Privacy Policy

Privacy Policy

How we process your personal data when you use the website and submit the form.

Last update: 27/02/2026

1) Who is the data controller

The controller of the personal data collected through this website is the entity operating the “IMT Portugal” service and handling contact/legal assessment requests.

IMT and Stamp Duty Portugal

2) What data we collect

When you submit the form, we may collect:

  • Contact data: name, email and phone (if provided).
  • Request data: area of interest, message/question and additional details.
  • Optional context data: estimated property value, location (text), property use (HPP/secondary), age and tax residence country.
  • Technical and usage data: IP address, IP country, user-agent (device/browser), page URL, referrer and campaign parameters (UTM/gclid/fbclid), when available.

Anti-spam: we use Cloudflare Turnstile to prevent automated submissions. This mechanism may process/evaluate technical signals necessary for security and abuse prevention.

3) Purposes and legal bases

  • Responding to your request and providing professional contact — pre-contractual steps at the data subject’s request and/or contract performance (when applicable).
  • Preliminary assessment of your eligibility based on the submitted information — pre-contractual steps and/or legitimate interest in providing an appropriate response.
  • Security and fraud/abuse prevention (e.g., anti-spam, rate limiting) — legitimate interest.
  • Compliance and record-keeping of communications (when necessary) — compliance with legal obligations and/or legitimate interest.

4) Who we share data with (processors)

We may use service providers that process data on our behalf, including:

  • Cloudflare (infrastructure/security) to operate the form and store request records.
  • Mailgun to send notifications.

Access is limited to what is necessary for the service and subject to confidentiality and security obligations.

5) International transfers

Data may be processed by providers with internationally distributed infrastructure. Where applicable, appropriate safeguards (e.g., Standard Contractual Clauses) are used to protect personal data.

6) Retention periods

We retain data for the period necessary to handle the request and comply with legal or record-keeping requirements.

  • Requests/leads: typically up to 12 months after the last contact, unless longer retention is required by law or for case record-keeping.
  • Technical logs (security/anti-abuse): variable periods, generally limited to what is necessary for protection and auditing.

These periods may be adjusted depending on the nature of the request and applicable legal/professional requirements.

7) Data subject rights

Under the GDPR, you may exercise the following rights: access, rectification, erasure, restriction, objection and portability (where applicable).

To exercise your rights, contact: [email protected]

8) Security and confidentiality

We apply appropriate technical and organisational measures to protect data (e.g., access controls, logging and monitoring, anti-spam and abuse protection).

Where the request is handled by legal professionals, confidentiality and professional secrecy duties may apply under applicable law.

9) Changes to this policy

We may update this Privacy Policy to reflect service improvements or legal/operational changes. The “last update” date will be revised accordingly.

Back to the form