Privacy Policy
The Porto Digital Association, hereinafter referred to as APD, is an association that, in the exercise of its activities, is guided by transparency and security in the processing of personal data. The privacy and security of the data you entrust to us are a priority for us.
APD is a private, non-profit association. It was created in 2004 and is owned by the Porto City Council, the University of Porto, and Porto Metro. Its objective is to promote Information and Communication Technology (ICT) projects in the city of Porto and its metropolitan area.
APD respects and values the privacy of all those who interact with us, which is why we only collect and use personal data when strictly necessary and in a manner consistent with our legal rights and obligations.
From an analytical perspective, the APD, within the framework of this platform, uses the Matomo platform to analyze general trends regarding website usage. To this end, the Matomo platform collects only anonymized information.
Please read this Privacy Policy carefully and ensure you understand it.
Data controller
APD, as the Controller of Personal Data of users of this website, has prepared and adopted this Privacy Policy, which explains how users' personal data is collected and processed.
| Controller: | Associação Porto Digital (APD) |
| Legal Entity Identification Number: | 506838730 |
| Headquarters: | Largo do Dr. Tito Fontes 15, 4000-538 Porto, Portugal |
| Telephone Number: | 22 205 8412 |
| Contact Email: | info@portodigital.pt |
| DPO Email: | dataprotection@portodigital.pt |
This Privacy Policy explains how we use your personal data: how it is collected; how it is stored; and how it is processed. It also explains your rights under Data Protection Law.
What is personal data?
Personal data is defined by the General Data Protection Regulation (GDPR) and Law No. 58/2019, of August 8 (collectively understood as, “Data Protection Legislation”) as “information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier”.
Personal data is, in simple terms, any information about you that allows you to be identified. Personal data includes obvious information, such as your name and contact details, but also less obvious information, such as location data, electronic coordinates, and other identifiers.
Collection and Processing of Personal Data
The personal data we collect and process depends on the context of your interactions with the website and with the APD, and of the APD's interactions with you.
It is necessary to process some of your personal data. This processing is only carried out when essential to fulfill legal or contractual obligations, when the company has legitimate interests, or with your consent. In any case, we guarantee that only the data strictly necessary for each purpose will be processed, for the appropriate period of time, and we will keep you informed at all times.
In the following table, we describe how we use your personal data and the respective legal grounds that allow us to do so:
| What do we do? | What data do we process? | Basis of legality |
|---|---|---|
| Registration | Name, NIF, Telephone, Address. | Consent of the data subject (Article 6(1)(a) of the GDPR) |
| Cookie Management | Cookies | Non-necessary cookies: data subject's consent (Article 6(1)(a) of the GDPR); necessary cookies: legitimate interests of the APD (Article 6(1)(f) of the GDPR) |
We will only use your personal data for the purposes for which it was originally collected. If the APD wishes to process your personal data for purposes other than those for which it was initially collected, the APD will validate whether such purpose is compatible with the initial purpose of the processing. If the APD uses your personal data for a purpose unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the appropriate legal basis.
In certain cases, we may be required to collect and process your data, in particular for the purposes of investigating, reporting and detecting crime, as well as to ensure compliance with applicable legislation.
Data retention
With regard to retention periods, we inform you that we will keep the collected data only for the period necessary and reasonable within the scope of the purpose(s) for which we collected it, after which it will be duly deleted.
We will not retain your personal data for longer than necessary, given the reason(s) for which it was collected in the first instance. However, we advise that retention periods may be longer when necessary to comply with a legal obligation to which the APD is subject.
When processing is based on consent, we will retain the data for the period stipulated for that purpose. After that, the data will be deleted or, alternatively, we will collect new consent.
Storage and transfer of personal data
Data is stored in various locations, including on the Organization's systems and other computer systems (including the email system).
We will only store your personal data within the European Economic Area (EEA). The EEA comprises all Member States (MS) of the European Union (EU), plus Norway, Iceland, and Liechtenstein. This means your personal data will be fully protected under the GDPR and/or equivalent legal standards.
The security of your personal data is essential to us. Therefore, to protect your data, we take a series of relevant measures, such as:
Limit access to your personal data to employees, service providers and other third parties, making them aware of the fact that they are subject to confidentiality duties and ensuring that such circumstances actually occur;
Adopt procedures to deal with the occurrence of possible data breaches (i.e., accidental or unlawful destruction; loss; alteration; unauthorized disclosure; or mere access to your personal data), including notifying you, to which we are legally obliged;
Sharing of personal data
We will not share any of your personal data with third parties for any purpose, except in the following situations:
When necessary for the fulfillment of contractual obligations (e.g.: provision of certain services, in terms of maintenance, technical support or website hosting, which may have access to some of the personal data, in particular, the data necessary for the contracted purposes);
When necessary to comply with legal obligations (e.g., investigations, inquiries and judicial and/or administrative proceedings or proceedings of a similar nature, provided that they are duly ordered by court order);
When we have obtained your consent to do so.
