Privacy Policy - Darkmoon Innovations

Darkmoon Innovations Lda
Last updated: 09-04-2026
Version: 1.0

Your privacy matters to us. This Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it. We’ve written it in plain language because we believe you deserve to understand exactly what happens to your data.

1. Introduction and Purpose

1.1 Who We Are. This Privacy Policy is issued by Darkmoon Innovations Lda, a company incorporated in Portugal, with registered office at Praça do Marquês de Pombal 14, 1250-162 Lisbon, Portugal (“Darkmoon“, “we“, “us“, or “our“).

We provide IT consulting, software development, nearshore staffing solutions, AI automation, and related technology services. We operate from three locations: Lisbon (Portugal), Madrid (Spain), and Bahia (Brazil).

1.2 Scope. This Policy applies to all personal data we process in relation to:

visitors to our website at https://www.darkmooninnovations.com and any associated subdomains (“Website“);
clients, prospects, and their representatives who interact with us in connection with our Services;
candidates who apply for positions at Darkmoon;
partners, suppliers, and subcontractors;
any other individual whose personal data we process in the course of our business activities.

1.3 Applicable Law. We comply with:

The General Data Protection Regulation (EU) 2016/679 (“GDPR“) — applicable to our operations in Portugal and Spain and to the processing of personal data of individuals located in the EEA;
The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais — LGPD), Law No. 13,709/2018 — applicable to our operations in Brazil and to the processing of data of individuals located in Brazil;
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — applicable where we process personal data of California residents;
Any other applicable national data protection laws.

1.4 Controller. For the purposes of the GDPR, Darkmoon Innovations Lda is the data controller of your personal data. For the purposes of the LGPD, Darkmoon Innovations Lda is the controlador of your personal data.

2. Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with us:

2.1 Identity and Contact Data

Full name
Job title and professional role
Company name and company registration details
Email address (business and/or personal)
Phone number (mobile and/or landline)
Postal address (billing and/or correspondence)
LinkedIn and other professional profile URLs (when provided)

2.2 Business and Commercial Data

Information about your organisation, industry, and technology needs
Details of products or services requested
Purchase history and transaction records
Contract and SoW details
Communication records (emails, meeting notes, CRM entries)

2.3 Financial Data

Bank account details (for payment purposes — stored and handled with strict access controls)
Payment transaction records and invoice history
VAT/tax identification numbers
Credit and payment status

2.4 Technical and Usage Data

IP address and approximate geolocation derived from IP
Browser type and version, operating system
Device type and unique device identifiers
Pages visited on our Website, time of visit, duration of session
Referring URLs (how you arrived at our Website)
Interaction data (clicks, scroll depth, form completions)
Log files and error reports

2.5 Cookie and Tracking Data

First-party and third-party cookie identifiers
Analytics identifiers (e.g., Google Analytics Client ID)
Advertising and conversion tracking identifiers (where applicable)
Cookie consent preferences
(See Section 7 for full cookie details)

2.6 Communications Data

Messages submitted via our contact form
Email and written correspondence with our team
Records of calls and video meetings (with prior consent where required)
Feedback and survey responses

2.7 Candidate / Recruitment Data

CV/résumé, cover letter, and portfolio materials
Employment history, qualifications, and skills
References and reference contact details
Results of technical assessments or interviews
Work permit and right-to-work documentation (where required by law)
Nationality and relevant personal details for immigration/mobility purposes

2.8 Special Categories of Data

We do not intentionally collect special categories of personal data (such as health data, racial or ethnic origin, religious beliefs, biometric data, or sexual orientation). We ask that you do not share such data with us unless strictly necessary and expressly requested by us in writing. Where processing of special category data is required (e.g., in the context of international mobility/visa applications), we will obtain explicit consent and implement additional safeguards.

2.9 Data About Children

Our Website and Services are directed exclusively at professionals and businesses. We do not knowingly collect personal data from individuals under 18 years of age. See Section 11 for our full policy on minors.

