Effective as of 14.09.2021

Each company of the Estateguru Holding OÜ (collectively, “EstateGuru” or “we”) recognizes the importance of the proper and adequate protection of personal data of natural persons. This privacy policy helps you to understand why and how we process your data. We explain how we collect and use your data, what we do to protect it, and what your rights are in relation to your personal data.


This privacy policy is applicable to you if you are our investor, a representative or related party to a legal entity investor or borrower, if you submit an information request on our website or contact us for any other purpose, if we have received your personal data from third parties, and if you visit our websites:


1. Terms and definitions

Personal data – means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing of personal data – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller –  means the natural or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Joint-controller – two or more controllers who jointly determine the purposes and means of data processing. They have equal responsibilities for compliance with the obligations under the GDPR in ensuring the rights of the data subject are met, the data subjects are appropriately informed and there is a designated contact point for data subjects.

Processor – means a natural or legal entity, public authority, agency or other body which processes personal data on behalf of the controller;

Third party – means a natural or legal entity, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Data subject – a person whose personal data is processed (e.g. client who is a natural person, website user or a contact person of a legal entity client).

Investor – a person who through our platform invests in pre-vetted, short-term, property-backed loans in Europe. 

Investor data – natural person who has registered as a user on the platform. When an investor is a legal entity, then the personal data is the name, ID number, date of birth, and contact data of a natural person related to that legal entity.

Borrower – a legal entity receiving finance for their real estate development project.

Borrower data – personal data of natural persons related to the borrower, including but not limited to the contact person, the managers and the beneficial owners of the borrower and any natural persons providing collateral for securing the financing transaction concluded with the borrower. Borrower data also includes loan guarantors' data; a guarantor can be a legal entity (company) or a natural person. We ask for loan guarantors to make investments more secure for our investors.

User – EstateGuru’s investor or borrower. When the investor or borrower is a legal entity, then the contact data of a natural person of that legal entity.

2. The controller 

EstateGuru can be a controller, joint-controller or processor in various personal data processes. 

EstateGuru OÜ is the controller for all investor and borrower data, for all data you have registered on our website, for all data we obtain through public registers or internet, for our supplier or partner personal data and for the data of website visitors.

EstateGuru OÜ (registry code: 12558919)

Tartu mnt 2 

Tallinn 10145



We are joint-controller with Lemonway SAS in the payment processing for loans and investors based in Finland, Germany and Lithuania.

Lemonway SAS (registry code: 500 486 915)

8 rue de Sentier

Paris 75002



3. Contact data of DPO

We have a DPO overseeing data protection at group level. If you have any questions regarding this privacy policy or our processing of personal data or have requests regarding your personal data, please contact us at:


4. What type of personal data do we process?

We directly collect the following personal data:

Identification data – first and last name, personal code and/or date of birth, age, language and profession; 

Contact data – phone number, e-mail address, home address;

Authentication data – personal ID number and type, date of issue and validity of an identification document with a photo, gender and citizenship;

Compliance data – to apply know-your-customer, anti-money laundering and prevention of terrorism financing principles, we conduct background checks when you join us and monitor your transactions once you are our client. The data we check includes, but is not limited to, your residency data, profession, origin of funds used in transactions, qualifications or connections to politically exposed persons, and whether or not you are subject to international financial sanctions;

Transactions data – financial transactions made via the portal, user’s preferences of transaction profile types and user’s automatic lending placement settings;

Contract data – any contracts concluded by the user via the portal;

Bank account data – for natural persons: account holder, account number, IBAN, Swift, name of the bank;

Payment services data – for natural persons: name, surname, e-mail, date of birth, country of residence, nationality, proof of residence, copy of identification document and IP address used for registration, payer or recipient.

Loan guarantor data – identification and contact data, bank account data, proof of assets used in guaranteeing the loan. 

Usage data – time and number of log-ins, including log-ins via Facebook, LinkedIn or other third-party service provider and log-in token.

Internet data – data on website visitors’ sessions, cookies, log data and IP addresses.


5. Purpose of processing and lawful basis when processing your personal data

EstateGuru processes personal data to ensure performance of a contract, to comply with legal obligations, out of legitimate interest, or with data subject’s consent.


5.1 Data processing required for performance of a contract.

Data processing is necessary for performance of a contract concluded with you or for taking measures required prior to signing of the contract.  

