Legal
Privacy Policy
Last updated: 6 May 2026
1. Data controller
This Privacy Policy applies to the processing of personal data carried out by Duax Labs, Unipessoal Lda. (“Duax”, “we”, “us”), a company registered under NIPC PT 517 000 000, with registered office at Rua de Sá da Bandeira, 4000-431 Porto, Portugal, registered at the Commercial Registry of Porto.
For any question regarding the processing of your personal data or the exercise of your rights, you can contact us at privacidade@duax.digital.
2. Personal data we collect
We collect only the data strictly necessary for the purposes described in this policy. Specifically:
- Contact form: name, email, company (optional), approximate budget and project description.
- Email communications: the content of the messages you send us and associated metadata (date, time, email address).
- Browsing data: IP address, device type, browser, pages visited, referrer and session duration, collected via cookies, as detailed in our Cookie Policy.
- Contractual data: name, billing address, tax number, professional contacts and financial information necessary to perform contracts.
3. Purposes and legal basis
We process your personal data on the following grounds set out in Regulation (EU) 2016/679 — the General Data Protection Regulation (“GDPR”):
- Performance of a contract (Art. 6(1)(b)) — to manage commercial proposals, service agreements, invoicing and collection.
- Compliance with legal obligations (Art. 6(1)(c)) — in particular in tax, accounting and anti-money-laundering matters.
- Legitimate interest (Art. 6(1)(f)) — to respond to business enquiries, keep the site secure and improve our services.
- Consent (Art. 6(1)(a)) — for non-essential cookies and marketing communications, revocable at any time.
4. Retention periods
We retain data only for as long as strictly necessary for the purposes for which it was collected:
- Unconverted contact enquiries: up to 12 months.
- Contractual and billing data: 10 years, as required by the Portuguese Commercial Code and tax legislation.
- Browsing data and analytics cookies: up to 13 months.
- Marketing communications: until consent is withdrawn or an objection request is made.
5. Recipients and processors
Your data may be shared with processors acting on our behalf under a data processing agreement (Art. 28 GDPR): hosting and cloud infrastructure providers, email tools, proposal-delivery platforms, invoicing system, certified accountant and, where applicable, web analytics services.
We do not sell or transfer your data to third parties for marketing purposes.
6. International transfers
Whenever our processors operate outside the European Economic Area, we ensure appropriate safeguards are in place, in particular adequacy decisions of the European Commission or standard contractual clauses (SCCs). You may request a copy of these mechanisms by contacting us.
7. Your rights
As a data subject, you have the following rights, which you may exercise at any time:
- Access to the data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure (the “right to be forgotten”), in the cases provided for in the GDPR.
- Restriction of and objection to processing.
- Portability of the data you have provided to us.
- Withdrawal of consent, without affecting the lawfulness of prior processing.
To exercise these rights, write to privacidade@duax.digital. You may also lodge a complaint with the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt.
8. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or destruction, including encryption in transit (TLS), access control on a least-privilege basis, audit logs and periodic reviews of our processors.
9. Changes to this policy
We may update this Privacy Policy to reflect legal changes or changes in our activity. The date of the last update appears at the top of the document. In the event of substantial changes, we will inform data subjects by email or through a notice on the site.