3. How We Collect Personal Data

We collect your personal data through the following means:

3.1 Directly from You

When you complete our contact form or booking form on the Website
When you email, call, or otherwise communicate with us
When you sign a contract, proposal, or SoW
When you submit your CV or apply for a job
When you attend our events or webinars
When you respond to surveys or provide feedback

3.2 Automatically Through Your Use of Our Website

Through cookies, web beacons, pixels, and similar tracking technologies
Through server log files and analytics platforms (Google Analytics, etc.)
Through session recording tools (where implemented and disclosed via cookie consent)

3.3 From Third Parties

From professional networks such as LinkedIn, where you have made your profile public or interacted with our content
From our clients, where you are a representative or contact of an organisation engaging our Services
From recruitment platforms and talent agencies (for candidate data)
From publicly available business directories and company registries
From referrals by mutual contacts or partners

3.4 Generated by Our Business Operations

Meeting notes, project documentation, and CRM records created by our team in the course of delivering Services
Performance data and deliverable-related documentation

4. Purposes of Processing and Legal Bases

The table below sets out the purposes for which we process your personal data, together with the legal basis under the GDPR and the applicable basis under the LGPD.

#	Purpose	Legal Basis (GDPR)	Legal Basis (LGPD)
1	Responding to enquiries and pre-sales communications	Legitimate interests (Art. 6(1)(f)) — pursuing business opportunities	Legitimate interest (Art. 7, X)
2	Preparing, negotiating, and executing contracts and SoWs	Performance of a contract (Art. 6(1)(b))	Execution of contract (Art. 7, V)
3	Delivering our IT consulting, development, and managed services	Performance of a contract (Art. 6(1)(b))	Execution of contract (Art. 7, V)
4	Processing invoices and payments	Performance of a contract / Legal obligation (Art. 6(1)(b)/(c))	Legal obligation / Contract (Art. 7, II / V)
5	Compliance with legal, regulatory, and tax obligations	Legal obligation (Art. 6(1)(c))	Legal obligation (Art. 7, II)
6	Managing client relationships and CRM	Legitimate interests (Art. 6(1)(f)) — client relationship management	Legitimate interest (Art. 7, X)
7	Sending marketing communications and service updates to clients and prospects	Legitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a))	Consent (Art. 7, I) / Legitimate interest (Art. 7, X)
8	Improving our Website and Services through analytics	Legitimate interests (Art. 6(1)(f)) — service improvement	Legitimate interest (Art. 7, X)
9	Processing job applications and recruitment	Pre-contractual measures / Legitimate interests (Art. 6(1)(b)/(f))	Contract / Legitimate interest (Art. 7, V / X)
10	Security monitoring, fraud prevention, and incident management	Legitimate interests (Art. 6(1)(f)) — protection of our systems and clients	Legitimate interest / Legal obligation (Art. 7, X / II)
11	International mobility and visa/permit support (where applicable)	Legal obligation / Consent (Art. 6(1)(c)/(a))	Legal obligation / Consent (Art. 7, II / I)
12	Exercising or defending legal claims	Legitimate interests / Legal obligation (Art. 6(1)(f)/(c))	Legal protection (Art. 7, VI)

Note on legitimate interests: Where we rely on legitimate interests as a legal basis, we have conducted a balancing test and concluded that our interests are not overridden by your rights and freedoms. You may request further information about this assessment at any time.

Note on marketing: You have the right to opt out of direct marketing communications at any time by clicking “unsubscribe” in any email, or by contacting us at [DPO EMAIL]. Opting out will not affect the processing of data for other purposes.

5. Data Sharing

We do not sell your personal data. We may share your personal data with the following categories of recipients, strictly on a need-to-know basis and under appropriate contractual safeguards:

5.1 Within the Darkmoon Group

We may share data within our group of companies (including our offices in Spain and Brazil) for internal administrative, operational, and service delivery purposes, subject to intra-group data transfer agreements where required.

5.2 Service Providers and Subprocessors

We engage trusted third-party service providers to help us operate our business and deliver our Services. These include:

Category	Examples	Purpose
Cloud infrastructure	Microsoft Azure, AWS, Google Cloud	Hosting, storage, compute
CRM & sales tools	HubSpot, Salesforce, Pipedrive	Client relationship management
Communication tools	Microsoft Teams, Google Workspace, Slack	Internal and client communication
Project management	Jira, Notion, Asana	Project delivery
Analytics	Google Analytics, Hotjar	Website performance
Email marketing	Mailchimp, Brevo	Marketing communications
Payment processing	Stripe, bank transfers	Invoicing and payment
Accounting & ERP	SAP, QuickBooks	Financial management
Recruitment platforms	LinkedIn, job boards	Talent acquisition
Cybersecurity tools	[Relevant vendors]	Security monitoring

All subprocessors are subject to a Data Processing Agreement (DPA) and are required to process data only on our instructions and in compliance with applicable law.

