Privacy Policy

Last updated: March 11, 2026

1. Introduction

CompliantLease ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our lease agreement creation platform.

This policy is issued in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR) and Portuguese Law 58/2019 of August 8.

This policy applies to all individuals who visit our website, create an account, or use our services.

2. Data Controller

The data controller for your personal data is:

Emil Bundgaard, operating under the brand CompliantLease

NIF (Tax ID): 307297578

Rua Das Trinas 66, 1200-873 Lisbon, Portugal

For data protection inquiries, contact us at: privacy@compliantlease.com

Given the nature and scale of our data processing, we are not required to appoint a Data Protection Officer under Article 37 of the GDPR.

3. Personal Data Collected

We collect the following types of personal data:

Data you provide directly:

  • Identification Data: Full name, email address
  • Contract Data: Information entered in lease agreements, including landlord, tenant, and property details (names, addresses, NIF/tax identification numbers, bank details)
  • Uploaded Documents: ID documents, energy certificates, supporting documents, and other files you upload to the platform

Data collected automatically:

  • Payment Data: Securely processed through Stripe (we do not store credit/debit card data)
  • Usage Data: IP address, browser type and operating system, pages visited, session duration, and interactions with the platform
  • Authentication Logs: Login date and time, session tokens, authentication method used
  • Technical Data: Device type, screen resolution, approximate geolocation data (based on IP address)

    Special category data:

    We do not intentionally collect special category data (e.g., data relating to health, religion, or ethnicity). If such data is inadvertently included in uploaded documents, it is processed solely for the purpose of contract generation and for no other purpose.

    4. Purposes of Processing

    We process your personal data for the following purposes:

  • Contract Performance: Generation, management, and storage of your lease agreements
  • Account Management: Creation, maintenance, and authentication of your user account
  • Billing and Tax Obligations: Payment processing, invoice issuance, and compliance with tax-related legal obligations
  • Service Communications: Sending important operational notifications about your contracts and account
  • Security and Fraud Prevention: Monitoring for unauthorized access, protecting against fraudulent activity, and ensuring platform integrity
  • Service Improvement: Aggregated, anonymized analysis of usage patterns to identify platform and user experience improvements
  • Legal Compliance: Compliance with applicable legal obligations, including tax legislation and data protection regulations
  • Dispute Resolution: Handling complaints and resolving disputes related to our services

    We do not use automated decision-making or profiling that produces legal or similarly significant effects on our users.

    5. Legal Basis for Processing

    The processing of your data is based on the following GDPR legal bases, mapped to each purpose:

    | Purpose | Legal Basis |
    | --- | --- |
    | Contract generation and management | Art. 6(1)(b) — contract performance |
    | Account creation and authentication | Art. 6(1)(b) — contract performance |
    | Payment processing and invoicing | Art. 6(1)(b) — contract performance + Art. 6(1)(c) — legal obligation (tax) |
    | Operational notifications | Art. 6(1)(b) — contract performance |
    | Security and fraud prevention | Art. 6(1)(f) — legitimate interest |
    | Analytics and service improvement | Art. 6(1)(f) — legitimate interest |
    | Marketing communications | Art. 6(1)(a) — consent |
    | Legal compliance | Art. 6(1)(c) — legal obligation |
    | Dispute resolution | Art. 6(1)(f) — legitimate interest |

    Legitimate interests: Where we rely on legitimate interest as a legal basis, we have conducted a balancing assessment. Our legitimate interest in platform security and fraud prevention is balanced by the fact that these activities directly protect users. Our interest in usage analytics is balanced by the anonymization of analytical data, minimizing the impact on your privacy.

    Consent: Where processing is based on consent, you may withdraw it at any time by contacting us at privacy@compliantlease.com or by clicking "unsubscribe" in our marketing emails. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

    6. Data Retention Period

    We retain your data according to the following criteria:

  • Active Accounts: Data is kept while your account is active and the service is being used
  • Inactive Accounts: Accounts with no activity for 24 months will be notified before deletion. If no response is received, data will be deleted within 30 days of notification
  • Deleted Accounts: After account deletion by the user, personal data is completely removed within 30 days
  • Uploaded Documents: Documents uploaded to the platform are retained for the duration of the associated contract and deleted 6 months after contract completion or deletion
  • Tax Documents: Invoices and payment records are kept for 10 years as required by Portuguese tax law
  • Cancelled Subscription: If you cancel your subscription but do not delete your account, contract data remains accessible in read-only mode until you request account deletion

    Anonymized usage data may be retained indefinitely for statistical purposes.

