Privacy Policy
This Privacy Policy explains how Greystone B.V., operating under the Victaura brand (hereinafter, "Victaura", "we", "us"), collects, uses, retains and shares your personal data when you visit victaura.com (the "Site"), submit a form, or otherwise interact with us. We process personal data in accordance with the EU General Data Protection Regulation 2016/679 ("GDPR") and the Dutch Implementation Act (UAVG). If you have any questions about this Policy, please write to [email protected].
Data Controller
The data controller is Greystone B.V., a Dutch private limited liability company (besloten vennootschap met beperkte aansprakelijkheid) incorporated in the Netherlands, operating under the Victaura brand. Statutory registration details (Chamber of Commerce / KvK number, VAT identification number, statutory director and registered office) are available on request to data subjects exercising their rights and to qualified investors. The primary contact for data protection matters is [email protected].
We have assessed our processing activities and determined that appointment of a Data Protection Officer is not required under Article 37 GDPR, as our core activities do not consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale.
What Personal Data We Collect
We collect the following categories of personal data:
(i) Data you provide directly through our contact form: name, surname, email address, optional message.
(ii) Data you provide through our investor enquiry form: name, surname, email address, location, investor profile, area of interest, ticket range, optional message, GDPR consent record (gdprConsent), and, where you opt in, marketing consent record (marketingConsent).
(iii) Data automatically collected via your browser: IP address, user-agent string, and locale preference stored through the technical cookie NEXT_LOCALE.
(iv) Data we receive from third-party service providers we engage to deliver the Site and our communications.
Purposes and Legal Bases of Processing
We process your data for the following purposes and on the following legal bases under Article 6 GDPR:
(a) Responding to general enquiries submitted via our contact form: legal basis is Article 6(1)(f) GDPR, our legitimate interest in responding to persons who contact us voluntarily. We have balanced this interest against your rights and determined it does not override them, given the limited categories of data and the clear expectation of a response when submitting a contact form.
(b) Processing investor enquiry forms and assessing investor suitability: legal basis is Article 6(1)(b) GDPR, processing necessary for the performance of steps taken at your request prior to entering into a contract.
(c) Assessing investor suitability for our value-add real estate opportunities, including segmentation by profile, area of interest and ticket range: legal basis is Article 6(1)(f) GDPR, our legitimate interest in evaluating qualified investor fit before sharing confidential investor materials. Your interests and fundamental rights have been balanced and do not override this legitimate interest given the narrow purpose and limited categories of data involved.
(d) Sending you informational communications about Victaura projects and investment opportunities when you have opted in: legal basis is Article 6(1)(a) GDPR, your explicit consent, which you can withdraw at any time by writing to [email protected] or using the unsubscribe link in our communications.
(e) Complying with anti-money laundering and counter-terrorist financing obligations applicable to us where required (including, where applicable, the Dutch Wet ter voorkoming van witwassen en financieren van terrorisme, "Wwft", and EU Directives 2015/849, 2018/843 and 2024/1640): legal basis is Article 6(1)(c) GDPR, compliance with a legal obligation.
(f) Maintaining the integrity, security and availability of the Site: legal basis is Article 6(1)(f) GDPR, our legitimate interest in operating a secure service.
(g) Maintaining a consent audit trail: when you submit a form, we record a timestamped log of the consent you gave (timestamp, hashed IP, user-agent, Privacy Policy version, language, consent flags, and form type). Legal basis is Article 6(1)(c) GDPR (accountability obligation under Article 5(2) GDPR) and Article 6(1)(f) GDPR (our legitimate interest in demonstrating compliance).
How Long We Retain Your Data
Contact and enquiry data: retained for 24 months from your last form submission or email exchange, after which the data is either deleted or anonymised, unless a contractual relationship has been initiated, in which case retention follows the contract lifecycle.
Investor qualification data: retained for the duration of our pre-contractual assessment plus 24 months from your last form submission or email exchange, then deleted or anonymised.
KYC and AML records (where collected): retained for 5 years from the end of the business relationship or the date of the occasional transaction, in accordance with applicable Wwft and AMLD obligations.
Consent audit trail records: retained for 3 years from the date of submission, for accountability purposes.
Technical and security logs: retained for up to 12 months for the purposes of operational integrity and abuse prevention.
