...

Portuguese
Knowledge
Base

Virtual Office Lisbon logo to open a company in Portugal for Expats

Privacy Policy - Table of Content

  1. PRIVACY POLICY: VIRTUAL OFFICE LISBON
  2. 1. Data Controller
  3. 2. Personal Data We Collect
  4. 3. Purpose of Processing
  5. 4. Legal Basis
  6. 5. Data Security
  7. 6. AML/KYC Compliance
  8. 7. No Data Sharing or Reselling
  9. 8. Recipients of Personal Data
  10. 9. Avoidance of International Transfers
  11. 10. Data Retention
  12. 11. Cookies and Third-Party Applications
  13. 12. Automated Decision-Making
  14. 13. Your Rights
  15. 14. Contact
  16. 15. Policy Updates
    1. Useful Links

PRIVACY POLICY: VIRTUAL OFFICE LISBON

Virtual Office Lisbon (“we”, “our”, “company”) is committed to the lawful, transparent, and secure processing of personal data. This Privacy Policy explains in detail how we collect, use, store, disclose, and protect personal information in accordance with Regulation (EU) 2016/679 (GDPR), Portuguese Data Protection Law (Lei 58/2019), and AML/KYC requirements (Lei 83/2017 and Lei 89/2021). By using our website or services, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller

The data controller responsible for processing your personal data is Virtual Office Lisbon, Lisbon, Portugal. Emails: info@virtualofficelisbon.com
privacy@virtualofficelisbon.com

2. Personal Data We Collect

We collect personal data necessary for providing virtual office, mail handling, and administrative services. This includes identity information, contact details, company information, billing and payment data, and verification documents required for AML/KYC practices. We also collect technical and usage data from our website, such as IP address, browser type, device information, pages visited, and cookies, to maintain security and optimize performance. Communication and support logs are also processed when you contact us.

3. Purpose of Processing

Your data is processed for delivering services, verifying identities under AML/KYC rules, managing contracts and billing, protecting against fraud, and ensuring secure operations. We use personal data to maintain the functionality and security of our website and to improve user experience. We do not process data for purposes incompatible with those described above.

4. Legal Basis

Your data is processed pursuant to the execution of a contract, the fulfillment of legal obligations (including anti-money laundering and identity verification laws), legitimate interest where appropriate, and, when applicable, your explicit consent.

We also rely on various GDPR legal bases: the execution of a contract, compliance with legal obligations, legitimate interests such as fraud prevention and system security, and your explicit consent where required.

5. Data Security

We maintain Encrypted & Secure Data systems with SSL encryption, secure servers, access control, and regular monitoring. Physical mail and documents are handled using Secure Mail Handling procedures to ensure confidentiality. All data is protected against unauthorized access, alteration, loss, or disclosure.

The transmission of information via the internet, email or text message is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted through websites or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organizational measures to safeguard your personal information against loss, theft and unauthorized use, access or modification.

6. AML/KYC Compliance

We implement robust AML/KYC practices, including identity verification, document validation, beneficial ownership checks for corporate clients, and risk-based assessment. These measures help prevent fraud, financial crime, and misuse of services, ensuring regulatory compliance.

7. No Data Sharing or Reselling

We do not sell, trade, or commercially reuse personal data. Sharing occurs only when strictly necessary with service providers under confidentiality obligations or with regulatory authorities as legally required.

8. Recipients of Personal Data

Personal data may be shared with essential service providers, such as payment processors, identity verification services, accounting partners, IT and hosting providers, or legal authorities when mandated. All recipients operate under strict confidentiality and GDPR-compliant agreements.

9. Avoidance of International Transfers

If data is transferred outside the EU/EEA, it is done under GDPR-compliant safeguards, such as adequacy decisions or Standard Contractual Clauses, to maintain adequate protection.

10. Data Retention

Personal data is retained only as long as necessary to provide services, comply with legal obligations (including AML/KYC retention rules), and maintain business records following the Terms of Use of our services. Once the retention period expires, data is securely deleted or anonymised according to T.O.U.

