Privacy Policy

Yitaku Limited (referred to in this policy as "Yitaku", "we", "us", or "our") is the data controller responsible for processing your personal data. This privacy policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it.

Data controller details:

• Company name: Yitaku Limited
• Malta company registration number: C101893
• VAT number: MT29064524
• Contact email for data protection queries: info@yitaku.com
• Website: www.yitaku.com

We have not formally appointed a Data Protection Officer under Article 37 of the General Data Protection Regulation (GDPR), as we are not required to do so based on the scale and nature of our processing. The point of contact for all data protection matters is the email address above.

If you have any questions about this policy or how we process your personal data, please contact us at info@yitaku.com.

This privacy policy applies to your use of:

• The Yitaku website at www.yitaku.com
• The Yitaku mobile application (available on iOS and Android)
• The Yitaku seller portal at portal.yitaku.com
• Any other Yitaku-operated service that links to this policy

This policy does not apply to third-party websites, apps, or services that you may access through links on our platform. Those services have their own privacy policies, which we encourage you to read.

We collect personal data in three main ways: data you provide directly to us, data we collect automatically when you use our services, and data we receive from third parties.

When you create an account on the mobile app or seller portal, we collect:

• Your name (first name and surname)
• Your email address
• Your mobile phone number
• A password (stored securely and never visible to us in plain text)
• For seller, agent, and developer accounts on the portal: the role you identify with and details about the properties you list

When you publish a property listing on the seller portal, we collect property information and the contact details you choose to include on the listing. Some of this information (such as your name, surname, mobile number, and email associated with the listing) is shown to other users who enquire about the property, so they can contact you about it.

When you submit a contact form, enquire about a property, or request an insurance quote, we collect:

• Your name and surname
• Your email address
• Your mobile phone number
• The content of your message or enquiry

When you request an insurance quote through the app, we collect your name, surname, email, and mobile number, and pass these to the insurance provider you have selected so they can prepare and send you the quote.

When you make a subscription payment (currently applicable to certain seller portal subscription tiers), payment processing is handled by Stripe Payments Europe Ltd. We do not store your full payment card details on our systems. We receive limited transaction metadata (such as transaction ID, amount, and payment status) for our records.

When you subscribe to our newsletter or marketing communications, we collect your email address and any preferences you indicate.

When you use our website or mobile application, certain data is collected automatically:

• Device and browser information — IP address, browser type and version, operating system, device type and model, screen resolution, language preferences
• Usage information — pages visited, time spent on pages, links clicked, search queries within our platform, features used
• Location information — approximate location based on IP address (city or region level). The mobile app does not collect precise GPS location unless you explicitly grant permission for features that require it
• Cookies and similar technologies — see Section 6 below and our Cookie Policy for full details

For the mobile app specifically, we may also collect:

• A device identifier used by Firebase Cloud Messaging to deliver push notifications (if you opt in to push notifications)
• Crash and diagnostic data, which helps us identify and fix bugs

We do not receive personal data about you from third parties in the ordinary course of our business. Where we display property listings sourced from partners (for example, real estate agencies or other listing providers), we receive property metadata only — not personal data about the property owners or other parties associated with those listings.

If you sign in to our platform using a third-party authentication provider (such as Google Sign-In or Sign in with Apple), we receive the basic profile information that you authorise that provider to share with us — typically your name and email address.

Under GDPR, we must have a lawful basis for processing your personal data. We process your data on the following bases:

4.1 To provide our services to you (legal basis: performance of a contract)

When you create an account, publish a listing, or enquire about a property, we process your personal data because it is necessary to provide the service you have requested or to take steps you have requested before entering into a contract.

This includes:

• Creating and managing your account
• Allowing you to publish, edit, and remove your property listings
• Allowing buyers to contact you about your listings, and you to contact sellers about theirs
• Routing your insurance quote request to the provider you selected
• Processing subscription payments where applicable
• Providing customer support

4.2 To send you marketing communications (legal basis: consent)

We send marketing emails (such as newsletters, property recommendations, and platform updates) only with your consent, which you can withdraw at any time by clicking the unsubscribe link in any marketing email, or by contacting us at info@yitaku.com.

4.3 To improve our services (legal basis: legitimate interests)

We analyse anonymised and aggregated usage data to understand how people use our platform, identify problems, and improve features. Our legitimate interest is the operation and improvement of our business. We do not use this analysis to make automated decisions that have legal or similarly significant effects on you.

4.4 To comply with legal obligations (legal basis: legal obligation)

We process certain personal data because we are legally required to. This includes:

• Tax and accounting record-keeping requirements
• Responding to lawful requests from regulators, courts, or law enforcement
• Compliance with anti-money-laundering and counter-terrorism financing obligations, where applicable to specific transactions

4.5 To protect our platform and users (legal basis: legitimate interests)

We process personal data to detect and prevent fraud, abuse, security incidents, and other harmful activity on our platform. Our legitimate interest is maintaining a safe and trustworthy platform for all users.

We share your personal data only as described below. We do not sell your personal data to third parties.

When you enquire about a property listed on Yitaku, the contact details you provide in the enquiry (your name, surname, email, and mobile number) are shared with the seller, agent, or developer who listed that property, so they can respond to your enquiry. This applies to all listings on our platform, regardless of who supplied the listing originally.

