Privacy Policy (GDPR)

Last updated: 13 May 2026

1. Data controller

The controller of personal data collected on Capitalys is:

Name: Hugo De Moura Andrade Bastos

Status: Sole proprietor (Empresário em Nome Individual)

Address: Lisbon, 1350-010, Portugal

Email: hugo.demourabastos@capitalys.co

2. Data collected

During your use of the site, we collect the following data:

Data provided by you

Email (account creation, communication)
First and last name (personalisation, invoicing)
Language preferences (FR / EN)

Data generated by your activity

Account creation date
Payment date (if applicable)
Course progression (modules visited, modules completed)
Stripe session identifiers (transaction reference, amount paid)

Data collected automatically

IP address, browser type (Cloudflare server logs, for security purposes)

Banking data: we store no credit card data. Payments are processed directly by Stripe (PCI-DSS Level 1).

3. Purposes and legal bases

Creation and management of the user account — legal basis: contract performance
Payment processing — legal basis: contract performance
Tracking of progression in the Course — legal basis: contract performance
Response to support requests — legal basis: legitimate interest
Compliance with legal and accounting obligations — legal basis: legal obligation
Service security (server logs, fraud prevention) — legal basis: legitimate interest

4. Retention period

Account data: as long as the account is active
Payment data: 10 years (Portuguese accounting obligation)
Cloudflare server logs: 30 days
After account deletion: immediate deletion of personal data not linked to an accounting obligation

5. Subprocessors

Your data is processed by the following subprocessors:

Supabase Inc. (Singapore, servers in Ireland) — authentication, database
Stripe Payments Europe, Ltd. (Ireland) — payment processing
Cloudflare, Inc. (USA, DPF certified) — hosting, CDN, DNS
Microsoft 365 (Ireland) — professional email

All these subprocessors offer sufficient guarantees regarding data protection, either through location of servers within the EU, or through standard contractual clauses or DPF (Data Privacy Framework) certification.

6. Your rights

In accordance with the General Data Protection Regulation (GDPR), you have the following rights:

Right of access to your data
Right to rectification of your data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to portability of your data
Right to object to processing
Right to withdraw consent at any time

To exercise these rights, write to hugo.demourabastos@capitalys.co. A response will be provided within a maximum of one month.

7. Complaint

If you believe your rights are not being respected, you may file a complaint with the Portuguese National Commission for Data Protection (CNPD) — competent supervisory authority: https://www.cnpd.pt

8. Cookies

Capitalys uses only technical cookies necessary for site operation (session management, language memorisation). No advertising or third-party tracking cookies are used. No prior consent is required for these technical cookies.

9. Policy modification

This privacy policy may be updated. The date of the last update is indicated at the top of the page.

→ Legal Notice → Terms and Conditions of Sale