Privacy Policy

Last Updated: 30 November 2025

Your privacy and the protection of your personal data are priorities for Proofmarked. This Privacy Policy explains in clear and transparent terms how we collect, use, disclose, and protect your personal data when you interact with Proofmarked's services. It also outlines your rights regarding your personal data and how you can exercise them.

By using our services, you acknowledge that you have read and understood this Privacy Policy.

1. Scope of Application

This Privacy Policy applies to the personal data processed by Proofmarked in the context of all services offered under the Proofmarked brand. It covers your use of:

• The Proofmarked website (www.proofmarked.com) and any related pages or domains (including the business customer portal).
• The Proofmarked browser extension used by end consumers.
• Any contact or support channels (such as contact forms, emails, or customer support communications).
• Any other tools, applications, or features provided by Proofmarked that reference this Privacy Policy.

Please note that our website may contain links to third-party websites or services that are not operated by Proofmarked. This Privacy Policy does not apply to those third-party sites or services. We advise you to review the privacy policies of any external sites you visit. Proofmarked is not responsible for the content or privacy practices of third parties.

2. Proofmarked as a Data Controller

In certain situations, Proofmarked determines the purposes and means of processing personal data, acting in its own capacity and interest. This occurs particularly in the context of managing its website, user communications, and general business operations.

When Proofmarked determines the purpose and means of data processing, it acts as the Data Controller, in accordance with Article 4(7) of the General Data Protection Regulation ("GDPR").

Proofmarked, Lda., a private limited liability company incorporated under the laws of Portugal, with its registered office at Rua João Saraiva, N.º 38 1700-250 Lisboa, with a share capital of €5000 (five thousand euros).

3. Proofmarked as a Data Processor

In certain situations, Proofmarked may process personal data on behalf of our business clients. This means Proofmarked is acting as a "Data Processor" under Article 28 GDPR, following the instructions of the client (who is the Data Controller for that data). Such scenarios occur when a business client uses the Proofmarked platform or services and provides personal data for us to process solely for that client's purposes.

Processing activities carried out by Proofmarked as a Data Processor are governed by the applicable Data Processing Agreement (DPA), which shall prevail in case of any conflict with this Privacy Policy.

When Proofmarked acts as a processor for a client:

• We process the data only on the documented instructions of the client and for the purposes that the client (Data Controller) has determined.
• We do not use or share that data for our own purposes.
• We ensure appropriate confidentiality, security measures, and data protection agreements are in place as required by GDPR.
• Any personal data processed on behalf of a client will be handled and retained according to the client's instructions (see Data Retention below), and we will assist the client in fulfilling their GDPR obligations when applicable.

Important: If you are an end-user or customer of one of our business clients, and your data is processed through the Proofmarked service, that business client's privacy policy will govern how your data is used. In such cases, any requests to access, correct, or delete your data should be directed to the relevant business client. Proofmarked will assist our clients in responding to such requests as needed and as permitted by law.

4. What Personal Data Do We Collect?

The personal data we collect depends on how you interact with Proofmarked. Generally, we collect data in two main contexts:

(1) when we deal with you directly as a website visitor or business customer (Proofmarked as Data Controller), and

(2) when we handle data on behalf of a client (Proofmarked as Data Processor).

Below we outline the categories of personal data involved in each context.

Information concerning our clients (which are typically not natural persons) is generally not personal data. However, we may collect and process personal data of individuals representing or using the services on behalf of those Clients, in which case this Policy applies.

(1) Personal Data We Collect and Process as a Controller

In its capacity as a controller, Proofmarked may collect and process the following categories of personal data:

• Identification and Contact Data: Information that allows us to identify or communicate with you as a natural person, such as your name, professional email address, phone number, and the name of the company you represent. We collect this data when you interact with us, by filling out a contact form, requesting access to our platform, or corresponding with our team.

• Professional Information: If you act on behalf of a business Client, we may collect information about your role, job title, department, and the organization you represent. Although primarily professional, this may qualify as personal data when linked to you as an individual.

• Account Credentials: When you create an account on our business portal, we collect your login credentials (such as username and password) and related authentication data. Passwords are securely stored using encryption and are never accessible in plain text.

