Privacy Policy 

Effective Date: July 1, 2025
Last Updated: June 30, 2025

Data Controller Information

Troja.al is the data controller responsible for your personal information when you use our property marketplace platform.

Contact Details:

Data Protection Officer: Due to the nature and scale of our processing activities, we have appointed a Data Protection Officer who can be contacted at [email protected].

EU Representative: For EU-related data protection matters, our representative can be contacted at [email protected].

Information We Collect

We collect and process personal information necessary to operate our property marketplace platform safely and effectively. Our data collection follows strict data minimization principles, collecting only information essential for our legitimate business purposes.

Personal Information Categories

Account Information:
  • Full name and contact details (email address, phone number)
  • Account credentials and authentication data
  • Profile preferences and settings
  • Communication preferences
Property-Related Information:
  • Property listing details and descriptions
  • Property photos and media (which you upload)
  • Search criteria and saved property preferences
  • Property inquiry and viewing history
  • Location data related to property searches
Transaction Information:
  • Payment information processed through Stripe (we do not store complete payment card details)
  • Premium service subscription details
  • Transaction history and billing records
Technical Information:
  • IP address and device identifiers
  • Browser type and operating system
  • Website usage data and analytics
  • Cookie data and similar tracking technologies
  • Log files and error reports
Social Login Information:
  • When you choose to register via Google or Facebook, we receive basic profile information as permitted by your social media privacy settings
  • This includes name, email address, and profile picture (if you choose to share it)

How We Use Your Information

We process your personal information based on specific lawful bases as required by applicable data protection laws. Each processing purpose is supported by an appropriate legal foundation:

Core Platform Services (Legal Basis: Contract Performance)

We process your information to provide essential marketplace services:

  • Account Management: Creating and maintaining your user account
  • Property Listings: Displaying and managing property advertisements
  • Search and Matching: Providing relevant property search results
  • Communications: Facilitating contact between property seekers and advertisers
  • Customer Support: Responding to inquiries, resolving issues, and providing assistance
  • Payment Processing: Handling premium service transactions through our secure payment processor

Platform Security and Improvement (Legal Basis: Legitimate Interests)

We have legitimate business interests in maintaining a secure, efficient platform:

  • Fraud Prevention: Detecting and preventing fraudulent activities and security threats
  • Platform Safety: Monitoring for violations of our terms of service
  • Service Enhancement: Analyzing usage patterns to improve platform functionality
  • Technical Maintenance: Ensuring platform performance, troubleshooting, and security updates
  • Business Analytics: Understanding user behavior to enhance our services

Balancing Test: We have conducted legitimate interests assessments confirming that these processing activities are necessary for our business operations and do not override your privacy rights. You have the right to object to processing based on legitimate interests.

Marketing Communications and Targeting (Legal Basis: Consent or Legitimate Interests)

  • Service Communications: Sending important updates about your account or our services (legitimate interests)
  • Marketing Emails: Promotional communications about new features or relevant properties (consent required)
  • Newsletter: Property market insights and platform updates (consent required)
  • Marketing Targeting: We may use your information to provide targeted marketing and personalized property recommendations based on your search history, preferences, and platform usage

You can opt out of marketing communications and marketing targeting at any time by contacting us at [email protected].

Legal Compliance (Legal Basis: Legal Obligation)

We process information to comply with applicable laws:

  • Tax Obligations: Maintaining records for tax reporting purposes
  • Regulatory Requirements: Compliance with financial services and business regulations
  • Legal Requests: Responding to valid legal process, court orders, or regulatory investigations
  • Anti-Money Laundering: Compliance with relevant AML regulations where applicable

Data Sharing and Recipients

We maintain a strict policy of data minimization in our sharing practices. We only share personal information where necessary for legitimate business purposes and with appropriate safeguards.

Third-Party Service Providers

Stripe (Payment Processing):

  • Purpose: Processing premium service payments
  • Data Shared: Payment information, transaction details, and necessary identity verification data
  • Safeguards: Stripe is PCI DSS compliant and maintains robust security measures
  • Location: Stripe may process data in the United States under the US Data Privacy Framework

Google and Facebook (Social Login):

  • Purpose: Facilitating social media login options
  • Data Shared: Basic profile information as selected by you during the login process
  • Safeguards: Data sharing limited to minimum necessary information
  • Your Control: You control what information is shared through your social media privacy settings

Analytics and Performance Services:

  • Purpose: Website performance monitoring and user experience improvement
  • Data Shared: Aggregated, pseudonymized usage data
  • Safeguards: Data minimization and pseudonymization techniques applied

Property Market Participants

Property Advertisers and Agents:

  • Purpose: Facilitating property inquiries and viewings
  • Data Shared: Contact information when you initiate property inquiries
  • Legal Basis: Contract performance for marketplace services
  • Your Control: You choose when to share your contact information by making property inquiries

Legal and Regulatory Requirements

We may share information when required by law, including:

  • Court Orders: Valid legal process requiring disclosure
  • Regulatory Investigations: Cooperation with authorized government agencies
  • Law Enforcement: Where legally required for public safety or crime prevention

International Data Transfers

As an Albanian company serving users across multiple jurisdictions, we implement appropriate safeguards for international data transfers.

