Privacy Policy

1. Who we are

Indigo Leap, Lda ("Indigo", "we", "us") is the controller of personal data processed under this notice.

Legal Name
Indigo Leap, Lda

Registered Office
Rua Actor Vasco Santana n.º 20, 1500-020 Lisboa, Portugal

Privacy contact
[email protected]

This privacy notice applies to personal data we collect through:

- Our website at https://indigo.pt
- Direct interactions with prospects, clients, partners, and suppliers
- Marketing and recruitment activities

For personal data we process on behalf of clients in the course of delivery work, the relevant Data Processing Agreement governs the processing.

2. Data Protection Officer

Indigo has assessed its obligations under Article 37 GDPR and concluded that designation of a Data Protection Officer is not required. Indigo is not a public authority, and its core activities do not consist of regular and systematic large-scale monitoring of data subjects, nor of large-scale processing of special category data.

For all matters relating to personal data, please contact us at [email protected].

3. Personal data we collect

We collect personal data that you voluntarily provide when you contact us, request information, attend an event, apply for a role, or interact with our website.

The categories of personal data we may collect include:

Identification and contact data
Indigo Leap, Ldname, email, phone number, company, role

Professional data
CV, work history, technical skills (when applying for a role or being introduced as a contractor)

Commercial data
Records of meetings, proposals, and contracts

Technical data
IP address, device and browser characteristics, language, referring URLs (when you visit our website)

We do not knowingly collect special categories of personal data through our website.

4. How we use your personal data

We process your personal data only where one or more of the lawful bases in Article 6 GDPR applies:

Responding to enquiries and managing the commercial relationship
Lawful basis -> Contract / Legitimate interest

Sending marketing communications about our services
Lawful basis -> Consent / Legitimate interest

Recruiting candidates and managing applications
Lawful basis -> Consent / Pre-contractual measures

Complying with legal, tax, and accounting obligations
Lawful basis -> Legal obligation

Securing our website and detecting fraud
Lawful basis -> Legitimate interest

Improving our services and website analytics
Lawful basis -> Legitimate interest

You can withdraw consent at any time by contacting [email protected]. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5. Sharing your personal data

We do not sell, rent, or trade your personal data. We share it only:

-  With service providers who process data on our behalf - cloud hosting, email, CRM, analytics, accounting - under written Data Processing Agreements.
-  With clients and partners where you are introduced as a candidate or contractor and only with your consent.
-  Where legally required - to comply with court orders, regulatory requests, or applicable law.
-  Where necessary to protect our rights or the safety of others.
-  With your explicit consent for any other purpose.

A list of our principal sub-processors is available on request from [email protected].

6. International transfers

Personal data is processed primarily in the European Economic Area (EEA). Where transfers outside the EEA are necessary - typically through cloud service providers - we rely on:

-  An adequacy decision of the European Commission, or
-  The European Commission's Standard Contractual Clauses, with supplementary measures where required.

7. How long we keep your personal data

We retain personal data only for as long as necessary for the purposes described in this notice or as required by law.

Marketing leads and prospects
2 years from last interaction, or until you object.

Recruitment candidates
2 years from last contact, with consent.

Client and partner records
Duration of the engagement plus 5 years.

Tax and accounting records
10 years (statutory minimum, Portugal).

Website analytics
26 months.

When the retention period ends, we delete or anonymise the data.

8. Your rights

Under the GDPR you have the following rights in relation to your personal data:

Access
Obtain a copy of the personal data we hold about you.

Rectification
Correct inaccurate or incomplete personal data.

Erasure
Have your personal data deleted, in certain circumstances.

Restriction
Limit how we process your personal data, in certain circumstances.

Portability
Receive your personal data in a portable format and transmit it to another controller.

Objection
Object to processing based on legitimate interest or for direct marketing.

No automated decisions
Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Withdraw consent
Withdraw consent at any time, where processing is based on consent.

Lodge a complaint
Lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD) at https://www.cnpd.pt

To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month, with up to two further months for complex requests, in accordance with Article 12(3) GDPR.

9. How we keep your personal data secure

We implement technical and organisational measures appropriate to the risk, including:

-  Access controls and least-privilege principles.
-  Encryption of data in transit and at rest, where appropriate.
-  Regular security awareness training for our team.
-  Written agreements with all sub-processors.
-  Incident response procedures including notification of personal data breaches to the CNPD within 72 hours where required by Article 33 GDPR.

No system is completely secure, but we work continuously to protect the personal data entrusted to us.

10. Cookies and analytics

Our website uses cookies and similar technologies to operate the site and to understand how visitors use it. You can manage cookie preferences through your browser settings. Where required, we ask for your consent before placing non-essential cookies.

11. Updates to this notice

We may update this notice from time to time. The current version is always available on our website with the issue date. Material changes will be communicated where we have your contact details.

12. Contact

For any matter relating to this notice or your personal data:

By email: [email protected]
By post: Indigo Leap, Lda — Rua Actor Vasco Santana n.º 20, 1500-020 Lisboa, Portugal

You also have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD):

-  Website: https://www.cnpd.pt
-  Address: Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa, Portugal

Legal framework

This notice is published under:

-  Regulation (EU) 2016/679 (GDPR)
-  Lei n.º 58/2019 (Portuguese GDPR implementation)
-  Lei n.º 41/2004 (privacy in electronic communications)

Internal Indigo procedures supporting this notice are documented in the Data Protection Policy