• Technical and Browsing Data: When you visit our website or portal, we process limited technical information that is strictly necessary to ensure the security, stability, and proper functioning of our services. This may include IP address, browser type, device information, operating system, referring URL, and timestamps of access. Proofmarked does not use analytics, marketing, or advertising cookies, and does not track users for behavioural analysis or profiling purposes. Any technical logs collected are used solely for security, abuse prevention, and service reliability and are processed in an aggregated and non-identifying manner. For further information on cookies and similar technologies, please refer to our Cookie Policy.

• Usage Data: If you are a business client using our platform, we may collect data about how you use our services. For example, logs of actions taken in the dashboard, API calls made, features utilized, and other service performance metrics. While primarily tied to a company account, this may be associated with specific user identities or email addresses. This data is used to monitor service usage, improve features, and support you as a customer.

• Communication Records: If you contact Proofmarked for support or inquiries (via email, phone, or other channels), we will keep records of that correspondence. This may include your contact details, the date and time of communications, and any information you share during the conversation (such as details of a support issue).

• Billing and Financial Information: For paid Clients, we process billing details such as company name, VAT/NIF number, billing address, and transaction history. Although this data generally relates to companies, it may occasionally include personal data (for instance, if the billing contact is an individual).

• Any Other Information You Provide Voluntarily: You might provide additional personal data when interacting with us, such as when responding to surveys, participating in a marketing event, or providing feedback. We will collect and use any such information in accordance with this Policy.

We make sure to collect only the minimum personal data necessary for the relevant purpose. When certain data is requested for a specific service or feature, we will indicate if providing that information is required. If you choose not to provide required data, some services or features may not be available.

(2) Personal Data We Collect and Process as a Processor

When Proofmarked operates as a service provider for our clients, the personal data processed depends on what our client submits or uses in our platform. In general, the types of personal data that we might handle on behalf of a client include:

• Identification or Contact Details of Individuals that our client chooses to input into the Proofmarked system or share with us. For example, a client might provide details of their own customers or users (names, emails, etc.) if such data is needed to integrate our trust-mark services or to investigate phishing reports. (Note: Proofmarked's core service is designed not to require end-customer personal data in most cases. However, we mention these categories for completeness in case any client-initiated process involves personal information.)

• Any Personal Data Contained in Client Materials: This could include any information embedded in documents, images, or other content a client submits to Proofmarked for analysis or processing. For instance, if a client shares a list of fraudulent websites or phishing emails that include personal data (such as an individual's name or email in a phishing report), we will process that information only as needed to provide the service (to help take down a malicious site) and under the client's direction.

• Professional or Organizational Data: If a client manages user accounts or permissions on our platform for their staff or associates, we may process those users' details (name, email, role) on the client's behalf to administer access to the service.

In these cases, Proofmarked acts as a Data Processor, and the Client is the Data Controller. The terms governing such processing are set out in the applicable Master Services Agreement (MSA) and Data Processing Agreement (DPA) executed between the parties.

Data Collected by the Proofmarked Browser Extension (End Consumers)

Proofmarked's browser extension is built with privacy by design. If you are an end-user installing and using the Proofmarked extension, we want to reassure you that we do not collect personal data through the extension. The extension's functionality operates locally in your browser and communicates with our servers only in very limited ways necessary for it to function (for example, to check a website's trust status). These communications are anonymized and do not include your personal information.

Specifically, we do NOT collect from consumer extension users:

• No personally identifiable information (PII): We do not ask for or record your name, email, phone number, or any contact details when you use the extension.

• No browsing history or website content: The extension does not track which websites you visit or what you do on those websites. It only checks, in real-time, if a visited site's URL/domain has a Proofmarked trust indicator, without logging the visit against your identity.

• No cookies or tracking tokens: The extension does not plant or use cookies, nor does it create persistent identifiers to follow your browsing.

• No precise location information: We do not collect GPS or any precise location data from your device via the extension.

• No device fingerprinting or behavioural profiling: We do not attempt to uniquely identify your device beyond what is necessary for security. We do not collect metrics on your behaviour for advertising or other purposes.

• No keystrokes or form data: The extension does not access your inputs or personal data on websites you visit.

