Privacy Policy
DiagnosticMind operates in regulated sectors where compliance is the baseline, not the achievement. This page exists to make the operating reality of how this platform handles personal data legible — not to perform compliance theatre. The detail below is the actual protocol.
01Identity and controller
The controller for personal data processed by this website and the SaaS audit platform is:
| Legal name | Paulo Fernando Marques Ramada (Empresário em Nome Individual) |
|---|---|
| NIF | 193385902 |
| Country of establishment | Portugal |
| Tax address | Available on request to verified business contacts |
| Primary contact | contact@diagnosticmind.eu |
| Data protection contact | privacy@diagnosticmind.eu |
| Designation | Data Protection Contact (not Data Protection Officer — a solo Empresário em Nome Individual cannot be operationally independent of itself, so the honest, equally credible designation is used) |
The controller is established in the European Union; no Article 27 representative is required.
02What data is collected, and why
2.1 Public assessments and scorecards (anonymous funnel)
| Category | Collected | Retention | Lawful basis |
|---|---|---|---|
| Email address (only if you opt in to receive results) | Optional | 24 months from collection | Consent — Art. 6(1)(a) |
| Assessment responses | Yes | Stored only as anonymised benchmark data — no email, name, or other identifier is persisted with the responses (stripped server-side). Retained indefinitely as aggregate benchmark input. | Legitimate interest — benchmark dataset (Art. 6(1)(f)) |
| IP address (Cloudflare logs) | Yes | 30 days (Cloudflare default) | Legitimate interest — security (Art. 6(1)(f)) |
| Browser or device fingerprint | No — Cloudflare Web Analytics is cookieless | N/A | N/A |
2.2 SaaS audit platform — user accounts
| Category | Collected | Retention | Lawful basis |
|---|---|---|---|
| Email address | Yes | Account lifetime + 6 months post-closure | Contract performance — Art. 6(1)(b) |
| Name (if provided) | Optional | Account lifetime + 6 months post-closure | Contract performance |
| Magic link tokens | Transient | 15 minutes maximum | Contract performance |
| Session tokens | Yes | 7 days rolling | Contract performance |
| IP address (audit trail) | Yes | 90 days | Legal obligation + legitimate interest |
2.3 SaaS audit content — high sensitivity
When SaaS customers use the audit platform, the audit content they enter (findings, evidence, non-conformities, corrective actions, names of audited individuals, third-party data referenced in audits) is processed on their behalf. The customer is the controller for that data; DiagnosticMind is the processor. The processing terms are governed by the Data Processing Addendum.
| Category | Retention | Lawful basis |
|---|---|---|
| Audit findings, evidence, NCs, CAs | Account lifetime + 6 months post-cancellation (30-day recovery grace + 30-day full deletion) | Contract performance (as processor) — Art. 6(1)(b) + Art. 28 |
| Names of audited individuals (within audit content) | Same | Customer is controller; provider is processor |
| Third-party data referenced in audits | Same | Customer is controller |
2.4 Special category data (Article 9 GDPR)
No special category data is intentionally collected. If audit content uploaded by SaaS customers includes health, criminal, or other Article 9 data of third parties, the customer (as controller) is responsible for the Article 9 lawful basis. This responsibility is made explicit in the Data Processing Addendum.
03Lawful basis matrix
| Activity | Lawful basis | GDPR Article |
|---|---|---|
| Public assessment scoring | Legitimate interest | Art. 6(1)(f) |
| Email capture for assessment results | Consent | Art. 6(1)(a) |
| Newsletter delivery | Consent | Art. 6(1)(a) |
| SaaS account management | Contract performance | Art. 6(1)(b) |
| SaaS audit content (as processor) | Contract performance | Art. 6(1)(b) + Art. 28 |
| Security logging (IP addresses) | Legitimate interest | Art. 6(1)(f) |
| Benchmark dataset (anonymised) | Legitimate interest | Art. 6(1)(f) |
| AI processing of responses (substantively considered legitimate-interest balancing — formal LIA documentation is deferred to lawyer review) | Legitimate interest | Art. 6(1)(f) |
04Sub-processors
Personal data is shared only with the sub-processors below, each engaged under a written agreement that includes confidentiality and security obligations. All transfers outside the EU rely on Standard Contractual Clauses combined with the EU-US Data Privacy Framework.
| Provider | Service | Region | Transfer mechanism | DPA |
|---|---|---|---|---|
| Cloudflare, Inc. | Workers, D1, KV, R2, Pages, Web Analytics (cookieless) | Global edge (US HQ) | SCC + EU-US Data Privacy Framework | cloudflare.com |
| Anthropic, PBC | Claude API (Sonnet 4.6) — AI inference for assessment narratives, audit suggestions, expert chat | US | SCC + EU-US Data Privacy Framework | anthropic.com |
| Resend, Inc. | Transactional email (magic links, assessment results) | US | SCC + EU-US Data Privacy Framework | resend.com |
Anthropic — additional facts. The Standard API tier is used. Inputs and outputs sent to the Anthropic API are not used to train Anthropic's models, per Anthropic's Commercial Terms. Default retention is 30 days for abuse monitoring. Zero Data Retention is available on enterprise request and will be pursued at the first paid SaaS contract that requires it.
