Estateguru Privacy Rules

Privacy Rules

Effective as of 12/04/2024

Each company of the Estateguru group (collectively, “Estateguru” or “we”) recognizes the importance of the proper and adequate protection of personal data of natural persons. This Privacy Statement helps you to understand why and how we process your data. We explain how we collect and use as well as what we do to protect your data and what are your rights in relation to your personal data.

This Privacy Statement is applicable to you if you are our investor, a representative or related party to a legal entity investor or borrower, if you submit an information request on our website or contact us for any other purpose, if we have received your personal data from third parties, and if you visit our Portal at or any of its sub-pages.

1. Terms and definitions

Any capitalized terms used in this Privacy Statement which are not defined herein, follow the definitions provided in the Estateguru User Terms.

Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of personal data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller – the natural or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Joint Controller – two or more controllers who jointly determine the purposes and means of data processing. They have equal responsibilities for compliance with the obligations under the GDPR in ensuring the rights of the data subject are met, the data subjects are appropriately informed and there is designated contact point for data subjects.

Processor – a natural or legal entity, public authority, agency or other body which processes personal data on behalf of the controller.

Third party – a natural or legal entity, public authority, agency or body other than the data subject, controller, processor or persons who process personal data under the direct authority of the controller or processor.

Data subject – a person whose personal data is processed (e.g. an Investor who is a natural person, a visitor of our Portal at or any of its sub-pages, a representative, shareholder, ultimate beneficial owner or a contact person of a legal entity).

2. The categories of personal data we process

We collect the following personal data:

Identification data – first and last name, a national identification number (e.g. personal identification code, social security number) and/or date of birth, age, language, copy of an identification document with a photo (including the following data: date of issue and validity of the document,  gender, citizenship) and other data needed for a person’s identification (for a more specific description of data processing upon identification, please refer to the privacy terms of our identification service providers Veriff and Onfido;

Contact data – phone number, e-mail address, contact address;

Due diligence data – data which is necessary to take due diligence measures regarding creditworthiness, anti-money laundering, risk assessment and prevention of terrorism financing and to comply with international sanctions, including your residency data, area of activity, origin of funds and assets used in transactions, criminal records about any other person connected to the borrower and qualifications or connections to politically exposed persons;

Transaction data – data related to the financial transactions you make via the Portal, including data on invested and available funds, loan contracts, incoming and outgoing payments, debts etc. 

Bank account data – name of the account holder, account number, IBAN, Swift code (BIC) and the name of the bank;

User preferences of the Portal – data related to the preferences and settings defined by the Portal User;

Contract data – any contracts negotiated or concluded by the User via the Portal;

Loan guarantor data – identification and contact data of collateral provider, proof of assets (including data on mortgaged assets or other collateral) used in guaranteeing the loan; 

Portal data – data on the Portal visitors’ sessions, cookies, and IP addresses, time and number of log-ins, including log-ins via Facebook, LinkedIn or other third-party service provider;

Communication data – personal data related to any communication with you e.g. data from e-mails or chatbot conversations with Estateguru.  

3. Purpose and legal basis for processing personal data

Estateguru processes personal data under the following legal grounds. 

3.1 Data processing required for performance of a contract.

We are processing personal data when this is necessary for the performance of a contract concluded with you or for taking the necessary measures prior to signing of the contract.  

Purpose of processing

Personal data categories

Portal management, including User registration

Identification data, contact data, due diligence data, bank account data, transaction data, contract data and Portal data

Management of Loan Contracts on the Portal

Contract data, loan guarantor data

Processing payments via Portal

Bank account data


3.2. Processing to fulfil legal obligations of Estateguru

Legal obligations of processing include all personal data processing under relevant laws and regulations in all of our locations, for example the European Crowdfunding Regulation (Regulation (EU) 2020/1503) and other European and domestic financial sector regulations and accounting laws. These laws and regulations mandate the type of data collected and data retention periods. 

Purpose of processing

Personal data categories

Accounting, processing payments to Borrowers, Investors and to vendors

Identification data, contact data, transaction data, bank account data

Fulfilling the requirements of applicable domestic laws in the countries where Estateguru operates and EU legislation

Identification and due diligence data (e.g in Latvia criminal record)

Keeping the records as required by the Regulation (EU) 2020/1503 on European crowdfunding service providers for business

All the records related to Estateguru services and transactions

Handling complaints and inquiries from data subjects

Depends on each individual case


3.3. Data processing based on Estateguru’s legitimate interest

A legitimate interest means that data processing is necessary for our business purposes. We process personal data based on our legitimate interest only if we have conducted a balance test to measure the impact of the processing on your privacy and data protection rights. You have a right to receive additional information about our or third-party legitimate interest and to object to the personal data processing. If you object to the processing of your personal data under our legitimate interests, we shall no longer process the personal data for that purpose unless we demonstrate compelling legitimate grounds for the processing. When you

personal data shall no longer be processed for such purposes.

