Data Controller Identity
The data controller responsible for your personal data is:
BlueWave IT
Av. 25 de Abril 6, 8500-511 Portimão, Algarve, Portugal
Email: privacy@bluewaveit.pt
Website: bluewaveit.pt
BlueWave IT is registered as a data controller under Portuguese law and operates in full compliance with Regulation (EU) 2016/679 (GDPR), Lei n.º 58/2019 (Portuguese GDPR implementation law), and Lei n.º 93/2021 (general whistleblower and data transparency provisions).
Personal Data We Collect
We collect personal data in the following contexts:
| Category | Data types | Source |
|---|---|---|
| Contact & enquiry data | Name, company name, email address, phone number, message content, service interest | Contact form, email, phone calls |
| Client account data | Business name, billing address, NIF/NIPC, contact persons, contract details | Directly from clients at onboarding |
| Service delivery data | Device information, system logs, IP addresses, usernames, support ticket content | Managed systems, helpdesk platform |
| Technical data | Browser type, IP address, pages visited, time on site, referral source | Website analytics, server logs |
| Communication records | Email correspondence, support tickets, call notes | Direct communications |
Special categories: We do not intentionally collect special-category personal data (Article 9 GDPR) such as health, biometric, or racial data. If any such data is inadvertently included in support communications, it will be deleted promptly.
Legal Basis for Processing
We rely on the following legal bases under Article 6 GDPR for each processing activity:
| Processing activity | Legal basis |
|---|---|
| Responding to contact form enquiries | Legitimate interest (Art. 6(1)(f)) |
| Delivering managed IT services to clients | Contract performance (Art. 6(1)(b)) |
| Issuing invoices and maintaining accounts | Legal obligation (Art. 6(1)(c)) |
| Security monitoring and incident response | Legitimate interest (Art. 6(1)(f)) |
| Sending service communications & updates | Contract performance (Art. 6(1)(b)) |
| Marketing emails (if opted in) | Consent (Art. 6(1)(a)) |
| Website analytics | Legitimate interest (Art. 6(1)(f)) |
| Compliance with Portuguese tax law | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests do not override your fundamental rights. You have the right to object to processing based on legitimate interests at any time.
How We Use Your Data
We use your personal data strictly for the following purposes:
Service delivery: To provide, operate, and support our managed IT services — including helpdesk support, monitoring, patch management, backup verification, network management, and cloud administration.
Communication: To respond to enquiries, send service updates, notify you of incidents, and provide technical guidance.
Billing and finance: To issue invoices, process payments, and comply with Portuguese tax and accounting obligations (Código do IVA, Decreto-Lei n.º 197/2012).
Security: To protect the security of your IT environment and our own systems, detect threats, investigate incidents, and maintain audit trails.
Legal compliance: To comply with applicable laws, respond to lawful requests from competent authorities, and enforce our contractual terms.
Improvement: To improve our services, processes, and website using anonymised or aggregated data where possible.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects (Article 22 GDPR).
Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
| Recipient | Purpose | Safeguards |
|---|---|---|
| IT platform providers (e.g. Microsoft 365, RMM tooling) | Service delivery infrastructure | Data processing agreements (DPAs); EU/EEA or adequacy-covered data centres |
| Cloud backup providers | Offsite data protection for clients | DPAs; encrypted storage; EU-located infrastructure |
| Accounting software (e.g. invoicing SaaS) | Financial record-keeping | DPA; EU data residency where possible |
| Netlify (form submissions) | Contact form handling | DPA; EU-US Data Privacy Framework |
| Competent authorities | Legal obligation or lawful order | Only to the extent legally required |
All third-party service providers acting as data processors are required to sign a Data Processing Agreement (DPA) under Article 28 GDPR, contractually obligating them to process data only on our documented instructions and to implement appropriate technical and organisational security measures.
International Data Transfers
We primarily process and store data within the European Economic Area (EEA). Where data is transferred to third countries, we ensure adequate safeguards are in place under Chapter V GDPR, including:
Adequacy decisions: Transfers to countries with a European Commission adequacy decision (e.g. UK, Switzerland).
Standard Contractual Clauses (SCCs): We use the EU Commission's updated SCCs (Commission Implementing Decision (EU) 2021/914) where no adequacy decision exists.