5.3 Business Partners and Subcontractors

Where we engage nearshore partners or freelance contractors to assist with service delivery, we share only the minimum personal data necessary and under appropriate confidentiality and data protection obligations.

5.4 Legal and Regulatory Disclosure

We may disclose personal data to courts, regulators, tax authorities, or law enforcement agencies where required by law or court order, or where we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights or property of Darkmoon; (c) prevent or investigate possible wrongdoing; or (d) protect the personal safety of users or the public.

5.5 Corporate Transactions

In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the relevant acquirer or successor entity, subject to the same privacy protections and your rights under applicable law.

6. International Data Transfers

6.1 Cross-Border Transfers. As a company operating across Portugal (EU), Spain (EU), and Brazil, and using cloud infrastructure and tools from international providers, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or Brazil.

6.2 Safeguards for EEA Transfers (GDPR). When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place as required by Chapter V of the GDPR, including:

Adequacy decisions by the European Commission (e.g., transfers to the UK, Japan, Israel, Canada);
Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision 2021/914/EU) for transfers to countries without an adequacy decision;
Binding Corporate Rules (BCRs) where applicable for intra-group transfers;
Other approved transfer mechanisms (e.g., UK International Data Transfer Agreements).

6.3 Transfers to Brazil (LGPD). When transferring personal data to Brazil, we comply with the international transfer requirements of the LGPD (Articles 33–36), including reliance on:

Contractual clauses with equivalent protection guarantees;
Binding corporate rules;
Transfers to countries or organisations with an adequate level of protection as recognised by the ANPD (Autoridade Nacional de Proteção de Dados).

6.4 CCPA (California). We do not “sell” or “share” personal data of California residents as defined under the CCPA/CPRA. California residents have additional rights described in Section 8.

6.5 Further Information. You may request a copy of the relevant transfer mechanisms we use by contacting our DPO at [DPO EMAIL].

7. Cookies and Similar Technologies

We use cookies and similar tracking technologies on our Website. This section explains what they are and how you can control them.

7.1 What are cookies? Cookies are small text files placed on your device when you visit a website. They help websites function properly, provide analytics data, and enable personalised experiences.

7.2 Cookie Consent. When you first visit our Website, we will ask for your consent before setting any non-essential cookies. You can manage your preferences at any time via the cookie settings tool on our Website or by adjusting your browser settings. Note that refusing certain cookies may affect the functionality of our Website.

7.3 Cookie Table.

Cookie Name	Category	Provider	Purpose	Duration
`_ga`	Analytics	Google Analytics	Distinguishes unique users by assigning a randomly generated number as a client identifier	2 years
`_ga_XXXXXX`	Analytics	Google Analytics	Used to persist session state	2 years
`_gid`	Analytics	Google Analytics	Stores and updates a unique value for each page visited	24 hours
`_gat`	Analytics	Google Analytics	Throttles request rate	1 minute
`hubspotutk`	Analytics/Marketing	HubSpot	Tracks a visitor’s identity and manages session data	13 months
`__hstc`	Analytics/Marketing	HubSpot	Tracks visitor history and sessions	13 months
`__hssc`	Analytics/Marketing	HubSpot	Tracks sessions	30 minutes
`__hssrc`	Analytics/Marketing	HubSpot	Detects session resets	Session
`cookielawinfo-*`	Necessary	Cookie Consent Plugin	Stores cookie consent preferences	12 months
`PHPSESSID`	Necessary	WordPress/PHP	Maintains your session state	Session
`wordpress_logged_in_*`	Necessary	WordPress	Indicates when you are logged in	Session
`wp-settings-*`	Functional	WordPress	Stores user preferences	1 year
`_fbp`	Marketing	Meta (Facebook)	Used by Facebook to deliver advertisements	3 months
`_gcl_au`	Marketing	Google Ads	Used by Google AdSense for experimenting with advertisement efficiency	3 months
`li_fat_id`	Marketing	LinkedIn	LinkedIn member indirect identifier for conversion tracking	30 days

Note: The specific cookies in use on our Website may change as we update our technology stack. We update this table regularly, and the most current version is always available on our Website.