Purpose of processing

Personal data categories

Sending User communications like newsletters, loan portfolio information, information on service updates and requests for User feedback to improve our services

Contact data, Portal data and contract data

User profiling (see below)*

Contact data, due diligence data, Portal data and contract data

Performing solvency and creditworthiness assessment on Borrowers, including the related natural persons

Contact data, due diligence data

Due diligence checks of Users

Identification data, contact data and due diligence data (i.e criminal records in Estonia and Lithuania)

*User profiling

We use different data processing technologies to process your data using mathematical analysis, statistics or other methods that enable us to create investor profiles, establish probabilities and intermediate to you suitable investment opportunities. The information received gives us an opportunity to evaluate and predict your preferences in investment and offer to you the investment options matching your expectations. We might also need to profile our Users when performing risk assessment or for anti-money laundering purposes.  

3.4. Data processing based on your consent

When processing personal data with consent as a lawful basis, we limit the use of your data to those processing activities you have consented to. You can take back your consent at any given time and as easily as it was given.

Purpose of processing

Personal data categories

Marketing communications

Contact data

Cookies (except for necessary cookies) 

Portal data


You have a right to withdraw your consent at any time by contacting us at: and we will delete the data we are processing based on your consent, unless we also need the personal data for processing activities conducted under other legal bases. 

4. The sources of personal data

We collect your personal data from the following sources: 

  • Directly from you;

  • Third parties such as public registers (e.g real estate register, building register, business register);

  • Identity verification service providers;

  • Solvency and credit information service providers.

Please note that if you provide Estateguru any personal data of third persons (e.g. when disclosing the data of a collateral provider), it is your responsibility to make sure you have the right to do so (for example you have the data subject’s consent). 

5. Managing access and disclosures of personal data by Estateguru

Internally, we need to share personal data about our Users between different Estateguru entities for administrative and marketing purposes, and to the extent it is needed to provide and develop the services. Inside our organisation your personal data is accessible only to those Estateguru employees who need the data to perform their work duties (on so-called need-to-know basis). 

Outside Estateguru, in a manner strictly limited by necessity and pursuant to the purposes, Estateguru may transfer data to the following categories of third party service providers such as: IT maintenance service, server housing, e-mail service, website administration, audit, legal counseling.

Estateguru also needs to disclose your personal data to third persons who are independent controllers in the following situations:

  • if legally obliged, your data shall be disclosed to public authorities and institutions (e.g. police, courts, data protection supervisory authorities);

  • banks, payment or e-money institutions providing payment transfer services to whom we transfer personal data related to payments to fulfil the agreement concluded between you and us or to apply prevention of money laundering and terrorism financing measures;

  • in exceptional cases, we might have to disclose certain limited amount of personal data to any entity who provides or intends to provide financing to Estateguru (including by giving a loan or purchasing any type of debt instrument) or is involved in the relevant process as an intermediary or advisor; 

  • for debt collection purposes to the courts, bailiffs and debt collection service providers. 

We conclude a data sharing agreement with our partners to ensure secure processing of personal data. These contracts oblige the other parties to: 

  • take appropriate measures to ensure confidentiality and security of the personal and 

  • process personal data in compliance with legal requirements and the agreement.

6. Transfer to third countries

A third country is a country other than the EU member state, EEA country or a country that doesn’t have a European Commission adequacy decision. 

We do not store or transfer your data outside the European Economic Area or to third countries which the European Commission does not consider as having an adequate level of protection of personal data, except for cases described herein. If necessary, the transfer will only take place if we have a legal basis for it, in particular if we have concluded an agreement with the recipient which meets the requirements established in GDPR for the transfer of personal data outside the EEA and have applied other relevant measures to ensure the security of the transfer.

Estateguru is using the services of one of our affiliates, EstateGuru Technology LLC in Armenia for IT and technological support services. In the course of providing these services, some employees of EstateGuru Technology LLC may have access to your personal data. We are making sure your data is processed according to the high standards of GDPR by keeping in place a data processing agreement and the Standard Contractual Clauses, to implement appropriate technical and organisational measures and ensure that your rights are protected. 