The extension only communicates with Proofmarked servers for essential technical functionality. For example, it may query our service to ask, "Is this website proofmarked (verified)?" and get a simple yes/no or related trust data. These queries are not tied to your personal identity. We may rely on transient technical identifiers strictly necessary for the extension to function securely. These identifiers are not used to track users, create profiles, or identify individuals.

Standard network information like an IP address may transiently pass through our server logs when the extension checks a site, but we do not store or use it to profile users.

5. For What Purposes Do We Process Your Data?

We collect and use personal data only for specific, explicit, and legitimate purposes. Depending on the context in which you interact with Proofmarked, we process your data under different legal bases permitted by the GDPR. Below, we detail the purposes for which Proofmarked uses personal data, categorized by whether we act as a controller or processor, and outline the relevant data involved, legal basis, and typical retention period for each purpose.

(1) Processing Activities When Proofmarked is a Controller:

In these cases, Proofmarked decides why and how (purposes and means) the data is processed.

• Account Setup and Service Delivery (Business Clients): When you request access to Proofmarked or sign up for an account on our platform, we process your personal and business information to create and manage your user or customer account, authenticate you, and provide our SaaS services to you. This includes allowing you to whitelist domains, verify trademark ownership, configure the Proofmarked trust indicators, and generally use the platform's features. We also use your data to fulfil any contracts or agreements we have with you: for example, to provide customer support, to enable the browser extension functionality for your domains, and to monitor usage for fair use and security.

  • Data processed: identification and contact details, account credentials and login data, business information, usage data on the platform, and payment details (if applicable).

  • Legal basis: Performance of a contract to which you (or your company) are a party, or to take pre-contractual steps at your request, in accordance with Article 6(1)(b) of the GDPR. Without this data, we cannot provide the Proofmarked services you've requested.

  • Retention: We retain your account data for as long as you are an active customer. If you terminate your account, we will delete or anonymize personal data associated with your account up to 2 (two) years after account closure, except for data we must keep longer to comply with legal obligations.

• Payment and Billing Administration: To process subscription fees or other payments, we handle billing contact information and liaise with third-party payment processors.

  • Data processed: billing name and address, tax identification (if needed on invoices), transaction amounts, and payment method details (note: credit card or bank info is usually processed directly by our payment provider and not stored in full by Proofmarked).

  • Legal basis: Performance of contract, in accordance with Article 6(1)(b) of the GDPR, for processing payments you owe under our agreement, and compliance with a legal obligation, in accordance with Article 6(1)(c) of the GDPR, for financial record-keeping (tax and accounting laws require us to retain invoices and other financial data).

  • Retention: We retain invoice and transaction records for a period of 10 years, or as otherwise required by applicable tax and accounting laws in Portugal, even after your account is closed. This retention is necessary to comply with our legal obligations. We do not store full payment method details; however, we may retain tokenized references or minimal billing metadata for the purpose of managing recurring payments until the end of the subscription period.

• Customer Support and Contact Requests: If you reach out to us with a question, support ticket, or feedback (via email, contact form, or phone), we use your information to respond and resolve your request.

  • Data processed: your name, contact information (email/phone), and the content of your request. We may also process technical data (such as error logs, screenshots) or account data if needed to troubleshoot an issue you're facing.

  • Legal basis: Our legitimate interest, in accordance with Article 6(1)(f) of the GDPR, in providing effective support and ensuring customer satisfaction. When you contact us, it's understood that we need to process your data to assist you. In some cases, handling your request may also be considered pre-contractual steps (Article 6(1)(c) GDPR) if you're asking about our service before deciding to sign up.

  • Retention: Support communications are typically retained for the duration of the issue and a period afterward. We generally keep support records for up to 3 (three) years after resolution, which helps us maintain a history of service and improve our support process. This also allows us to refer back if you have follow-up issues. Content that is purely informational (like general inquiries not leading to a contract) may be kept for a shorter period.

• Website Functionality, Security, and Performance Monitoring: When you access our website, Proofmarked processes limited technical data to ensure the website functions correctly, remains secure, and is protected against malicious activity. This includes detecting abuse, preventing fraud, and maintaining service availability.

  • Data processed: Technical data strictly necessary for security and operational purposes, such as IP address, browser type and version, device and operating system information, referring URL, and timestamps of access. Any cookies used are strictly necessary for security, authentication, and service integrity, as described in our Cookie Policy.

