Privacy Policy
Your privacy and data security are our top priorities
Last updated: Sunday, December 21, 2025
1. Introduction
e-Security EvoLegacy AI BIO Solutions, Lda. (hereinafter 'e-Security.BIO', 'we', 'us', 'our') is committed to protecting the privacy and security of the personal data of our users. This Privacy Policy describes how we collect, use, store, and protect personal and biometric data collected through our cybersecurity and digital trust platform.
Please read this policy carefully. Access to and use of the e-Security.BIO platform constitutes acceptance of the terms described in this document.
2. Legal Compliance
This Privacy Policy complies with:
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
- Personal Data Protection Law (PDPL) — Law No. 58/2019, of August 8 (Portugal)
- General Personal Data Protection Law (LGPD) — Law No. 13,709/2018 (Brazil)
- eIDAS 2.0 Regulation — Regulation (EU) 910/2014 and subsequent amendments
- ISO/IEC 27001 — Information Security Standard
3. Data Controller
Company Name: e-Security EvoLegacy AI BIO Solutions, Lda.
Headquarters: Leiria, Portugal
Email: frederico.laffitte@e-security.bio
Phone: +351 964 608 960
Website: https://e-security.bio
DPO Email: dpo@e-security.bio
4. Personal Data Collected
4.1 Identification Data
- Full name
- Email address
- Phone number
- Postal address
- Tax identification (NIF/VAT)
- Identity documents (when necessary for validation)
4.2 Biometric Data
- Facial recognition data (image capture for authentication)
- Fingerprints (when applicable)
- Multi-factor authentication data (TOTP, device biometrics)
- Digital signature patterns and user behavior
Important Note: Biometric data collection is performed only with explicit consent and for specific purposes described in section 5.
4.3 Document and Communication Data
- Documents uploaded for validation (contracts, certificates, etc.)
- Email content for integrity verification
- Document metadata (author, timestamp, digital signature)
- Logs of signing and verification transactions
4.4 Usage and System Data
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and time spent
- Clicks and interactions with the platform
- Authentication and session logs
4.5 Payment Data
- Credit/debit card information (processed by certified intermediaries, never stored)
- Transaction history and billing information
- Subscription and plan details
5. Processing Purposes
5.1 Service Delivery
- Execute user authentication and authorization
- Generate and validate biometric digital signatures (e-BIO.MailSign, e-BIO.DocSign, e-BIO.Verify)
- Process requests for integrity and authenticity verification of documents
- Maintain transaction and audit records (chain-of-custody)
- Generate authentication and integrity certificates
5.2 Security and Fraud Prevention
- Detect and prevent fraudulent activities
- Protect against business email compromise (BEC), phishing and forgery
- Validate origin and integrity of communications and documents
- Monitor unauthorized access
- Comply with legal information security obligations
5.3 Service Improvement
- Analyze usage patterns (anonymously when possible)
- Test new features and optimize the platform
- Investigate and resolve technical errors
- Train AI models for improved fraud detection (with anonymized data)
5.4 Legal and Regulatory Compliance
- Comply with tax, labor and social security obligations
- Respond to legal requests from judicial authorities
- Maintain compliance records with GDPR, LGPD and ISO 27001
- Document and preserve evidence of transactions
5.5 Marketing and Communication (with Consent)
- Send updates about new services and features
- Communicate news about security and data protection
- Invite to webinars, events and pilot participation (opt-in only)
- Customer support communications
6. Legal Basis for Processing
We use the following legal bases for processing personal data:
| Legal Basis | Application |
|---|---|
| Consent (Art. 6.1.a GDPR) | Biometric data, marketing, advanced analytics |
| Contract Performance (Art. 6.1.b GDPR) | Service delivery, payment processing |
| Legal Obligation (Art. 6.1.c GDPR) | Tax and regulatory compliance, audits |
| Legitimate Interests (Art. 6.1.f GDPR) | Security, fraud detection, service improvement |
| Special Category (Art. 9 GDPR) | Biometric data for unique identification, processed with explicit informed consent |
7. Data Retention
7.1 Standard Retention Periods
- Authentication data: 30 days (login logs)
- Transaction records: 7 years (legal compliance and audit)
- Biometric data: As per consent — maximum 3 years or until consent withdrawal
- Validated documents: As per client policy — minimum 1 year, maximum per legal requirements
- Payment data: Not retained (processed and discarded by certified intermediaries)
- Cookie/analytics data: 12 months or as per user configuration
7.2 Data Deletion
After retention periods end, data is:
- Permanently deleted (with destruction certificate)
- Anonymized (for statistical analysis)
- Archived in compliance with legal requirements
8. Data Sharing with Third Parties
8.1 We Do Not Sell Personal Data
We do not sell, rent, or transfer personal data to third parties for commercial purposes.
