Privacy Policy
Last updated: February 2026
Introduction
This Privacy Policy describes how Jônata Guimarães, Attorney at Law (hereinafter "Data Controller"), collects, uses, stores and protects the personal data of users of this website and legal services, in compliance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679), Portuguese Law No. 58/2019 of August 8 (which ensures GDPR implementation in Portugal), Law No. 41/2004 (privacy in electronic communications) and the Portuguese Bar Association Statute (Law No. 145/2015).
1. Data Controller
- Name: Jônata Guimarães
- Profession: Attorney at Law
- Professional License: OA No. 64089L (Portuguese Bar Association)
- Professional Address: Av. Casal Ribeiro 15, 4.º-B, 1000-090 Lisbon, Portugal
- Email: [email protected]
- Phone: (+351) 912 899 235
2. Data Processing Map
The following table details all personal data processing activities:
| Activity/Channel | Purpose | Data Collected | Legal Basis (GDPR) | Recipients | Retention Period |
|---|---|---|---|---|---|
| Contact Form | Respond to information requests and initial screening | Name, email, phone (optional), message | Art. 6(1)(b) - Pre-contractual steps at data subject's request | Manus (hosting), Formspree (form processing) | Non-converted inquiries: 6 months; Clients: mandate duration + 5 years |
| Consultation Scheduling | Booking and management of legal consultations | Name, email, phone, area of interest, availability | Art. 6(1)(b) - Contract performance or pre-contractual steps | Manus (hosting and database) | Unrealized consultations: 3 months; Clients: mandate duration + 5 years |
| WhatsApp | Quick communication and scheduling | Phone number, name, exchanged messages | Art. 6(1)(b) - Pre-contractual steps | Meta Platforms Ireland Ltd. (WhatsApp) | Non-converted conversations: 6 months; Clients: mandate duration + 5 years |
| Legal Services Provision | Mandate execution and legal representation | Identification data, case documents, communications | Art. 6(1)(b) - Contract performance | Courts, registries, public entities (as necessary) | Mandate duration + 20 years (deontological obligation) |
| Billing and Accounting | Invoice issuance and tax compliance | Name, tax ID, billing address | Art. 6(1)(c) - Legal obligation | Tax Authority, certified accountant | 10 years (tax obligation) |
| Free Tools (Calculators) | Provide informative estimates | User-entered data (not permanently stored) | Art. 6(1)(a) - Implied consent through use | Manus (hosting) | Browser session only |
| Newsletter/Content | Send legal articles and updates | | Art. 6(1)(a) - Consent | Manus (hosting) | Until subscription cancellation |
| Analytics and Logs | Website usage analysis and security | IP address (anonymized), browser type, pages visited, timestamps | Art. 6(1)(f) - Legitimate interest (security and service improvement) | Manus Analytics (internal) | Security logs: 12 months; Analytics: 26 months |
3. International Transfers
Your data may be transferred to countries outside the European Economic Area (EEA) when we use third-party services. In such cases, we ensure adequate safeguards exist:
- Meta Platforms (WhatsApp): Transfers to the USA under the EU-US Data Privacy Framework
- Manus: Servers located in the European Union
- CDN (Cloudflare): Standard Contractual Clauses approved by the European Commission
4. Mandatory Data Provision
Providing personal data is voluntary but necessary for:
- Contact form: without name and email, we cannot respond to your request
- Consultation scheduling: without contact details, we cannot confirm the booking
- Service provision: without identification data and documents, we cannot execute the mandate
- Billing: without tax ID, we cannot issue an invoice (legal obligation)
5. Data Subject Rights
Under the GDPR, you have the following rights:
- Access (Art. 15): Obtain confirmation that your data is processed and access it
- Rectification (Art. 16): Correct inaccurate data or complete incomplete data
- Erasure (Art. 17): Request data deletion, except where legal retention obligations apply
- Restriction (Art. 18): Restrict processing in certain circumstances
- Portability (Art. 20): Receive data in a structured, commonly used format
- Objection (Art. 21): Object to processing based on legitimate interest or direct marketing
- Withdraw consent: When processing is based on consent, you may withdraw it at any time
To exercise these rights, send a request by email to [email protected], identifying yourself and specifying the right you wish to exercise. We will respond within 30 days.
6. Security Measures
We implement appropriate technical and organizational measures to protect your data:
Technical Measures
- SSL/TLS encryption for all communications
- Secure authentication with JWT tokens
- HTTP security headers (HSTS, CSP, X-Frame-Options)
- Rate limiting and protection against automated attacks
- hCaptcha for human verification in forms
- Regular encrypted backups
Organizational Measures
- Professional secrecy (Art. 92 of the Bar Statute)
- Data access granted only when necessary
- Continuous data protection training
- Security incident response procedures
7. Sub-processors
The following service providers (sub-processors) may access personal data in the course of their technical functions, under contracts ensuring GDPR compliance:
| Sub-processor | Function | Data Accessed | Location | Safeguards |
|---|---|---|---|---|
| Manus (Butterfly Effect PTE) | Web hosting, database and authentication | All website data (forms, sessions, messages) | EU (Singapore — HQ) | Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. | CDN, DDoS protection and DNS | IP address, HTTP headers | USA / Global | EU-US Data Privacy Framework |
| hCaptcha (Intuition Machines) | Anti-bot verification in forms | IP address, browser fingerprint | USA | Standard Contractual Clauses (SCCs) |
| Google LLC (Analytics) | Web traffic analysis (consent required) | IP address (anonymized), browsing data | USA | EU-US Data Privacy Framework |
| Umami (self-hosted via Manus) | Privacy-focused website analytics (consent required) | Aggregated browsing data (no personal data) | EU | No personal data transfer |
| Meta Platforms (WhatsApp) | Client communication channel | Phone number, messages | USA | EU-US Data Privacy Framework |
8. Supervisory Authority
Without prejudice to any other remedy, you have the right to lodge a complaint with the competent supervisory authority:
National Data Protection Commission (CNPD)
- Address: Av. D. Carlos I, 134 - 1.º, 1200-651 Lisbon
- Phone: (+351) 213 928 400
- Email: [email protected]
- Website: www.cnpd.pt
9. Policy Changes
This policy may be updated periodically. Any significant changes will be communicated through the website. We recommend regularly consulting this page.
10. Data Protection Contact
For any questions regarding the processing of your personal data or to exercise your rights, contact:
Subject: Personal Data Protection