Privacy Policy

Last updated: April 2026

1. Data Controller

ObraXRAY (accessible at obraxray.com) is the controller for the personal data described here. This policy explains, in compliance with Regulation (EU) 2016/679 (GDPR) and Portuguese Law 58/2019, what data we process, from whom, on what legal basis, for how long, with whom we share it, and how you can exercise your rights. This policy applies both to users who use the platform and to indirect data subjects whose data is processed as part of the service (directors, administrators and shareholders of construction companies).

2. Scope and Data Subjects

We process data of two categories of subjects, under different regimes. (A) Users: people who register, search companies and purchase reports on the platform. The legal basis for this data is the performance of the service contract and consent for non-essential cookies and optional communications. (B) Indirect subjects: directors, administrators, shareholders and legal representatives of Portuguese construction companies whose data is contained in official public registries. These subjects do not register with us and their data is processed on the basis of legitimate interest (Art. 6(1)(f) GDPR), under a documented Legitimate Interest Assessment (LIA).

3. User Data

When you use the platform, we collect: account data (name and email provided at registration); payment data (processed directly by Stripe; we do not store card data); usage data (searches performed, reports purchased, pages visited); technical data (IP address and browser type, used for security and rate limiting); and contact data (name, email and message when you use the contact form). We do not sell or transfer this data to third parties for marketing purposes, nor do we feed external AI models with it.

4. Data of Directors, Administrators and Shareholders

Within the scope of the risk assessment service, we process personal data of directors, administrators, shareholders and legal representatives of Portuguese construction companies. This data comes from Portuguese official public registries and includes: name, personal tax ID, company role, appointment and termination dates, associated companies, and history of insolvency proceedings, reorganisation plans, enforcement actions, edital citations, civil court proceedings, labour administrative sanctions, and inclusion in public debtor lists of the State. We do not process special categories of data (health, racial origin, political opinions, biometric data) nor data relating to criminal convictions. We do not extract personal address or date of birth, even when visible at the source. Because it is operationally impractical to contact each subject individually, under Art. 14(5)(b) GDPR, this information is provided through this public means. All subjects may exercise the rights set out in section 9.

5. Official Sources Consulted

Data on companies and their directors is collected exclusively from Portuguese official public sources: CITIUS (Ministry of Justice, insolvency proceedings, enforcement actions, edital citations and mass litigation, under the Code of Civil Procedure and the CIRE); Ministry of Justice Publications (publicacoes.mj.pt, under the Commercial Registry Code); IMPIC (public registry of construction licences, Law 41/2015); Tax Authority Public Debtor List (Art. 64(5)(a) of the General Tax Law (LGT)); Social Security Public Debtor List (by legal referral applicable to Social Security debtors); Working Conditions Authority (ACT, published labour sanctions); Base Portal (base.gov.pt, public contracts); and 197 Portuguese judicial courts (civil case distribution lists). Basic company registry data (legal name, CAE code, capital) is obtained via NIF.pt (private aggregator of public data). We do not use private sources, social networks, or data obtained by non-official means.

6. Legal Basis

Under Art. 6 GDPR: (a) performance of contract (Art. 6(1)(b)) for services provided to users, including payment processing and report delivery; (b) consent (Art. 6(1)(a)) for non-essential cookies, optional marketing communications and alerts, withdrawable at any time without affecting the lawfulness of prior processing; (c) legitimate interest (Art. 6(1)(f)) for processing of data of directors, administrators and shareholders from official public sources, for the purpose of protecting consumers in the construction market. This legitimate interest is documented in an internal Legitimate Interest Assessment (LIA), aligned with Recital 47 GDPR and Art. 60 of the Portuguese Constitution; (d) legal obligation (Art. 6(1)(c)) for compliance with applicable tax and accounting obligations.

