Privacy Policy
Last updated: 18 June 2026
This policy explains how VistaCriativa collects, uses and protects the personal data of visitors to this site and of its clients, in accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and applicable Portuguese law.
1. Data controller
VistaCriativa, trading name of Erica Frade Antunes, NIF 232025649, Portugal.
Privacy contact: info@vistacriativa.com.
2. What data we collect
- Contact details you send us via the form or by WhatsApp/email: name, email, phone and the message content.
- Billing and payment data, when you become a client: billing details and the data needed for payment. Card data is processed directly by Stripe — we do not store card numbers.
- Technical and usage data: aggregated visit statistics, collected with a self-hosted (first-party) analytics tool, with no third-party tracking cookies.
- End-customer messages: when we operate an AI assistant for a client, we process the messages exchanged on that channel only to operate the service, on the client's instructions (the client being the controller of that data).
3. Purposes and legal basis
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Respond to enquiries and proposals | Pre-contractual steps / legitimate interest |
| Provide the contracted service | Performance of a contract |
| Billing and compliance with tax obligations | Legal obligation |
| Visit statistics and site improvement | Legitimate interest |
4. Processors and partners
We use providers that process data on our behalf, only for the purposes above and with appropriate contractual safeguards:
- Google — Google Calendar API, when a client connects its account for appointment management;
- Stripe — payment processing;
- Meta / WhatsApp Business Platform — messaging channel;
- Artificial-intelligence model providers — generating the assistant's replies;
- Server hosting and email service.
Some of these providers may process data outside the European Economic Area; in those cases we ensure a valid transfer mechanism (e.g. standard contractual clauses). An up-to-date list of processors is available on request.
When a client explicitly connects its Google account, we access the https://www.googleapis.com/auth/calendar scope (plus openid and email) solely to read free/busy availability and to create, update or cancel the events corresponding to bookings made through the assistant. We store only an encrypted refresh token and the connected account's email; we do not copy or retain calendar contents. The client can disconnect at any time, or revoke access at myaccount.google.com/permissions.
WhatsApp Business Platform data (Meta). When a client connects its WhatsApp Business Account through Meta Embedded Signup, we receive and process Meta Platform Data strictly to operate the assistant for that client: from inbound messages (whatsapp_business_messaging) — the end-customer's number and profile name, the message content, id and timestamp, and the receiving phone-number id; and from account management (whatsapp_business_management) — the WhatsApp Business Account id, the phone-number id and display number, and message-template metadata. This data is isolated per client, the access token is encrypted at rest, and it is shared only with Meta (to deliver replies) and our AI model provider (to generate the reply). It is never sold, used for advertising, or used to train generalized AI models, and is deleted on the client's request or at the end of service.
5. Data retention
We keep data only for as long as necessary: lead contacts for 24 months, and billing documents for the legal period applicable in Portugal (currently 10 years). End-customer messages are deleted at the client's request or at the end of the service.
6. Your rights
You may at any time exercise the rights of access, rectification, erasure, restriction, objection and portability, and withdraw your consent, by contacting info@vistacriativa.com. You also have the right to lodge a complaint with the supervisory authority — in Portugal, the National Data Protection Commission (CNPD), www.cnpd.pt.
7. Cookies
This site uses no advertising or third-party tracking cookies. Visit analytics are first-party and aggregated.
8. Changes
This policy may be updated. The date of the last revision appears at the top of this page.