Privacy Policy

Privacy Policy

Last updated: 20^th Jan 2026

1. Legal Framework

This Privacy Policy is drafted in accordance with:

• Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), and
• Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).

2. Joint Data Controllers

Personal data collected through this website is jointly controlled by:

CHIORO ITG, S.L.U.
C/ Canarias, 37, Edificio CETIS, Torre 4, Pta. 4ª
07800 Ibiza, Illes Balears, Spain

and

FIVE Holdings DIFC Limited
Unit 208, Level 1, Gate Avenue – South Zone
Dubai International Financial Centre, Dubai, United Arab Emirates

Both entities jointly determine the purposes and means of processing personal data, particularly in relation to customer communications, apartment sales, and marketing activities.

3. Allocation of Responsibilities (Article 26 GDPR)

CHIORO ITG, S.L.U. acts as the primary point of contact for data subjects in the European Union.

Data subjects may exercise their rights against either joint controller, without prejudice to internal arrangements.

4. Data Protection Officer (DPO)

Contact details: lopd@pacha.com

‍

5. Categories of Personal Data Processed

Depending on the nature of your interaction, we may process the following categories of personal data:

5.1 Standard Personal Data

• Name and surname
• Email address
• Phone number
• Postal address
• Communication content

5.2 Identification & Legal Compliance Data

(Collected only where required)

• Passport copy
• National identity card
• Residency or visa information
• Tax identification number
• Nationality

This data is collected solely for:

• Apartment purchase procedures
• Legal, regulatory, and governmental requirements
• Notarial, land registry, and compliance obligations

5.3 Technical Data

• IP address
• Browser and device data
• Website usage analytics

6. Purposes and Legal Basis of Processing

Purpose

Legal Basis

Responding to enquiries

Art. 6(1)(b) GDPR

Apartment sales & purchase procedures

Art. 6(1)(b) GDPR

Compliance with legal & governmental obligations

Art. 6(1)(c) GDPR

Marketing communications

Art. 6(1)(a) GDPR – explicit consent

Website analytics

Art. 6(1)(a) GDPR

Security & fraud prevention

Art. 6(1)(f) GDPR

7. Marketing Communications

Marketing communications via email, WhatsApp, SMS, or phone calls are carried out only where explicit opt-in consent has been provided through an unticked checkbox.

Consent may be withdrawn at any time by sending an email at lopd@pacha.com.

8. Data Retention

• Enquiries & prospects: up to 12 months
• Apartment purchase records: as required by Spanish law
• Identification documents: only for legally mandated retention periods
• Marketing data: until consent withdrawal
• Logs & security data: up to 12 months

9. Data Recipients

Personal data may be disclosed to:

• Authorised personnel of the joint controllers
• Group teams in the UAE (marketing, IT, customer support)
• Notaries, land registries, banks
• Tax, immigration, and other public authorities
• Professional advisers (legal, compliance)

All disclosures are limited to what is strictly necessary.

10. International Access and Transfers

Data is hosted within the European Union.

Where access occurs from the UAE, appropriate safeguards under Articles 44–49 GDPR are applied, including Standard Contractual Clauses (SCCs) and additional safeguards.

11. Cookies

Essential cookies and Google Analytics cookies are used, with analytics cookies activated only after user consent via the cookie banner.

12. Data Subject Rights

You have the right to:

• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Withdraw consent (where applicable)

Requests: lopd@pacha.com

13. Complaints

You may lodge a complaint with:

Spanish Data Protection Authority (AEPD)
https://www.aepd.es

14. Security Measures

Enhanced technical and organisational measures are applied to identification documents, including restricted access, encryption, secure storage, and confidentiality obligations.

15. Changes

This policy may be updated to reflect legal or operational changes. Data subjects will be notified of any material changes to this Privacy Policy.