Privacy Policy
DataRoad — IT Services and Consulting Last updated: May 2026
1. Introduction and Commitment
DataRoad is a Portuguese managed IT services provider (MSP) that serves domestic and international organizations with high standards for quality, security, and operational continuity.
For DataRoad, the protection of personal data is a fundamental principle and an integral part of our value proposition. As a provider specializing in cybersecurity and critical infrastructure, we are committed to handling the personal data entrusted to us with the highest level of rigor, transparency, and security.
This Privacy Policy (hereinafter the “Policy”) describes, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR) and Law No. 58/2019 of August 8, how DataRoad collects, uses, stores, and protects the personal data of the data subjects with whom it interacts.
2. Identification of the Data Controller
Company Name: DATAROAD IT SERVICES AND CONSULTING LDA Trade Name: DataRoad Headquarters: Avenida dos Moinhos No. 12 B, 2610-119 Alfragide (Quinta Grande), Portugal Tax ID: 513368078 Registered with the Lisbon Commercial Registry under No.: 513368078
Phone: +351 211 459 950
General email: sales@dataroad.pt
Data Protection Officer (DPO) email: [DPO@DATAROAD.PT]
DataRoad acts as the DataControllerwith respect to the personal data it collects directly—namely through the Website, contact forms, business processes, and human resources management.
When providing services to clients that involve the processing of personal data held by them (for example, in the context of IT support, monitoring, or infrastructure management contracts), DataRoad acts as aprocessor, in accordance with Article 28 of the GDPR, and this relationship is governed by a specific data processing agreement(DPA).
3. Relevant Definitions
For the purposes of this Policy, the following definitions apply:
- Personal data: any information relating to an identified or identifiable natural person (data subject);
- Processing: any operation performed on personal data (collection, recording, organization, storage, use, disclosure, erasure, etc.);
- Data controller: the entity that determines the purposes and means of processing;
- Subcontractor: an entity that processes personal data on behalf of the data controller;
- Data subject: the natural person to whom the personal data relates.
4. Principles Guiding Our Treatment
DataRoad’s processing of personal data is governed by the following principles, as set forth in Article 5 of the GDPR:
- Lawfulness, fairness, and transparency: we process data in a lawful, fair, and transparent manner with respect to the data subject;
- Purpose limitation: We collect data for specific, explicit, and legitimate purposes;
- Data minimization: we process only the data strictly necessary for each purpose;
- Accuracy: We keep our data accurate and up to date;
- Retention period: We retain data only for as long as necessary to fulfill the purposes in question;
- Integrity and confidentiality: we protect data through appropriate technical and organizational measures;
- Accountability: We are accountable for adhering to these principles and demonstrate this through documented evidence.
5. Categories of Personal Data Processed
Depending on the nature of the relationship with the data subject, DataRoad may process the following categories of personal data:
5.1. Website Visitors
- Technical identification data: IP address, browser type, operating system, language, screen resolution;
- Browsing data: pages visited, time spent on the site, traffic source (referrer);
- Cookies and similar identifiers (see Cookie Policy).
5.2. Requests for information or a commercial proposal
- First and last name;
- Company/organization represented and position (if applicable);
- Email and phone number;
- Message content or description of the need;
- Any other information that the user voluntarily includes in their message.
5.3. Customers
- Identification information for the company and its legal representatives;
- Business and technical contact information (name, title, email, phone number);
- Billing information (Tax ID, business address, terms and conditions);
- History of communications, proposals, contracts, and invoices;
- Technical data on users and systems in connection with the provision of services (see section 5.6);
- History of support tickets, technical interventions, and reports.
5.4. Suppliers and partners
- Identification information for the entity and its representatives;
- Business contact information;
- Billing information;
- Transaction and communication history.
5.5. Job seekers
- Information contained in the resume and cover letter;
- Professional and academic background, and references;
- Contact information;
- Other information voluntarily provided by the applicant.
5.6. End users of clients (in the context of IT service provision)
When DataRoad provides IT management services to its clients, it may access the personal data of end users (employees or users of those clients), specifically:
- Account identifiers (user, corporate email, username);
- Authentication data (tokens, certificates—not plaintext passwords);
- Technical logs for equipment, networks, and applications;
- Configuration data for managed personal and professional devices;
- IP addresses, technical geolocation data, and monitoring data.
In these situations, DataRoad acts exclusively as a processor, processing data on behalf of and in accordance with the client’s documented instructions, under a specific data processing agreement (DPA), in accordance with Article 28 of the GDPR.
