Privacy Policy
Who We Are
Data Controller: Maison Rêves, Limassol, Cyprus
hello@maison-reves.com
Maison Rêves is a luxury construction consultancy providing client-side project management and construction monitoring services in Cyprus. We operate the website at maison-reves.com and a client portal at maison-reves.com/portal. As data controller we determine the purposes and means of processing your personal data.
We do not have a designated Data Protection Officer as we do not carry out large-scale systematic monitoring or process special categories of data at scale. Direct all privacy enquiries to hello@maison-reves.com.
Data We Collect
a) Contact form
- First and last name
- Email address
- Phone number (including country code)
- Project type and budget range
- Location (city and area in Cyprus)
- Free-text project description
b) Client portal
- Email address and password (authentication)
- Full name and phone number (profile)
- Profile photograph (optional, uploaded by you)
- Project communications (in-portal chat messages)
- Access logs (sign-in timestamps)
c) Technical data (automatic)
- IP address (Cloudflare bot protection)
- Browser type and version
- Device type and operating system
- Pages visited and session duration (analytics, consent only)
- Referring URL
We do not collect special categories of personal data (health, racial/ethnic origin, political opinions, religious beliefs, or biometric data) and we do not knowingly collect data from children under 16.
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to contact form enquiries | Name, email, phone, project details | Legitimate interest / Pre-contractual steps |
| Delivering portal access and weekly reports | Email, name, project data, portal activity | Performance of a contract |
| Sending portal invitations and password resets | Email address | Performance of a contract |
| Sending report and message notifications | Email address | Performance of a contract |
| Bot protection via Turnstile captcha | IP address, browser fingerprint | Legitimate interest |
| Improving site performance (analytics) | Anonymised usage data | Consent |
| Legal and regulatory compliance | As required by applicable law | Legal obligation |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
Legal Basis for Processing
Under Article 6 GDPR we rely on:
- Art. 6(1)(a) — Consent: For optional cookies (analytics, functional, marketing). Withdraw at any time via cookie preferences in the footer.
- Art. 6(1)(b) — Contract: For portal access, weekly reports, and client communications.
- Art. 6(1)(c) — Legal obligation: Where required by applicable law (tax, accounting, regulatory).
- Art. 6(1)(f) — Legitimate interests: Responding to enquiries, protecting systems from abuse, and improving our services — where our interests are not overridden by your rights.
Third-Party Services
We use the following processors. Where located outside the EEA, transfers are protected by Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework (DPF).
| Service | Purpose | Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Framer | Website hosting | Page visits, IP | USA | SCCs / DPF |
| Supabase | Database, auth, storage | Email, name, phone, project data, photos | EU (Frankfurt) | EU hosting — no transfer |
| Cloudflare | Bot protection, CDN | IP address, browser data | USA / Global | SCCs / DPF |
| EmailJS | Contact form delivery | Name, email, phone, project details | USA | SCCs |
| Resend | Transactional email | Email address, message content | USA | SCCs |
| Google Fonts | Typeface loading | IP address (font request) | USA / Global | SCCs / DPF |
We do not sell your data to any third party and do not share it with advertisers or data brokers.
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form enquiries | 3 years from last contact | Legitimate interest — potential client relationship |
| Client portal accounts | Engagement + 2 years | Contractual obligation and legal compliance |
| Weekly reports and project data | Engagement + 5 years | Professional records and potential disputes |
| Portal messages / chat logs | Engagement + 2 years | Record of project communications |
| Authentication logs | 90 days | Security monitoring |
| Cookie consent record | 12 months | Proof of consent under GDPR Art. 7 |
When data is no longer required it is securely deleted or anonymised. You may request earlier deletion — see Your Rights.
Your Rights Under GDPR
Under GDPR Articles 15–22 you have the right to:
- Access (Art. 15): Request a copy of your personal data and information about how we process it.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure / right to be forgotten (Art. 17): Request deletion where there is no overriding reason to continue processing.
- Restriction (Art. 18): Request we limit processing while a complaint or objection is being resolved.
- Data portability (Art. 20): Receive your data in a machine-readable format and transfer it to another controller.
- Object (Art. 21): Object to processing based on legitimate interests or for direct marketing — with immediate effect for marketing.
- Withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
- No automated decisions (Art. 22): Not be subject to purely automated decisions that significantly affect you. We do not carry out such processing.
To exercise any right, email hello@maison-reves.com. We will respond within 30 days (Art. 12 GDPR). No charge unless requests are manifestly unfounded or excessive.
To lodge a complaint with the supervisory authority in Cyprus:
- Commissioner for Personal Data Protection
- www.dataprotection.gov.cy
- commissioner@dataprotection.gov.cy
- Tel: +357 22818456
International Transfers
Some processors are located outside the EEA (primarily the USA). Transfers are protected by SCCs (Commission Decision 2021/914/EU) and/or the EU–US Data Privacy Framework adequacy decision (C(2023) 4745). Supabase stores portal data within the EU (AWS eu-central-1, Frankfurt) — no international transfer occurs for your primary project data.
Children's Privacy
Our services are for business and professional use only. We do not knowingly collect data from anyone under 16. Under Art. 8 GDPR and Cyprus Law 125(I)/2018, processing a child's data requires parental consent. If you believe we have inadvertently collected such data, contact us immediately at hello@maison-reves.com and we will delete it without undue delay.
Changes to This Policy
We may update this policy to reflect changes in our practices or legal obligations. Material changes will be indicated by an updated "Last updated" date and notified by email or portal notice where appropriate. If cookie practices change, the consent version number will increment and you will be re-asked to consent. Previous versions are available on request.
Contact & Data Controller
Maison Rêves
Limassol, Cyprus
We will acknowledge your request within 5 working days and respond fully within 30 days (Art. 12 GDPR). Where a request is complex we may extend by a further two months — we will inform you of any extension within the first 30 days.
Prepared in accordance with Regulation (EU) 2016/679 (GDPR), Cyprus Law 125(I)/2018, and the EU ePrivacy Directive 2002/58/EC. Effective from 25 June 2026.