Back to Home
Data Protection

GDPR Policy

Last updated: April 2025

01

Our Commitment to GDPR

DEVLOU is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Portuguese Law 58/2019. As a cybersecurity company, we treat data protection as a technical and ethical imperative, not merely a compliance exercise.

02

Data Controller

DEVLOU — Desenvolvimento e Consultadoria, Lda. acts as data controller for personal data processed in connection with this website and our consulting services. Contact: geral@devlou.pt

03

Data Processing Activities

  • Client Management: processing of client contact and billing data to manage contractual relationships.
  • Service Delivery: processing of client data necessary to deliver contracted AI and cybersecurity services.
  • Website Analytics: anonymised traffic analytics to improve our website performance.
  • Marketing Communications: personalised updates and case studies (with explicit consent only).
  • Legal Compliance: processing required to meet fiscal, regulatory, and legal obligations.
04

Legal Bases

  • Article 6(1)(b) — Contract: processing necessary for the performance of our service contracts.
  • Article 6(1)(c) — Legal obligation: processing required by Portuguese tax and commercial law.
  • Article 6(1)(f) — Legitimate interests: improving services and communicating with prospects.
  • Article 6(1)(a) — Consent: marketing communications and non-essential cookies.
05

Data Subject Rights

  • Right of access (Art. 15): request a copy of your personal data and processing information.
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): delete your data where no legal basis for retention exists.
  • Right to restriction (Art. 18): limit processing while a dispute is being resolved.
  • Right to data portability (Art. 20): receive your data in a structured, interoperable format.
  • Right to object (Art. 21): object to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making (Art. 22): we do not make solely automated decisions with legal effect.
06

Security Measures

  • Encryption of personal data at rest and in transit using industry-standard protocols.
  • Access controls with principle of least privilege and multi-factor authentication.
  • Regular security assessments and penetration testing of our own infrastructure.
  • Staff training on data protection and security awareness.
  • Data breach response procedures with 72-hour notification capability.
07

International Transfers

Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision.

08

Data Retention Schedule

  • Website enquiries: 3 years from last contact.
  • Client contracts and billing data: 10 years (Portuguese commercial law requirement).
  • Security incident logs: 1 year.
  • Marketing consent records: until consent is withdrawn plus 2 years.
09

Supervisory Authority

The competent supervisory authority for DEVLOU is the Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134, 1200-651 Lisboa, Portugal. Website: www.cnpd.pt

Questions or Requests

For any enquiries regarding this policy or to exercise your rights, contact us at:

geral@devlou.pt