Privacy policy

Data controller. Luís Miguel Pires, sole trader (Empresário em Nome Individual / ENI), Portuguese tax number (NIF) 259 580 007, professional address in Viana do Castelo, Portugal. Written contact: geral@margemx.com. No Data Protection Officer is appointed, as the operation does not meet the criteria of Article 37 GDPR.

Categories of personal data. Identification and contact data submitted in the diagnostic form (name, phone, email), professional information (company, sector, industry), free-text descriptions of operational problems written by the user, emails received at geral@margemx.com, and minimal technical data generated by browsing (IP address, user agent, server logs kept for the time strictly necessary for security and technical diagnostics).

Purposes and legal bases. Pre-contractual measures and contract performance under Article 6(1)(b) GDPR; legal obligations of tax and accounting record-keeping under Article 6(1)(c); site security and abuse prevention as legitimate interest under Article 6(1)(f); occasional commercial communications to existing clients about related services as legitimate interest, with the right to object at any time.

Processors and recipients. Data may be processed by providers such as Vercel (hosting), Supabase (operational database), Resend (email notifications), Cal.com (diagnostic scheduling), Telegram (internal operational notifications) and internal productivity tools. When the user writes a custom industry, only that text, without contact details, is sent to DeepSeek to generate common operational problems.

International transfers. Transfers to the United States (Vercel, Supabase, Resend, Cal.com or Telegram, where applicable) are based on the European Commission Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Punctual transfers to DeepSeek are limited to non-personal industry names; we do not send contacts, messages or other identifiable data outside the EEA without adequate safeguards.

Retention. Diagnostic requests that do not lead to engagement are kept for up to 24 months unless deletion is requested earlier. Data of contracted clients is kept during the commercial relationship and for the legal periods applicable thereafter (10 years for tax and accounting documentation under the Portuguese Corporate and VAT codes). Server technical logs are typically kept for short periods (up to 30 days).

Data subject rights. You may exercise, free of charge, the rights of access, rectification, erasure, restriction, portability, objection and withdrawal of consent (without affecting the lawfulness of prior processing) by writing to geral@margemx.com. We will respond within 30 days.

Right to lodge a complaint. You have the right to lodge a complaint with the Portuguese supervisory authority CNPD (Comissão Nacional de Proteção de Dados, www.cnpd.pt), without prejudice to other administrative or judicial remedies.

Automated decisions. MargemX does not take decisions producing legal or similarly significant effects on users based solely on automated processing, including profiling. AI systems used in client projects comply with Regulation (EU) 2024/1689 (EU AI Act).

Security and breach notification. We apply technical and organisational measures appropriate to the risk (TLS, access control, need-to-know, periodic supplier review). Personal data breaches with risk to data subjects will be notified to CNPD within 72 hours under Article 33 GDPR.

Minors. Services target professionals and companies. We do not knowingly collect data from minors under 16; if you become aware of such collection, please contact us for immediate deletion.

Legal framework. This policy is governed by Regulation (EU) 2016/679 (GDPR), Portuguese Law 58/2019 (GDPR execution in Portugal) and Law 41/2004 (ePrivacy in Portugal). The current version is the one published on this page. The authoritative version is the Portuguese-language policy at margemx.com/privacidade.