Privacy Policy

Launch Portugal, Lda.
Lisbon, Portugal
Email: privacy@launchportugal.com

We are the data controller for personal data collected through our website and services.

Information you provide: Name, email, phone, nationality, date of birth, passport data, proof of address, visa type, business plans, company name preferences, and payment information (processed by Stripe).

Information collected automatically: IP address, browser type, device information, pages visited, referral source, and interaction data (via PostHog, EU-hosted). Cookies are used with your explicit consent only.

Information from third parties: Authentication data from Clerk (if you sign in via Google or Apple).

Contract performance (Article 6(1)(b)): Processing your NIF application, company registration, and other services you purchased.

Legitimate interest (Article 6(1)(f)): Analytics to improve our service, fraud prevention, and security monitoring.

Consent (Article 6(1)(a)): Marketing communications, non-essential cookies, and newsletter.

Legal obligation (Article 6(1)(c)): Tax records retention (10 years per Portuguese law), anti-money laundering compliance.

We use your personal data to: deliver the services you purchased; communicate about your setup progress; send transactional emails (order confirmations, status updates, document requests); improve our website and services; comply with Portuguese law and EU regulations; prevent fraud and maintain security.

We will only send marketing communications if you have given explicit opt-in consent. You can withdraw this consent at any time.

We share your data only with processors necessary for service delivery:

Service providers: Clerk (authentication, EU), Supabase (database, EU), Stripe (payments, EU adequacy), Resend (email, EU sending), PostHog (analytics, EU), Cloudflare (CDN/security), Vercel (hosting).

Partners: Partner accountants and immigration lawyers who deliver parts of your service. They receive only the data necessary for their specific tasks and are bound by Data Processing Agreements.

We never sell your personal data. We do not share data with advertisers.

Active client data: Duration of service + 1 year, then deleted unless legally required.

Tax and accounting records: 10 years (required by Portuguese tax law, Article 123 CIRC).

Marketing data: Until you withdraw consent.

Passport and identity documents: Deleted within 30 days of NIF issuance or service completion, whichever comes first.

Analytics data: 26 months, then anonymized.

Under the General Data Protection Regulation, you have the right to:

Access (Article 15): Request a copy of your personal data.

Rectification (Article 16): Correct inaccurate data.

Erasure (Article 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.

Restriction (Article 18): Request restricted processing.

Portability (Article 20): Download your data in a machine-readable format. Available in your account settings.

Objection (Article 21): Object to processing based on legitimate interest.

Withdraw consent: At any time, without affecting prior lawful processing.

To exercise your rights, email privacy@launchportugal.com or use the self-serve options in your account settings. We respond within 30 days.

Necessary cookies: Session management, authentication, CSRF protection. Always active.

Analytics cookies: PostHog (EU-hosted). Only set with your explicit consent.

Marketing cookies: Conversion tracking. Only set with your explicit consent.

You can manage cookie preferences at any time via our cookie banner or account settings.

We implement appropriate technical and organizational measures including: encryption at rest (AES-256) and in transit (TLS 1.3); Row Level Security in our database; access logging and audit trails; regular security reviews; restricted access on a need-to-know basis; secure file upload with type and size validation.

Your data is primarily stored and processed within the European Union. Where data is transferred outside the EU (e.g., Cloudflare CDN nodes), we ensure adequate protection through EU adequacy decisions or Standard Contractual Clauses.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Portuguese Data Protection Authority (CNPD) within 72 hours and notify affected individuals without undue delay.

We may update this policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or in-app notification. Continued use of our services after changes constitutes acceptance.

Data Protection Officer: privacy@launchportugal.com

Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD), Rua de São Bento 148, 1200-821 Lisboa, Portugal — www.cnpd.pt