Purpose of processing – Personal data categories

identification data, contact data, authentication data, compliance data, bank account data, transactions data, contract data, usage data and internet data

Borrowing (legal entity) – identification data, contact data, authentication data, compliance data, bank account data, usage and internet data

Registering on the platform – identification data, contact data, compliance data

Commencing investments – bank account data

5.2. Processing to fulfil legal obligations of EstateGuru

Legal obligations of processing include all personal data processing under relevant laws and regulations in all of our locations, for example European financial sector regulations, accounting law or crowdfunding regulations. These laws and regulations mandate the type of data collected and data retention periods.

Purposes of processing – Personal data categories

Compliance checks of borrowers – contact data, identification data and compliance data

Accounting, payments to investors and to vendors – identification data and contact data

Republic of Lithuania Law on Financial Institutions and The Finnish Crowdfunding Act – identification and compliance data

Responding to public authorities’ and state institutions’ information requests – contact data


5.3. Data processing based on EstateGuru’s legitimate interest

A legitimate interest means that data processing is necessary for our business purposes. We process personal data based on our legitimate interest only if we have conducted a balance test to measure the impact of the processing on your privacy and data protection rights. You have a right to receive additional information about our or a third party's legitimate interest and to object to the personal data processing. If you object to the processing of your personal data under our legitimate interests, we shall no longer process the personal data for that purpose unless we demonstrate compelling legitimate grounds for the processing. When you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Purpose of processing – Personal data categories

Investor updates of investment performance – contact data, usage data and contract data

Investor profiling (see below) – contact data, usage data, internet data and contract data

Suggesting investment targets to investors – usage data and internet data

Borrower suggested loan guarantors to add additional security to a loan – loan guarantor data

Investor profiling 

We use different data processing technologies to process your data using mathematical analysis, statistics or other methods that enable us to create investor profiles, establish probabilities and match you with suitable investment opportunities. The information received gives us an opportunity to evaluate and predict your investment preferences and offer you investment options matching your expectations.


5.4. Data processing based on your consent

When processing personal data with consent as the lawful basis, we only process specifically what you have consented to. The consent is freely given, specific and informed. You can withdraw consent at any time, and withdrawing it is as easy as giving it.

Purpose of processing – Personal data categories

Contact data

Cookies (except for necessary cookies) – internet data

When you give consent you have a right to withdraw your consent at any time by contacting us at: and we will delete the data we are processing based on your consent unless we also need the personal data for personal data processing activities conducted under other legal bases. 

For more information about the use of cookies, please see also our Cookie Policy.


6. How do we collect your personal data?

We collect your personal data from the following sources: 

  • Directly from you;

  • Indirectly from third parties such as public authorities, identity verification service providers;

  • If you are a related person to our legal entity client (investor or borrower) such as a representative, a manager, an owner or a beneficial owner.


7. Who else processes your data in addition to EstateGuru?

Inside our organisation your personal data is accessible only to those EstateGuru employees who need the data to perform their work duties (on a so-called need-to-know basis).

Outside EstateGuru, strictly limited by necessity and pursuant to the purposes, EstateGuru may transfer data to the following categories of data processors who process personal data in the course of providing services to us:

  • service providers such as (not a complete list and subject to change): IT maintenance service provider, server housing, e-mail server provider, website administrator, auditor, lawyers, institutional investors (such as banks, property developers etc.);

  • if legally obliged, public authorities and institutions (e.g. police, courts, alarm centre, Data Protection Inspectorate);

  • banks, payment or e-money institutions providing payment transfer services to whom we transfer personal data related to payments to fulfil the agreement concluded between you and us or to apply prevention of money laundering and terrorism financing measures.

We have concluded a data protection agreement with our partners and recruiting companies to ensure secure processing of personal data. These contracts oblige the other parties to: 

  • take appropriate measures to ensure confidentiality and security of the personal data; and

  • process personal data in compliance with legal requirements and the agreement.

We do not store or transfer your data outside the European Economic Area or to countries which the European Commission considers to have an adequate level of protection of personal data, except for cases described in chapter 8. If necessary, the transfer will only take place if we have a legal basis for it, in particular if we have concluded an agreement with the recipient which meets the requirements established in GDPR for the transfer of personal data outside the EEA and have applied other relevant measures to ensure the security of the transfer.

To ensure your privacy rights are protected, EstateGuru abides by confidentiality principles and strictly limits disclosure of personal data.


