HomePrivacy Policy

Privacy Policy

As of: May 2026

1. Controller and Contact

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:

Keyless Real Estate GmbH
Vogelsanger Weg 157, 40470 Düsseldorf, Germany
Registered in the commercial register of the Düsseldorf Local Court under HRB 107024
Managing Director: Aylin Kutlu
Phone: +49 172 4582899
Email: info@keylessrealestate.com

A statutorily required Data Protection Officer is currently not appointed (§ 38 of the German Federal Data Protection Act – BDSG in conjunction with Art. 37 GDPR). For data protection enquiries, please contact us using the contact details above.

2. Definitions, Applicable Law

This Privacy Policy uses the terms defined in the GDPR (in particular “personal data”, “processing”, “controller”, “processor”, “consent”). Unless expressly stated otherwise, the definitions in Art. 4 GDPR apply.

The processing of personal data is based on the GDPR, the German Federal Data Protection Act (BDSG) and the German Act on Data Protection and the Protection of Privacy in Telecommunications and Telemedia (TTDSG).

3. Legal Bases of Processing

Where we obtain consent from the data subject for processing operations involving personal data, Art. 6(1)(a) GDPR serves as the legal basis.

For the processing of personal data necessary to perform a contract or to take steps prior to entering into a contract, Art. 6(1)(b) GDPR serves as the legal basis.

Where processing is necessary to fulfil a legal obligation (e.g. tax and commercial-law retention obligations, the German Money Laundering Act), Art. 6(1)(c) GDPR serves as the legal basis.

Where processing is necessary to protect a legitimate interest of our company or a third party, and where the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Art. 6(1)(f) GDPR serves as the legal basis.

For the storage of or access to information on the user’s terminal device through cookies and similar technologies, § 25 TTDSG serves as the additional legal basis (consent, unless strictly necessary).

4. Retention Period, Erasure

Personal data is erased or blocked as soon as the purpose of storage ceases to apply. Longer storage may occur if provided for by European or national legislation to which we are subject (in particular retention periods under § 257 of the German Commercial Code – HGB of six years and § 147 of the German Fiscal Code – AO of ten years). Blocking or erasure also takes place when a legally prescribed retention period expires, unless further storage is necessary for the conclusion or performance of a contract.

5. Provision of the Website & Server Log Files

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:

  • IP address of the user (truncated where possible)
  • date and time of access
  • URL accessed and HTTP status code
  • volume of data transferred
  • referrer URL (previously visited page)
  • browser used, browser version, and operating system

This data is stored in the log files of our hosting provider. This data is not merged with other personal data of the user.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the technically error-free operation, security (defence against attacks), and optimisation of our website.

Retention period: Log files are stored for a maximum of 30 days and are then deleted or anonymised.

6. Hosting

Our website is hosted by an external service provider. The provider is GoDaddy.com, LLC / Host Europe GmbH or an affiliated group company (“secureserver.net” / “wpaas_v2”). Personal data collected on this website is stored on the host’s servers. This may include, among other things, IP addresses, contact requests, metadata and communications data, contract data, contact data, names, website access data, and other data generated through a website.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in a secure and efficient provision of our online offering).

A data processing agreement pursuant to Art. 28 GDPR has been concluded with the host.

Note on hosting telemetry: The hosting provider GoDaddy additionally loads performance scripts in the footer of the website (img1.wsimg.com/signals/js/clients/scc-c2/scc-c2.min.js and tccl-tti.min.js) which collect anonymised load-time and click-telemetry data to operate and improve the hosting platform. These scripts are not actively deployed by us but are part of the platform; opting out is possible via your browser’s cookie settings or common tracking blockers.

7. Contact (Form, Email, Phone)

If you contact us via the contact form (the “Contact Form 7” plugin), by email or by phone, the data you provide (name, email address, phone number, requested property type, message) will be stored by us for the purpose of processing your enquiry and in the event of follow-up questions.

Legal basis: for enquiries with a contractual context, Art. 6(1)(b) GDPR; for other enquiries, Art. 6(1)(f) GDPR (legitimate interest in processing contact requests).

Retention period: until your request has been finally processed and no commercial or tax-law retention obligations apply.

8. Registration & User Account (Dashboard)

You have the option of registering on our Platform. In particular, the following data is collected:

  • username
  • email address
  • password (stored encrypted; not readable by us in plain text)
  • optional profile information (e.g. name, profile picture, phone number, address, occupation, short description)
  • listings, favourites list, saved searches, reviews
  • for the communications area: time of reading (to display the “new” marker) and list of folders/messages released to the user

Legal basis: Art. 6(1)(b) GDPR (performance of contract within the meaning of the platform terms of use).

