Privacy Policy
Last updated: 17 June 2026. Written to satisfy GDPR Articles 13–14.
1. Who we are
Portugeasy is operated by PUX Labs, Lda., Rua Gaivotas em Terra n.º 6, 6D, 1990-601 Lisboa, Portugal (the “controller”, “we”, “us”).
- Data Protection Officer: Alexandre Miguel Alves Fernandes — dpo@portugeasy.pt
- General contact: hello@portugeasy.pt
We help you prepare, store, check and organise the documents that Portuguese immigration processes (AIMA) require. We detect problems against published checklists — we do not decide your case, guarantee any outcome, or give legal advice.
2. The data we process
- Account data: your name, email, password (stored only as a secure argon2 hash), language preference, and sign-in timestamps.
- Your immigration documents and details — this is special-category, sensitive personal data: passports, birth/marriage certificates, criminal-record certificates, proof of means or accommodation, and the answers you give about your situation (e.g. relationship, housing). These can reveal your nationality, family life and, in the case of criminal-record certificates, data under Art. 10 GDPR.
- People you act for: if you manage a dependent's case (e.g. a minor in family reunification), the documents and details you provide about them, with evidence of your authority to do so.
- Access you grant: if you give a legal professional access to a case, the record of that grant (scope, expiry) and its revocation.
- Payment data: we use Stripe for payments. We receive a payment reference and amount; we never see or store your card number.
- Operational data: notifications, an action/consent audit log, and internal cost metering.
3. Why we process it, and our legal basis
| Purpose | Legal basis |
|---|---|
| Create and run your account and the service | Performance of our contract with you (Art. 6(1)(b)) |
| Store and process your immigration documents, run the checks, build your checklist | Your explicit consent (Art. 6(1)(a) and Art. 9(2)(a) for special-category data), given at registration |
| The AI document check (see §4), including sending the document to our AI provider | Your explicit consent (same as above), specifically covering the AI check and the international transfer |
| Give a professional access to your case | Your explicit consent — only when you grant it |
| Take payment and keep invoices | Contract (Art. 6(1)(b)) and legal obligation, e.g. tax law (Art. 6(1)(c)) |
| Keep the service secure, prevent abuse, keep an audit trail | Our legitimate interests (Art. 6(1)(f)) and legal obligations (Art. 6(1)(c)) |
You can withdraw consent at any time (see §8); withdrawing stops the related processing going forward, including disabling the AI check.
4. The AI document check
With your consent, when you upload a document we run an automated problem-detection check (does the image look like the right document type? is it legible? is anything expired?). To do this we send the document to our AI sub-processor, Anthropic, whose service operates outside the EU (United States). We protect this transfer with Standard Contractual Clauses and a data-processing agreement, and the data is processed under zero-retention and no-training terms: the document is not retained by the provider after the check and is never used to train models.
This check is decision support, not an automated decision about you: it only flags possible problems for you to act on, has no legal effect, and never certifies a document as valid. It is therefore not “automated decision-making” under Art. 22. You can decline the AI check and still use the service.
5. Who we share it with
We do not sell your data or use it for advertising. We use these processors:
| Processor | Purpose | Where |
|---|---|---|
| Amazon Web Services (S3, KMS) | Encrypted document storage | EU (Ireland, eu-west-1) |
| Amazon Web Services (SES) | Sending our emails | EU (eu-west-1) |
| Anthropic | The AI document check (§4) | Outside EU (US) — SCCs + DPA |
| Stripe | Card payments | EU/US — SCCs + DPA; card data never reaches us |
A legal professional sees a case only through an access grant you create, which you can revoke at any time. We are not AIMA and do not send your documents to AIMA — your submission pack is produced for you to file.
6. International transfers
Your documents are stored in the EU and encrypted. The only routine transfer outside the EU is to Anthropic (US) for the AI check, safeguarded by Standard Contractual Clauses. You can avoid this transfer entirely by declining the AI check.
7. How long we keep it
- We keep your data while your account is active.
- If a paid subscription lapses, a warning cascade begins; your account becomes read-only after ~180 days and is deleted after a further ~14 days — files erased, records removed, and the account reduced to an anonymous tombstone kept only for our audit trail.
- We will not delete data while a professional you authorised still has live access to a case (it is still needed and still yours).
- You can export everything at any time — even on a read-only account — and ask us to delete your account and documents sooner.
- Invoicing records are kept as long as tax law requires — currently 10 years under Portuguese law.
8. Your rights
You have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent at any time. To exercise them, use the in-app export, or contact dpo@portugeasy.pt. You also have the right to lodge a complaint with the CNPD (the Portuguese supervisory authority) — though we'd appreciate the chance to help first.
Providing your documents is necessary to use the service; without them we cannot prepare your immigration file.
9. Security
EU-region storage, encryption at rest with a per-file key, strict access controls (your data is reachable only by you and anyone you explicitly authorise), audited access, and secure password handling. No system is perfectly secure, but we design for least privilege and data minimisation.
10. Cookies
We use only essential cookies (your session and security/CSRF protection). We do not use advertising or third-party tracking cookies, and we do not currently use analytics. If we add privacy-friendly analytics we will update this policy and, where required, ask for your consent first.
11. Children
We process a minor's data only where you are their parent or legal guardian and provide evidence of your authority (e.g. family reunification), and we apply the same EU-region storage, encryption and least-privilege controls to their data as to anyone else's.
12. Changes
We may update this policy; we will post the new version here and, for material changes, notify you. Continued use after an update means you've seen the current version.
Contact: dpo@portugeasy.pt · PUX Labs, Lda., Rua Gaivotas em Terra n.º 6, 6D, 1990-601 Lisboa, Portugal.