DiagnosticMind
Assessments Scorecards Audit Engine
Manifesto Method About
Insights Contact
EN PT
How personal data is handled

Privacy Policy

Last updated: 11 July 2026 · Version 1.1

DiagnosticMind operates in regulated sectors where compliance is the baseline, not the achievement. This page exists to make the operating reality of how this platform handles personal data legible — not to perform compliance theatre. The detail below is the actual protocol.

On this page

  1. Identity and controller
  2. What data is collected, and why
  3. Lawful basis matrix
  4. Sub-processors
  5. International transfers
  6. Cookies and analytics
  7. Your rights
  8. Security
  9. AI processing
  10. Changes to this policy
  11. Acknowledged residual risks

01Identity and controller

The controller for personal data processed by this website and the SaaS audit platform is:

Legal namePaulo Fernando Marques Ramada (Empresário em Nome Individual)
NIF193385902
Country of establishmentPortugal
Tax addressAvailable on request to verified business contacts
Primary contactcontact@diagnosticmind.eu
Data protection contactprivacy@diagnosticmind.eu
DesignationData Protection Contact (not Data Protection Officer — a solo Empresário em Nome Individual cannot be operationally independent of itself, so the honest, equally credible designation is used)

The controller is established in the European Union; no Article 27 representative is required.

02What data is collected, and why

2.1 Public assessments and scorecards (anonymous funnel)

CategoryCollectedRetentionLawful basis
Email address (only if you opt in to receive results)Optional24 months from collectionConsent — Art. 6(1)(a)
Assessment responsesYesStored only as anonymised benchmark data — no email, name, or other identifier is persisted with the responses (stripped server-side). Retained indefinitely as aggregate benchmark input.Legitimate interest — benchmark dataset (Art. 6(1)(f))
IP address (Cloudflare logs)Yes30 days (Cloudflare default)Legitimate interest — security (Art. 6(1)(f))
Browser or device fingerprintNo — Cloudflare Web Analytics is cookielessN/AN/A

2.2 SaaS audit platform — user accounts

CategoryCollectedRetentionLawful basis
Email addressYesAccount lifetime + 6 months post-closureContract performance — Art. 6(1)(b)
Name (if provided)OptionalAccount lifetime + 6 months post-closureContract performance
Magic link tokensTransient15 minutes maximumContract performance
Session tokensYes7 days rollingContract performance
IP address (audit trail)Yes90 daysLegal obligation + legitimate interest

2.3 SaaS audit content — high sensitivity

When SaaS customers use the audit platform, the audit content they enter (findings, evidence, non-conformities, corrective actions, names of audited individuals, third-party data referenced in audits) is processed on their behalf. The customer is the controller for that data; DiagnosticMind is the processor. The processing terms are governed by the Data Processing Addendum.

CategoryRetentionLawful basis
Audit findings, evidence, NCs, CAsAccount lifetime + 6 months post-cancellation (30-day recovery grace + 30-day full deletion)Contract performance (as processor) — Art. 6(1)(b) + Art. 28
Names of audited individuals (within audit content)SameCustomer is controller; provider is processor
Third-party data referenced in auditsSameCustomer is controller
A signed Data Processing Addendum is a prerequisite, not a formality, before audit data is uploaded by SaaS customers. Without it, both parties are in breach of Article 28 GDPR.

2.4 Special category data (Article 9 GDPR)

No special category data is intentionally collected. If audit content uploaded by SaaS customers includes health, criminal, or other Article 9 data of third parties, the customer (as controller) is responsible for the Article 9 lawful basis. This responsibility is made explicit in the Data Processing Addendum.

03Lawful basis matrix

ActivityLawful basisGDPR Article
Public assessment scoringLegitimate interestArt. 6(1)(f)
Email capture for assessment resultsConsentArt. 6(1)(a)
Newsletter deliveryConsentArt. 6(1)(a)
SaaS account managementContract performanceArt. 6(1)(b)
SaaS audit content (as processor)Contract performanceArt. 6(1)(b) + Art. 28
Security logging (IP addresses)Legitimate interestArt. 6(1)(f)
Benchmark dataset (anonymised)Legitimate interestArt. 6(1)(f)
AI processing of responses (substantively considered legitimate-interest balancing — formal LIA documentation is deferred to lawyer review)Legitimate interestArt. 6(1)(f)

04Sub-processors

Personal data is shared only with the sub-processors below, each engaged under a written agreement that includes confidentiality and security obligations. All transfers outside the EU rely on Standard Contractual Clauses combined with the EU-US Data Privacy Framework.

