TaxPortugal

Privacy Policy

Last updated: 2026-05-08

1. Controller

The data controller for personal data processed in connection with the TaxPortugal service is Robertino Martinez, with registered address at Oasis Mar, Lote 2, Portimao, Portugal, taxpayer number 314033521. You can contact us at contact@taxportugal.com.

No Data Protection Officer is appointed because the Operator does not meet the criteria of Article 37 GDPR. For any data-protection question or rights request, please use the contact email above.

2. Personal data we process

Account data: your email address, your name (if provided by Google during sign-in), and authentication metadata (sign-in time, IP address, user-agent, magic-link issuance and consumption).

Profile data: an optional self-declared tax profile (residency status, tax regime, dependents flag, NHR/IFICI status, working language, locale). We do not collect your taxpayer number (NIF), bank-account number (IBAN), monetary amounts, or personal documents, and the system instructs the agent not to write such information into long-term memory.

Conversation data: the questions, messages, and metadata you submit to the agent, the agent's responses, and any notes the agent saves during a thread to maintain context within that thread. Conversations are stored in plain text and tied to your account.

Billing-state data: subscription tier, status, billing cycle, last-payment timestamp, plan quotas, and a Stripe customer identifier. Card details and full payment data are processed exclusively by Stripe; the Operator does not receive or store them.

Technical data: standard server logs (IP address, request path, status code, timestamp) generated by the hosting provider, used for security and abuse prevention.

3. Purposes and lawful bases

We process your personal data to: (a) create and authenticate your account, deliver the Service, and respond to your questions — lawful basis: performance of a contract with you (Art. 6(1)(b) GDPR); (b) process payments, manage subscriptions, and handle billing disputes — lawful basis: performance of a contract (Art. 6(1)(b)) and compliance with our legal obligations under Portuguese tax and commercial law (Art. 6(1)(c)); (c) maintain security, prevent abuse, detect fraud, and enforce our Terms — lawful basis: our legitimate interest in operating a secure service (Art. 6(1)(f)); (d) communicate transactional information (sign-in links, billing receipts, service notices) — lawful basis: performance of a contract; (e) comply with legal obligations including responding to lawful requests from authorities — lawful basis: legal obligation (Art. 6(1)(c)).

We do not use your data for marketing emails or behavioural advertising and we do not sell your data.

4. Recipients and sub-processors

We rely on the following sub-processors to operate the Service. Each is bound by a data-processing agreement and processes your data only on documented instructions from us.

Anthropic, PBC (United States) — generates the AI responses; receives the conversation messages submitted to the agent and any system-prompt context required to answer them.

Cohere, Inc. (United States / Canada) — generates embeddings of the legal corpus only. Cohere does not receive your conversations or profile data.

Stripe Payments Europe, Limited (Ireland) — processes subscription payments; receives the payment details you provide at checkout and your email address. The Operator does not receive your card data.

Resend, Inc. (United States) — delivers magic-link and transactional emails; receives your email address and the email body.

Railway Corp. (United States, EU/Frankfurt region) — provides application hosting and managed Postgres in the European Union; processes all data stored by the Service at rest.

Google Ireland Limited (Ireland) — provides Google sign-in (OAuth); receives a sign-in request initiated by you and returns your basic profile (email, name, profile-picture URL).

Google Ireland Limited / Google LLC — operates Google Ads conversion measurement. When you arrive at the Service from a Google Ads campaign and consent to advertising cookies via the banner, Google receives a conversion event including the purchase amount and currency, the Stripe Checkout Session identifier, and a SHA-256 hash of your email address ("Enhanced Conversions"). If you refuse, no conversion data is sent to Google.

Google Ireland Limited / Google LLC — operates Google Analytics 4 for site-audience analytics. When you consent to analytics cookies via the banner, Google receives standard page-view, device, and referrer signals; no email, no name, and no Stripe identifier are transmitted. Google Ireland Limited is the EU controller; some data may be onward-transferred to Google LLC (United States) under Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

Meta Platforms Ireland Limited (Ireland) — operates Meta Pixel and the Meta Conversions API for Facebook and Instagram ad-campaign attribution and optimisation. When you consent to advertising cookies via the banner, your browser sets the Meta `_fbp` and (after an ad click) `_fbc` first-party cookies, and on a completed purchase our server transmits a "Purchase" event including the purchase amount and currency, the Stripe Checkout Session identifier, your IP address, your user-agent, the `_fbp` and `_fbc` values, a SHA-256 hash of your email address, and a SHA-256 hash of your internal user identifier. If you refuse, no Pixel cookies are set and no server-side event is transmitted. Meta Platforms Ireland is the EU controller; some data may be onward-transferred to Meta Platforms, Inc. (United States) under Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

A current list of sub-processors is available on request from contact@taxportugal.com.

5. International data transfers

Some sub-processors are established outside the European Economic Area, in particular in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, on the EU–US Data Privacy Framework adequacy decision, together with supplementary technical and organisational measures.

Application data at rest is hosted in the European Union (Railway, Frankfurt region). Conversation content sent to Anthropic and email content sent to Resend may be processed on infrastructure located in the United States. You can request a copy of the relevant transfer mechanism by writing to contact@taxportugal.com.

6. AI processing and model training

The Service uses third-party AI models (currently Anthropic's Claude family) to generate responses. We do not authorise the use of your conversations or other personal data to train, fine-tune, or improve any AI model, and we operate under the API-grade commercial terms of those providers.