Personal data security
To protect your personal data against unauthorized or unlawful access, use or disclosure, and against accidental loss or destruction, we will use a set of security technologies and procedures considered duly adequate.
The rights of data subjects
Under Data Protection Legislation, you may request to exercise the following rights with the APD:
Right to information: the right to be informed about the collection and use of your personal data;
Right of Access: the right to obtain confirmation as to whether or not personal data concerning you are being processed and, if that is the case, the right to access your personal data;
Right to rectification: the right to have your personal data rectified if any of your personal data in our possession is inaccurate or incomplete;
Right to erasure: the right to request the deletion of your personal data, which we have in our possession, considering the legally established limitations;
Right to limit the processing of your personal data;
Right to object: the right to object to the use of your personal data for a particular purpose or purposes;
The right to withdraw consent: This means that if we rely on your consent as the lawful basis for using your personal data, you are free to withdraw that consent at any time.
The right to data portability: this means that if you have provided us with personal data directly, and we are processing it, by automated means, with your consent or for the performance of a contract, you can ask us for a copy of that same personal data in order to reuse it with another service.
It is important that your personal data is kept accurate and up to date. If any of the personal data we hold about you changes, please keep us informed as long as we have this data. To do so, you can contact us through the platform or the contacts provided in this Policy.
If you have any complaints about our use of your personal data, you have the right to lodge a formal complaint with the supervisory authority for this purpose, the National Data Protection Commission (CNPD), at . More information about your rights can also be obtained from the CNPD at .
Third Party Websites
Our website may contain links to third-party websites, which may collect and process your personal data for their own purposes. The processing of personal data by the owners of these websites is their sole responsibility, and APD has no control over their practices and policies.
How to get in touch
If you would like to obtain further information or clarifications related to this Privacy Policy and/or the Processing of your Personal Data, you can contact us as follows:
Responsible for processing:
Email address: tiago.teles@portodigital.pt.
Phone number: 22 205 8412.
Postal address: Largo do Dr. Tito Fontes 15, 4000-538 Porto, Portugal
Data Protection Officer:
Data Protection Officer: dataprotection@portodigital.pt.
Postal address: Largo do Dr. Tito Fontes 15, 4000-538 Porto, Portugal.
Changes to the Privacy Policy
APD reserves the right to change this Privacy Policy at any time.
Any changes will be immediately posted on the website. Therefore, we recommend that you check this page regularly to stay up-to-date.
This Privacy Policy was last updated on October 17, 2025.
Consent: Free, specific, informed, and explicit expression of will by which the data subject agrees, by means of a statement or unequivocal affirmative action, to the processing of personal data concerning him or her.
Special data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data to uniquely identify a person, data concerning health, or data concerning a person's sex life or sexual orientation.
Personal data: Information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an electronic identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Health data: Personal data relating to the physical or mental health of a natural person, including the provision of health services, which reveal information about their health status.
Profiling: Any form of automated processing of personal data consisting of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Recipient: A natural or legal person, public authority, agency, or other body to which personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of specific inquiries under Union or Member State law are not considered recipients; the processing of such data by such public authorities must comply with applicable data protection rules depending on the purposes of the processing.
Right to erasure: The right of the data subject, depending on the context, to obtain from the controller the erasure of his or her personal data without undue delay.
Right of access: The data subject's right to obtain confirmation from the controller as to whether or not personal data concerning them is being processed and, where applicable, the right to access their personal data and information about the processing.
Right to rectification: The data subject's right to obtain, without undue delay, the rectification of inaccurate personal data concerning them from the controller.
Data protection officer: A data privacy specialist who works independently to ensure that an entity complies with the policies and procedures established in the GDPR.
Restriction of processing: The insertion of a mark on personal data held in order to limit its processing in the future.
Data portability: The data subject's right to receive personal data concerning them that they have provided to a data controller in a structured, commonly used, and machine-readable format, and the right to transmit such data to another data controller without hindrance from the controller to whom the personal data was provided.
Privacy by design: The controller applies, both when defining the means of processing and during the processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement data protection principles, such as minimization, and to incorporate the necessary safeguards into the processing, in a manner that complies with the requirements of this Regulation and protects the rights of data subjects.
Pseudonymization: Processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its nomination may be