11. Cookies and Third-Party Applications

Our website uses cookies for essential functionality, security, and performance analytics. Users can manage cookie preferences via browser settings or our website’s cookie tools. No personal data is sold or shared for marketing purposes.

Hosting

Virtual Office Lisbon uses third-party service providers, including Newfold Digital (Hostgator), to host our website and related applications. These providers may process personal data, such as user interactions with the website, to ensure service functionality, security, and reliable hosting.

All data processed by these providers is handled in accordance with GDPR requirements. Virtual Office Lisbon remains the data controller and ensures that our hosting partners implement strict technical and organizational measures to protect personal data.

For more details on how Newfold Digital handles data under GDPR, please refer to their official addendum:
https://www.newfold.com/privacy-center/addendum-ch-gdpr

Social-Media

Social -Media We maintain publicly accessible profiles on Facebook, Instagram, Xing and Linkedin. However, no data is transferred from our website to these, as the integration takes place via a link to the respective social media. However, we would like to point out that social networks generally analyze your user behavior in detail. Visiting our social media pages triggers numerous data protection-relevant processing operations. If you are logged into your social media account and visit our presence there, the operator can assign this visit to your user account. However, your personal data may also be processed if you are not logged in or do not have an account with the respective portal - for example, data may be collected via cookies that are stored on your device or by recording your IP address.

Various Google services

Legal basis for data processing for Google services The legal basis is stated in the respective applications. If the application in question uses cookies, your consent (Art. 6 Para. 1a) GDPR) is the legal basis, provided that you have given it in the Cookie Consent Tool. In addition, the data processing is based on our legitimate interest in accordance with Art. 6 Para. 1 f) GDPR, which is further explained in the respective application. When using Google tools, the data is usually transferred by Google to the USA, a third country within the meaning of the GDPR. This is permitted on the basis of the agreements between the EU and the USA, the EU-US Data Privacy Framework. Google is certified accordingly. Google has also Standard contractual clauses according to Art. 46, paragraphs 2 and 3 of the GDPR. Both the Data Privacy Framework and the standard contractual clauses ensure that your data complies with European data protection standards, even if it is processed in third countries. You can find Google's own data protection information at https://policies.google.com/privacy

Google Analytics

We use the analysis tool Google Analytics on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google Analytics). The tool uses cookies for tracking purposes, which are stored on your computer. When you visit our website, personal data such as your IP address and your user behavior are transferred to Google Ireland Limited. This enables us to analyze the use of the website and the surfing behavior of site visitors. We use the service to optimize our online offering and to track whether third parties attack our website. This processing is based on the legal basis of legitimate interest. With the help of this information, we can take effective measures that also serve to protect your data. Google stores the data relevant for web tracking anonymously for as long as it is necessary to fulfill the booked web service. You can prevent the processing of personal data or the forwarding to Google by deactivating the execution of script code in your browser or activating the "Do Not Track" setting. You can also prevent Google from collecting and processing data by downloading and installing the browser plug-in available at http://tools.google.com/dlpage/gaoptout

Google reCaptcha

reCaptcha tool to prevent misuse and spam through input. reCaptcha is offered by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. reCaptcha is used to check whether an entry is made by a natural person or automated. To ensure that the entry is made by a human and not by an automated bot, the IP address of the device used, the browser used, the data of the website visit or entry and the operating system are transmitted to Google. This may also involve transmission to Google servers in the USA. The use of reCaptcha on our website serves our legitimate interest in preventing spam and preventing harmful attacks on our site.