Sub-processor change notification. Any change to this list will be notified by email to existing paid customers and updated on the Data Processing Addendum page at least 30 days before the new sub-processor goes live.
05International transfers
Cloudflare, Anthropic, and Resend are US-based providers. All transfers rely on the European Commission's Standard Contractual Clauses (Module 2 — controller to processor) supplemented by the EU-US Data Privacy Framework, where the provider is DPF-certified. Transfer impact assessment material is available to enterprise customers on request.
The EU-US Data Privacy Framework remains valid: the EU General Court upheld it on 3 September 2025 (Latombe v Commission, T-553/23). An appeal to the Court of Justice of the EU is pending (C-703/25 P, filed 31 October 2025). Because the Standard Contractual Clauses are the primary transfer mechanism used here — with the Data Privacy Framework as a supplement rather than a sole reliance — transfers remain lawful independently of the appeal's outcome. Developments are monitored.
06Cookies and analytics
This platform does not use third-party advertising cookies, third-party analytics cookies, or any tracking that requires a cookie consent banner. The only analytics is Cloudflare Web Analytics, which is cookieless and aggregates traffic at the edge without storing browser fingerprints.
Functional cookies (or equivalent local storage) are used only by the SaaS audit platform for authentication session continuity. These are strictly necessary for the platform to function and are not subject to consent under ePrivacy Directive Article 5(3) exemption.
07Your rights
Under the GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure — request deletion (Art. 17)
- Restriction of processing (Art. 18)
- Portability of data you provided (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, where processing is based on consent (Art. 7(3))
How to exercise your rights
Send your request to privacy@diagnosticmind.eu. The response time is 30 days from receipt of a valid request, extendable by 60 days for complex requests with notification under Article 12(3).
Identity verification
- If you are a SaaS account holder, send the request from your registered account email.
- If you are not an account holder, a government-issued ID is required to verify the request. The ID is deleted immediately after verification. Verification correspondence is retained for 12 months for audit trail.
Right to lodge a complaint
The lead supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD) in Portugal. You retain the right to lodge a complaint with the CNPD or with your local supervisory authority — cnpd.pt.
08Security
The technical and organisational measures protecting personal data are documented on the Security page. Highlights:
- HTTPS enforced with HSTS preload
- Encryption at rest by Cloudflare default for D1, KV, R2
- Passwordless authentication (magic links — no stored passwords)
- 72-hour breach notification to authority and affected customers, per Articles 33 and 34
09AI processing
AI features in the platform are documented in detail on the AI Governance page. Summary relevant to data handling:
- The model used is Claude Sonnet 4.6, accessed via the Anthropic Standard API.
- Inputs and outputs are not used to train Anthropic's models.
- All AI suggestions in the audit platform are reviewable, editable, and final decisions are made by the human lead auditor — never automatically applied.
- Self-classification under the EU AI Act: Limited Risk (Article 50 transparency obligations apply from 2 August 2026; the Digital Omnibus deferral of high-risk obligations does not affect this classification).
10Changes to this policy
This policy is versioned. Material changes — meaning changes that affect lawful basis, retention, sub-processors, or your rights — will be notified by email to existing paid customers at least 30 days in advance and will be reflected in the updated date at the top of this page. Non-material editorial changes (clarifications, typo corrections) are made silently.
11Acknowledged residual risks
For full transparency:
- A formal Data Protection Impact Assessment is committed before the first paid SaaS customer onboards. It is not yet completed because conducting it without active customers operates on hypothetical processing patterns.
- Lawyer-reviewed legal documentation is committed at the first enterprise contract. The current pages are best-effort defensible — accurate, considered, and reflective of operational reality, but not yet externally counsel-reviewed.
- Formal Records of Processing Activities (Article 30) and a documented Legitimate Interest Assessment are committed at the first enterprise contract. The substantive analysis underlying both has been performed; only the formal documentation is deferred.
These residuals are accepted consciously, not concealed.