

Legal Identity: This policy applies to Flatstudio, LDA (NIF: 514168030), headquartered at Rua Francisco Pedro Curado N.º 10 – Loja C, 1170-139 Lisboa, Portugal. When we say "we" or "Flatstudio," we are referring to this legal entity.
Our Role (GDPR): In legal terms, we act as the Data Controller for website visitors and job applicants. However, when working on client projects, we act strictly as a Data Processor, operating under your specific instructions and NDA protections.
1. Data Collection & Purpose
We believe in minimizing data "noise." We only collect information that has a clear purpose.
- Contact Forms: When you contact us, we collect your name, email, and project details based on Legitimate Interest to evaluate our potential partnership.
- Hiring: When you apply for a job, we review your professional history (CV, Portfolio).
- Technical Logs: We collect pseudonymized technical identifiers (like IP addresses and device types). These are strictly used for security monitoring and debugging interface performance, not for user profiling.
Cookie Logic
We distinguish between two types of cookies:
- Essential (System Integrity): Mandatory for the website to function (e.g., security tokens). These do not require consent.
- Analytics (Performance): Used to understand navigation flow. We process these only with your explicit consent, given via our Cookie Banner. You can withdraw this consent at any time in your browser settings.
2. Our Infrastructure (The Stack)
In the modern web, data lives in the cloud. We do not just "use" tools; we legally bind them. Each vendor listed below acts as a Sub-processor and has signed a Data Processing Agreement (DPA) with us to ensure GDPR compliance:
- Website & Hosting: Webflow (AWS infrastructure). All traffic is secured via SSL.
- CRM & Hiring: Notion. Protected by mandatory 2FA and restricted access.
- Production & Design: Figma, Framer, Webflow, Linear/Jira.
- Internal Comms: Google Workspace (Email), Slack (Project Chat).
- Communication Protocols: Before an NDA is signed, we are flexible (Telegram, Zoom). Once a contract is signed, sensitive work moves to Slack for auditability.
3. Security, NDAs & Business Confidentiality
We treat security as an engineering discipline. Since we work with high-sensitivity data (Fintech, SaaS), our protocols go beyond standard GDPR requirements.
- The "Iron-Clad" NDA: Every person touching your project—whether a core team member or a specialized contractor—signs a strict Non-Disclosure Agreement (NDA) and Non-Solicitation Agreement.
- Strict Covenant: Instead of empty promises, we enforce strict contractual prohibitions against using your data for personal goals or sharing it with third parties. Any breach of this protocol results in immediate legal action and termination.
- Protection of Strategic Assets: We pledge to shield your strategic information (business strategies, pricing models). These are processed solely to deliver your product and are logically isolated from other clients.
- Technical Measures: We enforce Two-Factor Authentication (2FA) on all accounts and use Role-Based Access Control (RBAC) to limit data exposure.
4. Third-Party Access & Government Requests
We do not share your personal information with marketers. We may, from time to time, allow limited access to external consultants (e.g., a specialized DevOps engineer) strictly for performing specific tasks. We only work with partners whose privacy policies align with ours.
Government Requests: We value your privacy above bureaucratic overreach. We will refuse government and law enforcement requests for data if we believe a request is too broad or unrelated to its stated purpose. We will only cooperate if compelled by a strict legal process (court order) to prevent illegal activity or protect public safety. We are designers, not informants.
5. Data Retention Lifecycle
We believe data should have an expiration date. We keep information only as long as it provides value or meets legal requirements:
- Client Project Data: Retained for 5 years after project completion. This allows us to assist you if you lose your source files or need a "rollback" years later.
- Candidate CVs: Retained for 5 years in our Talent Pool. If we don't hire you today, we might want to call you for a perfect role tomorrow.
- Marketing Leads: Retained for 18 months of inactivity.
- Financial Records: Invoices are kept for 10 years to comply with mandatory Portuguese tax laws.
6. International Transfers
Since tools like Figma and Google are US-based, some data processing occurs outside the EEA. We legitimize these transfers through Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework, ensuring your data remains protected by European standards regardless of server location.
7. Your Rights (GDPR)
Since we operate out of Lisbon, you are protected by the GDPR. You remain the owner of your data. You have the right to access the personal information we hold about you, correct any mistakes, or exercise your "Right to Erasure"—essentially asking us to delete everything we know about you (except for tax records). You do not need a lawyer to exercise these rights; a simple email is enough.
8. Contact Us
If you have questions about this policy or want to exercise your rights, please contact us directly. We prefer human conversation over legal formality.