7. Data retention periods

Your personal data is retained for as long as required by legal requirements applicable in the relevant country of operations, or until the purpose of processing is fulfilled. Below are some examples of data retention periods:

Retention period


Until withdrawal of consent for processing based on consent

We delete the data that we process solely under your consent immediately after you withdraw the consent.

5 years

The data we collect when applying measures for the prevention of money laundering and terrorism financing

7 years

All accounting base documents such as, base documents for transaction conducted via our platform (loan agreements, repayment schedules, invoices).

3 years (after expiry or termination of contract)

Identification data and contact data to protect us against potential claims or to file a claim for protecting ourselves and our own rights


8.  Security of your personal data

Estateguru applies necessary legal, organisational, physical and technical security measures to protect your personal data, as specified in dedicated internal rules of Estateguru. Some examples of the measures we use:

Physical measures – the offices are locked and paper-based documents containing personal data are stored in locked cabinets. 

Technical measures – computers are password protected and encrypted as necessary; firewalls and antivirus programmes are in use; backups are done regularly; all IT system users are assigned roles and profiles.

Organisational measures – data protection, information security and access management policy; regular employee training, confidentiality requirements for employees.

9. Your rights concerning your personal data

You have the right to receive information what data we process about you and receive a copy of the personal data we hold about you. 

You have the right to request deletion of your personal data. Please keep in mind that we cannot delete any data that we process to fulfill contractual or legal obligation. 

You have the right to object to or restrict the processing of your personal data.

You have the right to data portability which means that if technologically possible we can forward your data in a digital format to other similar service.

We always make sure that a person requesting information about themselves or submitting any other data subject request is identified and is entitled to exercise the above-mentioned data subject’s rights. For this reason, you may have to prove your identity or right to make the request.

If you have any queries about how we process your data please contact us at:

10. Data controller and contact information

Estateguru OÜ is the Controller for all Investor and Borrower data you have registered on the Portal, for our supplier or partner personal data and for the data of our Portal visitors.

Estateguru OÜ (registry code: 12558919)

Tartu mnt 2 

Tallinn 10145


We are a joint controller with Lemonway SAS in the processing of the payments related to loans granted via Estateguru Portal. 

Lemonway SAS (registry code: 500 486 915)

8 rue de Sentier

Paris 75002


Our Armenian entity, EstateGuru Technology LLC, acts as a data processor when providing IT services to other entities of Estateguru.  

11. Contact data of DPO

We have a Data Protection Officer (DPO) overseeing data protection at Estateguru group level. If you have any questions regarding this Privacy Statement or our processing of personal data, please contact us at:

12. The right to submit a complaint to the data protection supervisory authority

In case you consider your privacy and data protection rights breached you have the right to lodge a complaint to a data protection regulator at locations where we operate. 


13. Changes to the Privacy Statement

Personal privacy is important to Estateguru and we update this Privacy Statement regularly. The version published on our website is always the latest version.

14. Cookies

A cookie is a small piece of data or message that is sent from an organisation’s web server to your web browser and is then stored on your hard drive. Cookies cannot read data off your hard drive or cookie files created by other sites, and do not damage your system.

However, you can reset your browser to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit

If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.








This cookie is used to a profile based on user’s interest and display personalized ads to the users.

6 months



This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.

3 months



This cookie is a browser ID cookie set by Linked share Buttons and ad tags.

2 years



This cookie is used by Google Analytics to understand user interaction with the website.

3 months



This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.

1 day



This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

2 years



This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.

30 minutes



This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

1 year 24 days



This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

1 year 24 days



The cookie is used by Google and is used for Google Single Sign On.

7978 years 6 months 21 days 19 minutes



This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.




This cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.

2 years



This cookie is set by LinkedIn and used for routing.

1 day



This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.




This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.

30 minutes



This cookie is native to PHP applications. The cookie is used to store and identify a users’ unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.




This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.




This cookie is set by the provider Infoniqa engage, used for webforms in a website. The cookie stores the language for the application process.

10 years



No description

2 years 8 months 26 days



No description

1 minute



No description

2 years



This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.

1 year



Linkedin – Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.

1 month



No description

1 month



No description

2 years



No description

2 minutes



No description

30 minutes



This cookie is used to determine a user’s inclusion in an experiment and the expiry of experiments a user has been included in.

2 months 2 days

Privacy Rules

English (PDF)

Explore our Knowledge Hub