Privacy Policy

1. Data Controller

Pro Digital Key
Rua Professor Doutor Egas Moniz, 100
3860-078 Avanca · Estarreja · Aveiro · Portugal
NIF: PT226673219
Email: [email protected]
Phone: +351 928 268 011

2. Data Collected

We collect personal data voluntarily provided through the forms on our website, including:

• ✓ Full name
• ✓ Email address
• ✓ Phone number
• ✓ Company name
• ✓ Business information shared voluntarily

We do not collect payment data directly — these are handled by certified payment processors (Stripe, etc.).

3. Purpose of Data Processing

Your data is used exclusively to:

• ✓ Respond to contact and diagnostic requests
• ✓ Send requested commercial proposals
• ✓ Newsletter (only with explicit consent)
• ✓ Compliance with legal obligations

We do not sell, rent or share your data with third parties for commercial purposes.

4. Legal Basis

The processing of your data is based on your explicit consent (Art. 6(1)(a) of the GDPR) and/or on the legitimate interest of Pro Digital Key in providing the requested services (Art. 6(1)(f) of the GDPR).

5. Data Retention Period

Data is retained for the period necessary to provide the services and for any legally mandated period. Contact data without an active commercial relationship is deleted after 2 years.

6. Your Rights (GDPR)

You have the right to:

• ✓ Access — know what data we hold about you
• ✓ Rectification — correct inaccurate data
• ✓ Erasure — request deletion of your data ("right to be forgotten")
• ✓ Objection — object to processing for marketing purposes
• ✓ Portability — receive your data in a machine-readable format
• ✓ Lodge a complaint — with the CNPD (Comissão Nacional de Proteção de Dados — Portuguese Data Protection Authority)

To exercise these rights, contact: [email protected]

7. Cookies

Our website uses essential technical cookies required for the page to function. We do not use third-party tracking cookies for advertising purposes without your consent.

8. Data Security

We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or destruction, including HTTPS encryption and restricted access controls.

9. Changes to This Policy

We reserve the right to update this policy. Significant changes will be communicated by email to our clients. The date of the last update is indicated at the top of this page.

10. Sub-processors and International Transfers

In order to deliver our services, Pro Digital Key engages specialised sub-processors — third parties that process personal data on our behalf and under our instructions, pursuant to data processing agreements (DPAs) entered into under Article 28 of the GDPR. Where processing involves the transfer of personal data outside the European Economic Area (EEA), we rely on one of the safeguards set out in Chapter V of the GDPR (Articles 44 to 49): a European Commission adequacy decision, the Standard Contractual Clauses (SCCs — Decision 2021/914), or, where applicable, the EU-US Data Privacy Framework (DPF).

Current list of sub-processors that may process your data:

• ✓ Anthropic, PBC — Content analysis and generation via the Claude API (newsletter authoring assistance). Location: United States. Transfer basis: SCCs + EU-US DPF.
• ✓ Twilio Inc. — Transactional SMS delivery. Location: United States. Transfer basis: SCCs + DPA + EU-US DPF.
• ✓ Amazon Web Services EMEA SARL — Transactional email delivery (SES). Location: Ireland (EU/EEA). Transfer basis: not applicable (within the EEA).
• ✓ Emailit LTD — Email fallback delivery. Location: United Kingdom. Transfer basis: EU–UK adequacy decision (2021).
• ✓ Google Ireland Limited (Google Workspace) — Business mailbox and commercial communications. Location: Ireland (EU/EEA), with possible processing by group entities in the United States. Transfer basis: SCCs + EU-US DPF.
• ✓ Contabo GmbH — Application server hosting (VPS). Location: Germany (EU/EEA). Transfer basis: not applicable.
• ✓ pCloud AG — Encrypted off-site backups. Location: Switzerland. Transfer basis: Adequacy Decision 2000/518/EC.
• ✓ Google Ireland Limited (Google Drive) — Encrypted off-site backups (secondary destination). Location: Ireland (EU/EEA), with possible processing in the United States. Transfer basis: SCCs + EU-US DPF.
• ✓ Amazon Web Services EMEA SARL (S3) — Encrypted off-site backups (tertiary destination). Location: Ireland (EU/EEA). Transfer basis: not applicable.

