1. General conditions
3. The processing of the Data is governed by the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
4. Technical and organisational security measures have been implemented to protect the Data against involuntary or illegal deletion, update, loss, and non-authorised disclosure or access.
5. The Service includes hyperlinks to websites the Provider is not responsible for. Such websites are governed by their respective privacy policies.
6. The interpretation of the Policy is exclusive to the Provider who reserves the right to change it at any time. Significant changes shall be communicated to the Protocooperator through the Service or their email before entering into force. If the Protocooperator does not agree with such changes, they must log in to the Service and proceed with removing their Account.
7. The Provider only processes the Data as described herein, except when the Data is necessary for:
- Purpose related to the one that originally dictated their collection;
- Processing, negotiation or compliance with a contract established with the Protocooperator;
- Compliance with legal obligations or orders from governmental, judicial or police authorities;
- Reasoning, legal rights protection or defence in case of legal actions;
- Preventing abuse and other illegal activities;
- Purposes of automatic recording.
8. The Provider does not sell the Data.
9. The Protocooperator agrees to receive information deemed essential through the Service and their email.
10. The Protocooperator accepts that the only legally-binding version of the Policy is the one written in Portuguese and that any translations to other languages are merely informative.
11. The information included in the Policy may become out of date or incomplete over time. The Provider will use their human and technical resources in order to try to keep the Policy up to date and complete.
2. Third parties
The Service depends on services provided by the following entities with whom the Provider has taken measures aimed at guaranteeing that they respect and protect the Data:
|AT — Portuguese Tax and Customs Authority||Invoice issuance|
3. Data collection
When submitting the Data, the Protocooperator provides them voluntarily and consents to their processing.
The Data are collected through the following means:
|Email; password; name (partial or full); digital signature; full name and civil ID number (ID) included in the digital signature||Sign-up functionality|
|Tax identification number (TIN); payment data: cardholder name, card number, card expiration date, card code, date/time, amount||Credit top-up functionality|
|User preferences (e.g. language, time zone)||Account customisation functionality|
|Assets||Profile editing functionality|
|Conversations between Protocooperators||Mail functionality|
|Essential communication||Mail functionality, email|
|Protocooperator-to-Provider contact||Contact functionality, email|
|Navigation data: date/time, IP address, browser, operating system||Access to web resource (web page, image, etc.)|
4. Data processing purposes
The collected Data allow the Service to be provided under normal operation and according to its characteristics and functionality:
|Authentication; essential communication; Protocooperator-to-Provider contact|
|Name||Name identification; authentication|
|Digital signature||Name and citizenship validation|
|Full name||Name validation|
|ID||Prevention of duplicate Accounts; authentication|
|TIN||Issuance of invoice with TIN|
|Payment data||Credit top-up; fraud prevention and detection|
|User preferences||User experience|
|Assets||Discovery of Protocooperators with the aim of protocooperating|
|Conversations between Protocooperators||Communication with the aim of protocooperating|
|Essential communication||Notification of essential information|
|Protocooperator-to-Provider contact||Query handling, problem-solving, etc.|
|Navigation data||Systems security; fraud prevention and detection|
|Invoices||Accounting control; tax compliance|
5. Data processing lawfulness
The collected Data are processed according to the following lawfulness bases:
|Email; password; name; digital signature; full name; ID; TIN; payment data; user preferences; assets; conversations between Protocooperators; essential communication; Protocooperator-to-Provider contact||Performance of the Contract|
|Navigation data||Systems security according to recital 49 of the GDPR; performance of the Contract|
Navigation data are not subject to individual analysis, unless security incidents occur, in which case they may be reported to the competent authorities. Thus, it is considered that there is no risk of Protocooperators' privacy intrusion and that therefore the Provider's legitimate interests are not overridden by the Protocooperators' rights and freedoms referred to in Article 6 (1)(f) of the GDPR.
Stripe uses navigation data as a fraud prevention and detection mechanism, in compliance with applicable laws.
6. Data retention
The Data are stored for as long as is strictly necessary to fulfil their processing purposes or the exercise of the Protocooperator's right to object or to erasure, or until withdrawal of consent. The Data is then deleted or anonymised, unless the storage period turns out to be insufficient, or a legal obligation or authorisation exists.
|Email; password; name; ID; user preferences||Until Account deletion|
|Digital signature; full name||Until name and citizenship validation|
|TIN||Until Account deletion or the end of the legally required storage period for TIN-issued invoices, whichever occurs farthest in the future|
|Payment data||Until the end of the legally required period|
|Assets||Until their or Account deletion|
|Conversations between Protocooperators||60 days after the date of the conversation's latest message|
|Essential communication||Via the Service: 60 days after being read by the Protocooperator; via email: 60 days after being sent|
|Protocooperator-to-Provider contact||Until 60 days after the issue in question is solved|
|Navigation data||Protocoop: Until 180 days; Stripe: until the end of the legally required period|
7. Data accessThe Data are accessed only by the Protocooperator, except:
|Name; assets; conversations between Protocooperators||Other Protocooperators|
The following Data are transmitted to third parties:
|TIN||To AT upon invoice issuance|
|Payment data; navigation data||To Stripe upon payment|
8. Protocooperator rights
1. Under the terms of the GDPR and other applicable legislation, the Protocooperator has the right of access and to rectification, erasure and portability of the Data, and to restriction, object and withdrawal of consent to their processing.
2. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
3. Once logged in, the Protocooperator may exercise their rights through the Service.
4. The answer to Protocooperator's requests to exercise their rights shall be provided free of charge. Where requests are manifestly unfounded, excessive or unjustifiably reiterated, the Provider may either charge a reasonable administrative fee or refuse to act on the request.
5. The answer to Protocooperator's requests shall be provided within one month of receipt of the request. Such period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
6. The Protocooperator has the right to lodge a complaint about the processing of the Data with the Portuguese Data Protection Authority (CNPD).
9. Aggregate information
1. The Data may be used for the purposes of aggregate statistical analysis where no connection to individual Protocooperators is established.
2. Aggregate information is anonymous, thus devoid of personal identification or private information.
3. Aggregate analysis may allow detecting usage patterns, based on which the Service can be improved.
4. Aggregate information may be disclosed to third-parties or publicly.
Last update: 01/01/2020