SodaBrothersBack to home

Privacy Policy

Last updated: February 2026

1. Who We Are

SodaBrothers AS (“SodaBrothers”, “we”, “us”) operates a pan-European buy-to-let (BTL) mortgage platform for professional landlords and corporate borrowers. We are the data controller responsible for your personal data. You can reach us at info@sodabrothers.eu.

2. Data We Collect

We collect the following categories of personal data:

  • Identity data: full name, date of birth, nationality, tax identification number (NIF/NIE)
  • Contact data: email address, phone number, postal address
  • Financial data: income details, existing mortgage/debt information, bank account details (IBAN)
  • Property data: property addresses, valuations, rental income, cadastral references
  • KYC/AML data: identity documents, proof of address, verification results via our KYC provider (Sumsub)
  • Technical data: IP address, browser type, device information, cookies
  • Usage data: pages visited, time on site, interaction patterns

3. Legal Basis for Processing

We process your data under the following legal bases (GDPR Art. 6):

  • Contractual necessity: to assess your mortgage application, generate quotes, and service your loan
  • Legal obligation: AML/KYC compliance, tax reporting, regulatory requirements (Spanish Law 10/2010 on anti-money laundering)
  • Legitimate interest: fraud prevention, platform security, internal analytics, improving our services
  • Consent: marketing communications and optional cookies (you may withdraw consent at any time)

4. How We Use Your Data

  • Assessing mortgage applications and creditworthiness
  • Generating and delivering mortgage quotes
  • Performing identity verification and anti-money laundering checks
  • Servicing active loans (payment processing, statements, communications)
  • Complying with legal and regulatory obligations
  • Communicating with you about your application or account
  • Improving our platform and detecting fraud

5. Data Sharing

We may share your personal data with:

  • KYC/AML providers: Sumsub (identity verification)
  • Payment processors: for SEPA direct debit and fund transfers
  • Notaries: as required for Spanish mortgage deed execution
  • Regulatory authorities: when required by law (Banco de España, SEPBLAC, tax authorities)
  • Warehouse lenders & institutional investors: anonymised or pseudonymised loan data for funding and securitization
  • Cloud infrastructure: Supabase (database), Vercel (hosting) — all EU-hosted or with adequate safeguards

We do not sell your personal data to third parties.

6. International Transfers

Your data is primarily stored within the European Economic Area (EEA). Where we use service providers outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

  • Quotes: 12 months from creation
  • Applications (not approved): 3 years from decision
  • Active loans: duration of the loan plus 10 years (legal obligation)
  • KYC data: 10 years after end of business relationship (AML requirement)
  • Marketing data: until you withdraw consent

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data where legally permitted (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability — receive your data in a structured format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at info@sodabrothers.eu. We will respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. Analytics cookies are only placed with your consent. You can manage cookie preferences through your browser settings.

10. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted storage, access controls, and regular security reviews. For more details, see our risk statement.

11. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with your local supervisory authority.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice on our platform. The “last updated” date at the top reflects the latest revision.