In addition, we use components that do not qualify as external sub-processors because they do not involve the transfer of personal data to third parties: the MaxMind GeoLite2 database, which is downloaded and queried locally on our servers (no data is sent back to MaxMind), and the GlitchTip error-monitoring system, hosted on our own infrastructure.

Under Article 13(1)(f) of the GDPR, you have the right to be informed of these international transfers and, upon request, to obtain a copy of the safeguards in place. You may also exercise the right of objection under Article 21 of the GDPR in relation to processing by a specific sub-processor by contacting us at [email protected].

The list of sub-processors may be updated as our infrastructure evolves. We undertake to notify material changes by email to data subjects with an active relationship with us, with at least 14 days' notice, allowing the right of objection to be exercised before the change takes effect.

11. AI Chat Assistant

When you interact with our chat assistant in the bottom-right corner of the site, we collect and process the following data:

• ✓ Exchanged messages — text you type in the chat and the responses generated by the bot or sent by an operator.
• ✓ Profile data shared voluntarily — name, email, phone, company when you provide them in the conversation.
• ✓ Technical metadata — IP address, user-agent, source page, detected language, anonymous session identifier (UUID).

Automatic detection and masking of sensitive data: the system scans for patterns such as IBAN, credit-card numbers (with Luhn validation), tax IDs, ID cards, and API keys; when detected, they are replaced with markers before the conversation is stored. This masking is defensive — it may fail for atypical cases. We recommend you do not share sensitive data in the chat.

Legal basis: processing is based on Pro Digital Key's legitimate interest in providing support to website visitors (Art. 6(1)(f) GDPR). When the assistant explicitly asks you to leave an email for follow-up, the processing then relies on your consent (Art. 6(1)(a)).

Retention: conversation transcripts are automatically deleted 90 days after closure. You may request immediate erasure at any time via [email protected] or by exercising the rights described in section 6.

Chat-specific sub-processors:

• ✓ Ollama Inc. — bot response generation via open models hosted in a European region (eu-frankfurt). Location: EU/EEA. Transfer basis: not applicable.
• ✓ Anthropic, PBC — fallback when the primary model is unavailable. Location: United States. Transfer basis: SCCs + EU-US DPF.

Messages sent to the chat are transmitted in real time to one of these processors to generate the reply. No processor uses chat content to train its own models — this commitment is contractually secured in the respective DPAs.

Chat-specific rights: you can download a full transcript of your conversation at any time via the «Save conversation» button in the chat-widget header. To delete all past conversations associated with your email, exercise the right to erasure.

12. Audience Measurement (Traffic Analytics)

We use our own, self-hosted statistics system to understand how this website is used. By default it runs in anonymous, cookieless mode: we do not store your IP address (only your country, derived from a truncated address), we do not identify you individually, and we do not track you across visits. The lawful basis is our legitimate interest (Art. 6(1)(f) GDPR) in measuring and improving the site's performance. The data is retained for at most 13 months and is never shared with third parties. You may object at any time via [email protected].

Returning-visitor recognition (optional, consent only) — If you allow it in our cookie notice, we store an identifier in your browser to recognise repeat visits and improve your experience. This feature relies on your consent (Art. 6(1)(a) GDPR and Art. 5 of Portuguese Law 41/2004) and can be withdrawn at any time, without affecting your access to the site.

13. Company Identification (Business Visitors)

When a visit comes from a company network, we may identify the organisation (never the individual) from the IP address, by matching it against commercial business-intelligence databases, for B2B marketing and sales analysis. We do not identify individuals. Visits from residential or carrier networks are discarded. The lawful basis is our legitimate interest (Art. 6(1)(f) GDPR). You may object to this identification or request your organisation's exclusion via [email protected].