Data protection
Privacy Policy
Last updated: July 2026
This policy explains how Lovelyparallel, Lda, trading as « Business Portugal », collects, uses and protects your personal data when you use the website and its forms, in accordance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and Portuguese Law No. 58/2019.
Data controller
The controller of your personal data is:
- Legal name
- Lovelyparallel, Lda (trading as « Business Portugal »)
- Legal form
- Sociedade por Quotas (Lda) under Portuguese law
- Tax ID (NIF / NIPC)
- 518354750
- Office
- Lisbon, Portugal (full address not published at the publisher's request; available upon legitimate request, in particular when you exercise your rights)
- Manager / Publication director
- Audrey Marques
- Contact email (data protection)
- audrey.marques@portugal-business.com
- Phone
- +351 937 424 708 (Monday-Friday, 9 a.m.-7 p.m., Lisbon time)
No Data Protection Officer (DPO) has been appointed, as this is not mandatory given the activity; any question regarding your data may be sent to the email above.
What data we collect and where it comes from
We only collect data that is strictly necessary for the purposes described below. Depending on how you use the site, this may include:
| Data category | Examples | Source |
|---|---|---|
| Identification and contact data | First name, last name, email address, phone number (optional) | You, via the contact / qualification form |
| Project data | Project type (e.g. company formation), country of residence, desired timeline, free-text message | You, via the qualification form |
| Appointment data | Name, email, booked slot, time zone, answers to booking questions | You, via Calendly |
| Communication data | Content of exchanged emails, open/click status of transactional emails | You + the Brevo email tool |
| Audience measurement data | Page views, traffic source, device type, country, aggregated and non-identifying | Automatic collection via Plausible (cookieless) |
We do not collect special categories of data (« sensitive data ») through the site, nor detailed tax data: detailed discussions about your situation take place during the consultation or through a direct channel, never via the public forms.
Purposes, legal bases and retention periods
For each processing activity, we set out the purpose, the legal basis (Article 6 GDPR) and the retention period.
3.1Contact / qualification form
- Purpose :
- receive and handle your request, qualify your project, follow up and prepare a possible first free consultation.
- Tools / recipients :
- email notification sent via Brevo (transactional email); request stored in a Supabase database (table « leads », protected by Row Level Security).
- Legal basis :
- pre-contractual steps taken at your request (Art. 6(1)(b) GDPR) for the fields needed to handle the request; consent (Art. 6(1)(a)) for optional fields and any later commercial outreach.
- Retention period :
- 3 years from your last contact if no relationship materialises. After that, data is deleted or anonymised.
3.2Appointment booking
- Purpose :
- organise and confirm your consultation slot.
- Tool / recipient :
- Calendly.
- Legal basis :
- pre-contractual steps at your request (Art. 6(1)(b) GDPR).
- Retention period :
- booking data is kept by Calendly for the duration of the relationship and then, where relevant, merged into the prospect record (3-year period, see 3.1). Obsolete appointments are purged regularly.
3.3Email communication
- Purpose :
- correspond with you, answer your questions, follow up on your case and, where relevant, send you information about our services.
- Tool / recipient :
- Brevo.
- Legal basis :
- performance of pre-contractual steps / contract (Art. 6(1)(b)) for handling your request; legitimate interest (Art. 6(1)(f)) for commercial follow-up of an existing prospect/client; consent (Art. 6(1)(a)) for any newsletter or marketing you subscribed to. You may withdraw consent or unsubscribe at any time (unsubscribe link in every email, or request to the contact email).
- Retention period :
- for the duration of the relationship, then 3 years after the last contact for prospects; for email marketing, consent is kept until withdrawn and for a maximum of 3 years after the last active contact.
3.4Audience measurement
- Purpose :
- understand how the site is used and improve it.
- Tool / recipient :
- Plausible Analytics, cookieless and without collecting directly identifying personal data (aggregated statistics).
- Legal basis :
- legitimate interest (Art. 6(1)(f) GDPR) in privacy-friendly audience measurement. As it is cookieless and non-identifying, no prior consent is required.
- Retention period :
- aggregated statistics kept for 24 months; no identifiable individual data is stored.
3.5Cookie consent management
- Purpose :
- collect, record and respect your cookie/tracker choices.
- Tool :
- in-house consent banner, aligned with CNIL recommendations and the CNPD position.
- Legal basis :
- legal obligation (Art. 6(1)(c) GDPR, in connection with Article 5(3) of the ePrivacy Directive) to keep proof of consent.
- Retention period :
- your choice is kept for a maximum of 6 months, after which consent is requested again.
3.6Accounting and legal obligations
- Purpose :
- comply with our accounting, tax and legal obligations once you become a client.
- Legal basis :
- legal obligation (Art. 6(1)(c) GDPR).
- Retention period :
- according to the statutory periods applicable in Portugal (generally 10 years for accounting records).
Recipients and processors
Your data is processed by Lovelyparallel, Lda and by the following processors, acting on our instructions and bound by a data processing agreement (DPA):
| Processor | Role | Main processing location |
|---|---|---|
| Brevo (Sendinblue SAS) | Transactional emails and communication tracking | European Union (France) |
| Supabase | Database hosting the « leads » table (with RLS) | European Union (Frankfurt) |
| Calendly | Appointment booking | United States (see §5) |
| Plausible Analytics | Cookieless audience measurement | European Union |
| Vercel Inc. | Website hosting (edge infrastructure) | European Union |
With your consent and solely to handle your request, certain information may be shared with a specialised partner from our network (e.g. accountant, tax adviser, partner bank, recruitment partner). These partners act as separate controllers and apply their own privacy policy.
We do not sell your data and do not share it with any third party for advertising purposes.
Transfers outside the European Union
Some of our providers may process data outside the European Union, in particular:
- Calendly (a company established in the United States).
Where a transfer outside the EU takes place, it is governed by appropriate safeguards within the meaning of Chapter V GDPR, primarily the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the provider's certification under the EU-US Data Privacy Framework. A copy of the applicable safeguards may be requested at the contact address in §1.
Your rights
Under the GDPR, you have the following rights over your data at any time:
- Right of access to your data and a copy of it.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure (« right to be forgotten ») in the cases provided by law.
- Right to restriction of processing.
- Right to object, in particular to processing based on legitimate interest and to direct marketing.
- Right to data portability: receive the data you provided in a structured, machine-readable format.
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right to set instructions regarding the fate of your data after your death.
How to exercise your rights: send your request by email to audrey.marques@portugal-business.com, stating your request. We may ask for proof of identity in case of reasonable doubt. We respond within one month (extendable by two months for complex requests).
Complaint to a supervisory authority: if you believe your rights are not respected, you may lodge a complaint with the lead authority, the CNPD, Comissão Nacional de Proteção de Dados (Portugal, www.cnpd.pt), and, if you reside in France, with the CNIL, Commission Nationale de l'Informatique et des Libertés (www.cnil.fr).
Data security
We implement appropriate technical and organisational measures to protect your data, including:
- encryption of communications (HTTPS/TLS) between your browser and the site;
- Row Level Security (RLS) on the Supabase database, restricting access to authorised people and services only;
- restricted access to data on a need-to-know basis;
- regular backups and access logging;
- use of processors offering GDPR-compliance guarantees.
In the event of a data breach likely to result in a high risk to your rights, we will notify the CNPD and, where applicable, the affected individuals, as required by the GDPR.
Changes to this policy
We may update this policy to reflect legal or technical changes. Any material change will be flagged on this page, and the last-updated date at the top of the document will be revised.