Transfer Mechanisms

UK Transfers:
  • Safeguard: UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with UK Addendum
  • Assessment: We conduct Transfer Risk Assessments to ensure adequate protection
EU Transfers:
  • Safeguard: EU Standard Contractual Clauses where adequacy decisions do not apply
  • Monitoring: Ongoing assessment of transfer adequacy and additional safeguards
US Transfers (Stripe):
  • Safeguard: US Data Privacy Framework adequacy decision for certified organizations
  • Verification: We verify our service providers’ certification status

Your Rights Regarding Transfers

You have the right to: 
  • Receive information about transfers affecting your data
  • Object to transfers that do not have adequate safeguards
  • Request copies of relevant safeguards (such as Standard Contractual Clauses)

Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected or as required by applicable law.

Retention Periods

Active Account Data:
  • User Accounts: Retained while your account remains active plus 2 years after account closure
  • Property Listings: Retained for 1 year after listing expiration for historical reference
  • Communications: Customer support communications retained for 3 years
Transaction Data:
  • Payment Records: Retained for 7 years to comply with tax and financial regulations
  • Premium Service Data: Retained for the duration of service plus 2 years
Technical Data:
  • Analytics Data: Pseudonymized data retained for 2 years for service improvement
  • Log Files: Security and performance logs retained for 1 year
  • Cookie Data: As specified in our Cookie Policy (maximum 2 years)
Marketing Data:
  • Marketing Communications: Until you unsubscribe or withdraw consent
  • Preference Data: Maintained to honor your communication preferences indefinitely

Automatic Deletion

We implement automated deletion procedures to ensure data is not retained beyond necessary periods. You will receive advance notice before any significant data retention policy changes.

Your Rights

You have comprehensive rights regarding your personal information under applicable data protection laws, including GDPR, UK GDPR, and Albanian Law No. 124/2024.

Information Rights

Right to Information: You have the right to receive clear information about how we process your personal data (fulfilled through this privacy policy).

Right of Access: You can request a copy of the personal information we hold about you, including:

  • Categories of data processed
  • Purposes of processing and legal bases
  • Recipients of your data
  • Retention periods
  • Your rights and how to exercise them

Data Control Rights

Right to Rectification: You can request correction of inaccurate or incomplete personal information.

Right to Erasure (“Right to be Forgotten”): You can request deletion of your personal information where:

  • It’s no longer necessary for the original purpose
  • You withdraw consent (where consent is the legal basis)
  • You object to processing based on legitimate interests
  • The data has been unlawfully processed
  • Legal obligations require erasure

Right to Restrict Processing: You can request limitation of processing in specific circumstances, such as while we verify data accuracy or assess your objection to processing.

Right to Data Portability: For data processed based on consent or contract, you can request:

  • Your data in a structured, commonly used, machine-readable format
  • Direct transmission to another service provider where technically feasible

Objection Rights

Right to Object: You have the right to object to processing based on legitimate interests, including:

  • Direct Marketing: Absolute right to opt out of marketing communications and targeting
  • Profiling: Right to object to automated decision-making affecting you
  • Other Processing: Right to object to other legitimate interests processing

Exercising Your Rights

How to Make Requests:
  • Email: [email protected]
  • Postal Mail: [Business Address], Albania
  • Online Form: Available through your account settings

Response Timeframes:

  • Standard Response: Within 1 month of request
  • Complex Requests: Up to 3 months with advance notice
  • Identity Verification: We may request identification to verify your identity

No Cost: First requests are processed free of charge. Reasonable fees may apply for manifestly unfounded or excessive requests.

Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our services. Detailed information about our cookie usage is available in our separate Cookie Policy.

Cookie Categories

Essential Cookies:
  • Account Authentication: Maintaining your login session
  • Security: Protecting against fraud and security threats
  • Functionality: Remembering your preferences and settings
Analytics Cookies:
  • Usage Analysis: Understanding how users interact with our platform
  • Performance Monitoring: Identifying and resolving technical issues
  • Service Improvement: Enhancing user experience based on usage patterns
Marketing Cookies:
  • Targeted Advertising: Showing relevant property advertisements
  • Campaign Measurement: Measuring effectiveness of marketing efforts
  • Social Media Integration: Enabling social sharing features

Your Cookie Choices

Consent Management: You can manage your cookie preferences through our cookie banner and preference center.

Browser Settings: You can control cookies through your browser settings, though this may affect platform functionality.

Opt-Out: You can opt out of analytics cookies while maintaining essential functionality.

