Last updated: August 13, 2025

1. IDENTIFICATION OF THE DATA CONTROLLER

Data controller:

• Name: João Mateus
• NIF: 203336003
• Address: Rua 5 de Outubro, No. 15, 7630-452 São Luís, Portugal
• E-mail: geral@tocaagravar.pt
• Website: https://tocaagravar.pt

2. SCOPE AND PURPOSE

This Privacy Policy applies to the processing of personal data collected through the website https://tocaagravar.pt and describes how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and Law No. 58/2019 of August 8.

3. PERSONAL DATA COLLECTED

3.1 Browsing data

• IP address
• Browser type and version
• Operating system
• Pages viewed and time spent on site
• Reference data (source website)
• Date and time of access

3.2 Data provided voluntarily

• Full name
• Email address
• Phone number
• Messages sent via contact forms
• Other data provided in communications

3.3 Cookies and similar technologies

Our website uses cookies and other tracking technologies. For more information, please see our Cookie Policy.

4. PURPOSES OF PROCESSING AND LEGAL BASIS

4.1 Purposes

Your personal data is processed for the following purposes:

a) Provision of services and customer service

• Response to requests for information
• Provision of requested services
• Technical support and assistance

b) Communication

• Sending replies to contacts
• Communications related to our services
• Information about updates or changes

c) Website analysis and improvement

• Statistical analysis of usage
• Optimizing the user experience
• Improvement of our services

d) Compliance with legal obligations

• Archive of records for tax purposes
• Compliance with regulatory requirements

4.2 Legal basis

The processing of your personal data is based on:

• Consent (Article 6(1)(a) of the GDPR): For promotional communications and use of non-essential cookies
• Contract performance (Article 6(1)(b) of the GDPR): For the provision of requested services
• Legitimate interest (Article 6(1)(f) of the GDPR): For analysis of website usage and improvement of services
• Compliance with legal obligation (Article 6(1)(c) of the GDPR): For archiving legal records

5. DATA RECIPIENTS

Your personal data may be shared with:

5.1 Service providers

• Web hosting providers
• Web analytics services (such as Google Analytics)
• Email service providers
• Other technical providers necessary for the functioning of the website

5.2 Competent authorities

When legally required or to protect legitimate rights.

We do not sell, rent, or give your personal data to third parties for commercial purposes.

6. INTERNATIONAL TRANSFERS

Some of our service providers may be located outside the European Economic Area (EEA). In such cases, we ensure that:

• There are adequacy decisions by the European Commission
• Appropriate safeguards are applied (standard contractual clauses)
• Appropriate technical and organizational measures are implemented.

7. RETENTION PERIOD

Your personal data is retained for the period necessary to fulfill the purposes for which it was collected:

• Contact details: Up to 3 years after last contact
• Browsing data: Up to 25 months
• Contractual data: In accordance with legal archiving obligations (usually 10 years)
• Data based on consent: Until consent is withdrawn

8. RIGHTS OF THE DATA SUBJECT

You have the following rights regarding your personal data:

8.1 Right of access

You may request information about the personal data we hold about you.

8.2 Right of rectification

You may request the correction of incorrect or incomplete personal data.

8.3 Right to erasure (“right to be forgotten”)

You may request the deletion of your personal data in certain circumstances.

8.4 Right to restriction of processing

You may request the restriction of the processing of your personal data.

8.5 Right to data portability

You may request the transfer of your personal data to another data controller.

8.6 Right to object

You may object to the processing of your personal data based on legitimate interest.

8.7 Right to withdraw consent

When treatment is based on consent, you can withdraw it at any time.

8.8 How to exercise your rights

To exercise any of these rights, please contact us via:

• E-mail: geral@tocaagravar.pt
• Postal address: Rua 5 de Outubro, n°15, 7630-452 São Luís, Portugal

We will respond to your request within one month.

9. DATA SECURITY

We have implemented appropriate technical and organizational measures to protect your personal data against:

• Accidental or unlawful destruction
• Loss, alteration, disclosure, or unauthorized access
• Any form of unlawful treatment

These measures include:

• Encryption of data in transit and at rest
• Access control and authentication
• Regular security audits
• Staff training on data protection

10. PERSONAL DATA BREACHES

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach, as required by the GDPR.

11. RIGHT TO COMPLAIN

You have the right to lodge a complaint with the competent supervisory authority:

National Data Protection Commission (CNPD)

• Address: Av. D. Carlos I, 134, 1st floor, 1200-651 Lisbon
• Telephones: +351 213 928 400
• E-mail: geral@cnpd.pt
• Website: www.cnpd.pt

12. CHANGES TO THE PRIVACY POLICY

We reserve the right to change this Privacy Policy at any time. Changes will be posted on this page with the date of the last update. We recommend that you check this page regularly to stay informed about any changes.

13. CONTACT

For questions related to this Privacy Policy or the processing of personal data:

João Mateus

• E-mail: geral@tocaagravar.pt
• Address: Rua 5 de Outubro, No. 15, 7630-452 São Luís, Portugal