8.2 Authorized Sharing
Data may be shared only with:
| Third Party | Purpose | Legal Basis |
|---|---|---|
| Certified Data Processors | Cloud storage (AWS, Azure) with ISO 27001 certification | Processing Agreement (DPA) |
| Authentication Providers | MFA services and identity verification (e.g., Twilio, Auth0) | Processing Agreement |
| Legal Authorities | Compliance with judicial or regulatory orders | Legal Obligation (Art. 6.1.c GDPR) |
| External Auditors | Security audits and ISO 27001 compliance | Contractual Confidentiality |
| Business Partners | Pilot co-creation (with explicit consent) | Consent (Art. 6.1.a GDPR) |
8.3 Data Processors
All processors have signed Data Processing Agreements (DPA) in compliance with GDPR, Art. 28.
9. International Data Transfer
e-Security.BIO operates between Portugal and Brazil, with possible expansion to other territories.
9.1 International Transfers
- Within EU/EEA: Direct transfers (no additional restrictions)
- To Brazil: Using EU-Brazil adequacy agreement or Standard Contractual Clauses (SCCs)
- To other countries: Applying Adequate Transfer Mechanisms (Standard Contractual Clauses)
9.2 Protection Guarantees
- ISO 27001 certified processors
- DPA contracts with GDPR compliance clauses
- Impact assessment (DPIA) for critical transfers
10. User Rights
Every user has the following rights regarding their personal data:
10.1 Right of Access (Art. 15 GDPR)
You may request and obtain a copy of the personal data we hold about you, in a structured, commonly used and portable format.
10.2 Right to Rectification (Art. 16 GDPR)
You may correct or update inaccurate or incomplete data we hold about you.
10.3 Right to Erasure (Art. 17 GDPR)
You may request deletion of personal data under certain circumstances (e.g., consent withdrawn, data no longer necessary).
10.4 Right to Restrict Processing (Art. 18 GDPR)
You may request that we pause data processing while we verify accuracy or legality.
10.5 Right to Data Portability (Art. 20 GDPR)
You may obtain your data in a portable format and transfer it to another provider.
10.6 Right to Object (Art. 21 GDPR)
You may refuse processing based on legitimate interests or for marketing purposes.
10.7 Right to Lodge a Complaint (Art. 77 GDPR)
You may file a complaint with the National Data Protection Authority (CNPD) in Portugal or the competent authority in your country.
10.8 How to Exercise Rights
To exercise any of these rights, contact us:
- Email: dpo@e-security.bio
- Postal Address: Leiria, Portugal
- Phone: +351 964 608 960
We will respond within 30 days (extendable by a further 60 days for complex requests).
11. Informed Consent for Biometric Data
Biometric data such as facial recognition, fingerprints and signature patterns requires explicit and informed consent.
