Privacy Policy

Last updated: February 2026

MOONSHIP OÜ (operating as leiakv) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our real estate platform. We process personal data in accordance with the European Union General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

1. Data Controller

The data controller responsible for your personal data is:

MOONSHIP OÜ

Registry Code: 14963506

Address: Pajusaare tee, Peetri alevik, 75312, Estonia

Email: [email protected]

For data protection inquiries, please contact us at the email address above.

2. Personal Data We Collect

We collect and process the following categories of personal data:

Identity and Contact Data

Full name, email address, phone number, profile photo (optional).

Account Data

Login credentials (password stored securely hashed), account preferences, language settings, saved searches, and favorites.

Listing Data

Property descriptions, addresses, prices, photos, videos, floor plans, and any information you include in your listings.

Transaction Data

Payment history, invoices, purchased services, and billing information (payment card details are processed by our payment providers, not stored by us).

Communication Data

Messages sent through the platform, inquiry forms, support requests, and email correspondence.

Technical Data

IP address, browser type and version, device information, operating system, time zone, geographic location (country/city level), referral sources, and page interaction data.

Usage Data

Pages visited, search queries, listing views, click patterns, session duration, and feature usage.

Data Sources

  • Information you provide directly (registration, listings, messages).
  • Information collected automatically (cookies, analytics).
  • Information from third parties (authentication providers if you sign in via Google, Facebook, etc.).

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Contractual Necessity (Article 6(1)(b))

Creating and managing your account, publishing and displaying your listings, facilitating communication between users, processing payments for services.

Legal Obligation (Article 6(1)(c))

Retaining financial records for accounting and tax purposes (7 years under Estonian law), responding to lawful requests from authorities, complying with anti-money laundering regulations.

Legitimate Interest (Article 6(1)(f))

Preventing fraud and ensuring platform security, analyzing usage to improve our services, sending service-related notifications, direct marketing to existing customers (with easy opt-out).

Consent (Article 6(1)(a))

Sending marketing newsletters, setting analytics and marketing cookies, sharing data with advertising partners.

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Providing platform services: displaying listings, enabling searches, facilitating user communication, and processing transactions.
  • Managing your account: authentication, preferences, saved searches, and favorites.
  • Communicating with you: responding to inquiries, sending service notifications, and E-Agent alerts for new listings.
  • Improving our platform: analyzing usage patterns, identifying issues, and developing new features.
  • Ensuring security: detecting fraud, preventing abuse, and protecting user accounts.
  • Meeting legal obligations: maintaining records, reporting to authorities, and responding to legal requests.
  • Marketing (with consent): sending newsletters, promotional offers, and personalized recommendations.
  • Listing promotion and distribution: sharing published listing content (including photos, descriptions, and property details) on partner platforms, social media channels, and Facebook groups to increase listing visibility and reach potential buyers or tenants.

5. Data Sharing and Third Parties

We may share your personal data with the following categories of recipients:

Infrastructure Providers

Google Cloud Platform / Firebase (hosting, database, authentication, analytics). Data is stored in EU data centers (europe-west4 region in Finland). Google is a data processor bound by Data Processing Agreements and Standard Contractual Clauses.

Payment Processors

The controller transmits the personal data necessary for the execution of payments to the authorized processor, Maksekeskus AS (registry code 12268475), a licensed payment institution. Maksekeskus handles your payment information directly and is PCI-DSS compliant. We do not store your credit card details. You can review the Maksekeskus AS privacy policy at https://maksekeskus.ee/privacy-policy.

Analytics Services

Google Analytics and Firebase Analytics (with your consent) to understand how our platform is used. IP addresses are anonymized, and data is retained for up to 14 months.

Marketing Partners

With your consent, we may share anonymized or pseudonymized data with advertising partners (such as Google Ads) for remarketing purposes.

Content Distribution Platforms

Published listing content (photos, descriptions, prices, and property details) may be distributed to partner real estate platforms, social media channels (including Facebook pages and groups), and other online marketplaces to maximize listing exposure. This distribution is based on the content license granted under our Terms of Service (Section 6). No personal contact information is shared publicly beyond what you include in your listing. You may request removal of your listing from external platforms at any time by deleting or deactivating the listing.

Professional Services

Legal advisors, accountants, and auditors as necessary for business operations and compliance.

Legal Authorities

Police, courts, tax authorities, and other government bodies when required by law or to protect our legal rights.

We do not sell your personal data to data brokers or other third parties.

International Data Transfers

Your data may be transferred to countries outside the European Economic Area (EEA) through our use of Google services. Such transfers are protected by Standard Contractual Clauses approved by the European Commission. You may request a copy of these safeguards by contacting us.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyze usage, and provide personalized services.

What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences and understand how you use them. Cookies may be 'first-party' (set by us) or 'third-party' (set by our partners).

Types of Cookies We Use

Strictly Necessary Cookies (Always Active)

Essential for the platform to function. They enable core features like authentication, security, and remembering your consent preferences. These cannot be disabled.

Authentication tokens, session management, security tokens, consent settings.

