← Back to app  ·  Português
Z·ilom

Privacy Policy

Last updated: 22 April 2026 · Version 1.0

This is an English translation provided for convenience. The legally binding version is the Portuguese one. In case of any discrepancy between the two, the Portuguese version prevails.

This Policy explains how Z·ilom processes the personal data of users of the web application zilom.pt (the "App" or "Service"), in accordance with Regulation (EU) 2016/679 ("GDPR") and Portuguese Law no. 58/2019.

During the pre-launch period, the only personal data collected are the email and professional profile voluntarily provided to join the waitlist, processed under Sections 2.2, 3, 4, 7 and 10 of this Policy.

1. Data controller

Link Store, Lda, a Portuguese company, tax number (NIPC) 506721523, with registered office at Av. D. Francisco de Almeida, 6, 2710-561 Sintra, Portugal, is the entity responsible for processing personal data, contactable for data protection matters at info@zilom.pt.

2. What data we collect

2.1. Data entered in the calculator

The assumptions you enter (areas, prices, costs, etc.) are processed locally on your device. They are not sent to our servers nor associated with you, unless you choose to save the calculation to your account, export it, or generate a report — in which case that data is processed by the technical providers listed in Section 5.

2.2. Contact and account data

If you join the waitlist, create an account, buy a one-off report, subscribe to a plan or contact support, we collect:

2.3. Payment data

Credit card or other payment-method data is collected and processed exclusively by Easypay — Instituição de Pagamento, Lda, which acts as an independent controller of that data. We do not see or store card numbers. We receive only opaque identifiers (customer token, subscription reference).

2.4. Usage and analytics data

We collect aggregated statistics about App usage (pages visited, visit duration, country, device type) and product events (calculations performed, detail expansion, report requests) through PostHog in privacy-first mode. Servers are in the European Union. We do not use tracking cookies, we do not do cross-site tracking, and we do not build personal profiles for anonymous users. Data is kept in memory during the session and discarded when you close the App; it is not passed to other sites or advertising networks.

2.5. Technical data

IP address, server logs (access logs), user-agent information, used exclusively for security, technical diagnostics, fraud prevention and compliance with legal obligations.

3. Purposes and legal basis

PurposeDataLegal basis
Provision of the App serviceEmail, entered data when saved, account dataPerformance of the contract (Art. 6(1)(b) GDPR)
Management of the pre-launch waitlistEmail, professional profilePre-contractual steps at the data subject's request (Art. 6(1)(b) GDPR)
Authentication via magic link and OTP codeEmailPerformance of the contract
Payment of subscriptions and one-off purchasesPayment data, email, billing dataPerformance of the contract
Issuance of legal invoicesName, tax number, address, amount paidLegal obligation (VAT Code)
Trainee discountEmail on the trainee filePerformance of the contract / legitimate interest
Sending essential product communicationsEmailPerformance of the contract
Sending optional marketing communicationsEmailConsent (revocable at any time)
Aggregated analyticsAnonymous usage statisticsLegitimate interest (service improvement)
Security, abuse and fraud preventionIP, logs, technical metadataLegitimate interest
Consent for marketing is obtained through explicit, separate opt-in. We do not use the email provided for invoicing or support to send marketing communications without separate consent.

4. Retention periods

5. Recipients and processors

We use service providers acting as processors under Art. 28 GDPR, bound by a data processing agreement with guarantees equivalent to those required by the GDPR:

ProcessorPurposeData location
Supabase Inc.Database, authentication, PDF storageEuropean Union (Frankfurt, DE)
Vercel Inc.Web application hostingEU / USA (standard contractual clauses)
Easypay — Instituição de Pagamento, LdaPayment processingPortugal (EU)
Resend, Inc.Sending transactional emailsEU / USA (standard contractual clauses)
InvoiceXpress (Rauva)Invoice issuance certified by the Portuguese Tax AuthorityPortugal
OVHcloud (Zimbra Mail)Support and contact email for the domainFrance (EU)
PostHog Inc.Product analytics (aggregated events, no personal profiles for anonymous users)European Union (Frankfurt, DE)

We do not sell, rent or share personal data with third parties for third-party marketing purposes. Data may be disclosed to competent authorities when required by law.

6. International transfers

Some processors may process data outside the European Economic Area, in particular the United States. When this happens, we ensure appropriate safeguards under Chapter V of the GDPR: standard contractual clauses approved by the European Commission, certification of the processor under the EU-U.S. Data Privacy Framework, or equivalent measures.

7. Data subject rights

Under the GDPR, the user may exercise the following rights:

To exercise these rights, contact info@zilom.pt. We will respond within a maximum of 30 days (extendable by a further 60 days in complex cases, with notice of the reason).

You may also lodge a complaint with the Portuguese supervisory authority: Comissão Nacional de Proteção de Dados (CNPD)cnpd.pt.

8. Cookies and similar technologies

We use only strictly necessary cookies for the operation of the Service, in particular to keep the session active (HttpOnly, Secure, SameSite=Lax cookie) and user preferences (e.g. language). These cookies do not require consent under Art. 5(3) of the e-Privacy Directive.

We do not use tracking, advertising or personalised analytics cookies. For aggregated usage measurement we use PostHog in privacy-first mode (EU servers, no tracking cookies, no personal profiles for anonymous users — the app does not persist the identifier between sessions).

9. Security

We apply technical and organisational measures appropriate to the risk: encrypted HTTPS connections on all communications, encrypted storage at rest for sensitive data, passwordless authentication (magic link + OTP), a session policy limited to 30 days, role-based access control, audit logs, automatic backups, and periodic risk assessment.

10. Minors

The App is not intended for persons under 18. We do not knowingly collect data from minors. If we become aware that a minor has provided personal data, we will delete it immediately.

11. Automated decisions and profiling

We do not make decisions based solely on automated processing that produce legal or significant effects for the user. The calculations produced by the App are decision-support tools and the user always retains full control over the interpretation and use of the results.

12. Changes to this Policy

We may update this Policy to reflect legal, technical or functional changes. The version in force is the one published on this page, with the last-updated date shown at the top. Material changes will be communicated to users by email with reasonable notice.

13. Contact

For any question about the processing of your personal data: info@zilom.pt. For contractual, commercial or support matters not directly related to data protection, use info@zilom.pt.