11.1 Consent Required
When using features involving biometrics, you:
- Understand the nature and use of biometric data
- Grant explicit permission for collection and processing
- May withdraw consent at any time
- Accept that withdrawal may affect access to features
11.2 Consent Withdrawal
To withdraw consent for biometric data:
- Access your account privacy settings
- Select 'Withdraw Biometric Consent'
- Confirm the action
- Data will be deleted within 30 days
12. Data Security
12.1 Technical Measures
- End-to-end encryption (TLS 1.3) for data in transit
- AES-256 encryption for data at rest
- Cryptographic hashing (SHA-256) for integrity validation
- Multi-factor authentication (MFA) mandatory
- Multispectral biometrics for access authentication
12.2 Organizational Measures
- Limited access — only authorized personnel with 'need-to-know'
- Role-based access control (RBAC)
- Security audits semi-annually (ISO 27001)
- Penetration testing annually
- Incident response plan (maximum 72 hours notification)
- Business continuity and disaster recovery plan
12.3 Certified Compliance
- ISO/IEC 27001 — Information Security Management System
- SOC 2 Type II — Audited compliance and security
- eIDAS 2.0 — Qualified electronic authentication
- GDPR Compliance — Periodic impact assessments (DPIA)
13. Cookies and Tracking Technologies
13.1 Types of Cookies Used
- Essential Cookies: Authentication, security, session maintenance
- Analytics Cookies: Google Analytics (anonymized) — to understand usage
- Marketing Cookies: Conversion tracking (with opt-in)
13.2 Consent and Management
- We request consent upon first access
- You can change preferences in Settings > Privacy > Manage Cookies
- Refusing non-essential cookies does not affect service functionality
14. Contact with Minors
The e-Security.BIO platform is intended for users aged 18 and older.
We do not intentionally collect data from minors. If we discover that we have collected data from a minor:
- We will delete that data immediately
- We will notify legal guardians
- We will take measures to prevent future collection
Parents/guardians can contact: dpo@e-security.bio
15. Security Breach Notification
In case of breach or suspected compromise of personal data:
15.1 Immediate Assessment (0-24 hours)
- We identify the extent of the breach
- We apply containment measures
- We initiate the investigation process
15.2 Authority Notification (up to 72 hours)
- We notify CNPD (Portugal) or ANPD (Brazil) as applicable
- We provide a description of the breach, the affected data and the mitigation measures
15.3 User Notification (without undue delay)
- If high risk to rights and freedoms
- Via email, SMS or platform banner
- With protection recommendations
16. Policy Changes
e-Security.BIO may update this Privacy Policy periodically:
16.1 Change Notification
- Material changes will be communicated via email with 30 days' notice
- Minor technical changes will be published on the website
- Continued use of the platform constitutes acceptance of the changes
17. Compliance & Audits
e-Security.BIO is subject to:
- Annual ISO 27001 audits
- Semi-annual GDPR/LGPD compliance assessments
- Penetration testing by independent third parties
- eIDAS 2.0 compliance reviews
18. Applicable Law and Jurisdiction
This Privacy Policy is governed by:
- Portuguese Law — regarding EU users
- Brazilian Law (LGPD) — regarding Brazilian users
- Jurisdiction — Competent Courts in Leiria, Portugal (EU) and São Paulo, Brazil (LGPD)
19. Contact & Complaints
19.1 Privacy Questions
Email: dpo@e-security.bio
Phone: +351 964 608 960
Address: Leiria, Portugal
Website: https://e-security.bio
19.2 Competent Authorities
- Portugal: National Data Protection Commission (CNPD) — www.cnpd.pt
- Brazil: National Personal Data Protection Authority (ANPD) — www.gov.br/anpd
19.3 Response Times
- Receipt confirmation: up to 3 business days
- Initial investigation: up to 30 days
- Complete resolution: up to 60 days (extendable)
20. Final Statement
This Privacy Policy reflects e-Security.BIO's commitment to protecting the privacy, security and rights of personal data of all users.
Our mission is simple:
From identity to integrity — from digital to physical — everything verified.
Security. Trust. Verification.