Sub-processors maintain their own published policies governing how they handle data submitted via their APIs. You should review the policies of Anthropic, Cohere, Stripe, Resend, Railway, and Google for the most current information about their handling and retention of data sent to them by us.

7. Retention

Account, profile, and conversation data are retained for as long as your account exists. When you delete your account, those records are removed in cascade (account, sessions, profile, conversations, notes); residual copies in operational backups are overwritten according to the rolling backup schedule of the hosting provider.

Billing records (invoices, subscription history, tax-relevant transaction records) are retained for ten (10) years from the relevant tax year, in accordance with Portuguese tax and commercial law (Código Comercial and Código do IRC).

Authentication logs and security-related technical logs are retained for up to twelve (12) months for fraud-prevention and incident-response purposes.

8. Your rights

Subject to the conditions set out in the GDPR, you have the right to: (a) access your personal data and obtain a copy (Art. 15); (b) request rectification of inaccurate data (Art. 16); (c) request erasure of your data (Art. 17), which you can exercise immediately by deleting your account; (d) request restriction of processing (Art. 18); (e) object to processing carried out on the basis of legitimate interest (Art. 21); (f) request data portability for data you provided and that we process by automated means under contract or consent (Art. 20); (g) where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, write to contact@taxportugal.com. We may ask you to verify your identity. We will respond within one month and, where requests are complex or numerous, may extend this period by a further two months with notice.

9. Right to lodge a complaint

You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority in Portugal is the Comissão Nacional de Proteção de Dados (CNPD): https://www.cnpd.pt. You may also lodge a complaint with the supervisory authority of your habitual residence or place of work.

10. Security

We implement technical and organisational measures appropriate to the risks of processing, including TLS encryption in transit, encryption of credentials at rest, role-based access to production systems, hosting in the European Union, automatic backups by the hosting provider, and logging of administrative actions. No system is fully secure, and we cannot guarantee absolute security.

11. Cookies and similar technologies

We use strictly necessary cookies for authentication, session management, and CSRF protection. These cookies do not require consent under the ePrivacy regime as transposed in Portugal because they are essential to deliver the service you requested.

We also use Google Ads conversion measurement, which sets advertising cookies (the gtag.js library and `_gcl_*` cookies) on pages visited after you arrive from a Google Ads link, in order to measure paid-acquisition campaigns and to optimise our bidding. It runs under your consent, given through the cookie banner shown on first visit; you can refuse, in which case no advertising cookies are set on your browser and no identifying signal is sent to Google.

For Google Ads conversion measurement we may transmit a SHA-256 hash of your email address to Google ("Enhanced Conversions") so that Google can match your purchase to the original ad click even when third-party cookies are blocked. The hash is computed in your browser; the plain email is never transmitted and the hash is not stored by us.

We also use Google Analytics 4 for site-audience analytics. Under your consent, it sets the `_ga` and `_ga_<container>` first-party cookies on your browser to measure page views, sessions, devices, and referrers. We have not enabled Google Signals, advertising-feature integrations, or User-ID tracking; we transmit no personal identifiers (no email, no name, no Stripe identifier) to Google Analytics. If you refuse, no cookies are set on your browser; in that case Google receives only a cookieless modelled ping for aggregate traffic estimation.

We also use the Meta Pixel and Meta Conversions API for Facebook and Instagram ad-campaign attribution. The Pixel sets the `_fbp` first-party cookie on your browser; after a click on a Meta ad it also sets `_fbc`. On a completed purchase, in addition to the browser event our server transmits a duplicate "Purchase" event to Meta's Conversions API including the purchase amount and currency, the Stripe Checkout Session identifier, your IP address, your user-agent, the `_fbp` and `_fbc` cookie values, a SHA-256 hash of your email address, and a SHA-256 hash of your internal user identifier. Hashes are computed on our server before transmission; the plain email is not sent to Meta and the hashes are not stored by us. Both the browser Pixel and the server-side fire run under your consent — if you refuse, no Pixel cookies are set and no server event is transmitted. We do not use any third-party session-recording tool.

12. Children

The Service is not directed at children under eighteen (18) years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact contact@taxportugal.com so that we can delete it.

13. Special-category data and automated decisions

You should not submit special-category data (Art. 9 GDPR — health, racial or ethnic origin, political opinions, religious beliefs, biometric data, sex life or orientation) or data relating to criminal convictions to the Service. The Service is not designed to process such data and we have no lawful basis to process it.

The Service does not produce decisions that have legal or similarly significant effect on you within the meaning of Article 22 GDPR. Outputs of the Service are informational and do not constitute determinations of your tax position.

14. Data-breach notification

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also notify you without undue delay in accordance with Article 34.

15. Account deletion

You can delete your account at any time from the profile page inside the Service. Deletion immediately revokes all sessions, removes the account record, your profile, your conversations, and the notes saved during your conversations, and cancels any active subscription. Backups containing residual data are rotated according to the hosting provider's policy and are overwritten over time. Billing records subject to legal retention obligations are kept for the periods described in section 7.

16. Changes to this Policy

We may update this Privacy Policy to reflect changes in the Service, our sub-processors, or applicable law. We will notify you of material changes by email or by a prominent notice in the Service before the changes take effect. The "Last updated" date at the top of this page indicates the version in force.

17. Contact

For any question or rights request, contact contact@taxportugal.com.