Retention period: until the user account is deleted by the user or by us (e.g. due to prolonged inactivity).

9. Brokerage of Real Estate Transactions, Money Laundering Prevention

In the context of brokerage activities, we process personal data of the contractual parties (in particular contact, identification, and asset data) for the purpose of initiating and processing real estate transactions.

Where Keyless acts as an entity obligated under the German Money Laundering Act (GwG), we process the data required to identify the contractual partner and the beneficial owners (identification data, address, date of birth, and, where applicable, the source of funds).

Legal basis: Art. 6(1)(b) GDPR (contract); Art. 6(1)(c) GDPR in conjunction with §§ 10 et seq. GwG (legal obligation).

Retention period: pursuant to § 8 GwG, five years after the end of the business relationship; in addition, commercial- and tax-law retention periods (§ 257 HGB, § 147 AO) of up to ten years.

10. Recipients and Processors

Within Keyless, only those units that need access to your data to perform their duties will receive it. We also transfer data to:

  • hosting providers (see above)
  • IT service providers and plugin providers (see Section 12 below)
  • tax advisers, auditors, and lawyers (upon request in individual cases, Art. 6(1)(f) GDPR)
  • authorities and courts to the extent there is a legal obligation to provide information
  • contractual partners and partner agencies in the context of a specific real estate brokerage, where this is necessary for the initiation or performance of the contract and the customer has been informed or has consented

Written data processing agreements pursuant to Art. 28 GDPR are in place with processors.

11. Transfer of Data to Third Countries

In the context of our international brokerage activities (in particular Cyprus, Türkiye, UAE, Indonesia, Maldives, United Kingdom), as well as through the use of individual service providers, personal data may be transferred to countries outside the European Economic Area (third countries).

In such cases, we ensure an adequate level of data protection through:

  • adequacy decisions of the EU Commission (Art. 45 GDPR), where applicable (e.g. the United Kingdom, the EU-US Data Privacy Framework for certified US providers);
  • EU Standard Contractual Clauses (Art. 46 GDPR);
  • supplementary technical and organisational measures.

For brokerage to countries without an adequacy decision (e.g. Türkiye, Indonesia, Maldives), transfer takes place only insofar as this is necessary to perform the specific brokerage contract (Art. 49(1)(b) GDPR), and you will have been informed of this on a case-by-case basis.

12. Services Used, Cookies, and Third-Party Providers

12.1 Cookies

Our website uses cookies and comparable technologies (local storage). Cookies are small text files stored on your terminal device.

Technically necessary cookies (e.g. login session, language setting, security cookies) are used on the basis of § 25(2)(2) TTDSG and are essential for the operation of the website.

Other cookies (e.g. for reach measurement, convenience, personalisation, or set by third-party services) are only set with your express consent pursuant to § 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR. You may withdraw your consent at any time via the cookie settings.

12.2 Google Maps

We use the mapping service Google Maps provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, USA) to display locations and provide route planning. When you access a page with an embedded map, your IP address and possibly further data (browser data, location) are transmitted to Google and processed there.

Legal basis: Art. 6(1)(a) GDPR (consent via our cookie/consent banner) or Art. 6(1)(f) GDPR (legitimate interest in user-friendly location display).
Recipient: Google Ireland Limited, possibly Google LLC (USA).
Third-country transfer: EU-US Data Privacy Framework (adequacy decision).
More information: policies.google.com/privacy

12.3 Google Fonts

We embed fonts (“Google Fonts”) via the servers of Google Ireland Limited. When a page is accessed, your browser loads the required fonts from a Google server. In doing so, your IP address is transmitted to Google.

Legal basis: Art. 6(1)(f) GDPR (consistent display of fonts).
More information: policies.google.com/privacy

12.4 Weglot (Multilingual Support)

For the translation of content (German, English, Turkish), we use the service Weglot provided by Weglot SAS (138 avenue des Champs-Elysées, 75008 Paris, France). When a page is accessed, content and connection data are transmitted to Weglot; transmissions to sub-processors (e.g. translation APIs) may also take place.

