Nexwinds

Privacy Policy

Last updated: February 23, 2026

1. Introduction and Scope

This Privacy Policy explains how Nexwinds Solutions Lda. ("Nexwinds", "we", "us") collects and uses personal data when you use our website, contact us, purchase or use our services, and use our SaaS products.

Products and Services | Examples
SaaS products | NexCookie; NexBlog; NexPass; NexGo; NexReviews; NexTools; NexCode

We are based in Portugal and comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Portuguese and EU law.

If you are located in the United Kingdom, the UK GDPR and UK data protection laws may also apply where relevant.

Depending on the context, we act as a controller (for example, website, sales, billing, and support) and/or as a processor (for example, for Customer Content you upload to certain SaaS products).

2. Data Controller and Contact Details

The data controller is Nexwinds Solutions Lda.

Rua Engenheiro João Tallone Nº 80
4470-516 Maia
Portugal

Tax ID (NIF): PT518356248.

For privacy questions or requests, contact us at hello@nexwinds.com. If you contact us by phone or WhatsApp, we may process your contact details and the content of your communications to respond.

If you have concerns, you can also complain to your data protection authority. In Portugal, the authority is the CNPD.

3. Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

Category | Examples
Identity and contact data | Name; email; company; phone number
Account and authentication data | Username; hashed password; federated login identifiers (for example, Google sign-in)
Billing and transaction data | Invoices; payment-related records (where applicable)
Communications data | Messages you send; support requests; call/WhatsApp content when you contact us
Technical and usage data | IP address; device and browser information; timestamps; approximate location; logs; interactions with our website/services
Customer Content and application data | Data you upload, generate, or store within our SaaS products

We do not intentionally collect special categories of personal data unless you voluntarily provide it and there is a lawful basis to process it.

Our Services are not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact hello@nexwinds.com.

4. Purposes and Legal Bases

We process personal data for the purposes below, based on one or more lawful bases under GDPR:

Purpose | Typical legal basis
Provide the website and Services (including SaaS functionality) | Performance of a contract; steps prior to entering a contract
Account creation, authentication, and access management | Performance of a contract; legitimate interests (service security)
Customer support and communications | Performance of a contract; legitimate interests
Billing, accounting, and tax compliance | Legal obligation; performance of a contract
Security, fraud prevention, and abuse monitoring | Legitimate interests; legal obligation (where necessary)
Improve products and user experience (testing and development) | Legitimate interests; consent (where required)
Marketing communications to business contacts | Legitimate interests (B2B); consent where required; opt-out available

5. Our Role: Controller vs. Processor

Depending on the context, Nexwinds may act as a data controller and/or a data processor.

  • Controller: for personal data of visitors, prospects, and customers (for example, website data, account administration data, billing data, and support communications).
  • Processor (or sub-processor): in some SaaS contexts, for personal data a customer uploads or makes available, where the customer determines the purposes and means of processing.

Where we act as a processor, the customer is typically the controller and is responsible for informing data subjects; we process data under the customer’s instructions and applicable agreements.

6. Sharing Personal Data and Service Providers

We may share personal data with third-party service providers that help us run our business and deliver Services.

  • Examples: hosting and infrastructure; databases; email delivery; customer support tools; security services; payment and accounting providers (where applicable).
  • Data may be stored locally and/or in the cloud, depending on the Service and configuration.
  • We select providers with GDPR compliance and security assurances appropriate to the data processed.
  • A list of subprocessors that may be used for our website, professional services, and SaaS products is available on our Subprocessors page.

7. International Transfers

Where our service providers (or their sub-processors) transfer personal data outside the European Economic Area (EEA) (and, where relevant, outside the UK), we ensure appropriate safeguards are in place in accordance with applicable data protection law.

  • Adequacy decisions (where applicable).
  • Standard Contractual Clauses (SCCs) and, where appropriate, supplementary measures.
  • Other lawful transfer mechanisms permitted under GDPR.

8. Security Measures

We implement organizational and technical measures designed to protect personal data.

  • Access controls and least-privilege permissions.
  • Multi-factor authentication where feasible.
  • Security monitoring and operational controls.
  • Backups and recovery processes designed to reduce risk (scope varies by Service).

9. Incident Response and Breach Notification

We monitor our Services and may become aware of incidents via automated notifications, third parties, and/or customers.

While we do not provide 24/7 support, we aim to respond as quickly as reasonably possible.

If we become aware of a personal data breach that requires notification under applicable law, we will notify the relevant parties as required.

10. Data Retention and Deletion

We retain personal data only for as long as necessary for the purposes described in this policy.

  • Business needs: providing Services, resolving disputes, and enforcing agreements.
  • Legal obligations: compliance with tax/accounting retention requirements and other applicable obligations.
  • Rights management: documentation of the exercise of data subject rights under GDPR where necessary.
  • Examples: invoices and accounting records may be kept for up to 10 years; technical logs are typically kept for a shorter period and then deleted or anonymized.

When retention is no longer required, we delete or anonymize data, or securely store it and isolate it from further processing where deletion is not possible (for example, in backups until those backups are rotated).

11. Your Rights Under GDPR

Subject to applicable law, you have the following rights:

  • Access, rectification, erasure, restriction, objection, and data portability.
  • Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
  • Lodge a complaint with your local supervisory authority; in Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).

To exercise your rights, contact hello@nexwinds.com.

12. Cookies and Similar Technologies

We use cookies and similar technologies (for example, local storage) to operate the website. Where required by law, we only place non-essential cookies (for example, analytics) after consent.

For more information, including how to manage cookie preferences where available, see our Cookie Policy.

13. Updates to This Policy

We may update this Privacy Policy to reflect changes in our Services, processing activities, or legal requirements.

  • The updated version will be published on this page with an updated "Last updated" date.
  • If changes are material, we may provide additional notice where appropriate.