7.4 Cookie Categories:

Strictly Necessary: Essential for the Website to function. Cannot be disabled.
Functional: Enable enhanced features and personalisation. Disabled by default; enabled upon consent.
Analytics: Help us understand how visitors use the Website (aggregated and anonymised where possible). Disabled by default; enabled upon consent.
Marketing: Used to deliver relevant advertisements and track campaign effectiveness. Disabled by default; enabled upon consent.

7.5 How to Manage Cookies:

Cookie banner: Use the consent management tool on our Website to set your preferences at any time.
Browser settings: Most browsers allow you to refuse or delete cookies. See your browser’s help section for instructions.
Opt-out tools: You can opt out of Google Analytics at https://tools.google.com/dlpage/gaoptout and of interest-based advertising at https://www.youronlinechoices.eu/ (EU) or https://optout.aboutads.info/ (US).

8. Your Rights

You have the following rights over your personal data. We will respond to verified requests within 30 days (extendable by a further 60 days for complex requests under GDPR, or within 15 business days under LGPD).

8.1 Rights Under GDPR (EEA Residents)

Right	What It Means
Right of Access (Art. 15)	You may request a copy of the personal data we hold about you and information about how we process it
Right to Rectification (Art. 16)	You may ask us to correct inaccurate or incomplete data
Right to Erasure / “Right to be Forgotten” (Art. 17)	You may ask us to delete your data where it is no longer necessary, you withdraw consent, or where processing is unlawful
Right to Restriction of Processing (Art. 18)	You may ask us to restrict how we process your data in certain circumstances
Right to Data Portability (Art. 20)	You may request your data in a structured, machine-readable format for transfer to another controller
Right to Object (Art. 21)	You may object to processing based on legitimate interests or for direct marketing
Rights related to automated decisions (Art. 22)	You have the right not to be subject to solely automated decision-making, including profiling, with significant effects on you
Right to withdraw consent (Art. 7(3))	Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

8.2 Rights Under LGPD (Brazilian Residents — Art. 18)

Right	What It Means
Confirmação	Confirm whether we process your personal data
Acesso	Access your personal data
Correção	Correct incomplete, inaccurate, or outdated data
Anonimização, bloqueio ou eliminação	Anonymise, block, or delete unnecessary or excessive data or data processed in non-compliance with the LGPD
Portabilidade	Receive your data for transfer to another service or product provider
Eliminação	Delete personal data processed with your consent
Informação sobre compartilhamento	Obtain information about public and private entities with which we have shared your data
Revogação do consentimento	Revoke consent at any time
Oposição	Object to processing that does not comply with the LGPD
Revisão de decisões automatizadas	Request review of decisions made solely by automated means

8.3 Rights Under CCPA/CPRA (California Residents)

Right	What It Means
Right to Know	Know what personal information we collect, use, disclose, and sell
Right to Delete	Request deletion of your personal information subject to certain exceptions
Right to Correct	Correct inaccurate personal information
Right to Opt Out of Sale/Sharing	We do not sell or share personal information as defined under CCPA/CPRA
Right to Limit Use of Sensitive PI	Limit our use of sensitive personal information to necessary purposes
Right to Non-Discrimination	We will not discriminate against you for exercising your rights

Do Not Sell or Share My Personal Information: Darkmoon does not sell personal information to third parties, nor do we share it for cross-context behavioural advertising. If this policy changes, we will provide a prominent opt-out mechanism before any such sharing commences.

8.4 How to Exercise Your Rights

Submit a request by:

Email: [DPO EMAIL]
Postal mail: Darkmoon Innovations Lda, Attention: Data Protection Officer, Praça do Marquês de Pombal 14, 1250-162 Lisbon, Portugal

We may need to verify your identity before processing your request. We will never charge a fee for a first request unless it is manifestly unfounded or excessive.

