Privacy Policy

1. Data Controller

Auralenor, Unipessoal Lda., with registered office in Lisbon, Portugal ("Auralenor", "we", "us"), is the data controller responsible for the processing of your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Portuguese Data Protection Act (Lei n.º 58/2019).

For any privacy-related inquiries, please contact us at support@auralenor.com.

2. Data We Collect

We collect and process the following categories of personal data, strictly limited to what is necessary for the purposes described in this policy:

Client Data:

• Identification data: full name, business name, tax identification number (NIF), address
• Contact data: email address, telephone number
• Contractual data: contract duration, pricing terms, signature data, payment history
• Technical data: IP address, user agent, and timestamp collected at the time of contract signature for evidentiary purposes

Automatically Collected Data:

• Essential cookies required for site functionality and session management
• Analytics data (only with your explicit consent): page views, navigation patterns
• Server logs: IP addresses, request timestamps, error logs (retained for security purposes)

3. Legal Basis for Processing

We process your personal data exclusively on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): processing necessary for the execution of our service agreement with you, including website creation, hosting, and payment processing
• Legal obligation (Art. 6(1)(c) GDPR): processing required by Portuguese tax law, commercial law, and data breach notification obligations
• Legitimate interest (Art. 6(1)(f) GDPR): fraud prevention, platform security, service improvement, and internal reporting — balanced against your fundamental rights
• Consent (Art. 6(1)(a) GDPR): analytics cookies and marketing communications (where applicable), which you may withdraw at any time

4. How We Use Your Data

• To deliver, maintain, and improve the services described in your service agreement
• To process payments and generate invoices
• To verify identity and prevent fraud during contract signing and account management
• To comply with applicable tax, accounting, and regulatory obligations under Portuguese law
• To enforce our contractual rights and non-compete provisions
• To communicate service updates, security notifications, and contractual notices

5. Third-Party Data Processors

We share your personal data only with carefully selected categories of third-party processors, each bound by Data Processing Agreements compliant with Article 28 GDPR:

• Cloud infrastructure providers: for database hosting, user authentication, and secure file storage, processing data within the European Union
• Payment processors: for secure payment processing and subscription management, PCI DSS Level 1 certified
• Email delivery services: for transactional email delivery including contract confirmations, service notifications, and system alerts

A complete list of authorized sub-processors, including their names, processing purposes, data locations, and applicable safeguards, is available in our Data Processing Agreement (Appendix A), accessible at auralenor.com/dpa.

We do not sell, rent, or otherwise commercially share your personal data with any third party. We do not engage in profiling or automated decision-making as defined by Article 22 GDPR. We do not share personal data with any entity beyond what is strictly necessary for service delivery.

5a. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls with the principle of least privilege
• IP-based rate limiting on all API endpoints to prevent abuse
• Regular security assessments and monitoring of access events
• Automated daily backups with encryption and geographic redundancy

While we take all reasonable precautions to secure your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incident.

5b. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Portuguese Data Protection Authority (CNPD) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law:

• Active contract data: retained for the duration of the service agreement plus 5 years thereafter (Portuguese commercial record-keeping obligations)
• Tax and financial records: retained for 10 years as required by Portuguese tax law (Código do IRS, Art. 128)
• Contract signature evidence (IP, timestamp, signature image): retained indefinitely for legal evidentiary purposes or until deletion is requested and legally permissible

7. Your Rights

Under the GDPR and Portuguese law, you have the following rights regarding your personal data:

• Right of access (Art. 15): obtain confirmation of whether and how your data is processed
• Right to rectification (Art. 16): correct inaccurate or incomplete personal data
• Right to erasure (Art. 17): request deletion of your data, subject to legal retention obligations
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format
• Right to restriction (Art. 18): restrict processing under specific circumstances
• Right to object (Art. 21): object to processing based on legitimate interest

To exercise any of these rights, contact support@auralenor.com. We will respond within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD).

8. Cookies

We use strictly essential cookies required for site functionality (authentication, session management, language preference). These cookies do not require consent under ePrivacy Directive Article 5(3) as they are technically necessary.

Analytics cookies are only activated upon your explicit consent. You may manage your cookie preferences at any time through the cookie consent banner or by clearing your browser cookies.

9. International Data Transfers

Your data is primarily processed within the European Union. Where data is transferred to processors outside the EU/EEA, such transfers are protected by one or more of the following safeguards, each ensuring an equivalent level of data protection: EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the EU-US Data Privacy Framework (where applicable), or Adequacy Decisions by the European Commission under Article 45 GDPR. Details of the specific safeguards applicable to each sub-processor are documented in our Data Processing Agreement (Appendix A) at auralenor.com/dpa.

10. Changes to This Policy

We reserve the right to update this Privacy Policy to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be communicated via email or a prominent notice on our website. Continued use of our services after such notification constitutes acceptance of the revised policy.