When you publish a listing on Yitaku, the contact details you include on the listing are visible to users who enquire about it.

We use third-party service providers to operate our platform. These providers process personal data on our behalf and only in accordance with our instructions. Each is bound by a data processing agreement that complies with GDPR Article 28.

Where personal data is processed outside the European Economic Area (EEA), we rely on appropriate safeguards as required by GDPR Chapter V. See Section 8 below for details.

We may share personal data with regulators, courts, law enforcement agencies, or other government authorities when required by law, or when necessary to protect our legal rights, the rights of our users, or the safety of the public.

If Yitaku is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

We use cookies and similar technologies on our website. A full breakdown of the cookies we use, what they do, and how long they last is available in our Cookie Policy.

By default, our website loads in a cookieless state. When you visit our website, you will be presented with a cookie consent banner where you can choose which cookies to accept. We do not load analytics or marketing cookies until you have given consent.

You can change your cookie preferences at any time by clicking the "Manage cookies" link in the footer of our website.

Most browsers also allow you to control cookies through their settings. Please note that disabling cookies may affect the functionality of our website.

We keep your personal data only for as long as we need it for the purposes set out in this policy, or as required by law.

• Account data — kept until you request deletion of your account. If you request deletion, we will delete or anonymise your personal data within a reasonable period, except where we are required by law to retain it.
• Property listings — listing data, including any associated personal data, is kept in our systems for as long as you maintain it on the platform, and remains in our systems after a listing is removed until you request deletion of your account or that data.
• Contact form and enquiry submissions — kept until the related enquiry or transaction is completed.
• Marketing email subscriptions — kept until you unsubscribe or request deletion.
• Transaction and payment records — kept for the period required by Maltese tax and accounting law (minimum of 10 years from the end of the relevant tax year).
• Analytics data — anonymised or aggregated analytics data may be kept indefinitely.

You can request deletion of your personal data at any time by contacting us at info@yitaku.com. We will respond to your request within the timeframes set by GDPR (generally one month).

Some of our service providers process personal data outside the European Economic Area (EEA), primarily in the United States. We rely on the following safeguards required by GDPR Chapter V:

• EU-U.S. Data Privacy Framework (DPF) — Where our service provider is certified under the EU-U.S. Data Privacy Framework, transfers are made on the basis of the European Commission's adequacy decision of 10 July 2023 (Decision (EU) 2023/1795). This applies to Google LLC and Vercel Inc., both of which are DPF-certified.
• Standard Contractual Clauses (SCCs) — Where a provider is not DPF-certified, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) as the legal basis for the transfer. This applies to Sanity.io.
• Supplementary measures — Where appropriate, we apply additional safeguards such as encryption in transit and at rest, and access controls.

You can request a copy of the safeguards in place for any specific transfer by contacting us at info@yitaku.com.

Under the General Data Protection Regulation, you have the following rights in relation to your personal data:

• Right of access (Article 15) — You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data.
• Right to rectification (Article 16) — You have the right to have inaccurate or incomplete personal data corrected.
• Right to erasure (Article 17), also known as the "right to be forgotten" — You have the right to request deletion of your personal data in certain circumstances.
• Right to restriction of processing (Article 18) — You have the right to request that we limit how we use your personal data in certain circumstances.
• Right to data portability (Article 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
• Right to object (Article 21) — You have the right to object to certain types of processing, including processing based on legitimate interests and direct marketing.
• Rights related to automated decision-making (Article 22) — You have the right not to be subject to decisions based solely on automated processing that produce legal effects. We do not currently use automated decision- making in any way that has legal or similarly significant effects on you.

To exercise any of these rights, please contact us at info@yitaku.com. We will respond within the timeframes set by GDPR.

You also have the right to lodge a complaint with the Maltese data protection authority, the Office of the Information and Data Protection Commissioner (IDPC), if you believe we have not handled your personal data in accordance with the law:

• Website: www.idpc.gov.mt
• Email: idpc.info@idpc.org.mt
• Address: Level 2, Airways House, Triq il-Kbira, San Ġiljan STJ 1612, Malta

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, disclosure, or destruction. These measures include:

• Encryption of personal data in transit (HTTPS/TLS) and at rest
• Restricted access to personal data on a need-to-know basis
• Secure password storage using industry-standard hashing
• Regular review of our security practices and our service providers' security practices
• Vetting of all service providers we use for compliance with GDPR and adequate security standards

Despite our efforts, no security measure is perfect. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Information and Data Protection Commissioner within 72 hours and, where required, notify you directly without undue delay.

Our services are not directed to children under the age of 18. By creating an account or using our services, you confirm that you are at least 18 years old, or that you are the parent or guardian of a minor and consent to that minor's use of our services.

We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18 without proper parental consent, we will take steps to delete that data promptly. If you believe that a child under 18 has provided personal data to us, please contact us at info@yitaku.com.

We may update this privacy policy from time to time to reflect changes in our practices, our services, or applicable law. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy
• Notify you by email or through a prominent notice on our platform where the changes are material

This policy supersedes any earlier versions. We encourage you to review the policy periodically to stay informed about how we protect your personal data.

For any questions about this privacy policy, or to exercise any of your rights, please contact us:

• Email: info@yitaku.com
• Website: www.yitaku.com
• Company: Yitaku Limited, registered in Malta with company number C101893

This privacy policy is effective from 25 May 2026.