Effective Date: November 17, 2025
Last Updated: November 17, 2025
Version: 1.1
ebba, Inc. ("ebba", "we", "us") provides a data-insights and analytics platform for real estate portfolio analysis. We are committed to protecting personal data and complying with the EU General Data Protection Regulation (GDPR) and the EU–U.S. Data Privacy Framework (DPF).
Entity: ebba, Inc.
Registered in: Delaware, United States
Email: privacy@ebba-ai.com
Website: https://www.ebba-ai.com
For GDPR purposes, ebba acts as a Data Processor on behalf of its EEA-based customers (Controllers).
Since ebba is incorporated outside the EEA, it has appointed an EU Representative under Article 27 GDPR:
EU Representative: L.v. Thiel, Lyvins
Email: ebba@lyvins.nl
ebba, Inc. complies with the EU–U.S. Data Privacy Framework (DPF) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union to the United States.
ebba, Inc. has certified that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity, access, and recourse/enforcement/liability.
To learn more, visit https://www.dataprivacyframework.gov/
ebba, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
All customer production data is stored and processed exclusively within the European Economic Area (EEA).
Because ebba, Inc. is a U.S.-incorporated entity, any processing of personal data on behalf of our EEA-based customers constitutes a "data transfer" under the GDPR, regardless of where the data is physically located. We legitimize these transfers through our participation in the EU–U.S. Data Privacy Framework (DPF), which provides an adequacy mechanism recognized by the European Commission.
As an additional safeguard, all ebba, Inc. personnel with access to customer data are located within the EEA, and all data is hosted exclusively on EEA-based infrastructure.
ebba, Inc. does not rely on GDPR Article 49 derogations and instead relies exclusively on the EU–U.S. Data Privacy Framework and, where applicable, the 2021 Standard Contractual Clauses (SCCs).
We process limited personal data:
We do not process special categories of personal data.
Personal data is processed solely to deliver, maintain, and improve our services, provide support, and meet contractual obligations with customers.
Personal data is retained for the duration of the customer relationship and deleted or anonymized within 30 days following contract termination, unless longer retention is required by law.
Individuals in the EEA have rights of access, rectification, erasure, restriction, portability, and objection under GDPR.
Requests may be directed to privacy@ebba-ai.com or to our EU Representative.
We coordinate with the Controller to ensure such requests are properly fulfilled.
ebba implements strict security measures, including:
In compliance with the DPF, ebba, Inc. commits to resolving complaints about the collection or use of personal data.
EU individuals may contact us directly at privacy@ebba-ai.com.
Unresolved complaints may be referred to our independent recourse mechanism, the International Centre for Dispute Resolution (AAA/ICDR), at no cost.
Under certain conditions, individuals may invoke binding arbitration before the DPF Panel.
This independent recourse mechanism is provided at no cost to the individual.
We may update this Privacy Policy periodically. Any significant changes will be posted on our website with a new effective date.
If you have questions about this policy or wish to exercise your rights, please contact us first:
Data Protection Contact: privacy@ebba-ai.com
Because ebba, Inc. is established outside the EU, we have appointed an EU Representative pursuant to Article 27 GDPR:
EU Representative:
L.v. Thiel, Lyvins (ebba@lyvins.nl)