  • Legal basis: Our legitimate interest, in accordance with Article 6(1)(f) of the GDPR, in maintaining website integrity, preventing fraud, and improving our services applies. We have a legitimate interest in understanding site performance and ensuring network and information security.

  • Retention: Technical logs and related data are retained only for as long as necessary to achieve the security and operational purposes described above. Where possible, such data is aggregated or anonymized. Cookies persist for the duration defined in our Cookie Policy.

• Marketing and Communications: If you are a contact person for a business client or you subscribed to our newsletter or updates, we may use your information to send you newsletters, product updates, marketing communications, or to invite you to events/webinars. We strive to send communications that are relevant and not excessive.

  • Data processed: your name, email address, company, and communication preferences. We also might note your interactions with our communications to gauge engagement, but this is typically aggregated.

  • Legal basis: Consent, according to Article 6(1)(a) of the GDPR. We will only send you email marketing if you have opted in. You can withdraw your consent at any time by clicking "unsubscribe" in those emails or contacting us. For existing customers, in some cases, we may rely on our legitimate interest, in accordance with Article 6(1)(f) of the GDPR, to inform you about similar services or updates that you might find useful, but we will always honour objection or opt-out requests immediately.

  • Retention: We keep marketing subscription data until you unsubscribe or for a period of up to 3 years after your last interaction with us (whichever comes first). If you are a business client contact, we may keep your contact info on a marketing suppression list thereafter to ensure we don't accidentally send you emails if you've opted out.

• Service Improvements and Research & Development: We may use data (mostly aggregated or pseudonymized) about how our clients use Proofmarked to improve our platform and develop new features. This includes analysing usage trends, performance metrics, and user feedback.

  • Data processed: Aggregated or pseudonymized usage data from the platform (such as feature adoption, service performance metrics, and error rates) and feedback provided by users. This data is not used for behavioural tracking and is not derived from analytics or marketing cookies.

  • Legal basis: Legitimate interest, according to Article 6(1)(f) of the GDPR. It is in our interest (and generally in our customers' interest) that we continuously improve our services, ensure usability, and innovate based on how the service is used.

  • Retention: Improvement-related data is often aggregated and kept indefinitely in a non-personal format. Any personal identifiers in raw usage logs are either removed or heavily minimized after at most 2 years.

• Legal Compliance and Risk Management: We will process personal data as necessary to comply with our legal obligations, such as maintaining business records, preventing illegal activities (fraud, money laundering), and responding to lawful requests by authorities. We also may process data to establish or defend legal claims if needed.

  • Data processed: This could include any of the data categories relevant to the specific legal requirement. For example, retaining contract and payment information for auditing, or identification data to respond to a law enforcement subpoena.

  • Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR) when processing is required by law and legitimate interest (Article 6(1)(f) GDPR) in protecting our rights, property, and ensuring security or enforcement of contracts.

  • Retention: Such data is kept as long as required by the specific law or as long as necessary to resolve the particular legal matter. For instance, tax and accounting records are kept for 10 years as mandated by Portuguese law. Data involved in a dispute or legal claim may be retained until the matter is fully resolved, plus any additional statute-of-limitations period.

• Business Operations and B2B Relationships: If you are a representative or employee of one of our suppliers, partners, or corporate customers, we may process your contact details in the context of our business-to-business communications and operations. For example, to negotiate and manage contracts with vendors, or to collaborate with partners in joint initiatives.

  • Data processed: name, professional contact details, role, and any business communications exchanged.

  • Legal basis: Legitimate interest in managing our business relationships and fulfilling contracts with other organizations (Article 6(1)(f) GDPR), or performance of a contract (Article 6(1)(b) GDPR) if you are personally a contracting party.

  • Retention: Business contact data is kept for the duration of the relationship and then archived according to legal requirements. For example, contracts and related communications might be kept for 5 years after the contract ends. Prospect or partner contact information used for B2B outreach is typically kept for up to 3 years from the last interaction, unless you object or request deletion sooner.

• Recruitment (Job Applicants): (If you apply for a job at Proofmarked) Although not a user-facing service, if we collect CVs or job applications, we will use candidate data to process and evaluate applications.

