Privacy Policy
Last updated · 5 May 2026
This Privacy Policy describes how SharkProp ([COMPANY NAME], NIF [COMPANY NIF], with registered office at [COMPANY ADDRESS]) collects, uses and protects the personal data of users accessing the platform and its services (the "Service").
This policy complies with the General Data Protection Regulation (GDPR - Regulation EU 2016/679) and with Portuguese Law no. 58/2019 of 8 August, which ensures its execution in Portugal.
1. Data controller
The controller of the personal data is [COMPANY NAME], with registered office at [COMPANY ADDRESS], NIF [COMPANY NIF]. For privacy-related questions, you can contact us at [email protected].
2. Data we collect
2.1. Data you provide directly
- Name, email, phone number (at registration and on your user profile).
- Brokerage data: NIF, AMI, address, contacts.
- Payment data (processed by Stripe - never stored on our servers).
- Content entered on the platform: leads, properties, offers, communications.
2.2. Data collected automatically
- IP address, device and browser type.
- Pages visited, actions taken, timestamps.
- Cookies essential for authentication and preferences (see Cookie Policy).
2.3. Third-party data
When you connect Meta Business integrations (WhatsApp Business API, Instagram, Facebook Lead Ads) or Google (Calendar), we receive leads, messages and metadata from those services via official OAuth. This data is processed by the rules of the respective provider and stored in your workspace.
3. Purposes of processing
- Providing the Service: managing your account, workspace, leads, properties and communications.
- Billing: charging subscriptions via Stripe.
- Product communications: relevant notifications about your use.
- Support: replying to help requests.
- Compliance with legal obligations: invoicing, tax, accounting.
- Product improvement: aggregated and anonymised analysis of usage.
4. Legal basis
We process your data under:
- Contract performance (Article 6(1)(b) of the GDPR).
- Compliance with legal obligation (Article 6(1)(c)).
- Consent (Article 6(1)(a)) for optional marketing communications.
- Legitimate interest (Article 6(1)(f)) for security and fraud prevention.
5. Sharing with third parties
We do not sell personal data. We share only with sub-processors necessary for the operation of the Service:
- Clerk - authentication (USA, Privacy Shield via SCCs).
- Convex - database and backend (EU-West).
- Stripe - payment processing (Ireland/EU).
- Resend - sending transactional emails.
- Others, depending on the integrations enabled by the customer.
6. International transfers
Most data is processed and stored in the European Union (EU-West region). Sub-processors outside the EU (e.g. Clerk) comply with Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Retention period
- Account data: while the account is active.
- After cancellation: 90 days for reactivation, then deletion.
- Billing: 10 years (Portuguese legal obligation).
- Security logs: 6 months.
8. Data subject rights
You have the right to:
- Access your personal data.
- Request correction of incorrect data.
- Request erasure ("right to be forgotten").
- Request portability in a structured format.
- Object to processing or request restriction.
- Withdraw consent at any time.
To exercise any of these rights, send us an email at [email protected]. We reply within 30 days.
9. Complaints
If you consider that the processing of your data breaches the GDPR, you can file a complaint with the Portuguese Data Protection Authority (CNPD):
Av. D. Carlos I, 134, 1.º - 1200-651 Lisbon
www.cnpd.pt
10. Security
We implement adequate technical and organisational measures: encryption in transit (TLS 1.3) and at-rest, capability-based access control, audit log of administrative actions, and periodic token rotation. Even so, no system is 100% secure - in the event of a data breach, we will notify those affected within 72 hours as required by Article 33 of the GDPR.
11. Changes to this policy
We may update this policy periodically. Significant changes will be notified by email with at least 30 days' notice. The "Last updated" date at the top of this page reflects the version in force.