
Privacy notice

Last updated: 2026-05-04. We follow the General Data Protection Regulation (Regulation (EU) 2016/679, "RGPD") and the Portuguese Lei 58/2019. This notice tells you what we collect, why, how long we keep it, and what you can do about it.

1 · Who we are

ClaimPack is operated by Oskar Zabik, sole trader (trabalhador independente) based in Portugal. The operator is the controller (responsável pelo tratamento) of the personal data described below.

Contact for data-protection matters: privacy@claimpack.pt. We answer within the RGPD-mandated 30 days, usually much sooner.

We have not appointed a Data Protection Officer (DPO). Under RGPD art. 37 a DPO is mandatory only where (i) processing is carried out by a public authority, (ii) the core activities consist of large-scale, regular and systematic monitoring, or (iii) the core activities consist of large-scale processing of special-category data. None of those applies to ClaimPack at this stage.

2 · What personal data we collect

2.1 · Data you provide directly

  • Account data: email address, first name. Used for authentication and case ownership.
  • Case data: facts of your renovation dispute — dates, amounts, descriptions of defects, free-text notes you write.
  • Documents and media you upload: WhatsApp exports, photos, videos, bank-transfer receipts, quotes, contracts, invoices. We preserve original file metadata (EXIF) and compute a SHA-256 hash on upload as part of evidence integrity.
  • Identification of third parties (your contractor): the contractor's name, NIF/NIPC (Portuguese tax ID), registered office, contact details, alvará or registration number, and other identifying information necessary to construct the case file. This is third-party personal/business data — see §3.

2.2 · Data we collect automatically

  • Technical access logs (IP address, user-agent, request timestamps), retained for security and abuse-prevention purposes.
  • Privacy-friendly product analytics (e.g. Plausible) that do not set cookies or track individuals across sites.
  • Funnel state in your browser localStorage while you complete the diagnostic (cleared on request or when you complete the funnel).

2.3 · What we do NOT collect

  • We do not use third-party advertising trackers on the diagnostic flow or the product. We may use them on marketing pages with consent, where applicable.
  • We do not collect special-category data (RGPD art. 9) unless you choose to upload it (e.g. health-related photos). We treat any such data with extra care and only on the basis of your explicit consent.
  • We do not collect biometric data, financial account credentials, or payment-card numbers (payments go via our processor — see §6).

3 · Lawful bases (RGPD art. 6)

  • Performance of contract — art. 6(1)(b): processing of your account and case data to deliver the diagnostic, workspace, free firm message and (if purchased) the case-pack output you have requested.
  • Legitimate interests — art. 6(1)(f): processing of contractor identification and other third-party data necessary to construct your case file and to validate IMPIC alvará / NIF status against public Portuguese registries. Our legitimate-interest assessment (LIA) considers (i) the necessity of this processing for the service we deliver to you, (ii) the limited and case-bound nature of the processing, (iii) the public availability of the registry data, and (iv) the reasonable expectations of contractors operating professionally in Portugal that defects and disputes will be documented. We rely on the exception in art. 14(5)(b) not to notify the contractor where notification would be impossible or disproportionate, or would prejudice anticipated litigation between you and them.
  • Legal obligation — art. 6(1)(c): tax-related data retention obliged by Portuguese tax law (where applicable to invoices we issue or our processor issues on our behalf).
  • Consent — art. 6(1)(a): optional marketing emails (you can withdraw at any time without affecting other processing).

4 · Data retention

  • Active accounts: while your account is open we retain your case data indefinitely so you can return to it. Civil disputes in Portugal can run for years (CC art. 309 sets a 20-year general prescription window) — your evidence stays available the whole time.
  • Account deletion is user-initiated: we do not auto-delete. To remove your data, sign in to app.claimpack.pt/account and click "Pause and request deletion". Your account is paused immediately (sign-in blocked, no further processing), and we permanently remove all your data within 30 days. To undo within those 30 days, email privacy@claimpack.pt.
  • Tax-mandated records: where applicable, minimal invoice metadata may be retained for the period required by Portuguese tax law (typically 10 years per the AT, Autoridade Tributária e Aduaneira). When payments are processed by Polar (Merchant of Record), Polar — not ClaimPack — is the party retaining tax records.
  • Technical logs: retained 90 days for security and abuse-prevention purposes, then deleted or aggregated.
  • Diagnostic leads (no signup): if you complete the diagnostic but never finish signup, the lead record (your email + funnel answers) is retained 24 hours and then deleted.

