PT
Home
Legal

Privacy policy

Last updated: 2026-05-22

This Privacy Policy describes how Enbiente — Energia e Ambiente, Lda. (hereinafter "Enbiente") processes personal data collected through the enbia website. Processing complies with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and with Portuguese Law 58/2019 of 8 August, the national implementing legislation.

1. Data controller

The controller of personal data collected through this site is:

  • Entity: Enbiente — Energia e Ambiente, Lda.
  • Registered office: Rua Santa Isabel, Lote 2, Cave, Repeses, 3500-726 Viseu, Portugal
  • NIPC: PT516571516
  • Email: [email protected]
  • Phone: +351 232 099 900

No Data Protection Officer (DPO) has been designated, as the processing does not meet the requirements of Article 37 GDPR. All data-protection matters should be addressed to the email above.

2. Data collected

We only collect data you voluntarily provide through the contact form:

  • Name — to address you appropriately in our reply.
  • Company — to contextualise the request.
  • Email — for reply and subsequent communication.
  • Phone — alternative contact channel.
  • Message (optional) — free text you choose to share.

In addition, the server may log technical information for short periods — IP address and user-agent — for security purposes and prevention of form abuse (per-origin rate limiting).

For aggregate traffic analytics we use Umami, a cookieless analytics service that does not collect personal data nor allow individual identification of the visitor.

3. Purposes of processing

The data is used exclusively to:

  1. Reply to your contact request.
  2. Evaluate a potential service proposal and keep you informed during the commercial phase.
  3. Maintain a minimal history of commercial interactions for the relevant period.
  4. Comply with applicable legal obligations, notably accounting and tax obligations whenever applicable to an established contractual relationship.

We do not use your data for automated marketing, profiling, behavioural advertising, solely automated decisions producing legal effects, or for any purposes other than those listed above.

4. Legal basis

The processing of your personal data relies on the following legal grounds:

  • Consent (Article 6(1)(a) GDPR) — provided by submitting the form with the consent checkbox enabled. You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Performance of a contract or pre-contractual steps (Article 6(1)(b) GDPR) — when your request evolves into the negotiation or execution of a service proposal.
  • Compliance with a legal obligation (Article 6(1)(c) GDPR) — notably to satisfy accounting, tax and invoicing obligations applicable to executed contracts.
  • Legitimate interest (Article 6(1)(f) GDPR) — for minimal technical security and form-abuse-prevention logs (e.g. per-origin rate limiting), and for limited retention of communication records to the extent strictly necessary for the defence of legal rights.

Providing the data is voluntary. Without the minimum required data (name, company, email and phone) we cannot reply to or follow up on your request.

5. Recipients and processors

Your data is accessed by:

  • The Enbiente team responsible for commercial contact, qualification of the request, and any subsequent implementation.
  • Enbiente's internal middleware, which receives the submission from the site and records it in the company's CRM. This system is operated by Enbiente on its own infrastructure, under its direct control.
  • A transactional email provider contracted to deliver operational notifications to the team when a new request is received. This provider acts as a processor within the meaning of Article 28 GDPR, under a contract imposing the confidentiality and security duties required by the Regulation.

We do not sell, rent, or transfer your data to third parties for commercial purposes. In the event of a legal obligation to disclose to competent authorities, only what is strictly required by the applicable judicial or administrative order will be provided.

6. International transfers

Your personal data is processed within the European Economic Area (EEA). We do not carry out transfers to third countries. Should this policy change, we will ensure that any transfer is covered by one of the appropriate safeguards set out in Chapter V GDPR (notably an adequacy decision or standard contractual clauses), and this document will be updated accordingly.

7. Retention period

  • Requests without commercial follow-up: data is deleted or anonymised 24 months after the last contact, unless a legal basis justifies longer retention.
  • Requests with an established contractual relationship: data is retained for as long as necessary to fulfil the obligations arising from the contract and, after its termination, for the periods required by law — notably 10 years for accounting and tax purposes (Article 123(6) of the Portuguese Corporate Income Tax Code and Article 52(1) of the Portuguese VAT Code).
  • Technical security logs: retained for the period strictly necessary for the purpose that justifies them, generally not exceeding 12 months.

Once the applicable periods elapse, data is securely deleted or irreversibly anonymised.

8. Your rights

Under the GDPR, you have the right, at any time, to:

  • Access the personal data we process about you (Article 15).
  • Request rectification of inaccurate or outdated data (Article 16).
  • Request erasure of the data (right to be forgotten, Article 17), in the cases permitted by law.
  • Restrict processing (Article 18).
  • Request portability of the data you have provided to us, in a structured, commonly used format (Article 20).
  • Object to processing based on legitimate interest (Article 21).
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3)).

To exercise any of these rights, contact us in writing at [email protected], specifying the right you wish to exercise. We will reply within a maximum of 30 days, extendable by up to two further months for particularly complex requests, with reasons given. For security purposes, we may request additional information to verify your identity before processing the request.

9. Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority in Portugal:

  • Comissão Nacional de Proteção de Dados (CNPD)
  • Av. D. Carlos I, 134, 1.º — 1200-651 Lisbon, Portugal
  • Phone: +351 213 928 400
  • Email: [email protected]
  • Site: cnpd.pt

We nonetheless encourage you to contact Enbiente first to attempt an amicable resolution before any formal complaint.

10. Cookies and local storage

This site does not use identification, tracking or marketing cookies.

To support the user's theme preference (light/dark), a single key is stored in the browser's Local Storage (enbia-theme). This key is strictly functional, contains no personal data, and is never transmitted to the server; it can be removed at any time through the browser's settings.

Aggregate traffic analytics, when active, are provided by Umami, which operates without cookies and without the ability to individually identify the visitor.

11. Security

Enbiente adopts technical and organisational measures appropriate to the state of the art and to the risk associated with the processing, in order to ensure the confidentiality, integrity and availability of your data — notably:

  • Fully encrypted communication between your browser and the site (HTTPS / TLS).
  • Authenticated transmission between the site and the internal middleware, using a time-window rolling key.
  • Security headers applied to every response (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy).
  • Access controls on the CRM and internal systems on a need-to-know basis.
  • Logging and periodic review of access and anomalous submission attempts.

No security measure guarantees absolute protection. In the event of a personal data breach involving a high risk to your rights and freedoms, Enbiente will fulfil the notification obligations to the CNPD and communication obligations to data subjects set out in Articles 33 and 34 GDPR.

12. Automated decisions and profiling

We do not take any solely automated decisions, including profiling, that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR.

13. Minors

The site is intended for professional contacts. We do not knowingly collect data from minors under 16. If you become aware that data of a minor has been provided without the consent of their legal representatives, please contact us so that we may proceed to its deletion.

14. Changes to this policy

This policy may be updated to reflect legal, regulatory or operational changes. The version in force is always the one published on this page; the last-updated date shown at the top is the authoritative reference. Material changes will be signalled visibly before they take effect.