Sustainable Living
Last updated · May 2026

Privacy Policy

How Sustainable Living collects, uses, and protects your information.

Introduction

Sustainable Living ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what personal data we process when you use sustainableliving.pt, on what legal basis, with whom we share it, and how long we keep it. It is written to comply with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Portuguese Law n.º 58/2019.

Data controller

The data controller responsible for processing your personal data is:

Sustainable Living
Rua José Estevão 2
8300-165 Silves, Portugal
Email: info@sustainableliving.pt

What we process and on what legal basis

We only process the categories of personal data we actually need, and always on a defined legal basis under Article 6 GDPR:

  • Contact-form submissions (name, email, phone, message, the project you wrote about): processed on the basis of your consent (Art. 6(1)(a) GDPR), captured via the explicit checkbox you tick before sending.
  • Public catalogue listings (project information, profile information, role, expertise, photos): processed on the basis of legitimate interest (Art. 6(1)(f) GDPR) to build a discoverable directory of regenerative work in Portugal. People and projects are added only through the enrichment pipeline that the controller curates; everyone has a permanent right to opt out (see "Your rights" below) and an opt-out hides the listing from every public page.
  • Analytics (aggregate page-view counts, referrer, country, device class) via Plausible Analytics: processed on the basis of legitimate interest (Art. 6(1)(f)). Plausible is cookieless and does not collect any data that, on its own or combined, allows us to identify an individual visitor.
  • Security and abuse-prevention logs (IP address, user-agent, timestamp, response status) kept at the hosting layer: processed on the basis of legitimate interest (Art. 6(1)(f)) to keep the platform available and prevent abuse.

How we use this data

  • To reply to your contact-form message and, where applicable, to forward it to the project you wrote to.
  • To display public profile and project information in our catalogue and search.
  • To measure aggregate usage of the platform, so we know which sections are useful.
  • To keep the platform available, secure, and free from abuse.
  • To comply with legal obligations.

Sub-processors

We use a small set of service providers ("sub-processors") to operate the platform. Each one processes personal data on our instructions and under a data-processing agreement:

  • Vercel Inc. (United States) — hosting and edge delivery of the website. Transfer to the US is covered by Standard Contractual Clauses and the EU-US Data Privacy Framework.
  • Supabase, self-hosted on Railway (EU region) — database and file storage. Data stays inside the EEA.
  • Resend, Inc. (United States) — transactional email delivery for contact-form submissions. Transfer to the US is covered by Standard Contractual Clauses.
  • Plausible Analytics OÜ (Estonia, EU) — cookieless web analytics. Data stays inside the EEA; no transfer outside the EEA.

Information sharing

Beyond the sub-processors listed above, we share your personal data only when:

  • You make it public: any information that appears on your public profile or project page is, by definition, visible to anyone.
  • You write to a project: the message and your contact details are forwarded by email to that project's listed contact address so they can reply.
  • The law requires it: when we receive a binding request from a competent authority.
  • Business transfer: in the unlikely event of a merger, acquisition, or sale of assets, your data may transfer to the successor entity under the same terms as this policy.

We do not sell personal data, and we do not share data with advertising networks.

How long we keep data

  • Contact-form submissions (general and project-specific): kept for 24 months from the date of submission, then deleted. Earlier on request.
  • Profile and project listings: kept for as long as they are published, and removed when you opt out or request removal.
  • Server logs: kept at our hosting providers for short retention windows (typically 30–90 days), then rotated automatically.
  • Analytics data: aggregate counters only, with no personal data attached; retained for trend analysis.

Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your personal data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time, where processing is based on consent

To exercise any of these rights, email info@sustainableliving.pt. We will respond within 30 days (Article 12(3) GDPR) and may extend that by a further 60 days for complex requests, in which case we will tell you within the first 30 days.

If you believe we are not handling your data correctly, you have the right to lodge a complaint with the Portuguese supervisory authority: Comissão Nacional de Proteção de Dados (CNPD)cnpd.pt.

Cookies and tracking

We use as few cookies as possible. Specifically:

  • No advertising or tracking cookies. We do not run ad networks and we do not set third-party tracking cookies.
  • Analytics is cookieless. Plausible Analytics does not set cookies and does not use any persistent identifier — there is no banner to accept because there is nothing to consent to under ePrivacy Directive Art. 5(3).
  • Strictly necessary platform cookies from our hosting provider (Vercel) may be set to operate the site (e.g. for load balancing). These are exempt from the consent requirement under ePrivacy Art. 5(3).

Data security

We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including: contact forms protected against automated submissions (same-origin enforcement, length limits, honeypot), unauthenticated POSTs require explicit consent, and access to the database is restricted to the controller. However, no method of transmission over the internet is fully secure.

Children's privacy

Our platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we hold such data, contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be highlighted on this page and the "Last updated" date above will reflect the latest revision.

Contact

For any privacy-related question, or to exercise any of the rights above, contact us at info@sustainableliving.pt.