This privacy policy applies to the website adricosta.com (the "site") and to engagements with Adriana da Costa, independent tax advisor. It describes how personal data is collected, used, stored, and protected. It follows the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Portuguese Law 58/2019.
I am committed to protecting your privacy and handling your information in an open and transparent manner. This policy explains what data I collect, why, and what rights you have over it.
1. Data controller
The controller responsible for processing your personal data is Adriana da Costa, independent practitioner, NIF [TBD: taxpayer ID to confirm], contactable at finance@adricosta.com.
2. Categories of personal data
I may collect and process the following categories of personal data.
- Identification and contact data. Name, email address, telephone number, and any details you provide when you book a call or send me a message.
- Engagement data. Where you become a client, the financial, tax, and personal information needed to deliver the engagement, including data on assets, residency, and tax history relevant to the work.
- Technical and usage data. Anonymised aggregate data on how the site is used (pages visited, time on page, country-level traffic), gathered through a privacy-friendly analytics tool that does not use cookies and does not track individual users.
3. Purposes of processing
I process your personal data for the following purposes.
- To respond to enquiries and arrange discovery calls or consultations.
- To deliver any engagement you have contracted, including the preparation, communication, and delivery of written advice and supporting documents.
- To comply with legal, accounting, and tax-record retention obligations under Portuguese law.
- To understand how the site is used and improve its content and structure.
4. Legal basis
The legal basis for processing varies according to purpose.
- Performance of a contract (Article 6(1)(b) GDPR) for the delivery of engagements you contract.
- Legitimate interest (Article 6(1)(f) GDPR) for handling general enquiries and aggregate analytics.
- Legal obligation (Article 6(1)(c) GDPR) for the retention of accounting and tax records.
- Consent (Article 6(1)(a) GDPR) where you have explicitly opted in to a specific use of your data.
5. Recipients of data
Your data may be shared with carefully selected third-party service providers that support the operation of this website and the delivery of engagements. These include providers of booking and scheduling, payment processing, hosting infrastructure, professional email, and similar operational services. Each is bound by a written data processing agreement that meets GDPR requirements and may only process your data on documented instructions.
I do not sell, rent, or otherwise transfer your personal data for commercial purposes.
Where legally required, your data may be disclosed to the Portuguese tax authority (Autoridade Tributária), the supervisory authority (Comissão Nacional de Proteção de Dados, CNPD), or to courts and other public bodies, exclusively within the limits of what is mandatory under Portuguese law.
6. International transfers
Some service providers may be established outside the European Economic Area, in particular in the United States. Where that is the case, I rely on the safeguards permitted under Articles 44 to 49 GDPR, including the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), and on any applicable adequacy decision in force, to ensure that your data continues to receive an equivalent level of protection.
7. Retention
Engagement records are retained for ten years from the end of the relevant tax year, in line with Portuguese accounting and tax law. Non-engagement enquiry data is deleted within twelve months unless you become a client. Aggregate analytics data is retained for a maximum of twenty-four months.
8. Your rights
Under the GDPR you have the right to:
- Access your personal data and obtain a copy.
- Request rectification of inaccurate or incomplete data.
- Request erasure of your data, subject to legal retention obligations.
- Request restriction of processing.
- Object to processing carried out on the basis of legitimate interest.
- Request portability of data you provided to me.
- Withdraw consent at any time, where consent is the legal basis.
- Lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD), at cnpd.pt, or with the supervisory authority of the Member State of your habitual residence or of the place of the alleged infringement.
9. Security
I implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These include access controls, encryption in transit, and use of reputable service providers that maintain industry-recognised security standards.
10. Data Protection Officer
No Data Protection Officer has been designated under Article 37 GDPR, because the conditions that make such designation mandatory are not met. You may direct any data protection matter to the contact provided above.
11. Changes to this policy
This policy may be updated from time to time. The version in force is always the version published on this page, dated above. Material changes will be communicated by a notice on the site or by email where appropriate.
12. Contact
To exercise any of the rights described above, or for any other question concerning the processing of your personal data, please write to finance@adricosta.com. I respond within thirty days.