PeopleWare CPS — Privacy Policy
Last updated: [PENDING: effective date]
This Privacy Policy explains how GeniusDiagram Unip Lda, a single-member private limited company incorporated under the laws of Portugal, with registered office at Rua 1.º de Dezembro, 47 - 3.º Dto., 2700-670 Amadora, Portugal and tax identification number PT515101290 ("GeniusDiagram", "we", "us"), trading under the brands "PeopleWare" and "PeopleWare CPS", processes personal data in connection with the PeopleWare CPS platform at https://pw-cps.com (the "Service").
1. Controller and Contact
1.1 GeniusDiagram Unip Lda is the controller of the personal data described in this Policy (i.e., data of our direct customers and their users, website visitors and contacts).
1.2 Privacy contact: privacy@pw-cps.com.
1.3 GeniusDiagram has not appointed a Data Protection Officer, as the appointment is not mandatory for our processing activities under Article 37 GDPR.
1.4 Two roles, two documents. Where we process personal data on behalf of our customers in providing the Service (e.g., tenant user accounts managed by the customer, pseudonymised order references sent by the customer's store plugins), we act as a processor, and that processing is governed by our Data Processing Agreement (DPA), not by this Policy.
2. Personal Data We Process
As a controller, we process the following categories of personal data about our direct customers and their representatives:
(a) Registration and account data — name, email address, company name, and answers to the onboarding questionnaire; (b) Billing data — invoicing details, tax identification, payment records; (c) Support data — communications with our support channels and related metadata; (d) Technical logs — IP addresses, authentication events, API usage and error logs generated by use of the Service.
End-customer data. The e-commerce plugins are designed so that no personal data of our customers' end customers (names, emails, addresses) is transmitted to the Service. Plugins send only: order reference, platform identifier, currency, completion timestamp and product configuration data. Order references are pseudonymised from our perspective — only the customer's own store can link them to identifiable persons.
3. Purposes and Legal Bases
| Purpose | Legal basis (Art. 6(1) GDPR) |
|---|---|
| Providing and administering accounts and the Service | (b) performance of a contract |
| Billing and invoicing | (b) contract; (c) legal obligation (tax/accounting) |
| Customer support | (b) contract; (f) legitimate interest |
| Security, abuse prevention, logging and monitoring | (f) legitimate interest (securing the Service) |
| Service communications (operational notices, price-change notices) | (b) contract; (f) legitimate interest |
| Compliance with legal obligations | (c) legal obligation |
| Marketing communications, if any | (a) consent or (f) legitimate interest with opt-out [LAWYER: confirm soft opt-in approach under ePrivacy/Portuguese Law 41/2004] |
4. Retention
(a) Account data — deleted 60 days after cancellation or termination of the account, except where longer retention is required by law (e.g., invoicing records retained for the statutory period under Portuguese tax law [LAWYER: confirm statutory retention period, typically 10 years]); (b) Technical logs and backups — retained for 30 days; (c) Support records — [PENDING: support records retention period].
5. Sharing and Recipients
5.1 We share personal data with sub-processors and service providers acting on our instructions, as listed in Annex III of the DPA (hosting, transactional email, error monitoring, AI services).
5.2 We may disclose data where required by law or to competent authorities, and in connection with corporate transactions, subject to appropriate safeguards.
5.3 We do not sell personal data.
6. International Transfers
(a) Hosting: OVH, datacenter located in France (EU) — no transfer outside the EU/EEA; (b) Transactional email: PeopleWare email infrastructure, servers in the EU; (c) AI services: Anthropic PBC (USA) — transfers safeguarded by the EU-US Data Privacy Framework and/or Standard Contractual Clauses; (d) Error tracking: GlitchTip (EU instance, eu.glitchtip.com) — event data processed in the EU, no third-country transfer. Verified 2026-06-15.
You may request a copy of the applicable transfer safeguards via privacy@pw-cps.com.
7. Your Rights
7.1 Subject to the conditions of the GDPR, you have the right to: access your personal data; rectify inaccurate data; erase data; restrict processing; data portability; object to processing based on legitimate interests; and withdraw consent at any time (without affecting prior processing).
7.2 To exercise your rights, contact privacy@pw-cps.com. We respond within one month, extendable as permitted by Article 12(3) GDPR.
7.3 You have the right to lodge a complaint with a supervisory authority, in particular the Portuguese supervisory authority: Comissão Nacional de Proteção de Dados (CNPD) — https://www.cnpd.pt.
8. Security
We apply appropriate technical and organisational measures, including TLS encryption in transit, hashed API keys, multi-tenant isolation, role-based access control, security monitoring (SIEM) and regular backups and patching. Further detail is provided in Annex II of the DPA.
9. Cookies and Analytics
9.1 Our use of cookies is described in the Cookie Policy. We currently use only essential cookies.
9.2 Analytics: we do not currently use analytics or tracking tools. We reserve the right to introduce analytics in the future, subject to adequate prior notice, any required consent, and an update to this Policy and the Cookie Policy.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email or in-app notice with adequate advance notice. The "Last updated" date indicates the current version.
11. Contact
GeniusDiagram Unip Lda Rua 1.º de Dezembro, 47 - 3.º Dto., 2700-670 Amadora, Portugal Email: privacy@pw-cps.com