6. Purposes and Legal Basis for Processing
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Statistical Analysis and Website Improvement | Browsing data, cookies | Consent (Article 6(1)(a)) |
| Response to contact requests and business proposals | Identification and contact information | Pre-contractual measures (Art. 6, para. 1, subpara. b) |
| Customer Relationship Management | Customer data and communications | Performance of the contract (Art. 6, § 1, subpar. b) |
| Invoicing and compliance with tax obligations | Billing information | Legal obligation (Article 6(1)(c)) |
| Provision of managed IT services | Technical and end-user data | Performance of the contract + DPA (Art. 28) |
| Supplier and Partner Management | Identification and contact information | Performance of the contract (Art. 6, § 1, subpar. b) |
| Recruitment and Selection | Candidate information | Pre-contractual measures (Art. 6, para. 1, subpara. b) |
| Sending marketing communications | Email, name | Consent (Article 6(1)(a)) |
| Compliance with legal and regulatory obligations | As required by law | Legal obligation (Article 6(1)(c)) |
| Defense of rights in judicial or administrative proceedings | As needed | Legitimate interest (Article 6(1)(f)) |
| Information security and fraud prevention | Logs, technical data | Legitimate interest (Article 6(1)(f)) |
7. Data Source
Most of the data processed is provided directly by the data subjects (through the Website, commercial communications, or in connection with the performance of contracts).
In addition, DataRoad may collect personal data from:
- Public sources: business registries, corporate websites, professional social media platforms (such as LinkedIn) — for the purpose of B2B business development;
- Customers: when they entrust us with end-users’ personal data for the purpose of providing services;
- Technology partners and manufacturers: through certification programs, partnerships, and distribution channels.
8. Recipients and Subcontractors
DataRoad may disclose personal data to the following categories of recipients, solely to the extent necessary for the purposes described:
8.1. Internal recipients
- DataRoad employees, on a need-to-know basis and subject to confidentiality obligations.
8.2. Subcontractors
DataRoad works with qualified service providers to support its operations, specifically in the following areas:
- Communication and productivity platforms (Microsoft 365, Google Workspace);
- Ticket management and helpdesk platforms (namely the website
helpdesk.dataroad.pt); - RMM (Remote Monitoring & Management) tools for IT infrastructure management;
- 24/7 monitoring and alarm systems;
- Cloud backup and storage solutions;
- Hosting and cloud infrastructure services;
- Web analytics and digital marketing platforms (such as Google Analytics);
- Accounting, billing, and legal consulting services;
- Telecommunications and postal service providers.
All subcontractors are selected based on criteria of quality, security, and compliance with the GDPR, and are bound by a written contract to uphold confidentiality and data protection obligations, in accordance with Article 28 of the GDPR.
8.3. Other recipients
- Public and judicial authorities, when required by law or court order;
- External auditors and consultants, in strict compliance with their duties;
- Insurance companies, where applicable to claims or professional liability.
DataRoad does not sell, rent, or share personal data with third parties for commercial purposes.
9. International Data Transfers
9.1. Whenever possible, DataRoad prioritizes the processing of personal data on servers located within the European Economic Area (EEA).
9.2. Some of the technological tools used (namely services provided by Microsoft, Google, or other global providers) may involve data transfers to countries outside the EEA, specifically to the United States.
9.3. In such situations, DataRoad ensures that transfers are carried out based on appropriate safeguards as provided for in Article 46 of the GDPR, namely:
- European Commission adequacy decisions (including the EU-US Data Privacy Framework);
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Binding corporate rules (BCR), where applicable.
9.4. Data subjects may request detailed information about the transfers applicable to their case by contacting the DPO.
10. Retention Periods
DataRoad retains personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the following criteria:
| Data Category | Shelf Life |
|---|---|
| Website visitor data (logs, analytics) | Up to 26 months (Google Analytics 4 — default setting) |
| Contact requests without a commercial follow-up | 12 months |
| Quotation data | 5 years after the proposal was issued |
| Customer data (active account) | Throughout the term of the contract |
| Contract and billing information | 10 years (tax obligations — Article 123 of the CIRC) |
| Support tickets and technical reports | 5 years after closure |
| Data on unsuccessful applicants | 12 months (with consent), unless withdrawn |
| Marketing data (newsletter) | Until consent is withdrawn |
| Electronic communications (emails) | 5 years |
| Security and access logs | 12 months (as a general rule) or as required by law |
Once the applicable retention periods have expired, the data is securely and irreversibly deleted or anonymized, unless retention is required for legal reasons or to defend rights in legal proceedings.
11. Safety Measures
As an MSP specializing in cybersecurity, DataRoad implements robust technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or accidental disclosure, including:
Technical measures
- Data encryption in transit (TLS 1.3) and at rest (AES-256);
- Multi-factor authentication (MFA) on all critical systems;
- Access control based on the principle of least privilege;
- Network segmentation and next-generation firewalls;
- Redundant backups that are tested regularly;
- 24/7 continuous monitoring of security events (SIEM/SOC);
- Systematic updates and patching of systems and applications;
- Vulnerability management through periodic audits;
- Anti-malware and EDR on all endpoints.
Organizational measures
- A documented internal data protection policy that is reviewed on a regular basis;
- Ongoing training for employees in data protection and cybersecurity;
- Non-disclosure agreements (NDAs) with employees and contractors;
- Incident response plan and procedure for notifying the CNPD within 72 hours;
- Data Protection Impact Assessments (DPIAs) where applicable;
- Updated Treatment Activity Log (TAL);
- Periodic internal and external audits.