5 · Your rights (RGPD arts. 15–22)

  • Access: get a copy of the personal data we hold about you.
  • Rectification: have inaccurate data corrected.
  • Erasure ("right to be forgotten"): have your data deleted, subject to legal-retention obligations.
  • Restriction: limit how we use your data.
  • Portability: receive your case data in a structured, commonly used, machine-readable format (we will provide JSON).
  • Object: object to processing based on legitimate interests.
  • Withdraw consent: at any time, where processing is based on consent.
  • Lodge a complaint: with the Comissão Nacional de Proteção de Dados (CNPD) if you believe your rights have been violated.

To exercise any right, email privacy@claimpack.pt or use the in-product data-export tool.

6 · Processors and recipients

We use the following processors. They process personal data on our behalf, under data-processing agreements (DPAs) compliant with RGPD art. 28.

  • Neon — managed Postgres database (data stored in EU regions)
  • Cloudflare R2 — file storage (S3-compatible; EU regions where supported)
  • Hetzner (via Dokploy) — application hosting in EU
  • Netlify — frontend hosting and CDN
  • Resend — transactional email delivery
  • Polar (Polar Software Inc., DBA Polar.sh) — Merchant of Record for payments. Polar handles invoice issuance and EU VAT compliance on our behalf.
  • Plausible Analytics — privacy-friendly, cookieless analytics (data stored in EU)
  • AI providers — OpenAI / Google / Mistral (specific provider locked after Milestone 0). We send only the specific case excerpts needed for prose generation; we do not enable provider data-retention for training.

We do not sell your personal data to third parties. We do not share your data with contractors, law firms, insurers, or other third parties except (a) with the processors listed above, (b) where you explicitly request it (e.g. handoff to a partner Portuguese lawyer), or (c) where required by Portuguese law.

7 · International transfers

Where any processor processes data outside the EEA, we rely on the European Commission's adequacy decisions (where applicable) or Standard Contractual Clauses (SCCs) under RGPD art. 46(2)(c), with supplementary measures where needed (encryption in transit and at rest).

8 · Security

We apply technical and organisational measures appropriate to the risk (RGPD art. 32):

  • Encryption at rest (database, object storage) and in transit (TLS 1.3)
  • Role-based access controls and audit logs
  • Strict separation between user data and ML/AI training datasets — we do not use your data to train models
  • Regular dependency and security reviews
  • 72-hour breach-notification procedure (RGPD art. 33), reporting to CNPD as required

9 · Cookies

We use a single technical cookie for authenticated sessions (HttpOnly, Secure, SameSite=Lax). We do not use advertising cookies on the diagnostic flow or the product. Marketing pages may use a Meta pixel for conversion tracking when you have given consent; the consent banner will appear on first visit.

10 · Third-party data we process

To produce your case file we process identifying information about your contractor — name, NIF/NIPC, registered office, IMPIC alvará number, etc. We rely on the legitimate-interest basis described in §3. We rely on the art. 14(5)(b) exception not to notify the contractor at the point of collection because it would prejudice anticipated litigation between you and them.

If you ask us to remove a contractor's data, we can — but doing so may make your case file unsendable. We will explain trade-offs and act on your instruction.

11 · Children

ClaimPack is not directed at minors. We do not knowingly collect personal data from anyone under 16 (Lei 58/2019 art. 16, raising the RGPD baseline of 16). If you believe a minor has provided us data, contact us and we will delete it.

12 · Changes to this notice

We will notify you by email (and update the "Last updated" date above) when we make material changes. Minor clarifications may be made without notification.