EU-US Data Privacy Framework: For transfers to certified US organisations.
You may request a copy of the specific safeguards in place for any transfer by contacting us at privacy@bluewaveit.pt.
Data Retention Periods
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data type | Retention period | Basis |
|---|---|---|
| Client contract & billing data | 10 years from end of contract | Portuguese tax law (Art. 52 CIRC); AT requirements |
| Contact form / pre-sales enquiries | 2 years from last contact | Legitimate interest |
| Support tickets & helpdesk records | Duration of contract + 3 years | Contract performance; security audit |
| Security logs and monitoring data | 12 months | Legitimate interest; ENISA guidance |
| Website analytics | 26 months (anonymised after 6 months) | Legitimate interest |
| Marketing consent records | Until consent withdrawn + 3 years | Accountability obligation (Art. 5(2) GDPR) |
When data is no longer required, it is securely deleted or anonymised in accordance with our data retention and disposal procedure.
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. We will respond to all requests within 30 days (extendable to 90 days for complex requests, with notice).
Right of Access (Art. 15)
Request a copy of all personal data we hold about you, along with information on how it is processed.
Right to Rectification (Art. 16)
Request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure (Art. 17)
Request deletion of your personal data where there is no legitimate reason for us to continue processing it.
Right to Restrict (Art. 18)
Request that we temporarily stop processing your data — for example while you contest its accuracy or our legal basis.
Right to Portability (Art. 20)
Receive your personal data in a structured, machine-readable format where processing is based on consent or contract.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77)
Lodge a complaint with the Portuguese data protection authority, the CNPD (Comissão Nacional de Proteção de Dados).
To exercise any of these rights, submit a written request to privacy@bluewaveit.pt. We may ask you to verify your identity before processing the request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.
Cookies & Tracking
Our website uses cookies and similar technologies in accordance with the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) and Portuguese Lei n.º 46/2012.
| Cookie type | Purpose | Consent required |
|---|---|---|
| Strictly necessary | Session management, security, form functionality | No — exempt under Art. 5(3) ePrivacy |
| Analytics | Understanding how visitors use the site (anonymised) | Yes — opt-in required |
| Preference | Remembering theme and language selection | No — functional necessity |
| Marketing | We do not currently use marketing or tracking cookies | N/A |
You can manage cookie preferences at any time through your browser settings. Blocking strictly necessary cookies may affect the functionality of the site. For detailed information on managing cookies, visit allaboutcookies.org.
Data Security
We implement appropriate technical and organisational security measures (Article 32 GDPR) to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
Technical measures: Encrypted data transmission (TLS 1.2+), encrypted storage, multi-factor authentication on all administrative systems, endpoint protection, firewall management, access controls based on the principle of least privilege, and regular patching.
Organisational measures: Staff training on data protection, confidentiality obligations, data minimisation practices, documented incident response procedures, and regular security reviews.
Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours (Article 33 GDPR) and affected individuals without undue delay where the risk is high (Article 34 GDPR).
Children's Data
Our services are directed exclusively at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly.
Under Portuguese law (Lei n.º 58/2019, Art. 16), the age of consent for information society services is 16 years. In the context of our B2B services, this provision is not applicable, but we maintain this standard as a matter of policy.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. We will notify you of material changes by:
Existing clients: Direct email notification at least 30 days before changes take effect.
Website visitors: A prominent notice on this page, with the updated effective date shown at the top.
Continued use of our services or website after the effective date of an update constitutes acceptance of the revised policy. We recommend reviewing this page periodically.
Archived versions of this policy are available on request.
Contact & Complaints
For any questions about this policy, to exercise your rights, or to report a concern, please contact us:
BlueWave IT — Data Privacy
We aim to respond to all privacy-related enquiries within 5 business days, and to fulfil all data subject requests within 30 days.
Supervisory authority: If you are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with the Portuguese data protection authority:
CNPD — Comissão Nacional de Proteção de Dados
Rua de São Bento, 148-3.º, 1200-821 Lisboa, Portugal
Website: cnpd.pt
Email: geral@cnpd.pt
Tel: +351 213 928 400