Privacy Policy

Digital Frontier Unipessoal LDA ("Digital Frontier," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our platform, or interact with our services (collectively, the "Services").

We are a data controller established in Portugal. The processing of personal data through our Services is subject to:

• General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.
• Portuguese data protection law — Law 58/2019, which implements the GDPR domestically.
• Digital Services Act (DSA) — Regulation (EU) 2022/2065, which governs our obligations as a hosting service provider.

As stated in our Terms of Service, Digital Frontier operates as an infrastructure and hosting provider. We do not provide crypto-asset services regulated under MiCA.

1. Data Controller

The data controller responsible for your personal data is:

• Digital Frontier Unipessoal LDA
• Registered in Cascais, Portugal
• Email: privacy@digitalfrontier.so

Our data protection contact can be reached at dpo@digitalfrontier.so. Where a Data Protection Officer has been formally appointed, they can be reached at the same address.

2. Information We Collect

2.1 Information You Provide

We collect personal information that you voluntarily provide to us when you:

• Register an account (name, email address, organization).
• Complete your profile (billing information, company details).
• Contact us via our contact form, email, or support channels.
• Subscribe to newsletters or communications.
• Provide payment information (processed by our payment providers; we do not store full card details).

When you submit a business or public-sector inquiry (for example, a sales, partnership, or government enquiry through our contact form), we record the inquiry and your contact details in our internal customer relationship management (CRM) system in order to manage and respond to your request and to maintain a record of our business relationship. Reports submitted to our legal, regulatory, or abuse channels are not added to the CRM; they are handled separately under our DSA compliance process and subject to the retention rules for those records. CRM records created from unconverted inquiries are anonymized after a defined retention period (see Section 7), and you may request erasure of your CRM record at any time (see Section 8).

2.2 Information Collected Automatically

When you access or use our Services, we may automatically collect:

• Device and usage data: IP address, browser type and version, operating system, device identifiers, screen resolution.
• Usage patterns: pages visited, time spent on pages, features used, deployment activity, API call patterns.
• Log data: server access logs, error logs, and performance metrics collected for security and operational purposes.
• Cookies and similar technologies: session cookies for authentication, analytics cookies (only with your consent), and functional cookies for preferences.

2.3 Information from Third Parties

We may receive information from third-party services you use to authenticate with our platform (e.g., GitHub, Google), subject to their respective privacy policies and your consent.

2.4 Identity Verification Data (KYC)

Where identity verification is required — for example, as part of setting up payments on your account, after you verify a payment card and before you can add funds or be charged — we use a third-party identity verification provider, Didit (operated by Markets Prolive 360, S.L.), to verify your identity. Through Didit's hosted flow you provide a government-issued identity document (e.g., passport, national ID card, or driving licence) and a facial image with a "liveness" check, and Didit screens the information against applicable sanctions and watchlist sources. The facial-matching and liveness analysis involves biometric data, a special category of personal data under Article 9 of the GDPR (see Section 4).

The biometric check is optional. If you prefer not to undergo the facial-matching and liveness analysis, you can ask us to verify your identity through a manual review of your identity document instead, by contacting support@digitalfrontier.so. The manual route reaches the same outcome — a verified account — without any biometric processing. You can therefore choose either the standard automated flow or the non-biometric alternative.

Didit processes the identity-document, facial/biometric, and screening data as our processor, and for certain limited purposes as an independent controller. That data is collected, held, and retained by Didit in accordance with Didit's privacy policy and its verification privacy notice. We do not receive or store your identity document or your biometric data. From a verification we receive and keep only: the verification status (such as not started, in progress, in review, approved, or declined), the identifier of the verification session, and the date of a successful verification.

3. How We Use Your Information

We use your personal data for the following purposes:

• Service delivery: To provide, maintain, and improve the Services, including account management, billing, and customer support.
• Security: To detect, prevent, and address fraud, unauthorized access, security incidents, and other illegal activities.
• Identity verification and abuse prevention (KYC): Where verification is required, to confirm the identity of an account holder before granting access to certain features (such as adding funds or other paid functions); to prevent fraud, sanctions evasion, and abuse of our infrastructure; and to enable lawful cooperation with competent authorities where our infrastructure is implicated in criminal activity.
• Legal compliance and authority cooperation: To comply with the DSA (including Articles 9, 10, 16, 17, 18), the EU terrorist content regulation, Portuguese cybercrime law (Law 109/2009), NIS2 incident reporting obligations (Decree-Law 125/2025), and other applicable legal obligations.
• Communication: To respond to your inquiries, send service notifications, and (with your consent) marketing communications.
• Relationship management: To manage and respond to business and public-sector inquiries, including recording them in our CRM system, tracking the progress of sales, partnership, and public-sector opportunities, and maintaining a record of our dealings with you.
• Analytics and improvement: To analyze usage patterns and improve our Services, conducted on anonymized or aggregated data wherever possible.