12. Rights of Data Subjects
As the data subject, you have the following rights, guaranteed by the GDPR:
| Law | Description |
|---|---|
| Access | Obtain confirmation of what personal data we process about you and access that data |
| Correction | Request correction of inaccurate or outdated information |
| Erasure (“right to be forgotten”) | Request the erasure of your data, in the cases provided for in the GDPR |
| Limitation | Request a temporary suspension of the processing of your data |
| Opposition | Object to the processing of your data, particularly for marketing purposes |
| Portability | Receive your data in a structured and machine-readable format, or request that it be transferred to another controller |
| Withdraw consent | At any time, without affecting the lawfulness of the processing carried out prior to that |
| Not being subject to automated decisions | Including the creation of profiles, except where otherwise required by law |
| Complaint | File a complaint with the competent supervisory authority |
12.1. How to exercise your rights
You can exercise your rights by contacting us via:
- Email: [DPO@DATAROAD.PT]
- Mailing Address: Avenida dos Moinhos No. 12 B, 2610-119 Alfragide, Portugal
To ensure security and prevent the unauthorized disclosure of data, we may ask you to provide additional information to verify your identity.
DataRoad will respond to your request within 30 days, which may be extended by an additional two months in the event of complex or high-volume requests; you will be notified in such cases.
12.2. Complaint to the supervisory authority
Without prejudice to other administrative or judicial remedies, the data subject has the right to file a complaint with the National Data Protection Commission (CNPD):
- Website: https://www.cnpd.pt
- Address: Av. D. Carlos I, 134 — 1st Floor, 1200-651 Lisbon
- Phone: +351 213 928 400
- Email: geral@cnpd.pt
13. Automated Decisions and Profiling
DataRoad does not make decisions with legal or significant effects based solely on the automated processing of personal data, including profiling.
The automated systems used (such as technical monitoring tools, firewalls, and intrusion detection systems) operate based on technical parameters rather than personal profiles.
14. Cookies
The use of cookies on the Website is governed by our Cookie Policy, available at [LINK TO COOKIE POLICY], which forms an integral part of this Privacy Policy.
15. Processing of Minors’ Data
15.1. The DataRoad Website and services are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors.
15.2. If we become aware that data regarding a minor has been collected without the consent of the parents or guardians, we will delete it immediately.
16. Personal Data Breaches
16.1. In the event of a personal data breach that could pose a risk to the rights and freedoms of data subjects, DataRoad will notify the CNPD within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
16.2. Where the breach is likely to result in a high risk, DataRoad will also notify the affected data subjects without undue delay, in accordance with Article 34 of the GDPR.
17. Data Protection Officer (DPO)
DataRoad has appointed a Data Protection Officer (DPO), who is responsible for monitoring compliance with the GDPR and serving as a point of contact for data subjects and the CNPD.
DPO Contact Information:
- Email: [DPO@DATAROAD.PT]
- Mailing Address: Data Protection Officer, Avenida dos Moinhos No. 12 B, 2610-119 Alfragide, Portugal
18. Changes to the Privacy Policy
18.1. DataRoad reserves the right to update this Policy whenever necessary, particularly in light of changes in legislation, case law, regulations, or industry best practices.
18.2. The updated version will be posted on the Website, along with the date of the last revision.
18.3. In the event of substantial changes, DataRoad will actively notify users through appropriate channels, such as email or a prominent notice on the Website.
19. Applicable Law
This Policy is governed, in particular, by the following laws and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR);
- Law No. 58/2019, of August 8, which ensures the implementation of the GDPR in the Portuguese legal system;
- Law No. 41/2004, of August 18 (Privacy in Electronic Communications);
- Decree-Law No. 7/2004, of January 7 (Electronic Commerce);
- Law No. 46/2018, of August 13 (Cybersecurity);
- Law No. 48/2024, of November 21 (Transposition of the NIS2 Directive);
- Guidelines from the CNPD and the European Data Protection Board (EDPB).
20. Contacts
If you have any questions regarding this Privacy Policy or the processing of your personal data:
DataRoad — IT Services and Consulting
Avenida dos Moinhos, No. 12 B 2610-119 Alfragide (Quinta Grande), Portugal
Phone: +351 211 459 950
General email: sales@dataroad.pt
DPO email: [DPO@DATAROAD.PT]
© 2026 DataRoad IT Services and Consulting. All rights reserved.
// Os nossos serviços informática
Enterprise IT Support
With real-world experience accumulated since 2015, DataRoad combines top-tier technical expertise, certifications from the industry’s leading manufacturers, and a dedicated team committed to ensuring that your company’s technology always works—without failures or surprises.
DataRoad is a company highly specialized in business IT, with over a decade of proven experience, a team certified by leading technology manufacturers, and a solid track record in network installation, IT security, and managed IT services.
Contact us now
Contact Form
Request a quote from DataRoad. We’ll take care of the rest with a quick and clear response tailored to your company’s needs.
Tell us what you need. IT support, network installation, cybersecurity, office relocation, or simply a second opinion on your IT infrastructure—we’re here to help.
Fill out the form and a specialist will contact you the same day.