Privacy Policy.

01 Who we are

Data Controller

The website nexustourismlab.org is operated by Nexus Lab, a brand of BAE Ventures (the legal entity controlling personal data collected through this site). For data-related enquiries, write to hello@nexustourismlab.org with the subject "Privacy".

02 What we collect

Data we collect

Two sources only:

1. Form submissions. When you request a free website audit or send any other enquiry through our forms, we collect: name, role, company, company size, country (if provided), website URL, work email, and the short text answer to "what would you most want to improve". We use this to prepare and send the report you've asked for.
2. Anonymous web analytics. We use Cloudflare Web Analytics, which collects aggregate, anonymous data: page views, top pages, country, device type, referrer. No cookies. No personal identifiers. No tracking across sites. This is why this site does not require a cookie banner.

03 Why we collect it

Lawful basis

For form submissions: performance of a contract at your request (Article 6(1)(b) GDPR) — you've asked us to send you a report or proposal, and we need your data to do that. For analytics: legitimate interest in understanding aggregate site usage (Article 6(1)(f) GDPR), with no impact on your rights given the cookieless, anonymous nature of the data.

04 Who sees it

Sharing & processors

We share data only with the third parties strictly required to operate the site:

• Formspree (formspree.io) — receives form submissions and forwards them to our inbox. Hosted in the United States; Standard Contractual Clauses apply.
• Cloudflare (cloudflare.com) — provides anonymous web analytics. EU servers.
• Email provider — when we reply to you, your email passes through standard SMTP infrastructure.

We do not sell, rent, or otherwise share your personal data with any marketing list, advertiser, or unrelated third party.

05 How long we keep it

Retention

Form submissions and the corresponding email exchanges are kept for as long as the conversation is active and for up to 24 months after the last contact, after which they are deleted. If we sign a paid engagement, contractual records are kept for the period required by Portuguese tax and commercial law (typically 10 years). Analytics data is aggregate-only and retained according to Cloudflare's policies; it cannot be tied back to you.

06 Your rights

Your rights under GDPR

You have the right to:

• Access the personal data we hold about you.
• Rectify any data that is incorrect.
• Delete your data ("right to be forgotten").
• Restrict or object to processing.
• Portability — receive your data in a common format.
• Withdraw consent at any time, where consent is the basis.
• Lodge a complaint with the Portuguese Data Protection Authority (CNPD) or your local supervisory authority.

To exercise any of these, write to hello@nexustourismlab.org with the subject "Privacy: [your request]". We respond within 30 days.

07 Cookies

Cookies & tracking

This site does not use tracking, advertising, or analytics cookies. We may set strictly necessary technical cookies if and when required for the site to function (e.g. anti-spam protection on forms). These do not require consent under EU law and are not used to track you.

If we ever add tracking that requires consent, we'll add a banner and update this policy.

08 Security

Security

Site served over HTTPS. Form submissions are transmitted encrypted. Our email providers use TLS for transport. We apply standard practices to protect data at rest and in transit, but no system is impenetrable; if we ever detect a breach affecting your data, we will notify you in line with GDPR requirements.

09 Changes

Changes to this policy

If we change anything material, we update the date at the top and, where appropriate, notify people whose data we hold. The current version is always live at this URL.