  • Data processed: CV/resume details, contact information, education and work history, and any other info you provide in your application or interviews.

  • Legal basis: Pre-contractual steps at the request of the data subject (Art. 6(1)(b) GDPR). Also, consent (Art. 6(1)(a) GDPR) for retaining CVs for future opportunities (if you explicitly agree to that).

  • Retention: If you are not hired, we may retain your application data for up to 2 years after the process (in case suitable positions arise or for legal record of the hiring process), unless you do not consent or remove your consent. If you join Proofmarked, your application data becomes part of your employee record and will be retained accordingly.

(2) Processing Activities When Proofmarked is a Processor:

When our clients utilize Proofmarked's services in a way that involves processing personal data of their end-users or others, we perform that processing strictly for the following purposes:

• Providing the Proofmarked Service to Our Client: We use the personal data provided by the client to perform the functions that the client has signed up for. This primarily includes the technical hosting and operation of the Proofmarked platform features for that client, performing maintenance, updates, and support related to the service, and any necessary technical processing to enable the client's use cases.

• Operational Communications (on behalf of client): In general, Proofmarked does not contact our clients' end-users directly. However, if as part of the service, it is necessary to send an email or notification to an end-user, we would process the necessary data strictly to send that communication, following the client's instructions.

• Data Storage and Management: We will store and organize the personal data input by the client (if any) on our secure systems so that the client can retrieve and use it. We may perform backups and implement recovery measures as part of maintaining the service, which involves handling the data but not altering it except as needed for reliability.

In all these cases where we act as a Data Processor:

• Data processed: Typically includes identification data and any personal information that the client has chosen to submit or manage using our platform. It may also include professional data related to those individuals. We do not add to or enrich this data; we simply process what the client provides or instructs.

• Legal basis: From Proofmarked's perspective, the legal basis is the contract with our client to provide the service (Article 6(1)(b) of the GDPR) as between Proofmarked and the client, and Article 28 obligations for processing on instructions. The client is responsible for ensuring they have a valid legal basis to collect and have us process that personal data.

• Retention: We retain the data on behalf of the client for the period defined in our agreement with them. Generally, we will not keep such data longer than the duration of the client's use of Proofmarked services. Upon termination of the client's contract or upon their instruction, we will either return the data to the client or delete it, except for any copies we must retain by law or for legitimate business record-keeping, which will be handled securely. We also periodically delete any client data that is no longer necessary for the service, in line with our Data Processing Agreement terms.

6. How Do We Share Personal Data?

We treat your personal data with care and confidentiality. Proofmarked does not sell your personal information to any third parties. We only share your data in the following circumstances and with appropriate safeguards:

• Internal Sharing within Proofmarked: Your data is accessed only by authorized personnel of Proofmarked who need it to perform their job duties and provide our services. Internal access to personal data is strictly controlled on a "need-to-know" basis. Staff only see the data required for their function, and all employees and contractors are bound by confidentiality obligations.

• Service Providers (Sub-processors): We may share personal data with trusted third-party vendors who perform services on our behalf and under our instructions. These providers help us run our business operations and the Proofmarked platform. They include, for example:

  • Cloud hosting and infrastructure providers (for secure data storage, servers, and cloud services).
  • IT support and maintenance services (ensuring our platform and website are up-to-date and secure).
  • Payment processors (to handle credit card transactions and billing securely, and fraud prevention services to protect against payment abuse).
  • Email and communication services (for sending service-related emails, newsletters, or support communications).
  • Infrastructure monitoring and security service providers used solely for error detection, system reliability, and abuse prevention, without user profiling or behavioural tracking.
  • Other specialized vendors as needed, such as security auditors or backup services.

  These service providers act as our data processors (sub-contractors). We make sure to sign data processing agreements (DPAs) with them that require them to:

  • Use the data only for the purposes we specify and not for their own purposes.
  • Keep the data confidential and secure, implementing appropriate technical and organizational measures.
  • Assist us in complying with data protection requirements.

  We carefully vet our vendors for strong data protection practices and choose providers who offer guarantees of GDPR-level protection. A list of our major sub-processors can be made available on request.

