storage: property photographs and documents (encrypted at rest)
  • Transactional email: sending notifications and alerts
  • WhatsApp Business API: client communication via messaging
  • AI Services: natural language processing and image retouching
  • Web analytics: aggregated and anonymous usage data

All providers process data solely according to our instructions and are subject to confidentiality agreements.

4.3 Legal obligation

When required by Costa Rican law, a court order, or a request from a competent regulatory authority (SUGEF, Ministry of Finance).

5. WhatsApp Communications

By communicating with Alteum through WhatsApp, you agree that:

  • Your messages are processed by artificial intelligence agents to classify your inquiry and provide a response
  • Conversation history is stored for service continuity and auditing
  • Documents sent (photos, PDFs) are stored on our secure servers
  • Confidential information (minimum prices, other clients' data) will never be disclosed by AI agents
  • You may request human assistance at any time
  • Automatic reminders (rent, follow-up) are part of the service

6. Cookies and Local Storage

  • Strictly necessary: authentication (JWT), language preferences, session. No consent required.
  • Functional: favorites (localStorage), light/dark theme, search preferences, onboarding status
  • Analytics: aggregated data on portal usage. Only activated with explicit consent.
  • Service Worker: local cache for partial offline functionality and push notifications. Only caches same-origin content.

We do not use marketing cookies, third-party advertising, or cross-site tracking.

7. Data Security

We implement the following measures:

  • Transport: HTTPS encryption (TLS 1.3) on all communications
  • Passwords: stored with bcrypt (cost factor of 12 or greater, never in plain text)
  • Authentication: JWT tokens with short expiration, refresh tokens in Redis, anti brute-force protection with temporary lockout
  • Sensitive data: minimum prices protected with 5 security layers (pre-LLM, prompt, post-LLM, backend, DB)
  • PII: national IDs filtered from AI prompts, audit logs without direct emails/phones/IPs
  • Chat: sanitized messages (HTML strip), rate limiting, private DMs
  • CSP: Content Security Policy restricting allowed origins for scripts, styles, and connections
  • Audit: complete logging of access, modifications, and critical actions
  • Backups: daily backups with 30-day retention
  • 2FA: two-factor authentication available with trusted devices

8. Your Rights

All users have the right to:

  • Access: request a copy of all your stored personal data
  • Rectification: correct inaccurate or incomplete data
  • Deletion: request deletion of your account and personal data ("right to be forgotten"). Published properties will be anonymized for historical integrity. Transaction records will be retained per tax requirements.
  • Portability: receive your data in a machine-readable format (JSON/CSV)
  • Objection: refuse the processing of your data for specific purposes
  • Revocation: withdraw your consent for analytics cookies, prospect alerts, or marketing communications at any time
  • Restriction: request that processing of your data be limited while a dispute is resolved

To exercise any of these rights, contact us. In accordance with Article 7 of Law 8968, we will resolve your request free of charge within a maximum period of five (5) business days. If you do not receive a response within that period, you may file a rights protection procedure with PRODHAB.

8.1 Specific rights for associated agents

In addition to general rights, agents may: download their transaction history, request a commission report, and access their performance metrics from the dashboard.

8.2 Specific rights for property owners

Property owners may request at any time: removal of their property from the platform, modification of marketing terms, and an activity report for their property (visits, leads, offers).

8.3 Specific rights for tenants

Tenants may request: a copy of their contract, payment history, maintenance request history, and post-contract data deletion (subject to legal retention).

9. Data Retention

  • Active accounts (agents): data retained while the account is active
  • Deleted accounts: personal data deleted within 30 days. Transaction records retained per tax requirements (5 years).
  • Leads and prospects: contact data retained 24 months from last interaction. Automatic disposal after 30 days of total inactivity.
  • Property owners: data retained during the contract period and 5 years thereafter (tax requirement)
  • Tenants: data retained during the contract and 24 months post-termination
  • Providers: data retained while active in the catalog
  • WhatsApp conversations: retained 24 months for service continuity
  • Audit logs: retained 12 months (legal requirement)
  • Analytics: anonymized data retained indefinitely
  • Signed contracts: retained 10 years (Costa Rican legal requirement)

10. Consent (Art. 5, Law 8968)

In accordance with Article 5 of Law 8968, the processing of your personal data requires your free, specific, informed, and unambiguous consent. You grant this consent:

  • Upon registration: by creating an account you accept this policy and the terms of use
  • Upon submitting forms: by completing and submitting a contact or application form
  • Upon communicating via WhatsApp: by initiating a conversation with our number
  • Upon signing contracts: contracts include specific data processing clauses

You may revoke your consent at any time through our contact form. Revocation does not affect the lawfulness of processing carried out prior to the revocation.

11. International Transfers (Art. 14, Law 8968)

Data may be processed on servers located outside of Costa Rica through our cloud infrastructure providers. In accordance with Article 14 of Law 8968:

  • International transfers are carried out only with your explicit authorization, granted upon accepting this policy
  • Recipient providers comply with protection standards equivalent to Law 8968
  • They are subject to data processing agreements that protect your information
  • Data is not transferred to countries that do not offer adequate levels of protection without additional safeguards

12. Minors

Alteum is not directed at individuals under 18 years of age. We do not intentionally collect data from minors. If we detect an account or registration from a minor, we will proceed to delete it and its associated data immediately.

13. Security Incident Notification

In the event of a security breach that compromises personal data, Alteum will:

  • Notify affected users within 72 hours of discovery
  • Inform the Agency for the Protection of the Inhabitants' Data (PRODHAB) as required by law
  • Detail: the nature of the incident, data affected, measures taken, and recommendations for the user

14. Changes to This Policy

We reserve the right to update this policy. Significant changes will be notified to registered users by email at least 15 days in advance. The "last updated" date at the beginning of this document reflects the current version.

15. Contact and Data Protection Authority

For inquiries about privacy or data protection:

  • Company: Cheryx S.R.L.
  • Portal: alteumcr.com
  • Location: San Jose, Costa Rica
  • Contact: contact form

If you believe your rights have not been adequately addressed, you may file a complaint with the Agency for the Protection of the Inhabitants' Data (PRODHAB) of Costa Rica: prodhab.go.cr