Google Ads and Remarketing

We use the service Google Ads with Google Remarketing on our website. Provider is Google Ireland Limited, Gordon House, Barrow Street, 4 Dublin, Ireland. With Google Ads we can place advertisements on other websites. We can specify parameters as to which advertisements should be shown to which group of people we define. The advertisements usually lead to our website. The Google Ads Remarketing function is used also accesses remarketing target groups of the Google Analytics service and displays individualized, target group-oriented advertising that leads to our website when clicked on, which is geared to the page visitors and their behavior. In order to be able to measure the success and remuneration of Google Ads advertisements, when our website is accessed via an ad, Google measures the success of the advertising measure. The data provided by Google Ads is used to analyze and improve marketing measures. Data on the advertising interests of page visitors, interactions with advertising in relation to our website, data on access to our website by page visitors who have clicked on a Google Ads ad, data on Google Analytics remarketing target groups under previously defined individual advertising preferences of the page users, data on the end devices used, IP address and browser are processed. When using Google Ads on our website, Google may transmit and process information from other Google services in order to provide background services for improving and customizing Google advertising. For this purpose, data may also be processed by other Google services such as Google APIs, Google Cloud, Google Ads, Google Analytics, Google Tag Manager, Google Marketing Platform and Google Fonts in accordance with the Google Privacy Policy under Google's own data protection responsibility. The legal basis for the processing of personal data is your consent, provided that you have given this via the cookie consent tool . In addition, the use of the tool is in our legitimate interest in a targeted and optimized website and generally targeted marketing campaigns.

Google Tag Manager

We use the Google Tag Manager service from Google Ireland Ltd., Gordon House, Barrow Street, 4 Dublin, Ireland, on our website. The service offers the possibility of centrally controlling other web tools and tracking programs using "tags" . Cookies are stored and analyzed on your computer for this purpose. The data is processed by the Google Tag Manager, in particular merged and stored. When you use our website, data such as your IP address and user activities are transferred to Google if you have consented in the Cookie Consent banner. IP anonymization of the source code ensures that the IP address is anonymized by Google Tag Manager before transmission. With Tag Manager, measured values from different service providers (Google and third-party providers) can be linked and evaluated on the basis of so-called tag management. The use of the tool is in our legitimate interest to bundle and track web activities in order to be able to target our activities, especially marketing activities. Google Fonts Our website uses GoogleFonts from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to display the font. Google Fonts are so-called web fonts . These are provided by Google (https://www.google.com/webfonts/). They are stored locally on our own servers, so no data is transferred to Google.

Hubspot

We use services from Hubspot , a digital marketing tool, on our website. The service provider is Hub Spot Inc., 25 First Street, 2nd Floor Cambridge, MA, USA. The use of Hubspot 's services is based on our legitimate interest in targeted, efficient digital marketing and the use of appropriate tools. When using the applications, data is also transferred to the USA. This is permitted on the basis of the agreement between the EU and the USA, the EU-US Data Privacy Framework. Hubspot is certified accordingly. Hubspot also has standard contractual clauses in accordance with Art. 46, Paragraphs 2 and 3 of the GDPR, which also contain the necessary regulations for order processing. Both the Data Privacy Framework and the standard contractual clauses ( https://legal.hubspot.com/dpa) ensure that your data complies with European data protection standards, even if it is processed in third countries. Information on Hubspot 's own data protection can be found at https://legal.hubspot.com/de/privacy-po-licy?tid=331710151756

Newsletter

We use Hubspot to send our newsletter. In this respect, we refer to the information on Hubspot. You can revoke your consent to the storage of data and its use for sending newsletters at any time, e.g. via the unsubscribe link in the newsletter.

Contact form and emails to us

The data you enter in the contact form will be processed to process your request; we will not pass on the data and will delete it if it is no longer required. The data entered in the contact form is processed on the basis of your consent (Art. 6 Para. 1a) GDPR) and to fulfill pre-contractual measures (Art. 6 Para. 1b) GDPR). You have the right to withdraw your consent at any time without giving reasons. The above also applies to e-mails that you send to us at the e-mail address provided on our website and to the personal data contained in them. The contact forms on our website are connected to Hubspot. In this respect, we refer to the above comments on Hubspot.

Contact by phone

If you contact us by telephone using one of the numbers provided on the website, your telephone number will be displayed in full on our devices if you have activated the telephone number transfer. It will also be stored in our telephone system as an incoming call with the respective call duration; the stored data can only be viewed by a small, specified group of people and is regularly deleted. The storage is based on the legitimate interest, which serves to check the cost efficiency of our communication structure.