    7. Processors and Third Parties

    To provide our services, we share data with the following processors:

    | Processor | Purpose | Location | Safeguards |
    | --- | --- | --- | --- |
    | Supabase | Database and authentication | EU (Frankfurt) | EU processing |
    | Vercel | Web hosting and CDN | EU / USA | Standard Contractual Clauses (SCCs) |
    | Stripe | Payment processing | USA | EU-US Data Privacy Framework + SCCs |
    | Resend | Transactional email delivery | USA | Standard Contractual Clauses (SCCs) |

    We have entered into Data Processing Agreements (under Article 28 GDPR) with all processors listed above.

    We will notify you of any changes to our processors. You may object to new processors within 30 days of notification.

    8. International Data Transfers

    Some of our processors are located in the United States of America. We ensure adequate protection of your data through the following mechanisms:

  • EU-US Data Privacy Framework: Where the processor is certified under the Data Privacy Framework (e.g., Stripe)
  • Standard Contractual Clauses (SCCs): Contracts approved by the European Commission that impose data protection obligations equivalent to those under the GDPR
  • Transfer Impact Assessments (TIA): We conduct assessments of the legal regime in the destination country to ensure that contractual safeguards are effective in practice

    Your data is processed within the EU whenever possible. Transfers outside the EEA occur only when necessary for the services described above.

    9. Your Rights

    Under GDPR, you have the following rights:

  • Right of Access: Obtain confirmation and access to your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing for direct marketing purposes or processing based on legitimate interest
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

    Response Timeframe: We will respond to your request within 30 days. If the request is complex, we may extend this period by a further 60 days, informing you of the extension.

    Identity Verification: To protect your privacy, we may verify your identity before processing your request.

    To exercise your rights, contact us at: privacy@compliantlease.com

    You also have the right to lodge a complaint with the CNPD (see section 16).

    10. Cookies and Similar Technologies

    We use cookies for platform functionality. The types of cookies we use are:

  • Essential Cookies: Necessary for platform operation, including authentication and session security. These cookies do not require consent
  • Analytical Cookies: Used to understand how you use our service and improve the user experience. These cookies are activated only with your prior consent

    Under the ePrivacy Directive and CNPD guidance, non-essential cookies require your prior and explicit consent. You can manage your cookie preferences at any time through your browser settings.

    We do not use marketing or third-party tracking cookies.

    11. Data Security

    We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest in the database
  • Row-Level Security (RLS) in the database, ensuring each user can only access their own data
  • Mandatory authentication on all API endpoints
  • Strict access controls and the principle of least privilege
  • Continuous error and anomaly monitoring
  • Incident response plan with regular security reviews

    12. Data Breach Notification

    In the event of a personal data breach that poses a risk to your rights and freedoms:

  • Notification to CNPD: We will notify the Comissão Nacional de Proteção de Dados within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR
  • Notification to Users: We will inform you without undue delay when the breach is likely to result in a high risk to your rights and freedoms, in accordance with Article 34 of the GDPR

    The notification will include: the nature of the breach, the likely consequences, the measures taken or proposed to address the situation, and, where applicable, recommendations to mitigate possible adverse effects.

    13. Children's Data

    Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors.

    Under Portuguese Law 58/2019, consent for data processing in the context of information society services is valid from the age of 13 in Portugal. Below that age, consent from a legal representative is required.

    If you believe a minor has provided us with personal data, please contact us immediately at privacy@compliantlease.com so that we can proceed with its deletion.

    14. Changes to This Policy

    We may update this Privacy Policy periodically. Significant changes include: introduction of new data categories, new processing purposes, new processors, or changes to your rights.

    We will notify you of significant changes with a minimum of 30 days' advance notice, via email or a notice on the platform. The date of the last update is shown at the top of this page.

    Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

    15. Data Protection Impact Assessments

    We conduct Data Protection Impact Assessments (DPIAs) when processing is likely to result in a high risk to the rights and freedoms of data subjects, in accordance with Article 35 of the GDPR.

    Given the current nature and scale of our processing, our assessment is that there are no high risks requiring a formal DPIA. This assessment is reviewed periodically as our services evolve.

    16. Contact

    For questions about this Privacy Policy or the processing of your data, contact us:

    Emil Bundgaard — CompliantLease

    Email: privacy@compliantlease.com

    Address: Rua Das Trinas 66, 1200-873 Lisbon, Portugal

    We will respond to your inquiries within a maximum of 10 business days.

    You also have the right to lodge a complaint with the Portuguese supervisory authority:

    CNPD — Comissão Nacional de Proteção de Dados

    Av. D. Carlos I, 134, 1.º

    1200-651 Lisboa

    www.cnpd.pt