4. Legal Basis for Processing (GDPR Article 6(1))

We process your personal data only when we have a lawful basis to do so:

• Consent (Art. 6(1)(a)): When you have given explicit consent, e.g., for marketing communications or non-essential cookies.
• Contract performance (Art. 6(1)(b)): When processing is necessary to perform our contract with you or to take steps prior to entering into it, e.g., providing the Services, account management, billing, and, where required, the identity verification needed to access certain features.
• Legal obligation (Art. 6(1)(c)): When processing is necessary to comply with a legal obligation, including the prohibition on making funds or economic resources available to persons subject to EU and UN sanctions, DSA disclosure orders, terrorist content removal obligations, tax and accounting law, NIS2 incident reporting, and Law 109/2009 evidence preservation. We are not a regulated anti-money-laundering "obliged entity," and we do not rely on a statutory customer-due-diligence duty as the basis for our verification programme.
• Legitimate interests (Art. 6(1)(f)): When necessary for our legitimate interests, e.g., identity verification, the sanctions and watchlist screening we carry out to satisfy ourselves that we are not dealing with a sanctioned person, security monitoring, fraud prevention, abuse prevention, protecting our infrastructure from criminal misuse, managing and responding to business and public-sector inquiries (including the CRM records described above), and service improvement — always subject to a balancing test against your rights and freedoms. This basis is used narrowly and is documented per processing activity, including a documented legitimate-interest assessment for our CRM record-keeping.
• Vital interests (Art. 6(1)(d)): In rare cases, to protect the vital interests of you or another natural person.

Special categories of data (GDPR Article 9). Our identity verification involves biometric data — the facial-matching and liveness analysis used to confirm that you match your identity document, carried out within Didit's verification flow (see Section 2.4). We rely on your explicit consent under Article 9(2)(a) GDPR for this biometric processing, which you give at the start of the verification flow, before the biometric check begins. Because we offer a non-biometric alternative — a manual review of your identity document (see Section 2.4) — undergoing the biometric check is a genuine choice rather than a condition of using the protected features, so your consent is freely given. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal; if you withdraw it or decline the biometric check, we can still verify you through the manual alternative. We keep the lawful basis for this special-category processing under review and will update this Policy if we adopt a different basis.

5. Sharing of Personal Data

We do not sell, rent, or license your personal data to third parties for their own marketing purposes. We may share your personal data only in the following circumstances:

• Service providers: With trusted third-party processors who act on our instructions under data processing agreements to help us deliver the Services (e.g., payment processors, cloud infrastructure providers, analytics tools).
• Identity verification provider: With Didit (Markets Prolive 360, S.L.), our identity verification (KYC) provider, which processes the identity-document, biometric, and screening data described in Section 2.4 to perform identity verification and sanctions and watchlist screening. Didit acts as our processor and, for certain limited purposes, as an independent controller; its processing is governed by Didit's privacy policy.
• Competent authorities — DSA orders: In response to valid orders under DSA Articles 9 and 10, we disclose only information already in our possession and within our control. We collect personal data for the purposes set out in this Policy — including identity verification and abuse prevention — and not for the purpose of routine or bulk transmission to authorities; disclosure to authorities occurs only in response to valid legal process or where the law otherwise permits.
• Legal requirements: When required by law, regulation, legal process, or enforceable governmental request from competent Portuguese or EU authorities, including orders under Law 109/2009 and the terrorist content regulation.
• Safety and security: To protect against fraud, security threats, or illegal activity, or to protect the rights, property, or safety of Digital Frontier, our customers, or the public.
• Corporate transactions: In connection with a merger, acquisition, or sale of assets, we will notify you before your personal data becomes subject to a different privacy policy.

6. International Data Transfers

Our primary infrastructure is located within the European Union (Portugal). When your data is processed on our Portuguese edge infrastructure, it remains within the EEA.