Provider Service Region Transfer mechanism DPA
Cloudflare, Inc. Workers, D1, KV, R2, Pages, Web Analytics (cookieless) Global edge (US HQ) SCC + EU-US Data Privacy Framework cloudflare.com
Anthropic, PBC Claude API (Sonnet 4.6) — AI inference for assessment narratives, audit suggestions, expert chat US SCC + EU-US Data Privacy Framework anthropic.com
Resend, Inc. Transactional email (magic links, assessment results) US SCC + EU-US Data Privacy Framework resend.com

Anthropic — additional facts. The Standard API tier is used. Inputs and outputs sent to the Anthropic API are not used to train Anthropic's models, per Anthropic's Commercial Terms. Default retention is 30 days for abuse monitoring. Zero Data Retention is available on enterprise request and will be pursued at the first paid SaaS contract that requires it.

Sub-processor change notification. Any change to this list will be notified by email to existing paid customers and updated on the Data Processing Addendum page at least 30 days before the new sub-processor goes live.

05International transfers

Cloudflare, Anthropic, and Resend are US-based providers. All transfers rely on the European Commission's Standard Contractual Clauses (Module 2 — controller to processor) supplemented by the EU-US Data Privacy Framework, where the provider is DPF-certified. Transfer impact assessment material is available to enterprise customers on request.

The EU-US Data Privacy Framework remains valid: the EU General Court upheld it on 3 September 2025 (Latombe v Commission, T-553/23). An appeal to the Court of Justice of the EU is pending (C-703/25 P, filed 31 October 2025). Because the Standard Contractual Clauses are the primary transfer mechanism used here — with the Data Privacy Framework as a supplement rather than a sole reliance — transfers remain lawful independently of the appeal's outcome. Developments are monitored.

06Cookies and analytics

This platform does not use third-party advertising cookies, third-party analytics cookies, or any tracking that requires a cookie consent banner. The only analytics is Cloudflare Web Analytics, which is cookieless and aggregates traffic at the edge without storing browser fingerprints.

Functional cookies (or equivalent local storage) are used only by the SaaS audit platform for authentication session continuity. These are strictly necessary for the platform to function and are not subject to consent under ePrivacy Directive Article 5(3) exemption.

07Your rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erasure — request deletion (Art. 17)
  • Restriction of processing (Art. 18)
  • Portability of data you provided (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time, where processing is based on consent (Art. 7(3))

How to exercise your rights

Send your request to privacy@diagnosticmind.eu. The response time is 30 days from receipt of a valid request, extendable by 60 days for complex requests with notification under Article 12(3).

Identity verification

  • If you are a SaaS account holder, send the request from your registered account email.
  • If you are not an account holder, a government-issued ID is required to verify the request. The ID is deleted immediately after verification. Verification correspondence is retained for 12 months for audit trail.

Right to lodge a complaint

The lead supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD) in Portugal. You retain the right to lodge a complaint with the CNPD or with your local supervisory authority — cnpd.pt.

08Security

The technical and organisational measures protecting personal data are documented on the Security page. Highlights:

  • HTTPS enforced with HSTS preload
  • Encryption at rest by Cloudflare default for D1, KV, R2
  • Passwordless authentication (magic links — no stored passwords)
  • 72-hour breach notification to authority and affected customers, per Articles 33 and 34

09AI processing

AI features in the platform are documented in detail on the AI Governance page. Summary relevant to data handling:

  • The model used is Claude Sonnet 4.6, accessed via the Anthropic Standard API.
  • Inputs and outputs are not used to train Anthropic's models.
  • All AI suggestions in the audit platform are reviewable, editable, and final decisions are made by the human lead auditor — never automatically applied.
  • Self-classification under the EU AI Act: Limited Risk (Article 50 transparency obligations apply from 2 August 2026; the Digital Omnibus deferral of high-risk obligations does not affect this classification).

10Changes to this policy

This policy is versioned. Material changes — meaning changes that affect lawful basis, retention, sub-processors, or your rights — will be notified by email to existing paid customers at least 30 days in advance and will be reflected in the updated date at the top of this page. Non-material editorial changes (clarifications, typo corrections) are made silently.

11Acknowledged residual risks

For full transparency:

  • A formal Data Protection Impact Assessment is committed before the first paid SaaS customer onboards. It is not yet completed because conducting it without active customers operates on hypothetical processing patterns.
  • Lawyer-reviewed legal documentation is committed at the first enterprise contract. The current pages are best-effort defensible — accurate, considered, and reflective of operational reality, but not yet externally counsel-reviewed.
  • Formal Records of Processing Activities (Article 30) and a documented Legitimate Interest Assessment are committed at the first enterprise contract. The substantive analysis underlying both has been performed; only the formal documentation is deferred.

These residuals are accepted consciously, not concealed.

Last updated 11 July 2026 · Version 1.1 Privacy · Data Processing · AI Governance · Security
DiagnosticMind
Assessments Scorecards Audit Engine
Manifesto Method About
Newsletter Contact
© 2026 DiagnosticMind
Privacy Data Processing AI Governance Security