Webfy Logo
Create Free AccountSign In
Talk to us

Privacy Policy

Last updated: May 2026

1. Data Controller

Webfy is the entity responsible for the processing of personal data collected through the website webfy.pt and associated services.

For privacy-related questions, you can contact us via email: geral@webfy.pt

2. Personal Data Collected

We collect the following personal data when you use our services:

  • Identification data: full name, email address, phone number
  • Authentication data: login credentials (email/password or Google authentication)
  • Business data: information about your company or project (company name, industry, business description, visual references)
  • AI assistant conversation: when you use the assistant to prepare your site briefing, we store the full message history, the suggestions the assistant generated and the conversation state
  • Call scheduling with the Team: the time slots you propose, your preferred channel (phone, video call, WhatsApp or "no preference"), notes you add to the request, the Team's counter-proposal and the meeting link sent by the administrator
  • Project Demo status: current phase (in development, under review, approved, declined, archived), the temporary URL where the Demo is available and the dates of your decisions (approval or rejection)
  • Payment data: processed directly by Stripe — we do not store card data on our servers
  • Technical data: IP address, browser type, pages visited

3. Purpose of Processing

Your data is processed for the following purposes:

  • Creation and management of your user account
  • Provision of contracted services (website creation and hosting)
  • Conversational assistance by our AI assistant to define the site structure
  • Structured scheduling of calls with the Team, with time slots proposed by the client and confirmation by email
  • Payment processing and invoicing
  • Communication about the status of your projects
  • Sending service-related notifications (payment reminders, hosting status)
  • Improvement of our services and user experience

4. Legal Basis

The processing of your data is based on the following legal grounds, under the General Data Protection Regulation (GDPR):

  • Contract performance: processing necessary for the provision of the services you contracted
  • Consent: when you expressly authorise us (e.g., account creation)
  • Legitimate interest: for service improvement and fraud prevention
  • Legal obligation: compliance with tax and legal obligations

5. Data Sharing with Third Parties

Your data may be shared with the following service providers, strictly for the purposes described:

  • Stripe: payment processing (card, Apple Pay, Google Pay, MB WAY, Revolut Pay, Samsung Pay, Klarna, Link, PIX)
  • Supabase: data storage and authentication
  • Google: authentication via Google OAuth (when chosen by the user)
  • Anthropic: provider of the technology that powers our AI assistant (Claude model). Messages exchanged during the assisted briefing are processed by Anthropic for the sole purpose of generating the assistant's response. Anthropic does not retain the content after processing.
  • Resend: transactional email delivery — the recipient's email address and delivery metrics are processed to ensure emails reach the inbox
  • Vercel: hosting of the Webfy platform
  • Hosting provider (internal infrastructure): hosting of the Demos during the review phase and of clients' published websites

We do not sell, rent or share your personal data with third parties for marketing purposes.

Calls with the Team: when a call is confirmed, the administrator picks the tool (Google Meet, Zoom, WhatsApp, phone, etc.) and pastes the meeting link. Webfy does not store recordings of those calls, does not access the call content and does not process metadata from the video call platform — by accepting the invite, the client agrees directly with the policy of the chosen platform.

6. Data Retention

Your personal data is retained as long as you maintain an active account on our platform and for the period necessary to fulfil the purposes for which it was collected. The following specific deadlines also apply:

  • Demos not decided by the client: after 15 days with no decision (approval or rejection), the Demo is automatically archived — it remains accessible but is marked as expired. After 45 days with no decision, it is permanently deleted. You receive several email reminders before expiration.
  • AI assistant conversations: retained for 7 days after the conversation ends, except when the client moves on to the Demo phase — in that case they stay associated with the project for its entire duration.
  • Call requests with the Team: kept for the duration of the project. History of no-shows and cancellations is retained for internal operational analysis.
  • Internal Team notes about the project: kept for the duration of the project plus an additional 2 years, to defend against potential claims.

After account closure, data may be retained for the legally required period for tax and legal purposes.

7. Data Subject Rights

Under the GDPR, you have the following rights:

  • Right of access: obtain confirmation and access to your personal data
  • Right of rectification: correct inaccurate or incomplete data
  • Right to erasure: request the deletion of your personal data
  • Right to restriction: restrict the processing of your data in certain circumstances
  • Right to portability: receive your data in a structured, machine-readable format
  • Right to object: object to the processing of your data for specific purposes

To exercise any of these rights, contact us via email at geral@webfy.pt. We will respond to your request within a maximum of 30 days.

8. Cookies

Our website uses essential cookies for the functioning of the platform, including session cookies for authentication. We do not use third-party tracking or advertising cookies.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. This includes data encryption in transit (HTTPS/TLS), secure authentication and access controls.

10. Changes to This Policy

We reserve the right to update this privacy policy at any time. Any significant changes will be communicated by email or through a notice on the platform. The date of the last update is shown at the top of this page.

11. Contact and Complaints

If you have questions about this policy or about the processing of your personal data, contact us:

You also have the right to lodge a complaint with the Portuguese National Data Protection Commission (CNPD)www.cnpd.pt