Personal data protection policy

1. Purpose

This Personal Data Protection Policy aims to inform you of the principles, procedures and responsibilities of the CAIXA SEGURA platform, provided by JAVALI - Administração e Desenvolvimento de Sistemas Informáticos, Lda., with regard to the collection, processing, storage and deletion of personal data, in accordance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679) and applicable national legislation.

2. Scope of application

This policy applies to all personal data processed in the context of the provision of the CAIXA SEGURA service, including:

  • Administrative user data
  • Reporter data (anonymous or identified)
  • Data submitted in the content of reports and messages
  • Data generated by the use of the platform

3. Responsibilities

  • The Client is the Data Controller of the personal data processed in its instance of the platform.
  • Javali acts as a Subcontractor, under the terms of Article 28 of the GDPR, providing infrastructure, security, support and maintenance services.

4. Processing principles

All personal data is processed in accordance with the following principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Limitation of storage
  • Integrity and confidentiality
  • Demonstrable responsibility

5. Categories of data processed

The platform may process, among others:

  • Identifying data: name, e-mail, telephone (where applicable)
  • Data provided in reports: descriptions, attachments, recordings
  • Activity logs: date/time of access and technical logs

6. Purposes of processing

  • Operationalisation of the reporting channel in accordance with Law 93/2021
  • Management of users, permissions and reporting processes
  • Guarantee of security, stability and compliance of the platform
  • Compliance with legal or contractual obligations

7. Subcontracting and transfers

Javali may use subcontractors to provide technical services (e.g. hosting, email), ensuring that they:

  • Comply with the legal requirements of the GDPR
  • Operate within the European Economic Area or, if not, with adequate guarantees of protection

8. Security and confidentiality

JAVALI implements technical and organisational measures to:

  • Protect data against unauthorised access or misuse
  • Ensure data integrity, availability and confidentiality
  • Ensure traceability and access control

9. Data retention and deletion

Personal data will be retained for as long as necessary for the purposes indicated above, or in accordance with applicable legal obligations. At the end of this period, the data will be securely deleted. As a rule, deletion takes place within 3 months of the end of the subscription.

10. Rights of data subjects

Data subjects may exercise the following rights under the terms of the law:

  • Access to personal data
  • Rectification or updating of data
  • Deletion of data ("right to be forgotten")
  • Limitation or opposition to processing
  • Portability of data (where applicable)

The exercise of rights should be addressed to the subscribing Client, who is responsible for the platform instance. JAVALI can also be contacted via dpo@javali.pt.

11. Complaints

Data subjects have the right to lodge a complaint with the National Data Protection Commission (CNPD) via www.cnpd.pt.

12. Policy updates

This policy may be updated whenever necessary for legal or operational reasons. The latest versions will be made available to subscribing Customers.

Last update: 29 September 2025