Privacy Policy

In this policy we provide you with information about how Atelier de Software collects and processes your personal data obtained through the use of the website ermera.pt and the Ermera platform, in accordance with the rules of Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation) and Law No. 58/2019 of 8 August.

It is important that you read this privacy policy so that you are fully aware of how we are using your data and why.

---

1. Controller of your personal data

The entity responsible for processing personal data provided on the website ermera.pt and on the Ermera platform is the company Atelier de Software by Pina dos Santos, Lda., registered office at Rua da Esperanca, No. 17, store C, 2735-473 Cacem, and office at Rua Amilcar Cabral No. 7, Floor 2 - Room 4, 2735-534 Agualva-Cacem, registered under the single registration and tax number 516 156 870, operating under the brand Ermera.

---

2. How to contact Atelier de Software

If you have any questions about the processing of personal data or wish to exercise your rights in this area, you can contact us by email at hello@ermera.pt or by letter sent to the office of Atelier de Software, at Rua Amilcar Cabral No. 7, Floor 2 - Room 4, 2735-534 Agualva-Cacem.

---

3. Personal data processed by Atelier de Software

The personal data referred to in this privacy policy is the information about you that we obtain when you access and browse our site or use the Ermera platform, which allows us to identify you directly or indirectly.

We may collect, use, store and transfer different types of personal data about you, which we have grouped as follows:

Waitlist

When you sign up for the waitlist through the form available on the site, we store your email to inform you about the launch of the Ermera platform and related product news. The legal basis for processing this data is your consent.

Registration and user account

When you create an account on the Ermera platform, we collect your name, email, company name and contact information necessary for the provision of the service. The legal basis for processing this data is the performance of the service agreement.

Billing and payment data

To process payments and manage subscriptions, we collect billing data such as name or company name, tax identification number (NIF), billing address and payment method. Payments are processed by third parties (Stripe, SIBS, IfThenPay) acting as independent controllers for payment data processing. Ermera does not store complete credit or debit card data.

Your customers' data (sub-processing)

When you use the Ermera platform to manage your customers' subscriptions, Ermera acts as a sub-processor of your customers' personal data, on your behalf and under your instruction. This data may include your customers' name, email, NIF and subscription and payment history. The controller of this data is the platform user (your company), with Ermera being the sub-processor under Article 28 of the GDPR.

Platform usage data

We collect data about how you use the platform, including features used, actions performed and revenue metrics generated by your usage. This data is used to improve the service and provide technical support. The legal basis is our legitimate interest in improving the platform.

Cookies

Ermera uses a single strictly necessary session cookie to keep your session active, protect against CSRF, remember your chosen language, and track aggregated first-party analytics. We do not use advertising or third-party tracking cookies. See our Cookie Policy for full details.

---

4. Retention period of your personal data

The data we collect will be processed for the period strictly necessary to fulfill the purposes for which it was obtained. When the maximum period is reached, your personal data will be anonymized or securely deleted.

The most relevant periods are as follows:

4.1. Waitlist — Your data will be kept until the platform launch and for a maximum period of 6 months after that launch, unless you choose to create an account.

4.2. User account — Your data will be kept while your account is active. After account closure, data will be deleted within 30 days, without prejudice to applicable legal retention obligations (namely for tax purposes).

4.3. Billing data — Billing data will be retained for the legal periods required by Portuguese tax legislation (currently 10 years).

4.4. Your customers' data — Your customers' data will be deleted within 30 days after your account closure, unless legal obligations require otherwise.

4.5. Cookies — We will process your data for a maximum period of 2 years, during which cookies may remain active.

---

5. Recipients of personal data

The personal data we process may be accessed by Atelier de Software employees responsible for platform management and by entities subcontracted by us, namely:

• Payment processors (Stripe, SIBS, IfThenPay) for transaction processing
• Certified invoicing software (Moloni) for issuing invoices and receipts, by user instruction
• Technology infrastructure providers (hosting, databases, transactional email)
• Site traffic analysis tool providers

These entities act on our behalf and under our responsibility and supervision, except for payment processors which act as independent controllers within the scope of their own regulatory obligations.

---

6. Data transfers outside the European Union

Your data will be processed primarily in Portugal and Europe. When data transfers are made outside the European Union, namely to the United States of America (in the case of services such as Stripe), these transfers are carried out under adequacy mechanisms recognized by the European Commission or standard contractual clauses.

---

7. Security measures that protect your data

Atelier de Software uses physical, technological and organizational security measures to protect personal data against unauthorized destruction, loss, alteration, disclosure or access.

Among these measures, we highlight the following:

7.1. The entire site and platform use encrypted HTTPS/SSL connection;

7.2. Payment data is handled exclusively by certified payment processors and is never stored in our systems;

7.3. Access to the platform is protected by authentication and data is segregated by user account;

7.4. We monitor access to prevent, detect and stop unauthorized access;

7.5. The number of people with access to personal data is restricted and limited to the stated purposes;

7.6. We require subcontracted partners and suppliers who process personal data to maintain adequate security levels.

---

8. Rights of the data subject

Depending on the purpose and legal basis of the processing of your data, you may exercise the following rights:

8.1. Access, update or correct inaccurate data we hold about you;

8.2. Ask us to delete your personal data when it is no longer necessary for the purposes for which it was collected or when we no longer have a legal basis to process it;

8.3. Ask us to cancel or limit the use of your data when it may not be accurate or may no longer be necessary for the original processing purpose;

8.4. When data is processed based on your consent, you have the right to withdraw it at any time;

8.5. In cases where the legal basis for data processing is consent or a contract, you may request portability of the personal data you provided to us, in a structured, commonly used and machine-readable format;

8.6. When data is processed based on our legitimate interest, you may object to the processing of your data;

8.7. You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD), by email at geral@cnpd.pt or through the forms available at https://www.cnpd.pt/.

To exercise any of these rights, contact us at hello@ermera.pt.

---

9. Changes to the privacy policy

This Privacy Policy is regularly updated and may be changed without prior notice. To stay up to date, we recommend that you consult it regularly. The last revision dates from April 2026.