Privacy
Last updated: 17 May 2026
HALYXA is a paid media studio operated by Tiago Mascarenhas, sole trader, registered in Portugal. This page explains what personal data the site collects, the legal basis for collecting it, who processes it on my behalf, how long it is kept, and how to exercise your rights under the EU General Data Protection Regulation (GDPR) and the Portuguese Lei n.º 58/2019.
If you read one section, read "Your rights" near the bottom. Everything above it explains what triggers those rights.
1. Controller
The data controller for halyxa.com is:
Tiago Mascarenhas, empresário em nome individual (sole trader)
Address: [TBD — sole-trader registration in progress]
NIF (Portuguese tax number): [TBD]
Email: privacy@halyxa.com
I operate HALYXA solo. There is no separate data protection officer because the scale of processing does not trigger the GDPR Article 37 appointment threshold. Privacy questions reach me directly at the email above.
2. Scope
This policy covers personal data processed through halyxa.com and its subdomains. It does not cover data processed under a signed engagement contract with a client, which is governed by that contract and a separate data processing agreement (DPA) executed alongside it.
3. What data is collected, and why
3.1 Apply form submissions
When you submit the form at /apply, the following fields are processed:
- Full name
- Work email address
- Company name
- Monthly advertising spend range (selected from a dropdown)
- Message body (free text you write)
- IP address (captured server-side for abuse prevention)
- Submission timestamp
Purpose. To evaluate whether your inquiry is a fit for HALYXA's services and to respond to it.
Legal basis. Article 6(1)(b) GDPR — taking steps at your request prior to entering a contract — combined with Article 6(1)(f) GDPR (legitimate interest in responding to a business inquiry you initiated). The IP address is processed under Article 6(1)(f) for security and rate limiting.
Consequence of not providing it. The form cannot be submitted without name, email, company, spend range, and message. Without these I cannot assess fit or reply. There is no obligation to submit the form — direct email at the address in section 1 is an alternative.
3.2 Server logs
When you load any page, Cloudflare (the hosting and edge network) records request metadata: IP address, user agent string, requested URL, referrer, response status, and timestamp. These logs are used for routing, caching, DDoS mitigation, and bot filtering.
Legal basis. Article 6(1)(f) GDPR — legitimate interest in operating a secure website. Retention is governed by Cloudflare's policy (typically 30 days for raw logs).
3.3 Product analytics
If you accept analytics cookies via the consent banner, PostHog (EU region, hosted in Frankfurt) records:
- Pages visited and time spent
- Clicks on tracked elements (CTAs, navigation, form interactions)
- Browser type, device type, screen size
- No source IP (PostHog is configured to drop the source IP before storage via the `ip: false` client flag)
- A pseudonymous device identifier
Purpose. To understand which pages are read, where users drop off, and which sections of the site need rework.
Legal basis. Article 6(1)(a) GDPR — consent. You can withdraw consent at any time through the cookie controls (see /cookies) or by clearing site data in your browser. No analytics events are recorded before consent and none are recorded after withdrawal.
3.4 Error monitoring
Sentry (EU region) captures unhandled JavaScript errors and server-side exceptions. An error report typically contains: the page URL where the error occurred, the browser type, a stack trace, and limited request context (no form values, no cookies, no authorization headers — these are stripped by a server-side redactor before transmission).
Legal basis. Article 6(1)(f) GDPR — legitimate interest in maintaining a functional, debuggable production site. Error data does not identify individuals in normal operation. If a stack trace incidentally contains an identifier, it is purged within 90 days.
3.5 What is not collected
- No marketing pixels (no Meta Pixel, no LinkedIn Insight Tag, no Google Ads tag, no TikTok Pixel)
- No third-party advertising cookies
- No cross-site tracking
- No fingerprinting
- No data brokers or enrichment services
- No automated decision-making or profiling that produces legal or similarly significant effects (GDPR Article 22)
4. Processors
The following third parties process personal data on my behalf under written data processing agreements. Each is listed with the data category, purpose, location, and transfer mechanism.
| Processor | Data | Purpose | Region | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare | Request logs, IP | Hosting, DNS, edge security | Global (EU edge) | SCCs + DPA |
| Resend | Name, email, message | Transactional email delivery | US | SCCs + DPA |
| Slack | Submission summary | Internal lead notification | US | SCCs + DPA |
| HubSpot | Form data | CRM, follow-up management | US (EU data residency configured where available) | SCCs + DPA |
| Sanity | Submission record | Content backend, submission archive | EU | DPA |
| Upstash | IP address only | Rate limit cache (1-hour TTL, then deleted) | EU | DPA |
| PostHog | Analytics events | Product analytics (consent-gated) | EU (Frankfurt) | DPA |
| Sentry | Error reports | Error monitoring | EU | DPA |
EU-based processors are used wherever a comparable EU option exists. Where US processors are used, transfers occur under the European Commission's Standard Contractual Clauses (SCCs, 2021/914) and, where applicable, the EU-US Data Privacy Framework certification of the processor.
No processor in this list is permitted to use your data for their own purposes, train models on it, or transfer it onward except as instructed.
5. Retention
| Data | Retention period | Trigger for deletion |
|---|---|---|
| Apply form submissions (Sanity, HubSpot) | 24 months from submission | Automatic purge job, or earlier on request |
| Active client records | Duration of engagement + 7 years | Portuguese commercial record-keeping obligation |
| Email correspondence | 24 months from last reply | Periodic mailbox cleanup |
| Server logs (Cloudflare) | ~30 days | Cloudflare retention policy |
| Analytics events (PostHog) | 12 months rolling | Automatic |
| Error reports (Sentry) | 90 days | Automatic |
| Rate limit IP cache (Upstash) | 1 hour | TTL expiry |
If an inquiry converts to a paid engagement, retention shifts to the longer period required by Portuguese tax and commercial law (Decreto-Lei n.º 28/2019 — 10 years for invoicing records; Código Comercial — 10 years for commercial correspondence). This applies only to data necessary to satisfy those obligations.
6. Your rights
You have the following rights under GDPR Articles 15-22:
- Access. A copy of the personal data I hold about you, in a readable format.
- Rectification. Correction of inaccurate or incomplete data.
- Erasure. Deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction. A temporary freeze on processing while a complaint is investigated.
- Portability. Your data exported in a structured, machine-readable format (typically JSON or CSV).
- Objection. Stopping any processing based on legitimate interest, including the form data after initial response.
- Withdraw consent. For analytics, at any time, without affecting the lawfulness of processing before withdrawal.
- Not be subject to automated decisions. No automated decisions are made about you on this site, but the right exists regardless.
How to exercise these rights. Email privacy@halyxa.com with your name, the email address you used on the site, and the request. I will respond within 30 days (extendable by 60 days for complex requests, with notice). No fee unless requests are manifestly unfounded or excessive, in which case GDPR Article 12(5) applies.
Identity verification. For erasure or access requests I may ask one clarifying question (typically confirmation of the submission date or company name) to verify you are the data subject. I do not request government ID.
7. Complaints
If you believe your data has been mishandled, you have the right to lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º
1200-651 Lisboa
Portugal
geral@cnpd.pt
+351 213 928 400
cnpd.pt
You may also complain to the supervisory authority in your country of residence if it is in the EU/EEA.
I would prefer the chance to resolve any issue directly first, but the right to go straight to the regulator is yours and is not conditional on contacting me first.
8. International transfers
Some processors listed in section 4 are based in the United States. Transfers to the US occur under:
- Standard Contractual Clauses (SCCs) per Commission Decision 2021/914, executed with each US processor; and
- Where applicable, the processor's certification under the EU-US Data Privacy Framework (Resend, Slack, HubSpot all certified at time of writing).
The Schrems II ruling and its consequences are taken seriously. Where a transfer mechanism is invalidated, the processor is replaced or processing is reconfigured to keep data inside the EU.
9. Security
- All data in transit is encrypted via TLS 1.3.
- Production secrets are stored in encrypted environment variables, not in source code.
- Access to processor dashboards is protected by two-factor authentication.
- Form submissions are rate-limited at 5 per IP per hour to prevent enumeration and abuse.
- Source code is audited before deployment; dependencies are tracked for vulnerabilities.
No system is unbreakable. In the event of a personal data breach that risks your rights or freedoms, you will be notified without undue delay and within 72 hours of detection, per GDPR Articles 33 and 34.
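As an added illustration of the two controls described in sections 3.4 and 9 (example code, not HALYXA's own): a per-IP limiter enforcing 5 submissions per hour, and a redactor that strips form values, cookies and authorization headers from error context before it is sent. It assumes a fixed window per IP and uses an in-memory Map in place of the Upstash cache.

```javascript
// Constructed example; the store below stands in for the Upstash cache.
const LIMIT = 5;                       // 5 submissions per IP ...
const WINDOW_MS = 60 * 60 * 1000;      // ... per hour (matches the 1-hour TTL)

const store = new Map();               // ip -> { count, expiresAt }

// Fixed-window limiter (assumption: the site uses a fixed window per IP).
// Only the IP and a counter are stored, and the entry expires after one hour.
function checkRateLimit(ip, now = Date.now(), db = store) {
  const entry = db.get(ip);
  if (!entry || entry.expiresAt <= now) {
    // First request in a fresh window: start a new counter with a 1h TTL.
    db.set(ip, { count: 1, expiresAt: now + WINDOW_MS });
    return { allowed: true, remaining: LIMIT - 1 };
  }
  if (entry.count >= LIMIT) {
    return { allowed: false, remaining: 0, retryAfterMs: entry.expiresAt - now };
  }
  entry.count += 1;
  return { allowed: true, remaining: LIMIT - entry.count };
}

// Headers that must never reach the error-monitoring service.
const SENSITIVE_HEADERS = new Set(["authorization", "cookie", "set-cookie"]);

// Reduce an error event to what the policy allows an error report to carry:
// page URL, stack trace and request headers minus sensitive ones. Form values
// are dropped whole by never copying the body across.
function redactErrorContext(event) {
  const headers = {};
  const rawHeaders = (event.request && event.request.headers) || {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  return {
    url: event.request ? event.request.url : undefined,
    stack: event.stack,
    headers,
  };
}

module.exports = { checkRateLimit, redactErrorContext, LIMIT, WINDOW_MS };
```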
10. Children
HALYXA is a B2B service for business operators. The site is not directed at children under 16, no service is offered to children, and no data is knowingly collected from children. If you believe a child has submitted data, email privacy@halyxa.com and it will be deleted immediately.
11. Changes to this policy
If this policy changes:
- The "Last updated" date at the top moves.
- The previous version is archived and available on request.
- For material changes affecting existing contacts (new processors, expanded data categories, longer retention), affected contacts are emailed before the change takes effect.
Minor edits (typos, clarifications, formatting) are not announced.
12. Contact
For all privacy questions, rights requests, or complaints prior to contacting the regulator: privacy@halyxa.com
Response time: within 30 days, typically within 5 business days.