Stonify
Request a demo

Privacy Policy

Last updated Draft, pending legal review

DRAFT for legal review. This is a working draft prepared from GDPR (Articles 13/14) and Portuguese Law no. 58/2019 requirements. It is not legal advice and must be validated and completed by a qualified lawyer before publication. Every [PLACEHOLDER] needs a real value. See the accompanying questions document.

Last updated: [DATE]

Who we are

Stonify ([PLACEHOLDER: full registered company name and legal form, e.g. "Stonify, Lda."]) is the controller responsible for the personal data described in this policy.

  • Registered address: Parque Tecnológico de Óbidos, sala 3, [PLACEHOLDER: postal code, Óbidos, Portugal]
  • Company registration number (NIPC): [PLACEHOLDER]
  • Email: info@stonify.net
  • [PLACEHOLDER: Data Protection Officer contact, if one has been appointed. A DPO is not mandatory for Stonify unless its core activities involve large-scale regular monitoring or large-scale processing of special-category data; confirm with your lawyer whether one is required. If not appointed, remove this line.]

This policy explains what personal data we collect, why, the legal basis for processing it, how long we keep it, who we share it with, and the rights you have over your data.

What data we collect, and why

We collect personal data in the following situations.

When you contact us through the website. Our contact form collects your name, company, email address, and the message you send us, along with whether your enquiry is a demo request or a general question. We use this to respond to you, arrange a demo, and follow up about Stonify's products. The legal basis is our legitimate interest in responding to enquiries and pursuing business contacts (Article 6(1)(f) GDPR), and, where your enquiry concerns entering into a business relationship, taking steps at your request prior to a contract (Article 6(1)(b) GDPR).

When you use the website. We process limited technical data necessary to deliver and secure the site. Our forms are protected by Cloudflare Turnstile, which assesses whether a request is automated; this may process technical signals from your browser. [PLACEHOLDER: confirm with your lawyer and Cloudflare's documentation exactly what Turnstile processes and on what basis; Turnstile is privacy-oriented and typically relies on legitimate interest in preventing abuse, Article 6(1)(f).] We also process server and security data (such as IP address and request metadata) through our hosting and infrastructure provider for security and to operate the site, on the basis of our legitimate interest in keeping the service available and secure (Article 6(1)(f) GDPR).

[PLACEHOLDER: Analytics. If you use any website analytics (e.g. a privacy-focused analytics tool, or none), describe it here, including whether it sets cookies and the legal basis. If you use no analytics, state that plainly. Do not leave this unanswered.]

[PLACEHOLDER: Newsletter. Not currently offered. If/when you add newsletter signup, describe the data collected (email), the basis (consent, Article 6(1)(a)), and how to unsubscribe. Remove until launched.]

We do not knowingly collect special categories of personal data through the website, and we do not collect data from children. In Portugal, the minimum age to consent to information-society services is 13 (Article 16, Law no. 58/2019); our site and products are directed at businesses, not children.

Who we share data with

We share personal data only with service providers who process it on our behalf (processors), under contracts that require them to protect it, and only as needed to operate our service.

  • Cloudflare — bot protection (Turnstile), and [PLACEHOLDER: confirm other Cloudflare services in use, e.g. CDN, Workers, hosting]. Your form submission is processed through a Cloudflare Worker and stored in a database we control. [PLACEHOLDER: name the database/hosting provider and its location.]
  • [PLACEHOLDER: Hosting / infrastructure provider] — hosting the website and storing data.
  • [PLACEHOLDER: Email provider] — if form submissions or correspondence are routed to an email or CRM system, name it.
  • [PLACEHOLDER: any other processors — analytics, scheduling tools used to arrange demos, etc.]

We do not sell personal data. We do not share it for third-party advertising.

[PLACEHOLDER: list each processor explicitly. Regulators in 2026 expect specific identification of recipients, not generic categories. Your lawyer should confirm this list is complete and that data-processing agreements are in place with each.]

International data transfers

Some of our providers may process data outside the European Economic Area. [PLACEHOLDER: confirm whether any processor (e.g. Cloudflare) transfers data outside the EEA, and on what safeguard — Standard Contractual Clauses, an adequacy decision, etc. If all processing is within the EEA, state that instead. 2026 enforcement specifically scrutinises transfer disclosures, so this must be accurate.]

How long we keep your data

We keep personal data only as long as necessary for the purposes described.

  • Contact and demo-request data: [PLACEHOLDER: retention period, e.g. "for as long as needed to handle your enquiry and any resulting business relationship, and up to [X] months/years afterwards," then deleted or anonymised.]
  • Security and server logs: [PLACEHOLDER: retention period.]

[PLACEHOLDER: set concrete retention periods with your lawyer. "As long as necessary" alone is not sufficient under the transparency obligations the EDPB is prioritising in 2026.]

Your rights

Under the GDPR and Law no. 58/2019, you have the right to: access your personal data; have inaccurate data corrected; have your data erased; restrict or object to processing; data portability; and, where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at info@stonify.net. We will respond within the timeframes required by law (generally one month).

You also have the right to lodge a complaint with the Portuguese supervisory authority:

Comissão Nacional de Proteção de Dados (CNPD)
[PLACEHOLDER: confirm current CNPD address and contact from cnpd.pt — Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa is the historically listed address; verify it is current.]
Website: www.cnpd.pt

Cookies

Our use of cookies and similar technologies is described in our Cookie Policy.

Changes to this policy

We may update this policy. When we do, we will revise the "last updated" date above. [PLACEHOLDER: confirm with your lawyer whether material changes require active notice to existing contacts.]

Contact

Questions about this policy or your data: info@stonify.net, or write to us at Parque Tecnológico de Óbidos, sala 3, [PLACEHOLDER: postal code], Óbidos, Portugal.