Privacy Policy
Last updated: 6 June 2026.
Who we are
Acta Security ("we", "us") is the data controller for personal data processed through this website and our client services. Address: Avenida da República, 1363, 4430-190 Vila Nova de Gaia, Portugal. Contact: hello@actasecurity.eu or via our contact form.
What we collect
- Contact form: your email, any name/organisation/subject you provide, your message, an anti-spam timestamp and a Cloudflare Turnstile token, and your IP address (for rate-limiting).
- Booking: if you book an assessment, the appointment is handled by meetergo; the details you enter there (name, email, chosen time) are processed by them on our behalf.
- Client portal: your email (for passwordless sign-in), optional phone number, the engagement details you submit, and any reports we deliver to you. Sign-in uses short-lived, signed cookies — no passwords are stored.
- Incident response (SimpleX): only what you choose to send us. SimpleX requires no phone number or account.
- Server logs: IP address and basic request metadata, used to operate and secure the site.
We do not use advertising, profiling or third-party analytics/tracking.
Why we process it (legal bases)
- Consent — when you contact us or request a booking.
- Contract — to scope and deliver engagements you order through the portal.
- Legitimate interests — to secure the website, prevent abuse/spam, and respond to enquiries.
- Legal obligation — where we are required to retain or disclose data by law.
Who processes data for us
We work with EU/EEA-resident providers wherever possible:
- Infomaniak (Switzerland/EU) — hosting, email and our SimpleX relays.
- Cloudflare — Turnstile bot-protection on the contact form.
- meetergo (Germany/EU) — appointment booking.
- Twilio — only if/when SMS sign-in is enabled (currently sign-in is email-only).
We never sell personal data. Where a provider may process data outside the EEA, it is done under appropriate safeguards (e.g. Standard Contractual Clauses).
How long we keep it
Enquiries are kept only as long as needed to respond and then deleted. Engagement records and delivered reports are retained for as long as necessary for the purposes described above (and any applicable legal obligations), then deleted. Portal accounts are kept until you ask us to close them.
Your rights
Under the GDPR you may request access, rectification, erasure, restriction or portability, object to processing, and withdraw consent at any time. To exercise these rights, contact hello@actasecurity.eu. You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD) or your local EU supervisory authority.
How we protect it
We use EU-resident infrastructure, encryption in transit (HTTPS), access-controlled report storage, passwordless authentication, and least-privilege access. See our Cookie Policy for cookie details.
Changes & contact
We may update this policy; the "last updated" date will change. Questions: hello@actasecurity.eu or the contact form.