When you deploy workloads to third-party cloud providers through our platform (e.g., GCP, Azure, AWS), those providers' data processing locations apply. We ensure that any transfer of personal data outside the EEA is made with appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the European Commission.
• Your explicit consent, where applicable.

Identity verification is performed through Didit. Any identity-verification data processed outside the EEA is subject to the transfer safeguards described in Didit's privacy policy.

7. Data Retention

We retain your personal data only for as long as necessary:

• Account data: For the duration of your account, and up to 90 days after termination for transition purposes.
• Billing records: As required by Portuguese tax and accounting law (typically 10 years).
• Identity verification (KYC) records: We retain the verification status, the verification session identifier, and the date of a successful verification for the duration of your account. We do not store your identity document or your biometric data; that data is held by Didit, our verification provider, under Didit's own retention policy. You can ask us to delete the verification records we hold, subject to the legal-retention and ongoing-investigation exceptions noted below.
• Server logs: Up to 12 months for security and operational purposes, unless required longer for an ongoing investigation or under a Law 109/2009 preservation order.
• Marketing consents: Until you withdraw your consent.
• Legal holds: Data subject to legal process, DSA orders, terrorist content orders, or regulatory investigation will be retained as required by law.
• Content moderation records: As required for DSA transparency reporting and Article 17 statement-of-reasons obligations.

Our retention practices follow GDPR data minimization: we collect only data that is actually necessary for service provision and security, and we avoid gratuitous overcollection.

8. Your Rights Under GDPR

As a data subject within the European Union, you have the following rights:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations (e.g., tax law, evidence preservation, DSA reporting).
• Right to restriction (Art. 18): You may request that we restrict processing of your personal data in certain circumstances.
• Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD) (www.cnpd.pt), the Portuguese supervisory authority designated under Law 58/2019, or with any other supervisory authority in the EU member state of your habitual residence.

To exercise any of these rights, please contact us at privacy@digitalfrontier.so. We will respond to your request within 30 days, as required by the GDPR.

9. Cookies and Tracking Technologies

We use the following categories of cookies:

• Essential cookies: Required for the functioning of the Platform (authentication, session management, security). These cannot be disabled.
• Functional cookies: Remember your preferences and settings. These are optional and require your consent.
• Analytics cookies: Help us understand how users interact with our website and platform (e.g., page views, feature usage). These require your consent and are based on anonymized data.

You can manage your cookie preferences at any time through your browser settings. Disabling cookies may affect the functionality of certain features.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Access controls and authentication mechanisms.
• Regular security assessments and vulnerability scanning.
• Data protection impact assessments (DPIAs) for high-risk processing operations, including our biometric identity verification, in accordance with Article 35 GDPR.
• Employee training on data protection and security practices.
• Incident response procedures in compliance with GDPR breach notification requirements (72-hour notification to CNPD) and, where applicable, NIS2 incident reporting under Decree-Law 125/2025, under the supervision of the competent Portuguese cybersecurity authorities, including CNCS where applicable.

While we take reasonable measures to protect your data, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials.

11. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such information promptly.

12. Automated Decision-Making

We do not use fully automated decision-making or profiling that produces legal effects or similarly significantly affects you without a route to human involvement. Our identity verification uses automated checks (document authentication, facial matching, liveness detection, and sanctions and watchlist screening) carried out through Didit, and some verifications are referred for manual review. If your verification is declined, you may try again, and you may contact us at privacy@digitalfrontier.so to request human review of the outcome and to make representations about it; we will review and respond in accordance with your data-protection rights. Other automated processes (e.g., abuse detection, resource allocation) likewise include human oversight.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page with a revised "Last updated" date.
• Sending an email notification for significant changes.
• Displaying a prominent notice on the Platform.

We encourage you to review this Privacy Policy periodically.

14. Contact Information and Supervisory Authority

For any questions or concerns about this Privacy Policy or our data practices:

• Privacy inquiries: privacy@digitalfrontier.so
• Data Protection Officer: dpo@digitalfrontier.so
• Legal inquiries: legal@digitalfrontier.so
• Postal: Digital Frontier Unipessoal LDA, Cascais, Portugal

Portuguese supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt — designated under Law 58/2019.

DSA authority: ANACOM — designated as Portugal's Digital Services Coordinator under Decree-Law 20-B/2024.