Auto Porto – Privacy Policy

01

Data Controller

Who is responsible for your personal data

The data controller responsible for personal data collected through the Auto Porto platform is Auto Porto, a company registered in Portugal and operating the marketplace at auto-porto.com.

For any data protection enquiry or to exercise your rights, contact our team at contact@auto-porto.com. We will respond within 30 calendar days.

02

Data We Collect

Categories of personal information processed by Auto Porto

Identity data

First name, last name, username or similar identifier used on the platform.

Contact data

Email address, phone number, billing address and delivery address.

Transaction data

Details of products purchased or sold, order history, invoices and payment status.

Technical data

IP address, browser type, device information, operating system, time zone and cookies.

Usage data

Pages visited, search queries, click behaviour, time spent on pages and referral source.

Marketing preferences

Your opt-in or opt-out choices for email newsletters and promotional communications.

03

How We Use Your Data

Purposes for which personal data is processed

Creating and managing your user account and profile.
Processing, fulfilling and tracking your orders.
Sending order confirmations, invoices, shipping updates and customer support responses.
Verifying seller identity and compliance at registration and during account review.
Improving the platform's performance, search relevance and user experience through analytics.
Detecting and preventing fraud, abuse and other illegal activity.
Sending promotional emails and newsletters where you have given explicit consent.
Complying with tax, accounting and other legal and regulatory obligations.

04

Legal Basis for Processing

The GDPR grounds on which we rely

Contract performance

Processing necessary to fulfil your purchase order, manage your account or respond to your requests.

Legitimate interests

Fraud prevention, platform security, improving our services and communicating about related products you may find useful.

Legal obligation

Compliance with tax law, consumer protection regulations, law enforcement requests and other statutory duties.

Consent

Marketing emails, newsletters and non-essential cookies — only where you have actively opted in. You may withdraw consent at any time.

05

Data Sharing

Who we share your data with and why

We do not sell your personal data. Data is shared only where strictly necessary to provide the service or comply with the law.

Sellers — receive your name, delivery address and order details necessary to fulfil your purchase.
Payment providers — Stripe and equivalent processors receive transaction data to process payments securely.
Logistics partners — carriers and delivery services receive the shipping information required to deliver your order.
Analytics providers — aggregated, anonymised usage data is shared with analytics tools to improve the platform.
Authorities — data may be disclosed to competent authorities when required by law, court order or to protect rights and safety.

06

Cookies

How we use cookies and tracking technologies

We use cookies and similar technologies to operate the platform, remember your preferences, maintain your session and analyse traffic patterns. Cookies are small text files stored on your device by your browser.

Essential cookies — required for the platform to function (session, cart, login). Cannot be disabled.
Preference cookies — remember your language, currency and display settings.
Analytics cookies — collect anonymised data on how visitors use the site to help us improve it.
Marketing cookies — track your browsing to show you relevant advertisements. Only set with your consent.

You can manage or revoke cookie preferences at any time through the cookie banner or your browser settings. Disabling non-essential cookies will not affect your ability to browse or purchase on the platform.

07

Data Retention

How long we keep your personal data

We retain personal data only for as long as is necessary to fulfil the purposes described in this policy or as required by applicable law.

Transaction records — retained for 7 years for tax and legal compliance.
Account data — kept for the duration of your account plus 3 years after closure.
Marketing data — retained until you withdraw consent or unsubscribe.
Technical logs — typically retained for up to 12 months for security monitoring.

When data is no longer required it is securely deleted or anonymised so that it can no longer be linked to any individual.

08

Your Rights Under GDPR

How to exercise control over your personal data

Right of access

Request a copy of all personal data we hold about you (data subject access request).

Right to rectification

Ask us to correct any inaccurate or incomplete information we hold about you.

Right to erasure

Request deletion of your data ("right to be forgotten") where no legal obligation requires us to keep it.

Right to restriction

Ask us to pause processing of your data in certain circumstances while a dispute is resolved.

Right to portability

Receive your data in a structured, commonly used and machine-readable format to transfer to another provider.

Right to object

Object to processing based on legitimate interests or for direct marketing purposes at any time.

Withdraw consent

Revoke any consent you have given (e.g. for marketing) at any time without affecting prior lawful processing.

To exercise any right, contact us at contact@auto-porto.com. You also have the right to lodge a complaint with your national supervisory authority (e.g. CNPD in Portugal, CNIL in France, ICO in the UK).

09

Data Security

Measures we take to protect your information

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction or disclosure. These measures include:

SSL/TLS encryption on all data transmitted between your browser and our servers.
PCI-DSS compliant payment processing — we never store full card details.
Access controls ensuring that only authorised personnel can access personal data.
Regular security audits and vulnerability assessments of our infrastructure.
Secure data centres with physical access controls and environmental protections.

Despite these measures, no internet transmission is 100% secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the competent supervisory authority within 72 hours as required by the GDPR.

10

International Data Transfers

Transfers outside the European Economic Area

Some of our third-party service providers (e.g. payment processors, analytics tools) may process data outside the European Economic Area (EEA). Where such transfers occur, we ensure that adequate protections are in place through:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Transfers to countries that benefit from an EU adequacy decision.
Binding Corporate Rules where applicable within corporate groups.

11

Amendments

How this policy may be updated

We may update this Privacy Policy periodically to reflect changes in our practices, technology or legal obligations. The date at the top of the page indicates the most recent revision.

For material changes, we will notify you by email or via a prominent notice on the platform at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.