Data protection for applications

If you send us application documents via our website or by email, we will process the personal data for the purpose of processing the application process. If no employment contract is concluded between you and us, we will delete the application documents six months after notification of the rejection decision, provided that no other legitimate interests conflict with deletion. Such a legitimate interest is, for example, the burden of proof in proceedings under the General Equal Treatment Act (AGG). If an employment contract is concluded, we will process the personal data to carry out the employment relationship; you will then be informed again separately when the contract is concluded in accordance with Art. 13 GDPR.

Microsoft Advertising (formerly : Bing Tracking/Ads)

We use Microsoft Advertising, a service of Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA. conversion tracking tool allows us to track your activities if you reach our website via an ad placed on Bing or Yahoo. This happens when a cookie is placed when you click on a corresponding ad. In particular, the number of users who clicked on an ad and reached a previously defined target page is recorded and analyzed. For example, we find out which ad users reached our site via, what they click on on our website and how long they stay on the website. If you have given your consent via the Cookie Consent tool, the legal basis for processing the data via the Microsoft Advertising application is your consent in accordance with Article 6 (1) sentence 1 a) GDPR. The use of the service is also based on our legitimate interest (Art. 6 Para. 1 Sentence 1f GDPR) in targeted, efficient digital marketing and the use of appropriate tools. When using the applications, data is also transferred to the USA. This is permitted on the basis of the agreement between the EU and the USA, the EU-US Data Privacy Framework. Microsoft is certified accordingly and also has standard contractual clauses in accordance with Art. 46 Para. 2 and 3 GDPR, which also contain the necessary regulations for order processing. Both the Data Privacy Framework and the standard contractual clauses ensure that your data complies with European data protection standards, even if it is processed in third countries. If you do not wish to participate in conversion tracking , you can deactivate it on the Microsoft website or deactivate, manage or delete all cookies in your browser.

Yoast SEO

We use the Yoast SEO plugin on our website to improve search engine optimization and website performance. The plugin may process certain user data, such as page interactions and usage analytics, to provide insights and optimize content.

Virtual Office Lisbon remains the data controller. Yoast SEO acts as a data processor and handles data in accordance with GDPR requirements. No personal data is sold or shared with third parties beyond what is necessary for plugin functionality.

For more information on how Yoast SEO processes data, please refer to their privacy page:
https://yoast.com/privacy-policy/

Wordfence

We use the Wordfence security plugin to protect our website against unauthorized access, malware, and other security threats. Wordfence may process certain user data, including IP addresses, login attempts, and interactions with the website, solely for security purposes.

Virtual Office Lisbon remains the data controller. Wordfence acts as a data processor and handles the data in compliance with GDPR requirements. No personal data is sold or shared beyond what is necessary to maintain website security.

For more information on how Wordfence processes data, please refer to their privacy page:
https://www.wordfence.com/privacy-policy/

12. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or significant effects on users, except for welcome messages.

13. Your Rights

Right to information (Art. 15 GDPR) You have the right to request information from us as to whether we process personal data concerning you and, if this is the case, you also have the right to request information on the following points:

▪ The purposes of processing
▪ The categories of personal data being processed
▪ The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
▪ Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
▪ The existence of a right to rectification or erasure of personal data concerning them or to restriction of processing by the controller or a right to object to such processing
▪ The existence of a right to lodge a complaint with a supervisory authority
▪ If the personal data are not collected from the data subject: all available information about the origin of the data
▪ The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject

Right to rectification (Art.16 GDPR)

You have the right to request that we correct any inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, considering the purpose of the processing.

Right to erasure (so-called right to be forgotten; Art. 17 GDPR)

right to request that we erase your personal data if the following applies, and the processing of the personal data is not necessary:

▪ The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
▪ You have withdrawn your consent on which the processing is based and there is no other legal basis for the processing.
▪ You object to the processing pursuant to Art. 21 Para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 Para. 2 GDPR.
▪ The personal data were processed unlawfully.
▪ The erasure of personal data is necessary to fulfil a legal obligation under Union or Member State law to which we are subject
▪ The personal data was collected in relation to services offered by us in accordance with Art. 8 Para. 1 GDPR.