Legal basis: Art. 6(1)(f) GDPR (multilingual provision of content).
More information: weglot.com/privacy

12.5 YouTube (Embedded Videos)

On individual pages, we embed videos from YouTube (Google Ireland Limited). When you access a page with a video, your browser establishes a connection to YouTube servers. We use, where possible, the “enhanced privacy mode” (no-cookie). Nevertheless, connection data (in particular your IP address) is transmitted to Google. For users logged into YouTube, Google may associate the behaviour with the personal account.

Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest in attractive multimedia presentation).
More information: policies.google.com/privacy

12.6 Elementor / Accessibility Widget (ea11y)

The website is partly built with the WordPress builder Elementor and Elementor Pro by Elementor Ltd. (HaArba’a Towers, Tel Aviv, Israel). We also use the “ea11y” accessibility widget, which provides font-size, contrast, and screen-reader functions for barrier-free browsing. The widget loads its library from cdn.elementor.com/a11y/widget.js. No personal data is actively processed in connection with this; technical connection data may, however, be transmitted to the servers of Elementor Ltd.

Legal basis: Art. 6(1)(f) GDPR (technical provision and accessibility of the website).
More information: elementor.com/about/privacy

12.7 Social Networks (Hyperlinks)

In the footer of our website, you will find links to our profiles on TikTok, Instagram, and YouTube. These are simple hyperlinks (no “social plugin”, no embedded like buttons). Data is not transmitted to the respective providers until you actively click on the corresponding link. For data processing on the linked sites, the respective provider is responsible.

12.8 EWWW Image Optimizer (Lazy Loading)

We use the “EWWW Image Optimizer” plugin to optimise and lazy-load images. The plugin operates exclusively on the server side and does not transmit any personal user data to external servers.

12.9 Providers from the Hosting Ecosystem

As outlined under Section 6, our hosting provider loads its own telemetry scripts for platform monitoring. The party responsible for these scripts is GoDaddy.com, LLC, or an affiliated group company. More information is available at godaddy.com/legal/agreements/privacy-policy.

13. Newsletter

If you sign up to receive a newsletter, we process your email address and any additional voluntarily provided data in order to send you regular information about real estate offers and investments.

Sign-up uses the double-opt-in procedure: after sign-up, you will receive an email containing a confirmation link. Your address will not be added to the distribution list until you click on the link.

Legal basis: Art. 6(1)(a) GDPR (consent).
Withdrawal: You may unsubscribe from the newsletter at any time via the unsubscribe link contained in every newsletter email, or by sending a message to info@keylessrealestate.com.

14. Job Applications

Applications you send us by email or post will be processed exclusively for the purpose of carrying out the application procedure. The data will be deleted no later than six months after the procedure ends, unless further statutory retention obligations apply or you have expressly consented to longer storage for inclusion in a talent pool.

Legal basis: § 26 BDSG; Art. 6(1)(b) GDPR (pre-contractual measures); where applicable, Art. 6(1)(a) GDPR for voluntary inclusion in a talent pool.

15. Your Rights as a Data Subject

Where your personal data is processed by us, you have the following rights:

  • Access to data stored about you and to its processing (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of data (“right to be forgotten”, Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability, where processing is based on consent or contract and is automated (Art. 20 GDPR)
  • Objection to processing based on a legitimate interest (Art. 21 GDPR)
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR)
  • Complaint to a supervisory authority (Art. 77 GDPR). The competent authority for us is:
    The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestr. 2–4, 40213 Düsseldorf, Germany, ldi.nrw.de

16. Individual Right to Object

Where personal data is processed on the basis of Art. 6(1)(f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you (Art. 21(1) GDPR). In such case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims.

17. Automated Decision-Making / Profiling

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place.

18. Data Security

We take appropriate technical and organisational measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties. The transfer of your data between your browser and our website takes place via an encrypted SSL/TLS connection (recognisable by the padlock icon in your browser’s address bar).

19. Changes to this Privacy Policy

We reserve the right to adapt this Privacy Policy to ensure that it continues to meet current legal requirements or to reflect changes to our services. The version of the Privacy Policy published on this page at the time of your subsequent visit will then apply.

Turn your dream home into reality while optimizing your investment strategies for sustainable value growth.

Contact Seller
images
images
You need a house

Looking for your dream home? Share your preferences with us, and we'll present exclusive proposals that meet your expectations.

Contact Seller
Sell your house

Are you selling your house? We connect you with a wide range of potential buyers who are searching for their new home.

Sell Property
Copyright © 2026 Keyless Real Estate.
Compare