8.5 Right to Lodge a Complaint

If you are not satisfied with how we handle your data or respond to your request, you have the right to lodge a complaint with the competent supervisory authority:

Portugal / EU: Comissão Nacional de Proteção de Dados (CNPD) — https://www.cnpd.pt
Spain: Agencia Española de Protección de Datos (AEPD) — https://www.aepd.es
Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — https://www.gov.br/anpd
California (US): California Privacy Protection Agency (CPPA) — https://cppa.ca.gov

9. Data Security

9.1 Technical and Organisational Measures. We implement appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our measures include:

Encryption: Data in transit is protected using TLS 1.2+ (HTTPS). Sensitive data at rest is encrypted using AES-256 or equivalent.
Access controls: Role-based access control (RBAC) and the principle of least privilege. Multi-factor authentication (MFA) is required for all internal systems.
Secure development: Where we develop software, we follow secure development lifecycle (SDLC) practices and conduct regular security reviews.
Penetration testing and vulnerability management: We conduct periodic security assessments and promptly remediate identified vulnerabilities.
Vendor security: We conduct security due diligence on subprocessors and require contractual security commitments via DPAs.
Employee training: All staff receive regular data protection and security awareness training.
Incident response: We maintain an incident response plan and will notify affected individuals and competent authorities in the event of a data breach, as required by applicable law (within 72 hours under GDPR and within reasonable time under the LGPD).

9.2 Limitation. While we implement robust security measures, no system is completely immune to breaches. We cannot guarantee absolute security. We encourage you to protect your own account credentials and to notify us immediately if you suspect any unauthorised activity.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Data Category	Retention Period	Reason
Client contact and contract data	Duration of contract + 7 years	Legal and tax obligations (PT Commercial Code, LGPD)
Financial records (invoices, payments)	10 years from financial year end	Tax and accounting law (Portugal, Spain, Brazil)
Communication records (CRM, emails)	5 years from last contact	Legitimate interests; legal claim limitation periods
Website analytics data	26 months (Google Analytics default)	Service improvement
Cookie consent records	3 years	Evidence of lawful processing
Recruitment data (unsuccessful applicants)	12 months from application	Legal protection / potential future openings (with consent)
Recruitment data (employees)	Duration of employment + 5 years	Legal obligations
Marketing / newsletter subscriber data	Until opt-out + 6 months	Consent-based processing
Security logs	12 months	Incident investigation

After the applicable retention period, personal data is securely deleted, anonymised, or archived in accordance with our data retention policy.

11. Children and Minors

11.1 Our Website and Services are intended for business professionals and companies. We do not knowingly collect, process, or store personal data from children under the age of:

16 years in the EU/EEA (or the age of digital consent in the applicable Member State, which may be as low as 13 in some countries);
18 years in Brazil, unless there is parental or guardian consent;
13 years in the United States (under COPPA), or 16 years under CCPA.

11.2 If you are under the applicable minimum age, please do not use our Website or submit any personal data to us. If we become aware that we have inadvertently collected personal data from a minor without parental consent, we will take prompt steps to delete such data. If you believe we have collected data from a minor, please contact us immediately at [DPO EMAIL].

12. Updates to This Policy

12.1 We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or business operations. We will notify you of material changes by:

posting the updated Policy on our Website with a revised “Last updated” date;
sending an email notification to clients and subscribers for significant changes;
displaying a prominent banner on our Website where required.

12.2 We encourage you to review this Policy periodically. Your continued use of our Website or Services after the effective date of any changes constitutes your acknowledgement of the updated Policy.

12.3 Previous versions of this Policy are available upon request by emailing [DPO EMAIL].

13. Data Protection Officer (DPO) and Controller Contact

13.1 Data Controller

Darkmoon Innovations Lda
Praça do Marquês de Pombal 14, 1250-162 Lisbon, Portugal
Email: [email protected]
Website: https://www.darkmooninnovations.com

13.2 Data Protection Officer (DPO)

Darkmoon Innovations has appointed a Data Protection Officer who can be contacted for all matters relating to personal data protection:

DPO Department
Data Protection Officer — Darkmoon Innovations Lda
Email: [email protected]
Postal address: Darkmoon Innovations Lda, Attention: DPO, Praça do Marquês de Pombal 14, 1250-162 Lisbon, Portugal

13.3 Brazilian Operations Contact

For enquiries specifically relating to the processing of personal data in Brazil under the LGPD:

Darkmoon Innovations — Brazil Operations
R. Rio do Banho, 1 – Saubara, Bahia, 44220-000, Brazil
Email: [email protected]

13.4 Spanish Operations Contact

For enquiries specifically relating to processing activities carried out from Spain:

Darkmoon Innovations — Spain Operations
C. de Manzanares, 4, Arganzuela, 28005 Madrid, Spain
Email: [email protected]

Darkmoon Innovations Lda · Praça do Marquês de Pombal 14, 1250-162 Lisbon, Portugal · [email protected]