If the personal data was made public by us and we as the controller are obliged to delete the personal data pursuant to Art. 17 Para. 1 GDPR, we shall take appropriate measures, including technical ones, considering the available technology and the implementation costs, to inform other data controllers which process the published personal data that you have requested the deletion of all links to these personal data or of copies or replications of these personal data from these other data controllers, unless processing is required.

Right to restriction of processing (Art.18 GDPR)

that we restrict processing if one of the following conditions is met:

▪ You contest the accuracy of the personal data for a period enabling us to verify the accuracy of the personal data.
▪ The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of the use of the personal data instead.
▪ We no longer need the personal data for the purposes of the processing, but you require it to assert, exercise or defend legal claims.
▪ You have objected to the processing pursuant to Art. 21 Para. 1 GDPR and it has not yet been determined whether our legitimate reasons outweigh your legitimate reasons.

If the processing of your personal data has been restricted in accordance with the above conditions, we may only process it - apart from storage - with your consent or for the establishment, exercise or defense of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a member state. We will inform you before a restriction is lifted.

Right to object (Art. 21 GDPR)

You have the right to object at any time to the processing of personal data concerning you which is carried out based on Art. 6 (1) e or f GDPR (processing in the public interest or to safeguard a legitimate interest), for reasons related to your particular situation; this also applies to profiling based on these provisions. We will then no longer process the personal data unless we can prove compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If personal data is processed to conduct direct advertising, you have the right to object at any time to the processing of personal data for the purposes of such advertising; this also applies to profiling insofar as it is related to such direct advertising.

Right of revocation (Article 7, paragraph 3 GDPR)

If you have given us your consent to process your personal data, you have the right to revoke this consent at any time without giving reasons. The legality of the data processing carried out up to the time of revocation remains unaffected by the revocation.

Automated decisions in individual cases including profiling

You have the right not to be subjected to a decision based solely on automated processing, including profiling , which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or fulfilling a contract between you and us, or is permitted by Union or Member State law to which we are subject, and this law contains appropriate measures to safeguard your rights and freedoms as well as legitimate interests, or is made with your explicit consent. If the decision is necessary for entering into or fulfilling a contract between you and us, or is made with your explicit consent, we will take appropriate data protection measures to safeguard your rights and freedoms as well as legitimate interests, including at least Right to obtain our intervention, to present your own point of view and to contest the decision.

Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have made available to us in a structured, common and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR and the processing is carried out using automated procedures. You have the right to request that we transmit the data directly to another controller, provided this is technically feasible and does not adversely affect the rights and freedoms of others.

Right to complain (Art. 77 GDPR)

Irrespective of other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority if you believe that we are processing your personal data in violation of the GDPR. The supervisory authority may in particular be the one in the member state of your residence, your place of work or the place of the alleged violation. You can find an overview of the German supervisory authorities, for example, on the website of the Federal Commissioner for Data Protection.

14. Contact

For any questions or concerns regarding this Privacy Policy or your data, contact: Virtual Office Lisbon Lisbon, Portugal Email: privacy@virtualofficelisbon.com

15. Policy Updates

We may update this Privacy Policy to reflect legal, operational, or technical changes. The latest version will always be available on our website.

Useful Links

🇪🇺🇵🇹 Official Authority Sources

Proposes Links (URL)
GDPR Compliant Click Here
Encrypted & Secure Data Click Here
AML/KYC Practices Click Here
Secure Mail Handling Click Here
No Data Reselling Click Here
AICEP — “Doing Business in Portugal” Guide Click Here
ePortugal Portal Click Here
European e-Justice Portal Click Here
Back to Home Page
Seraphinite AcceleratorBannerText_Seraphinite Accelerator
Turns on site high speed to be attractive for people and search engines.