• Business Partners or Third Parties at Your Direction: In certain cases, we might share data with independent third parties when it is necessary for the service or you explicitly request it. For example, if verifying your trademark is part of our service onboarding, we may share relevant information with official verification entities like the World Intellectual Property Organization (WIPO) or the Trademark Clearinghouse to confirm your rights. This is done to fulfil the service of authenticating your brand.

  • In all such cases, the third parties will receive only the information required, and they will handle your data as independent Data Controllers under their own privacy policies. We recommend you review those policies when relevant.

• Legal Obligations and Safety: We may disclose personal data to third parties (such as courts, law enforcement authorities, regulators, or legal counsel) if and to the extent we are required or allowed by law.

  • In these cases, we will, when possible and legally permitted, notify you of such disclosure. We will also ensure any request is legitimate (e.g., we may seek to narrow a request or object if it overreaches or lacks proper authority).

• Business Transfers: If Proofmarked undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of its assets, personal data may be transferred to the successor entity as part of the transaction. We will ensure that the new owner will continue to handle your personal data in accordance with this Privacy Policy (or inform you of any changes). If such a transfer would result in a material change in the way your data is used, you will be given the opportunity to opt out or exercise your rights as appropriate.

In all sharing scenarios, we aim to apply the principle of data minimization, which means that only the data that is necessary for the specific purpose will be shared. We also document all our data sharing arrangements to maintain transparency and accountability.

7. International Data Transfers

Proofmarked operates primarily from Portugal (within the European Economic Area, EEA). We endeavour to store and process personal data within the EEA whenever possible.

However, some of our service providers or partner organizations may be located outside of the EEA, or use servers located in other countries. This means your personal data might be transferred to or accessed from countries outside the EU/EEA.

For example, we have a branch in the United States and some infrastructure or backup services could be hosted in non-EU regions. Additionally, if you are using our services from outside the EU, your data will inherently travel across international borders to reach our servers.

When we transfer personal data internationally, we take appropriate safeguards in accordance with GDPR requirements to ensure your data remains protected. These safeguards include:

• Adequacy Decisions: In cases where data is sent to countries that the EU has recognized as having adequate data protection laws, we rely on those decisions.

• Standard Contractual Clauses (SCCs): We incorporate the latest EU-approved SCCs in our contracts with service providers outside the EEA, obligating them to protect EU personal data to European standards.

• Supplementary Measures: We assess, on a case-by-case basis, whether additional technical or organizational measures are needed to ensure data security when transferring. This may include encryption of data in transit and at rest, pseudonymization of data, and strict access controls. We also contractually prohibit foreign recipients of the data from disclosing it or using it for purposes other than those we specify.

By using our services, you understand that your personal data may be transferred internationally as described.

8. How do We Protect Our Data?

Proofmarked implements a variety of technical and organizational security measures to guard your personal data against unauthorized access, disclosure, alteration, or destruction. We are committed to upholding a high standard of security appropriate to the sensitivity of the data we handle. Our security practices include:

• Access Control: Internal access to personal data is tightly restricted. Only employees or contractors who have a legitimate business need to access your data can do so, and they are given the minimum access privileges necessary. All staff with such access are bound by confidentiality agreements. We use role-based access controls and regular review of access rights.

• Encryption: We employ encryption to protect data in transit and at rest. For example, data exchanged between your browser and our website/servers is secured via HTTPS/TLS encryption. Sensitive data stored in our databases is encrypted or hashed.

• Network and Application Security: Our infrastructure is protected by firewalls and monitoring systems that guard against intrusions. We keep our software and systems updated with security patches. We use anti-malware, intrusion detection/prevention systems, and conduct regular vulnerability scans and penetration testing to identify and address potential weaknesses.

• Organizational Policies: We have internal policies and procedures for data protection, including incident response plans, regular security training for employees, and protocols for handling personal data. We conduct periodic assessments and audits of our data handling practices to ensure compliance with GDPR and security standards. We also require any temporary or contract staff to follow the same rules when handling data.

• Vendor Management: As noted, any third-party service providers we use are carefully evaluated for security, and we ensure they contractually commit to protecting personal data.

