Privacy Policy
Rocks Investments (“we”, “our”, “us”) operates the website rocksinvestments.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights as a data subject. We are registered real estate brokers (CRECI-SC 8761-J) operating under Brazilian law.
We comply with Brazil’s Lei Geral de Proteção de Dados (LGPD — Law 13.709/2018), the European Union’s General Data Protection Regulation (GDPR) for residents of the EU and EEA, and the California Consumer Privacy Act (CCPA) for California residents.
1. Data Controller
The data controller responsible for your personal information is:
Rocks Investments
CRECI-SC 8761-J
Santa Catarina, Brazil
Email: info@rocksinvestments.com
Website: rocksinvestments.com
For all data-related enquiries — including access requests, correction, deletion, or complaints — please contact us at the email address above. We aim to respond within 30 days.
2. Data We Collect and Why
2.1 Contact and Lead Data
When you submit an enquiry form or engage with our WhatsApp/messaging integrations, we collect:
- Full name
- Phone number (WhatsApp, Telegram, or WeChat)
- Email address
- Property interest, budget range, and location preferences (if provided)
- Free-text message or requirements
Legal basis (LGPD / GDPR): Legitimate interest in responding to your enquiry; pre-contractual steps at your request. Where we send marketing follow-ups, we rely on your consent or legitimate interest, which you may withdraw at any time.
2.2 Session and Behavioural Data
When you visit our site, we automatically collect anonymised session data to understand how visitors use the site and to improve our property recommendations. This includes:
- A session identifier (per browser tab, cleared when you close the tab)
- Browser language and timezone (from browser APIs — no IP geolocation)
- Device type (mobile / tablet / desktop — derived from user-agent string)
- The page or URL you came from (referrer)
- UTM parameters from marketing campaigns (if present in the URL)
- Pages viewed, properties clicked, time spent, and form interactions
Legal basis (LGPD / GDPR): Legitimate interest in improving our service. No names, emails, or phone numbers are linked to session data unless you submit an enquiry form.
2.3 Persistent Visitor Identifier (Consent Required)
With your explicit consent (“Accept All” on the consent banner), we store a randomly-generated identifier in your browser’s localStorage that persists across visits. This lets us understand return visitor behaviour and personalise content. This identifier contains no personal information — it is a random UUID.
Legal basis (LGPD / GDPR): Consent. You may withdraw consent at any time via our Cookie Policy page.
2.4 Email Engagement Data
If we send you email communications, we use Resend to deliver them. Resend may track whether the email was opened or links were clicked. This data is used solely to assess the effectiveness of our communications and ensure delivery.
3. Browser Storage (Local & Session Storage)
We do not set HTTP cookies for tracking. Instead, we use the browser’s built-in localStorage and sessionStorage APIs. Under GDPR’s ePrivacy Directive, these are treated equivalently to cookies for consent purposes.
For a full breakdown of every storage key we use, visit our Cookie & Storage Policy.
4. Third-Party Data Processors
We share data with the following processors who act on our behalf under appropriate data processing agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database & API | All lead and session data | United States (AWS us-east-1) |
| Vercel | Hosting & Web Analytics | Anonymised page view data | United States / Global CDN |
| Cloudflare R2 | Media storage (property images) | No personal data | Global CDN |
| Resend | Transactional email | Name, email address | United States |
| Anthropic | AI content generation (internal) | No personal data sent | United States |
| WhatsApp / Meta | Messaging | Phone number (when you initiate chat) | Global |
For EU/EEA residents, transfers to processors in the United States are conducted under the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) where applicable. You may request details of specific transfer mechanisms by contacting us.
5. Data Retention
- Lead / contact data: Retained for up to 3 years from last contact, or until you request deletion, whichever comes first.
- Session and analytics data: Retained for 12 months, then deleted or anonymised.
- Email engagement logs: Retained for 12 months.
- Persistent visitor identifier (localStorage): Stored in your browser until you clear your storage or withdraw consent. No server-side expiry — it is removed from our servers when you request deletion.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Under LGPD (Brazil)
- Access: Request a copy of your personal data.
- Correction: Request correction of inaccurate data.
- Anonymisation or Deletion: Request anonymisation or deletion of unnecessary data.
- Portability: Request transfer of your data to another service provider.
- Revocation of Consent: Withdraw consent at any time.
- Information: Request information on third parties with whom your data has been shared.
Under GDPR (EU / EEA residents)
- Access (Art. 15): Obtain a copy of your data.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): “Right to be forgotten” where applicable.
- Restriction (Art. 18): Limit processing in certain circumstances.
- Portability (Art. 20): Receive your data in a machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent (Art. 7): At any time, without affecting prior processing.
To exercise any of these rights, email us at info@rocksinvestments.com with the subject line “Data Request”. We will respond within 30 days. EU residents also have the right to lodge a complaint with their national supervisory authority (e.g., the German DPA — Datenschutzbehörde; the Portuguese CNPD).
7. Children’s Privacy
Our website is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it promptly.
8. Security
We implement industry-standard technical and organisational measures to protect your data, including encrypted storage (Supabase / PostgreSQL with TLS in transit), role-based access control, and row-level security policies. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security but are committed to protecting your data.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of our website after changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.
10. Contact Us
For any questions about this Privacy Policy or to exercise your data rights, please contact:
Rocks Investments — Data Privacy
Email: info@rocksinvestments.com
Subject line: “Data Request” or “Privacy Enquiry”