7. Processors and Transfers

Data may be processed by the following processors, bound by Data Processing Agreements (DPAs) under Art. 28 GDPR and exclusively for the purposes described: Supabase (database and authentication, EU servers); Vercel (web application hosting, European regions); Hetzner (VPS in Nuremberg, Germany, for scraping operations and director analysis); Stripe (payment processing, PCI DSS certified); Sentry (technical monitoring and error detection, pseudonymised data); and Resend (transactional emails, when applicable). We do not share data with third parties outside these purposes. Data is preferentially processed within the European Union. Any transfer outside the EEA will be protected by Standard Contractual Clauses (SCCs) approved by the European Commission or by adequacy decision.

8. Retention Period

User account data: while the account is active, plus 6 months after deletion for evidentiary reasons. Purchased reports: 90 days of online access to the contractor profile per purchase; the report PDF is kept while the account exists. Re-verification within 12 months (9.99 EUR) refreshes the data and grants another 90 days of online access. Payment and invoicing records: 10 years, under tax law obligation. Technical data and logs: up to 90 days. Contact form data: up to 24 months. Data collected from public sources (cache): between 3 and 30 days per source, according to an operationally defined Time-To-Live (CITIUS 7 days, IMPIC 30 days, NIF.pt 14 days, debtor lists 3 days), re-consulted periodically to ensure freshness. Data of terminated directors: kept in a historical archive while the company exists, given that termination of duties is itself relevant information for risk assessment (phoenix scheme detection), subject to reasoned objection as per section 9.

9. Rights of Data Subjects

Under Articles 15 to 22 GDPR, you have the following rights: access (obtain confirmation and a copy of your data); rectification (correct inaccurate or incomplete data); erasure (request deletion, assessed case by case when processing is based on legitimate interest); restriction (temporarily restrict processing); portability (receive your data in structured format, applicable only to data processed on the basis of consent or contract); and objection (Art. 21, object to processing based on legitimate interest on grounds relating to your particular situation). Registered users can exercise many of these rights directly from the account panel. Indirect subjects (directors, administrators, shareholders) may exercise their rights by contacting contact@obraxray.com, providing name, tax ID and nature of the request. We respond within a maximum of 30 days, extendable by 60 days in complex cases. Erasure or objection requests are assessed individually and, when denied, the refusal is reasoned in writing with indication of available means of complaint.

10. Supervisory Authority and Complaints

If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the Portuguese National Data Protection Commission (CNPD), the Portuguese supervisory authority, through www.cnpd.pt, without prejudice to judicial recourse. We ask that you contact us first so we may try to resolve the situation directly.

11. Security and Accountability

We implement technical and organisational measures proportional to the risk: encryption in transit (HTTPS/TLS 1.2+), secure authentication with Supabase Auth and optional 2FA, Row Level Security (RLS) at the database level, rate limiting and abuse protection, periodic backups, restricted access to service keys, active monitoring with Sentry, and a fail-closed policy for critical sources (if a source fails, the report indicates unavailability rather than presenting a falsely clean result). In compliance with the accountability principle (Art. 5(2) GDPR), we maintain internal documentation including a Data Protection Impact Assessment (DPIA), a Legitimate Interest Assessment (LIA), a Record of Processing Activities (Art. 30 GDPR) and signed DPAs with processors. This documentation is available to the CNPD in case of inspection.

12. Cookies

We use essential cookies for website operation (authentication, language preferences, session) and analytical cookies to understand usage and improve the platform. Analytical and third-party cookies (Google Analytics, PostHog) are only activated with your consent, which you can give or withdraw at any time through the consent banner. For details on each cookie, consult our Cookie Policy.

13. Changes to the Policy

This policy may be updated periodically to reflect operational, legal or security practice changes. Changes are published on this page with the update date. For substantial changes that affect rights or processing purposes, we notify registered users by email and, when applicable, highlight the change on the platform.

14. Contact

For privacy questions, exercise of rights, or requests relating to data processing, contact us through contact@obraxray.com. Identify yourself (name and, if applicable, tax ID), describe the request, and indicate the capacity in which you contact us (registered user, director/administrator/shareholder mentioned in a report, other). We respond within a maximum of 30 days.