Privacy Policy
How we process your personal data
1. Data controller and contact information
Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "GDPR"), Regular & Integral, Lda, holder of the commercial brand VentoFix, informs you that it is the controller of the personal data collected through the ventofix.pt website.
| Company name | Regular & Integral, Lda |
| NIF / NIPC | 515 988 561 |
| Share capital | β¬ 120.000 |
| Registered office | Portugal (Lisbon) |
| Privacy email | info@ventofix.pt |
| Telephone | +351 913 068 775 |
Data Protection Officer (DPO): Regular & Integral, Lda is not required to appoint a DPO under Article 37 of the GDPR and Article 10 of Law no. 58/2019 (the provision of HVAC services does not constitute large-scale processing of special categories of data, nor large-scale systematic monitoring). For any matter relating to data protection, you may contact us directly at info@ventofix.pt.
2. Scope of application and processing principles
This policy applies to all personal data processed by Regular & Integral, Lda in the context of operating the ventofix.pt website and providing its services, in compliance with the GDPR and Law no. 58/2019 of 8 August (the law implementing the GDPR in Portugal).
The processing of personal data is governed by the principles established in Article 5 of the GDPR:
- Lawfulness, fairness and transparency β data is processed lawfully, fairly and in a transparent manner in relation to the data subject
- Purpose limitation β data is collected for specified, explicit and legitimate purposes and is not processed in a manner incompatible with those purposes
- Data minimisation β only data that is adequate, relevant and limited to what is necessary for the intended purposes is collected
- Accuracy β data is kept accurate and up to date; inaccurate data is rectified or erased
- Storage limitation β data is kept only for the period necessary for the stated purposes
- Integrity and confidentiality β processing ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Accountability (Article 5(2) GDPR) β the controller is responsible for, and able to demonstrate compliance with, these principles
3. Categories of personal data processed and their source
Personal data is obtained directly from the data subject, voluntarily, through the website forms, by telephone or by email. We do not collect data from third-party sources, public databases or social networks.
- Identification data: full name
- Contact data: telephone number; email address (optional field in the forms)
- Location data: locality/region for the purpose of verifying the coverage area and providing the service
- Request description data: type of service requested and additional information provided voluntarily by the data subject
- Billing and contract performance data: installation address, bank details (for payments), technical installation information (only after a contract has been concluded)
- Technical browsing data: IP address (anonymised), browser type, pages visited and duration of the visit β collected through cookies (see the Cookie Policy)
Special categories of data (Article 9 GDPR): We do not collect or process any special categories of personal data (health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, genetic data, data concerning sex life or sexual orientation, data relating to criminal offences).
Children's data: Our services are not intended for persons under 16 years of age. We do not knowingly collect data from minors. If we become aware that a minor's data has been provided to us without parental consent, we will erase it immediately.
4. Purposes of processing and the corresponding legal basis
Each processing operation is based on a distinct and appropriate legal basis, pursuant to Article 6 of the GDPR:
| Purpose of processing | Legal basis (Art. 6 GDPR) | Retention |
|---|---|---|
| Responding to quote requests and pre-contractual information | Art. 6(1)(b) β pre-contractual steps at the request of the data subject | 6 months after the last contact (if no contract comes into existence) |
| Performance of the service contract (installation, maintenance, repair, HVAC) | Art. 6(1)(b) β performance of a contract to which the data subject is party | Duration of the contract + 3 years (warranty period) |
| Compliance with tax and accounting obligations (invoicing, records) | Art. 6(1)(c) β legal obligation [CIVA, Art. 36(2); Commercial Code, Art. 40(1)] | 10 years (legal obligation to retain tax records) |
| Compliance with legal obligations regarding after-sales warranties | Art. 6(1)(c) β legal obligation [DL no. 84/2021] | 3 years after completion of the service |
| Sending commercial communications and newsletters (only with express opt-in) | Art. 6(1)(a) β the data subject's free, specific, informed and unambiguous consent | Until consent is withdrawn |
| Statistical analysis of website usage (analytics cookies, where consented) | Art. 6(1)(a) β consent [required by the ePrivacy Directive, Art. 5(3); confirmed by the CJEU in the Planet49 judgment, C-673/17] | As per the Cookie Policy |
| Defence of rights in disputes or judicial/administrative proceedings | Art. 6(1)(f) β legitimate interest: the establishment or defence of rights in legal proceedings | For the period necessary to resolve the dispute |
In cases where processing is based on legitimate interest (Article 6(1)(f)), a balancing test has been carried out which confirmed that the legitimate interest pursued is not overridden by the interests, fundamental rights and freedoms of the data subjects. The data subject may request information about this assessment at any time.