Analytics Cookies (Requires Consent)

Help us understand how visitors use our platform by collecting anonymous information. We use this to improve our services.

Google Analytics 4, Firebase Analytics.

Page views, session duration, bounce rate, geographic location (country/city), device type, traffic sources.

Marketing Cookies (Requires Consent)

Used to track visitors across websites and deliver relevant advertisements. They help measure advertising effectiveness.

Google Ads (when enabled).

User interests, ad impressions, clicks, conversion events.

Specific Cookies Used

LocalStorage (First-Party)

  • Authentication: Firebase authentication tokens to keep you logged in.
  • Consent Preferences: Your cookie consent choices.
  • User Settings: Language, display preferences.
  • Search History: Recent property searches for quick access.

Google Analytics (Third-Party)

  • _ga: Distinguishes users (expires after 2 years).
  • _ga_*: Maintains session state (expires after 2 years).
  • _gid: Distinguishes users (expires after 24 hours).

Managing Cookies

  • Platform Settings: Click 'Manage Cookie Settings' in the footer to update your preferences at any time.
  • Browser Settings: You can block or delete cookies through your browser settings (Chrome, Firefox, Safari, Edge all have privacy settings for this).
  • Third-Party Opt-Out: Google Analytics Opt-out (tools.google.com/dlpage/gaoptout), Google Ad Settings (adssettings.google.com), Your Online Choices (youronlinechoices.com).

Cookie Consent

  • For users in the European Economic Area, we obtain explicit consent before setting analytics and marketing cookies. You can accept all, reject all, or manage individual categories.
  • We implement Google Consent Mode v2, which adjusts how Google services behave based on your consent choices.
  • Refusing non-essential cookies will not prevent you from using the platform, but some features like personalized recommendations may be limited.

7. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

Right of Access (Article 15)

Request a copy of all personal data we hold about you, including information about purposes, recipients, and retention periods.

Right to Rectification (Article 16)

Request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure (Article 17)

Request deletion of your personal data ('right to be forgotten'). Note: We may need to retain certain data for legal obligations (e.g., accounting records for 7 years).

Right to Restriction (Article 18)

Request limitation of processing while we verify accuracy of disputed data or assess our legitimate interests.

Right to Data Portability (Article 20)

Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV).

Right to Object (Article 21)

Object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time.

Right to Withdraw Consent

Withdraw consent for any processing based on consent at any time, without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

File a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) if you believe your rights have been violated.

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within one month (extendable by two additional months for complex requests). There is no fee for the first request.

Supervisory Authority

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

Address: Tatari 39, 10134 Tallinn, Estonia

Phone: +372 627 4135

Email: [email protected]

Website: www.aki.ee

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

Account Data

Retained while your account is active. Deleted within 30 days of account deletion request, except for data subject to legal retention requirements.

Listing Data

Active listings: duration of publication. Deleted listings: removed within 30 days; archived versions may be retained for up to 12 months for dispute resolution.

Transaction and Financial Data

Retained for 7 years as required by Estonian accounting law.

Communications

Support tickets: 3 years after resolution. User-to-user messages: until account deletion or 2 years of inactivity.

Analytics Data

Retained for up to 14 months, then automatically deleted or anonymized.

Marketing Consent

Retained until you withdraw consent. Proof of consent retained for 3 years after withdrawal.

When retention periods expire, data is securely deleted or anonymized so that it can no longer be associated with you.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Technical Measures

  • Data encryption in transit (TLS 1.3) and at rest (AES-256).
  • Secure authentication through Firebase Auth with optional multi-factor authentication.
  • Cloud infrastructure with ISO 27001 certified data centers.
  • 24/7 security monitoring and intrusion detection.
  • Regular encrypted backups in geographically separate locations.

Organizational Measures

  • Role-based access control (principle of least privilege).
  • Staff training on data protection and security.
  • Confidentiality agreements with employees and contractors.
  • Data Processing Agreements with all third-party processors.
  • Incident response plan for security breaches.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will notify the Estonian Data Protection Inspectorate within 72 hours. If the breach poses a high risk to you, we will also notify you directly via email with details about the breach, its consequences, and measures taken.

10. Children's Privacy

Our platform is intended for users aged 18 and older who can enter into binding contracts. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete it.

11. Automated Decision-Making

Our platform may use automated processing to personalize your experience, such as:

  • Ranking search results based on relevance to your preferences.
  • Recommending listings similar to ones you've viewed.
  • Determining which new listings to include in E-Agent notifications.

These processes do not produce legal effects or significantly affect you. You may request information about the logic involved and, where applicable, request human intervention.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other factors. When we make significant changes, we will update the 'Last Updated' date at the top and notify you via email or a prominent notice on the platform. We encourage you to review this policy periodically. Your continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

MOONSHIP OÜ

Registry Code: 14963506

Address: Pajusaare tee, Peetri alevik, 75312, Estonia

Email: [email protected]

We aim to respond to all inquiries within 5 business days.

For data protection issues, you may also contact the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at [email protected] or visit www.aki.ee