Legal
Privacy Policy
Last updated: 4 June 2026
This Privacy Policy explains how Starter.pt collects, uses and protects personal data in connection with this website, enquiries, client projects, technical support, AI integrations, managed infrastructure and related services. It is written for clarity and applies unless a signed agreement, statement of work or data processing agreement says otherwise.
1. Controller and contact details
The controller for the processing described in this policy is Starter.pt, Portugal.
Privacy requests should be sent to [email protected].
2. Personal data we may process
Depending on the context, we may process:
- name, job title, company name and contact details;
- messages, briefs, support tickets and project communications;
- information received through an agency partner when Starter.pt works white-label or under the agency's client relationship;
- billing details, tax details and payment records where applicable;
- technical information needed to provide services, such as domains, IP addresses, temporary credentials, server access details, logs, diagnostics, backups, snapshots, repository details and deployment information;
- data, prompts, outputs, context snippets or workflow records processed through AI integrations when this is part of an agreed project scope;
- security findings, audit notes and remediation records;
- website usage and security logs generated by hosting, server or CDN infrastructure;
- any other personal data voluntarily provided through email, forms, meetings or agreed project tools.
3. Purposes, legal bases and retention
| Processing activity | Purpose | Legal basis | Typical retention |
|---|---|---|---|
| Contact forms and enquiries | Receive messages through the website form or email, reply to requests, qualify needs and propose next steps. | Pre-contractual steps and legitimate interests. | Up to 12 months after the last interaction, unless a client relationship starts. |
| White-label agency work | Support an agency's client project, usually under the agency's instructions and communication path. | Contract performance, legitimate interests and, where applicable, processor obligations. | For the duration of the agency relationship, then as needed for handover, records, disputes and continuity. |
| Client projects and support | Deliver web programming, AI automation integration, security consultancy, managed VPS, dedicated server, maintenance and support services. | Contract performance and legitimate interests. | For the duration of the relationship, then as needed for records, disputes and continuity. |
| Billing and accounting | Issue invoices, manage payments and comply with tax/accounting obligations. | Legal obligation and contract performance. | For the legally required retention period. |
| Server, security and access logs | Protect systems, investigate incidents, prevent abuse and maintain service reliability. | Legitimate interests and, where applicable, legal obligation. | Usually 6 to 12 months, unless needed for an incident, dispute or legal requirement. |
| Marketing communications | Send updates only where this has been requested or is otherwise lawful. | Consent or legitimate interests, depending on the context. | Until consent is withdrawn, opt-out is requested or the contact becomes inactive. |
4. Service delivery and client data
During technical work, Starter.pt may access client systems, databases, repositories, logs, hosting panels, third-party tools or production data. Where Starter.pt processes personal data on behalf of a client, the client is normally the controller and Starter.pt acts as a processor. In that case, processing is carried out under the client's documented instructions and, when appropriate, a data processing agreement.
5. Sharing with third parties
Personal data may be shared with suppliers only where needed to operate the website, deliver services, manage communication, provide hosting, integrate agreed AI/API workflows or comply with legal duties. These suppliers may include hosting providers, email providers, accounting tools, project tools, infrastructure providers, AI/API providers and professional advisers. Starter.pt does not sell personal data.
Contact form messages are sent by email using SMTP infrastructure and may be processed by email and hosting providers involved in message delivery. Where Starter.pt works through an agency, relevant project data may also be shared with that agency for the purpose of delivering the agreed work.
The contact form uses Cloudflare Turnstile to reduce spam and automated abuse. Cloudflare may process technical request data needed to verify the challenge, such as browser, device, IP address and interaction signals. This is used for security and abuse prevention, not by Starter.pt for advertising profiling.
6. International transfers
Some suppliers or client-selected tools may process data outside the European Economic Area. Where this happens, Starter.pt relies on appropriate safeguards, such as adequacy decisions, Standard Contractual Clauses or other lawful transfer mechanisms where required.
7. Security measures
Starter.pt applies proportionate technical and organisational measures intended to protect personal data, including access control, secure communication, credential hygiene, least-privilege access, backups where agreed, patching and monitoring appropriate to the service. No system can be guaranteed to be fully secure, but reasonable measures are used to reduce risk.
8. Cookies and website technologies
This website may use Google Tag Manager and analytics tags only after the relevant optional consent category has been accepted. Technical cookies or similar storage may be used by hosting, CDN, form security or anti-abuse infrastructure where strictly necessary. More detail is available in the Cookie Policy.
9. Your rights
Subject to legal conditions, you may request access, rectification, erasure, restriction, portability and objection. Where processing is based on consent, you may withdraw that consent at any time without affecting processing already carried out lawfully.
To exercise rights, contact [email protected]. A response will be provided within the legally required timeframe. Identity verification may be requested where necessary.
10. Complaints
You may lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD), at www.cnpd.pt.
11. Changes to this policy
This policy may be updated to reflect changes in services, legal requirements or operational practices. The latest version will be published on this page.