Data Security

We implement comprehensive technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Security Measures

Technical Safeguards:
  • Encryption: Data encrypted in transit and at rest using industry-standard protocols
  • Access Controls: Role-based access restrictions and authentication systems
  • Network Security: Firewall protection and intrusion detection systems
  • Regular Updates: Continuous security patches and system updates

Organizational Measures:

  • Staff Training: Regular data protection and security awareness training
  • Access Policies: Strict policies governing employee access to personal data
  • Incident Response: Comprehensive procedures for security incident management
  • Vendor Management: Due diligence and contractual requirements for third-party processors

Payment Security:

  • All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor
  • We do not store complete payment card information on our systems
  • Payment data is tokenized and encrypted using industry-leading security standards

Data Breach Response

In the unlikely event of a data breach that may affect your rights and freedoms:

  • Supervisory Authority Notification: We will notify relevant authorities within 72 hours
  • User Notification: You will be informed without undue delay if the breach presents high risk
  • Remedial Action: We will take immediate steps to contain the breach and prevent further unauthorized access
  • Investigation: We will conduct thorough investigations and implement additional safeguards as necessary

Marketing Communications

We respect your communication preferences and provide clear controls over marketing messages.

Types of Communications

Service Communications (Legitimate Interests):
  • Account notifications and security alerts
  • Important platform updates and changes
  • Customer service responses and support
  • Legal and compliance notifications
Marketing Communications (Consent Required):
  • Property alerts and recommendations
  • Platform feature announcements
  • Market insights and research reports
  • Special offers and premium service promotions

Managing Your Preferences

Email Marketing:
  • Opt-In: We obtain explicit consent before sending marketing emails
  • Unsubscribe: Contact us at [email protected] to unsubscribe from marketing communications
  • Granular Control: You can select specific types of marketing communications by contacting us
  • Account Settings: Manage all communication preferences through your account
SMS Marketing:
  • Prior Consent: SMS marketing requires explicit opt-in consent
  • Easy Opt-Out: Reply STOP to any marketing SMS to unsubscribe or contact [email protected]
  • Frequency Control: You control the frequency of SMS notifications

Age Restrictions and Children’s Privacy

Our services are not intended for children under 16 years of age, and we do not knowingly collect personal information from children.

Age Verification

  • Account Creation: Users must confirm they are 16 or older to create accounts
  • Parental Consent: Users under 16 require verifiable parental consent
  • Content Restrictions: Age-appropriate content and communication safeguards

If We Learn of Child Data Collection

If we discover we have collected information from a child under 16 without proper consent:

  • We will promptly delete the information
  • We will notify parents/guardians where contact information is available
  • We will implement additional safeguards to prevent future unauthorized collection

Changes to This Privacy Policy

We may update this privacy policy periodically to reflect changes in our practices, services, or applicable laws.

Notification of Changes

Material Changes:
  • Email Notification: Registered users will receive email updates about significant changes
  • Website Notice: Prominent notices will be displayed on our platform
  • Advance Notice: We provide reasonable advance notice before changes take effect
Minor Updates:
  • Effective Date: Updated effective date displayed at the top of this policy
  • Change Log: Summary of modifications available upon request
  • Regular Review: We recommend reviewing this policy periodically

Continued Use

Your continued use of our services after policy changes constitutes acceptance of the updated terms. If you disagree with changes, you may close your account and cease using our services.

Complaints and Supervisory Authorities

You have the right to lodge complaints about our data processing practices with relevant supervisory authorities.

Supervisory Authority Contacts

Albania:
  • Information and Data Protection Commissioner (IDPC)
  • Address: Rr. “Abdi Toptani”, Nd. 5, Postal Code 1001, Tirana, Albania
  • Phone: +355 42 23 7200
  • Email: [email protected]
European Union:

Contact information for your local data protection authority available at: ec.europa.eu/justice/dataprotection/bodies/authorities/index_en.htm

United Kingdom:
  • Information Commissioner’s Office (ICO)
  • Website: ico.org.uk
  • Phone: 0303 123 1113

Internal Complaint Handling

Our Commitment:
  • Prompt Response: We acknowledge complaints within 3 business days
  • Thorough Investigation: Comprehensive review of all privacy complaints
  • Resolution Reporting: Clear communication of investigation outcomes
  • Corrective Action: Implementation of necessary improvements
How to File Complaints:
  • Email: [email protected]
  • Subject Line: “Privacy Complaint”
  • Details: Please provide specific information about your concerns

Contact Information

For questions, concerns, or requests regarding this privacy policy or our data processing practices:

All Privacy Inquiries: [email protected]
General Inquiries: [email protected]

Postal Address:
Troja.al Privacy Team
[Business Address]
Albania

Response Commitment: We respond to privacy inquiries within 5 business days and fulfill data subject requests within the timeframes required by applicable law.



This privacy policy is designed to comply with the Albanian Law No. 124/2024 “On the Protection of Personal Data,” the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and other applicable privacy laws. The policy provides maximum legal protection while ensuring transparency and user rights protection.
