Privacy policy
Last updated: 10 June 2026
Company number: [COMPANY NUMBER] · Data Protection Officer: [DPO CONTACT]
Supervisory authority (intended): [REGULATOR] · National DPA: see country annex.
1. Introduction
This Privacy Policy explains how Maisonflex collects, uses, shares and protects your personal data when you use our website, applications, simulators, customer dashboard and any related services (the "Platform"), and when you apply for or hold a Maisonflex product. It is issued under the EU General Data Protection Regulation 2016/679 ("GDPR") and equivalent national legislation in the country in which the relevant Local Entity is established.
2. Controller
The data controller is the Local Entity that operates the Platform in your country of residence and/or contracts with you. Examples of Local Entities (subject to authorisation): Maisonflex España, S.A. · Maisonflex France SAS · Maisonflex Deutschland GmbH · Maisonflex Italia S.p.A. · Maisonflex Portugal, S.A.
Where multiple Local Entities are involved (for example, marketing by the group entity and contracting by a country subsidiary), they act as joint controllers in respect of clearly identified processing activities, with a joint-controller arrangement available on request.
You can contact our Data Protection Officer at [DPO CONTACT].
3. Categories of personal data we process
- Identification data: name, date of birth, nationality, national ID / passport number, photograph (KYC).
- Contact data: postal address, email, phone number.
- Household & financial data: marital status, dependants, income, expenses, employment, pension, other liabilities, bank statements.
- Property data: address, type, size, ownership documents, mortgage status, energy performance certificate, valuation reports.
- Product application data: simulator inputs, requested amount, purpose, preferences.
- Account & usage data: login events, device identifiers, IP address, browser, pages viewed, interactions.
- AML / sanctions data: politically-exposed-person ("PEP") status, sanctions-list matches, source of funds/wealth declarations.
- Communications: emails, chat messages, call recordings (where notified), support tickets.
- Special categories (only where strictly necessary and with appropriate safeguards): for example, health-related information where it affects affordability or vulnerability assessments.
4. Sources
We collect personal data from you directly; from public registers and official sources (land registries, commercial registers, sanctions lists); from credit reference agencies and credit bureaus in your country of residence; from service providers carrying out identity verification, anti-fraud checks and property valuations; from your bank where you consent to account-information sharing under PSD2 / open banking; and via cookies and similar technologies as described in our Cookies Policy.
5. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and securing the Platform | Legitimate interest (Art. 6(1)(f)) |
| Account creation and management | Contract (Art. 6(1)(b)) |
| Simulators and indicative figures | Pre-contractual measures (Art. 6(1)(b)) |
| Eligibility and creditworthiness assessment | Legal obligation & contract |
| KYC, AML, sanctions and fraud prevention | Legal obligation (Art. 6(1)(c)) |
| Entering into and performing a product agreement | Contract (Art. 6(1)(b)) |
| Regulatory reporting and supervision | Legal obligation (Art. 6(1)(c)) |
| Customer support and complaints | Contract / legal obligation |
| Direct marketing of our own similar services | Legitimate interest, with opt-out |
| Marketing requiring consent (e.g. third-party offers, cookies) | Consent (Art. 6(1)(a)) |
| Defending and bringing legal claims | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we have carried out a balancing test and you may request a summary at [DPO CONTACT].
6. Automated decision-making and profiling
Some eligibility and affordability assessments include automated decision-making within the meaning of GDPR Art. 22, including statistical scoring of repayment capacity and risk indicators. Where a decision with legal or similarly significant effects is taken solely on an automated basis, you have the right to obtain human intervention, express your point of view, and contest the decision. We do not use special-category data for automated decision-making except where strictly necessary, with explicit consent or another lawful basis under Art. 9 GDPR.
7. Recipients
We share personal data only with parties that have a clear need and an appropriate legal basis, including: other Maisonflex Local Entities and group companies (shared operations, risk management, consolidated supervision); service providers acting as processors on our instructions; credit reference agencies; banking, payment and notary partners required to execute or register a product; regulators, supervisory authorities, tax authorities and law-enforcement bodies where required by law; and professional advisors (auditors, lawyers) under confidentiality. We do not sell personal data.
8. International transfers
Personal data is primarily processed within the European Economic Area. Where data is transferred outside the EEA, we rely on an EU Commission adequacy decision, Standard Contractual Clauses with supplementary technical and organisational measures, or another mechanism permitted under Chapter V of GDPR. A copy of the relevant safeguards is available on request at [DPO CONTACT].
9. Retention
We keep personal data only for as long as necessary for the purposes set out above and to comply with statutory retention obligations:
- Customer and transaction records: for the duration of the contract and a minimum of 10 years after termination, where required by AML / accounting law;
- KYC documentation: typically 5–10 years after the end of the business relationship;
- Marketing data: until you opt out and for a short reconciliation period thereafter;
- Cookies / device data: as set out in the Cookies Policy;
- Application data from declined or abandoned applications: typically 24 months, unless a longer period is required for fraud-prevention reasons.
10. Your rights
Subject to GDPR, you have the right to: access your data; rectify inaccurate or incomplete data; erase data ("right to be forgotten"); restrict processing; object to processing based on legitimate interest, including profiling and direct marketing; request data portability; withdraw consent at any time; obtain human review of automated decisions (Art. 22); and lodge a complaint with the data-protection authority in your country of residence. To exercise any of these rights, contact [DPO CONTACT]. We will respond within one month, extendable by up to two further months for complex requests.
11. Security
We implement appropriate technical and organisational measures, including encryption in transit and at rest, role-based access controls, logging and monitoring, segregation of duties, secure software-development practices and regular penetration testing. If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, you, in accordance with Art. 33–34 GDPR.
12. Children
The Platform is not directed at, and not intended for, children under 18. We do not knowingly collect personal data from children.
13. Changes
We may update this policy from time to time. The current version is always available on the Platform with a clearly displayed effective date. Material changes will be notified to account-holders in advance.
14. Contact
[LOCAL ENTITY NAME]
[REGISTERED ADDRESS]
Data Protection Officer: [DPO CONTACT]
General: [CONTACT EMAIL]