Privacy Policy

Imigrar Portugal, headquartered in Lisbon, Portugal, is the controller of your personal data under the General Data Protection Regulation (GDPR — EU Regulation 2016/679). Data Protection Officer (DPO) contact: dpo@portalimigracao.pt

We collect the following personal data: Account data: • Full name, email address, password (encrypted) • Profile photo (optional) • Nationality and country of residence Service request data: • Identification documents (passport, ID/citizen card) • NIF (when applicable), address, date of birth • Supporting documents (contracts, proofs) Payment data: • Processed exclusively by Stripe. We do not store card data. Technical data: • IP address, browser type, operating system • Pages visited, session time and duration

We process your data for the following purposes: • Performance of the service contract (Art. 6(1)(b) GDPR) — Processing of NIF, NISS, SNS, IRS and AIMA requests — Communications about request status • Legal obligations (Art. 6(1)(c) GDPR) — Issuing invoices and complying with tax obligations • Legitimate interests (Art. 6(1)(f) GDPR) — Platform security and fraud prevention — Service improvements (anonymized data) • Consent (Art. 6(1)(a) GDPR) — Sending marketing communications (you may withdraw at any time) — Non-essential cookies

We keep your data for the time necessary for the indicated purposes: • Account data: while the account is active + 1 year after deletion • Request and document data: 5 years (legal tax obligation) • Billing data: 10 years (Commercial Code) • Session cookies: deleted when you close the browser • Analytics cookies: 13 months After the retention period, data is anonymized or securely deleted.

We share your data only in the following situations: Government authorities: • AT (Portuguese Tax Authority), Social Security, SPMS, AIMA — strictly for processing your requests Sub-processors (as data processors): • Stripe Payments Europe Ltd. — payment processing (EU servers) • Amazon Web Services EMEA SARL — file storage (S3, eu-west-1, Ireland) • Resend.com — transactional email delivery • Railway Corp — application hosting (EU servers) • Vercel Inc. — static content delivery (CDN) • Sentry GmbH — error monitoring All sub-processors are bound by data processing agreements under Art. 28 GDPR. We do not sell, rent, or share personal data for third-party marketing purposes.

Some of our processors operate outside the European Economic Area (EEA). In such cases, we ensure adequate protection through: • Standard Contractual Clauses approved by the European Commission • Adequacy decisions of the European Commission For more information, contact dpo@portalimigracao.pt.

Under GDPR, you have the following rights: • Access — obtain confirmation of whether we process your data and receive a copy • Rectification — correct inaccurate or incomplete data • Erasure ("right to be forgotten") — request deletion of your data • Restriction — restrict processing in certain circumstances • Portability — receive your data in a structured, machine-readable format • Objection — object to processing based on legitimate interests • Withdrawal of consent — at any time, without affecting prior lawful processing How to exercise your rights: Email dpo@portalimigracao.pt with the subject "GDPR Rights". We respond within 30 days. Complaints: You have the right to file a complaint with the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt.

We implement technical and organisational measures to protect your data: • Encryption in transit (TLS 1.3) and at rest (AES-256) • Passwords hashed with PBKDF2-SHA256 (Django default) • HttpOnly and Secure session tokens • Access to data restricted to staff with a need-to-know • Periodic security audits • Security incident response plan In the event of a personal data breach posing a risk to your rights, we will notify the CNPD within 72 hours and the affected user, under Art. 33 and 34 GDPR.

We use the following types of cookies: Essential cookies (no consent required): • Authentication session (httpOnly, Secure) • Language preferences and CSRF Analytics cookies (consent required): • Audience measurement (anonymized data) Marketing cookies (consent required): • We do not currently use third-party marketing cookies You can manage your cookie preferences at any time via the cookie settings panel in the site footer.

We may update this Privacy Policy periodically. Significant changes will be notified by email and published on this page with the new revision date. We recommend that you review this page regularly.

Our services are intended exclusively for individuals aged 18 or older. We do not knowingly collect personal data from children under 16 without the consent of the holders of parental responsibility (Art. 8 GDPR). If you become aware that a child under 16 has provided us with personal data, please contact dpo@portalimigracao.pt so we can delete it.

We do not take fully automated decisions that produce legal effects on the user or otherwise significantly affect them, under Art. 22 GDPR. All requests submitted on the platform are reviewed by human staff before being filed with the official authorities. We do not perform profiling based on sensitive data.