Privacy Policy

1. General conditions

1. Capitalised terms not defined herein have their meaning assigned in the Terms of Use.

2. Protocooperator's personal data (Data) privacy protection is a fundamental commitment of the Provider who is responsible for operating the Service and collecting and processing such Data, as described in this Privacy Policy (Policy).

3. The processing of the Data is governed by the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

4. Technical and organisational security measures have been implemented to protect the Data against involuntary or illegal deletion, update, loss, and non-authorised disclosure or access.

5. The Service includes hyperlinks to websites the Provider is not responsible for. Such websites are governed by their respective privacy policies.

6. The interpretation of the Policy is exclusive to the Provider who reserves the right to change it at any time. Significant changes shall be communicated to the Protocooperator through the Service or their email before entering into force. If the Protocooperator does not agree with such changes, they must log in to the Service and proceed with removing their Account.

7. The Provider only processes the Data as described herein, except when the Data is necessary for:

8. The Provider does not sell the Data.

9. The Protocooperator agrees to receive information deemed essential through the Service and their email.

10. The Protocooperator accepts that the only legally-binding version of the Policy is the one written in Portuguese and that any translations to other languages are merely informative.

11. The information included in the Policy may become out of date or incomplete over time. The Provider will use their human and technical resources in order to try to keep the Policy up to date and complete.

2. Third parties

The Service depends on services provided by the following entities with whom the Provider has taken measures aimed at guaranteeing that they respect and protect the Data:

Entity Service
PTisp Web hosting
Stripe Payment solutions
AT — Portuguese Tax and Customs Authority Invoice issuance

3. Data collection

When submitting the Data, the Protocooperator provides them voluntarily and consents to their processing.

The Data are collected through the following means:

Data Means
Email; password; name (partial or full); digital signature; full name and civil ID number (ID) included in the digital signature Sign-up functionality
Tax identification number (TIN); payment data: cardholder name, card number, card expiration date, card code, date/time, amount Credit top-up functionality
User preferences (e.g. language, time zone) Account customisation functionality
Assets Profile editing functionality
Conversations between Protocooperators Mail functionality
Essential communication Mail functionality, email
Protocooperator-to-Provider contact Contact functionality, email
Navigation data: date/time, IP address, browser, operating system Access to web resource (web page, image, etc.)

4. Data processing purposes

The collected Data allow the Service to be provided under normal operation and according to its characteristics and functionality:

Data Purposes
Email Authentication; essential communication; Protocooperator-to-Provider contact
Password Authentication
Name Name identification; authentication
Digital signature Name and citizenship validation
Full name Name validation
ID Prevention of duplicate Accounts; authentication
TIN Issuance of invoice with TIN
Payment data Credit top-up; fraud prevention and detection
User preferences User experience
Assets Discovery of Protocooperators with the aim of protocooperating
Conversations between Protocooperators Communication with the aim of protocooperating
Essential communication Notification of essential information
Protocooperator-to-Provider contact Query handling, problem-solving, etc.
Navigation data Systems security; fraud prevention and detection
Invoices Accounting control; tax compliance

5. Data processing lawfulness

The collected Data are processed according to the following lawfulness bases:

Data Lawfulness basis
Email; password; name; digital signature; full name; ID; TIN; payment data; user preferences; assets; conversations between Protocooperators; essential communication; Protocooperator-to-Provider contact Performance of the Contract
Navigation data Systems security according to recital 49 of the GDPR; performance of the Contract

Navigation data are not subject to individual analysis, unless security incidents occur, in which case they may be reported to the competent authorities. Thus, it is considered that there is no risk of Protocooperators' privacy intrusion and that therefore the Provider's legitimate interests are not overridden by the Protocooperators' rights and freedoms referred to in Article 6 (1)(f) of the GDPR.

Stripe uses navigation data as a fraud prevention and detection mechanism, in compliance with applicable laws.

6. Data retention

The Data are stored for as long as is strictly necessary to fulfil their processing purposes or the exercise of the Protocooperator's right to object or to erasure, or until withdrawal of consent. The Data is then deleted or anonymised, unless the storage period turns out to be insufficient, or a legal obligation or authorisation exists.

Data Storage period
Email; password; name; ID; user preferences Until Account deletion
Digital signature; full name Until name and citizenship validation
TIN Until Account deletion or the end of the legally required storage period for TIN-issued invoices, whichever occurs farthest in the future
Payment data Until the end of the legally required period
Assets Until their or Account deletion
Conversations between Protocooperators 60 days after the date of the conversation's latest message
Essential communication Via the Service: 60 days after being read by the Protocooperator; via email: 60 days after being sent
Protocooperator-to-Provider contact Until 60 days after the issue in question is solved
Navigation data Protocoop: Until 180 days; Stripe: until the end of the legally required period

7. Data access

The Data are accessed only by the Protocooperator, except:
Data Access
Name; assets; conversations between Protocooperators Other Protocooperators
Protocooperator-to-Provider contact Provider

The following Data are transmitted to third parties:

Data Transmission
TIN To AT upon invoice issuance
Payment data; navigation data To Stripe upon payment

8. Protocooperator rights

1. Under the terms of the GDPR and other applicable legislation, the Protocooperator has the right of access and to rectification, erasure and portability of the Data, and to restriction, object and withdrawal of consent to their processing.

2. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

3. Once logged in, the Protocooperator may exercise their rights through the Service.

4. The answer to Protocooperator's requests to exercise their rights shall be provided free of charge. Where requests are manifestly unfounded, excessive or unjustifiably reiterated, the Provider may either charge a reasonable administrative fee or refuse to act on the request.

5. The answer to Protocooperator's requests shall be provided within one month of receipt of the request. Such period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

6. The Protocooperator has the right to lodge a complaint about the processing of the Data with the Portuguese Data Protection Authority (CNPD).

9. Aggregate information

1. The Data may be used for the purposes of aggregate statistical analysis where no connection to individual Protocooperators is established.

2. Aggregate information is anonymous, thus devoid of personal identification or private information.

3. Aggregate analysis may allow detecting usage patterns, based on which the Service can be improved.

4. Aggregate information may be disclosed to third-parties or publicly.

Last update: 01/01/2020