• Backups and Resilience: We perform regular backups of critical data to prevent data loss. Backup data is stored securely (often encrypted) and tested for restorability. Our systems are designed with redundancy and failover capabilities to ensure continuity of service and protection of data in case of hardware or software failures.

• Data Minimization: We strive to collect only the data that is necessary, and we purge or anonymize data that we no longer need.

Proofmarked is ISO/IEC 27001 certified and SOC 2 Type II certified, demonstrating its ongoing commitment to best practices in information security management and compliance with industry standards.

9. Your Rights as a Data Subject

Under the GDPR (and corresponding data protection laws), individuals have certain rights regarding their personal data. Proofmarked is committed to facilitating the exercise of these rights. Here is an overview of your rights and how you can use them:

Right of Access: You have the right to obtain confirmation whether or not we are processing personal data about you, and if so, request access to that data. We will provide you with a copy of the personal data we hold about you, along with information on how we use it, who we share it with, and how long we intend to keep it, among other details.

Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to keep your account information up-to-date, and we will promptly make corrections based on your instructions (within reason).

Right to Erasure (Right to be "Forgotten"): You can ask us to delete your personal data in certain circumstances. For example, if the data is no longer necessary for the purposes it was collected, if you withdraw consent (where the processing was based on consent) and we have no other legal basis, or if you object to processing and we have no overriding legitimate grounds to continue. Please note, for legal or contractual reasons we may not be able to delete certain data immediately, but we will inform you of such situations if they apply.

Right to Data Portability: You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. This right applies when processing is based on your consent or on a contract with you and is carried out by automated means.

Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or if we need to continue processing for the establishment, exercise, or defence of legal claims. You also have an absolute right to object to the processing of your data for direct marketing purposes at any time.

Right to Restriction of Processing: You can request that we limit the processing of your personal data in certain situations. This is an alternative to full deletion, for example, you might request restriction if you contest the accuracy of the data or if you have objected to processing and are awaiting verification of whether our legitimate grounds override yours. When processing is restricted, we will store your data but not use it (unless for establishing or defending legal claims, or with your consent).

Right not to be Subject to Automated Decision-Making: Proofmarked does not make any legally significant decisions about you solely by automated means (with no human involvement) or does profiling in a way that produces legal or similarly significant effects. In the event that we ever implement automated decision-making that could affect you, you would have the right to request human intervention, express your point of view, and contest the decision.

10. Right to Lodge a Complaint

If you have any concerns about how Proofmarked is handling your personal data, we kindly ask you to contact us first, and we will do our best to address the issue. Your privacy is important to us, and we will work with you to resolve any problems.

However, if you believe we have not handled your personal data lawfully or satisfied your rights, you also have the right to lodge a complaint with a supervisory authority (data protection regulator).

For Proofmarked's operations in Portugal, the relevant supervisory authority is Comissão Nacional de Proteção de Dados (CNPD).

• Address: Av. Dom Carlos I 134 1, 1200-651 Lisboa
• Website: Lodge a Complaint Here

If you reside or work in another European Union member state, you may alternatively lodge a complaint with your local Data Protection Authority.

11. Changes to This Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the "Last Updated" date at the top of the Policy.

If we make material changes (significant alterations to how we process your data or your rights), we will inform you in a clear manner. For example, we might notify our business customers via email or display a prominent notice on our website or portal. For minor or clarifying updates that do not significantly affect your rights, we may simply post the revised Policy on our site.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Where required by law, Proofmarked will obtain your consent for material changes affecting how your personal data is processed. Otherwise, continued use of the services after an update means that the updated Policy applies on a forward-looking basis.

12. Contact Us

If you wish to exercise your rights or have any questions, concerns, or feedback regarding this Privacy Policy or our privacy practices, please do not hesitate to reach out:

Proofmarked, Lda.

Mail: Rua João Saraiva, N.º 38 1700-250 Lisboa

E-mail: legal@proofmarked.com

Contact Form: Here

To help us process your request efficiently, please clearly state which right you wish to exercise and provide relevant details. We may need to verify your identity to ensure we do not disclose or modify data to the wrong person; we might ask for information to confirm you are who you claim to be.

We will be happy to assist you and address any issues.

Thank you for trusting Proofmarked with your personal data. We are committed to keeping that trust by safeguarding your privacy and security every step of the way.