Server-side rate-limiting state for the contact and investor forms: retained in volatile memory for the duration of each 60-second rolling window only.
Sub-Processors and Recipients
We rely on a limited set of carefully selected sub-processors to deliver our Site and communications. Each sub-processor is bound by a data processing agreement that contractually requires them to process personal data only on our documented instructions.
Our current sub-processors are:
Vercel Inc. (United States) — hosting and edge delivery of the Site. Transfer basis: EU-U.S. Data Privacy Framework (Vercel is self-certified under the DPF).
Cloudflare, Inc. (United States) — DNS, content delivery and DDoS protection. Transfer basis: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
Resend (United States / Netherlands) — transactional email delivery. Transfer basis: Standard Contractual Clauses, supplemented by additional technical measures (TLS in transit, access controls, audit logging) in accordance with the EDPB recommendations post-Schrems II.
GitHub, Inc. (United States) — source-code repository hosting. Transfer basis: EU-U.S. Data Privacy Framework (GitHub is self-certified under the DPF). No end-user personal data is processed in the repository.
International Transfers
Some of our sub-processors are established outside the European Economic Area. Where personal data is transferred to a third country, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, "SCCs") or, where applicable, on an adequacy decision (including the EU-U.S. Data Privacy Framework where the recipient is self-certified under that framework).
We have assessed the level of protection afforded in each destination country in light of the Court of Justice of the European Union's ruling in Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (C-311/18, "Schrems II"). Where the SCCs alone do not ensure an essentially equivalent level of protection, we apply supplementary technical measures, which may include encryption of data in transit and at rest, pseudonymisation, minimisation of data transferred, and contractual commitments to notify us of any government access requests before complying with them to the extent permitted by law.
A copy of the relevant transfer safeguards (SCCs or DPF certificate) is available on request at [email protected].
Your Rights
You have the following rights under the GDPR. You can exercise any of them by writing to [email protected].
Right to access (Article 15). You can ask us for a copy of the personal data we hold about you.
Right to rectification (Article 16). You can ask us to correct data that is inaccurate or incomplete.
Right to erasure (Article 17). You can ask us to delete your data in certain circumstances, for example when it is no longer needed for the purpose for which it was collected.
Right to restriction (Article 18). You can ask us to pause processing in certain circumstances, for example while we verify the accuracy of data you have contested.
Right to data portability (Article 20). Where processing is based on your consent or on a contract and is carried out by automated means, you can ask us to send your data to you or to another organisation in a structured, commonly used, machine-readable format.
Right to object (Article 21). You can object at any time to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You can also object at any time to processing of your data for direct marketing purposes.
Rights related to automated decision-making (Article 22). We do not make decisions about you solely by automated means that produce legal or similarly significant effects. If this changes, we will update this Policy and provide you with the right to request human review.
Right to withdraw consent (Article 7(3)). Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
We will respond within one month of receiving your request, as required by Article 12(3) GDPR. You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Autoriteit Persoonsgegevens (Netherlands), Postbus 93374, 2509 AJ Den Haag, autoriteitpersoonsgegevens.nl. You may also contact the Garante per la protezione dei dati personali (Italy) at garanteprivacy.it.
Security and Data Breach
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure and destruction, including HTTPS in transit, encryption at rest where supported by our sub-processors, server-side input validation, rate-limiting on form endpoints, and a strict Content Security Policy on the Site.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by Article 34 GDPR.
Consent Audit Trail
When you submit a form on the Site, we record a consent audit entry containing: the date and time of submission (UTC), a one-way hash of your IP address (we do not store your IP address in plain text), your browser user-agent, the version of this Privacy Policy in force at the time of submission, your selected language, whether you gave GDPR consent (gdprConsent), whether you gave marketing consent (marketingConsent), your investor classification confirmation (for the investor form), and the form type (contact or invest). This record enables us to demonstrate compliance with the GDPR accountability principle (Article 5(2) GDPR).
Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, in our sub-processors, or in applicable law. The "Last updated" date at the top of this page indicates the latest revision. Material changes will be made evident on the Site and, where appropriate, communicated to users with an active relationship.
Contact
For any privacy-related question, request or complaint, please contact us at [email protected]. Our registered postal address in the Netherlands is available on request.