Legal

Privacy Policy

This policy explains how Salvus collects, uses and protects personal data, in line with the General Data Protection Regulation (GDPR).

1. Data controller

For customer account data (registration, billing, support), Salvus is the data controller. For the data the customer enters into the platform about their workers, Salvus acts as a processor.

2. Data we process

We process identification and contact data, billing data and service usage data. On behalf of customers, the platform may process workers' health data (special category, Article 9 of the GDPR), such as fitness certificates and occupational medicine exams.

3. Purposes and legal bases

We process data to provide the service, manage the contractual relationship, comply with legal obligations and improve the platform. Legal bases include performance of the contract, compliance with legal obligations and legitimate interest.

4. Health data

Health data is processed solely on behalf of and under the instructions of the customer, with reinforced measures of minimisation, role-based access control and encryption. Salvus does not use this data for its own purposes.

5. Security

We apply encryption at rest and in transit, access control, audit logs, strong authentication and backups. The infrastructure and data reside in the European Union.

6. Sub-processors

We rely on the following sub-processors: Supabase (EU region, database and auth), Resend (EU SCC, transactional email including operational health data in SST reports), and Vercel (EU SCC, application hosting). When AI features are enabled, Anthropic or OpenAI may process structural SST context data under Standard Contractual Clauses; individual health records are never sent to AI providers. All sub-processors are bound by contractual data protection obligations equivalent to the GDPR.

7. Retention

We retain data for the duration of the contract and for the periods required by law. After those periods, data is securely deleted or anonymised.

8. Data subject rights

Data subjects may exercise the rights of access, rectification, erasure, restriction, portability and objection. Where Salvus acts as a processor, we forward requests to the responsible customer.

9. Contact and complaints

To exercise rights or raise questions, contact info@salvus.pt. You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD).

10. Cookies and tracking technologies

We use strictly necessary cookies (authentication session, preferences) and, with your consent, analytics cookies (Vercel Analytics, Google Analytics 4). Your choice is stored locally and can be changed at any time. For full details, see our Cookie Policy at salvus.pt/cookies.

Privacy Policy | Salvus