5. Recipients of the data β processors and third-party recipients
Personal data may be disclosed to the following categories of recipient, strictly to the extent necessary and on an appropriate legal basis:
- Processor β Netlify, Inc. (2325 3rd Street, Suite 296, San Francisco, CA 94107, USA): web hosting platform and processing of form submissions. Regular & Integral, Lda has entered into a Data Processing Agreement (DPA) with Netlify in compliance with Article 28 of the GDPR. See section 6 on international transfers.
- Internal staff and technicians of Regular & Integral, Lda, subject to contractual confidentiality obligations and with access limited to what is necessary to carry out their duties (the "need-to-know" principle).
- Certified accountant (TOC): for compliance with tax and accounting obligations, under a processing agreement with GDPR clauses. Access limited to strictly necessary billing data.
- Public authorities and regulatory bodies: the Tax and Customs Authority, the CNPD (the Portuguese Data Protection Authority) or other competent authorities, where required by a legal obligation or court order. Regular & Integral, Lda will notify the data subject, whenever legally possible, before making any such disclosure.
Express declaration: Regular & Integral, Lda does not sell, rent, transfer for consideration or share for commercial purposes any data subjects' personal data with third parties. It does not carry out processing for third-party marketing purposes.
6. Transfers of personal data to third countries
Data submitted through the website forms is processed by Netlify, Inc., a company based in the United States of America. This transfer is carried out on the basis of the European Commission's Adequacy Decision regarding the EUβU.S. Data Privacy Framework (Implementing Decision (EU) 2023/1795 of 10 July 2023), which recognises an adequate level of protection for organisations certified under this framework.
Netlify's certification under the Data Privacy Framework can be verified in the official register: www.dataprivacyframework.gov.
Should the Adequacy Decision cease to have effect, the transfer will be subject to the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), ensuring equivalent protection. The data subject may request a copy of the applicable safeguards at info@ventofix.pt.
We do not carry out any other transfers of personal data to third countries outside the EEA.
7. Data retention periods
Personal data is kept only for the period strictly necessary for the purposes that justified its collection, in observance of the storage limitation principle (Article 5(1)(e) of the GDPR). The retention periods have been set on the basis of applicable legal obligations and limitation periods:
| Data category | Retention period | Basis |
|---|---|---|
| Quote requests not converted into a contract | 6 months after the last contact | Purpose exhausted after refusal/no response |
| Contract performance data (active client) | Duration of the contract + 3 years | Legal warranty period DL 84/2021; general limitation period under the Civil Code |
| Billing documents (invoices, receipts, contracts) | 10 years | Legal obligation β CIVA Art. 36(2); Commercial Code Art. 40(1) |
| Commercial communications (newsletters, opt-in) | Until consent is withdrawn | Consent revocable at any time |
| Cookie consent records | 3 years | Demonstration of GDPR compliance (Art. 5(2)) |
| Technical server logs (IP addresses) | 90 days | Systems security; exhaustion of the purpose |
Once the applicable retention period has elapsed, personal data is securely and irreversibly erased or anonymised so as not to allow any identification of the data subject.
8. Rights of data subjects
The GDPR grants the data subject a set of rights that may be exercised, free of charge, in relation to the processing of their personal data. The exercise of these rights is not subject to any special formality β simply send an identified request to info@ventofix.pt. We will respond within a maximum of one month (this period may be extended by a further two months in cases of particular complexity, with notification to the data subject β Article 12(3) GDPR).