8. Transfer to third countries

A third country is a country other than an EU member state, EEA country or a country that doesn’t have a European Commission adequacy decision. If you are our investor from Finland or Lithuania, we transfer your personal data to third countries to facilitate the payments. The payments are made via our joint-controller and their approved and vetted sub-processors.

9. How long do we retain your personal data?

Your personal data is retained for as long as required by legal requirements or until the purpose of processing is fulfilled. Below are some examples of data retention periods:

Retention period


Until withdrawal of consent for processing based on consent – we delete the data that we process solely under your consent immediately after you withdraw the consent.

5 years – the data we collect when applying measures for the prevention of money laundering and terrorism financing.

7 years – all accounting base documents, such as base documents for transactions conducted via our platform (loan agreements, repayment schedules, invoices).

3 years (after expiry or termination of contract) – identification data and contact data to protect us against potential claims or to file a claim for protecting ourselves and our own rights.


10.  Security of your personal data

EstateGuru employs necessary legal, organisational, physical and technical security measures to protect your personal data. Some examples of the measures we use:

Physical measures – the offices are locked and paper-based documents containing personal data are stored in locked cabinets. 

Technical measures – computers are password protected and encrypted as necessary; firewalls and antivirus programmes are in use; backups are done regularly; all IT system users are assigned roles and profiles.

Organisational means – data protection, information security and access management policy; regular employee training, confidentiality requirements for employees.


11. Your rights concerning your personal data

11.1 You have the right to receive information about what data we process about you. To receive a copy of the personal data we hold about you, contact us at the e-mail below.

We have a legal obligation to make sure that a person requesting information about themselves is indeed the person who has the right to receive the data. For this reason, you may have to prove your identity or right to request the data.

11.2 You have the right to request deletion of your personal data. Please keep in mind that we cannot delete any data that we process to fulfil a contractual or legal obligation.

11.3 You have the right to object to or restrict the processing of your personal data.

11.4 You have the right to data portability, which means that, if technologically possible, we can forward your data in a digital format to another similar service.

To exercise any of the abovementioned rights, contact us using the contact data given in point 3 of the Policy.


12. The right to submit a complaint to the Data Protection Inspectorate

If you consider your privacy and data protection rights breached, you have the right to lodge a complaint with a data protection regulator at locations where we operate.


13. Changes to the privacy policy

Personal privacy is important to EstateGuru and we update this privacy policy regularly. The version published on our website is always the latest version.


14. Cookies

A cookie is a small piece of data or message that is sent from an organisation's web server to your web browser and is then stored on your hard drive. Cookies can't read data off your hard drive or cookie files created by other sites, and do not damage your system.

However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit

If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.








This cookie is used to create a profile based on the user's interests and display personalized ads to the users.

6 months



This cookie is set by Facebook to deliver advertisements to users when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.

3 months



This cookie is a browser ID cookie set by LinkedIn share buttons and ad tags.

2 years



This cookie is used by Google Analytics to understand user interaction with the website.

3 months



This cookie is installed by Google Analytics. The cookie is used to store information on how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited, in an anonymous form.

1 day



This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

2 years



This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.

30 minutes



This cookie is set by HubSpot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

1 year 24 days



This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

1 year 24 days



The cookie is used by Google and is used for Google Single Sign On.

7978 years 6 months 21 days 19 minutes



This cookie is used to store the language preferences of a user to serve up content in that stored language the next time the user visits the website.




This cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.

2 years



This cookie is set by LinkedIn and used for routing.

1 day



This cookie is used to store the language preferences of a user to serve up content in that stored language the next time the user visits the website.




This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.

30 minutes



This cookie is native to PHP applications. The cookie is used to store and identify a user's unique session ID for the purpose of managing the user session on the website. The cookie is a session cookie and is deleted when all the browser windows are closed.




This cookie is set by HubSpot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.




This cookie is set by the provider Infoniqa engage, used for webforms in a website. The cookie stores the language for the application process.

10 years



No description

2 years 8 months 26 days



No description

1 minute



No description

2 years



This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.

1 year



LinkedIn – used to track visitors on multiple websites, in order to present relevant advertisements based on the visitor's preferences.

1 month



No description

1 month



No description

2 years



No description

2 minutes



No description

30 minutes



This cookie is used to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

2 months 2 days