- Right of access (Art. 15): to obtain confirmation as to whether or not your data is being processed and, if so, to obtain a copy of the data processed and information on the purposes, categories, recipients, retention periods and available rights
- Right to rectification (Art. 16): to obtain, without undue delay, the rectification of inaccurate personal data or the completion of incomplete data
- Right to erasure / "right to be forgotten" (Art. 17): to obtain the erasure of your data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent; you object to the processing and there are no overriding legitimate interests; the data has been unlawfully processed. This right does not apply where processing is necessary for compliance with a legal obligation or for the purposes of defending rights in legal proceedings
- Right to restriction of processing (Art. 18): to obtain the restriction of processing where you contest the accuracy of the data, where the processing is unlawful but you oppose erasure, or where the controller no longer needs the data but you require it for the establishment, exercise or defence of a right
- Right to data portability (Art. 20): to receive the data you have provided in a structured, commonly used and machine-readable format, and the right to transmit it to another controller β this applies only to processing based on consent or the performance of a contract and carried out by automated means
- Right to object (Art. 21): to object, at any time, to processing based on legitimate interest (Art. 6(1)(f)), in which case the controller must cease processing unless it demonstrates compelling legitimate grounds that override the interests of the data subject. In matters of direct marketing, the right to object is absolute and unconditional
- Right not to be subject to automated decisions (Art. 22): not to be subject to decisions taken solely on the basis of automated processing, including profiling, that produce legal effects or significantly affect you in a similar way β we expressly declare that we do not carry out any processing of this kind
- Right to withdraw consent (Art. 7(3)): to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent previously given. Withdrawal must be as easy as giving consent
The controller may, pursuant to Article 12(6) of the GDPR, request additional information necessary to confirm the identity of the requester, where there are reasonable doubts as to the identity of the person making the request.
9. Right to lodge a complaint with the supervisory authority
Without prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint with the competent supervisory authority, pursuant to Article 77 of the GDPR, in particular if they consider that the processing of their data infringes the GDPR:
ComissΓ£o Nacional de ProteΓ§Γ£o de Dados (CNPD) β the national supervisory authority competent for Portugal
- Website: www.cnpd.pt
- Email: geral@cnpd.pt
- Address: Av. D. Carlos I, 134 β 1.ΒΊ, 1200-651 Lisboa
- Telephone: +351 213 928 400
The exercise of the right to complain to the CNPD does not affect recourse to the courts, namely the right to an effective judicial remedy against the controller or the processor (Article 79 GDPR) and the right to compensation for damage caused by an infringement of the GDPR (Article 82 GDPR).
10. Data security and breach notification
Regular & Integral, Lda implements appropriate technical and organisational measures, pursuant to Article 25 (data protection by design and by default) and Article 32 of the GDPR, to ensure a level of security appropriate to the risk, including:
- Encrypted data transmission via the HTTPS/TLS protocol in all web communications
- Restricted access to personal data based on the "need-to-know" principle
- Processing agreements with GDPR clauses with all processors
- Staff training on data protection and confidentiality obligations
- Periodic assessment of the adequacy of the security measures implemented
Personal data breaches: In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, Regular & Integral, Lda will notify the CNPD within 72 hours of becoming aware of the breach, pursuant to Article 33 of the GDPR. Where such a breach is likely to result in a high risk to the rights and freedoms of data subjects, they will be notified without undue delay, pursuant to Article 34 of the GDPR.
11. Cookies and similar technologies
The ventofix.pt website uses cookies and similar technologies. Detailed information about the cookies used, their purposes, the legal basis for their processing, the retention periods and how to manage your preferences is set out in our Cookie Policy, which forms an integral part of this Privacy Policy.
12. Record of processing activities
Regular & Integral, Lda maintains an internal record of processing activities pursuant to Article 30 of the GDPR, available for consultation by the CNPD whenever requested.
13. Changes to this policy
This Privacy Policy may be updated to reflect legislative changes, decisions of the supervisory authorities or changes in data processing practices. The "last updated" date at the top of the document identifies the version in force. In the event of materially significant changes affecting the rights of data subjects, a prominent notice will be published on the website and, wherever possible, the data subjects whose data we process will be notified directly. Continued use of the website after changes are published implies awareness of them.
14. Contact for privacy matters
To exercise your rights, raise questions or obtain clarification about the processing of your personal data, please contact:
π§ info@ventofix.pt β please state in the subject line: "Data Protection β access, rectification or erasure"
π +351 913 068 775 (business days, 09:00β18:00)
π’ Regular & Integral, Lda Β· NIF 515 988 561 Β· Lisbon, Portugal