Principles of Data Processing and Personal Data Protection
1. What is our commitment
This document reflects our commitment to (i) communicate transparently about the personal data we process and under what conditions we do so; (ii) ensure the security of personal data and the privacy of data subjects; (iii) provide appropriate mechanisms for exercising the rights of personal data subjects; (iv) comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - General Data Protection Regulation (“GDPR”) - and other applicable legislation, including national legislation that complements the GDPR (“Law 58/2019 of 8 August”) in its current version.
To understand how Lenotis processes personal data, we recommend reading this document, visiting the page on our website dedicated to privacy and personal data protection available at, and reviewing the Terms and Conditions of our products and/or services.
The information provided in this policy about personal data processing may be supplemented by specific information about products and/or services provided by Lenotis.
2. Who we are
References in this document to “Lenotis,” “we,” and “our,” include Trovadores D’Equações - LDA, headquartered at Travessa Joaquim Miguel Serra e Moura, nº 71, 2765-030, Cascais, Portugal, registered at the Lisbon Commercial Registry Office under the unique registration and corporate tax number PT 516 684 892, its branches, its representative offices, and any other company, based in Portugal, over which Lenotis has control (“Group”).
Each of the entities mentioned is responsible for the processing of personal data of different categories of data subjects, namely its customers and employees, and who, in that context, decides what data is collected, the means of processing, and the purposes for which the data is processed (“Data Controller”). The respective contact is as follows:
Trovadores D’Equações - LDA, Postal Address: Travessa Joaquim Miguel Serra e Moura, nº 71, 2765-030, Cascais, Portugal Phone: +351 935 250 900 Email Address: contact@lenotis.com
Lenotis has a Data Protection Officer who (i) monitors compliance with applicable data processing standards, (ii) is one of your points of contact for clarifying questions related to data processing, (iii) cooperates with the National Data Protection Commission (“CNPD”), as the supervisory authority, and (iv) provides information and advises Lenotis or subcontracted entities about their obligations in terms of privacy and personal data protection (“Data Protection Officer”).
The contact for our Data Protection Officer is:
Trovadores D’Equações - LDA, Data Protection Officer Postal Address: Travessa Joaquim Miguel Serra e Moura, nº 71, 2765-030, Cascais, Portugal Email Address: legal@lenotis.com
3. What personal data do we collect and process
In essence, personal data is any information that (regardless of its nature or support), directly or in combination with other data, can identify an individual or can be associated with them (“Personal Data”).
Lenotis only collects personal data in compliance with applicable legislation.
We may collect your personal data from different sources, and these data may be related to any of the products and/or services you have contracted, hold or have held in the past, or result from interactions you have had with us, for example, when visiting our websites or mobile applications, or when you contact us by phone about any of our products and/or services.
We may collect some personal data directly through you or from third parties who are intermediaries or are related to the products and/or services you have subscribed to or from other publicly accessible sources.
The following table presents the main categories of personal data that we process:
| Category of personal data | Examples |
|---|---|
| Identification and contacts | Name, identification document number, tax identification number, photograph, facial biometric pattern, signature, address, telephone contact or email address. |
| Biographical data | Date of birth, gender, nationality, place of birth, marital status, household information, academic qualifications or occupational details. |
| Financial data | Financial assets, financial sector liabilities, or monthly salary. |
| Opinions and preferences | Comments on Lenotis' social media presence, or responses to satisfaction questionnaires. |
| Contents | Information contained in written communications between Lenotis and clients, recorded calls (video and/or audio). |
| Images | Images collected through surveillance cameras placed in our facilities. |
| Access accounts | User account, user authentication credentials related to our services. |
| Use of sites and applications | Pages visited, or information about the devices used (e.g., IP address, geographic location, browser used, cookies). |
Lenotis obtains this personal data through the following collection (or production) methods:
| Means of collection | Examples |
|---|---|
| Data provided by data subjects | Data or content provided directly by personal data subjects (i) in the subscription process or purchase of products and/or services, (ii) in interactions with Lenotis or in person at our facilities, (iii) in letters or email messages sent, (iv) in participation in promotional activities, or (v) in response to satisfaction surveys. |
| Data collected in the context of using products and/or services by data subjects | Data related to the operations and usage of products and services provided by Lenotis. |
| Profiling | Data produced by Lenotis through the application of analytical models to client data and data related to the use of Lenotis products and/or services by contractors. |
| Persistent Cookies | Data related to the use of Lenotis websites and applications (e.g., pages visited; user preferences), obtained through cookies from Lenotis or third parties. You can find more information about the type of cookies used by Lenotis and the data collected, in the cookie policy published on the website |
| Data obtained from third parties | Data obtained by Lenotis from third parties with whom it works, including (i) public authorities or (ii) agents working on behalf of Lenotis. |
Obligation to provide personal data
In the context of commercial and contractual relationships, it is mandatory to present and collect certain personal data from Clients, potential Clients, and other holders (e.g., representatives and beneficial owners), necessary for the fulfillment of obligations and pre-contractual and contractual due diligence, or those arising from current regulations. Generally, without this data, Lenotis may refuse to enter into a contract, execute an order, or terminate a contract, having to resolve it. For example, under legal provisions relating to the prevention of money laundering regime, it is necessary to identify the Holder before and during the commercial relationship, typically through an identification document, collecting the information contained therein, under penalty of refusal of the instruction or request made.
4. How we process personal data
Data processing is an operation or set of operations carried out on personal data by manual or automated means, including collection, storage, use, copying, and transfer.
At Lenotis, we process personal data in a lawful, fair, and transparent manner and for specific purposes. The following sections describe and illustrate the main processing purposes at Lenotis, framed within the respective bases of legality:
Execution of contract
Lenotis carries out the data processing necessary for the conclusion, execution, and management of contracts in which the data subject is a party, or for pre-contractual due diligence at the request of the data subject.
| Purpose of processing | Examples |
|---|---|
| Initiation and management of contracts | Collection and recording of data from holders or representatives, alteration and beneficial owners. |
| Management of products and/or services | Subscription, production, and provision of payment information, or provision of information about purchased or subscribed products and/or services. |
Compliance with legal or regulatory obligation
Lenotis carries out data processing necessary to ensure compliance with various legal obligations - both national and European - to which it is subject, including but not limited to (i) legislation on the prevention and combat of money laundering and terrorist financing, and (ii) legislation on the protection of Personal Data.
| Purpose of Processing | Examples |
|---|---|
| Provision of information and response to requests from Public Authorities | Provision of mandatory (prudential and other) information in response to various requests from sector regulators, public authorities (e.g., Courts, Police, Tax Authority) or external auditors |
| Accounting and Financial Reporting | Accounting records, production, and disclosure of Lenotis's financial statements. |
| Management of documentary archive | Collection, classification, and storage of physical documents with personal data in the documentary archive, constituting mandatory evidence in the context of Lenotis's activity. |
| Video Surveillance | Video surveillance of Lenotis's physical facilities, aimed at protecting people and property and preventing crime, allowing for the collection of evidence. |
| Management of contacts and complaints | Receipt, analysis, and response to customer information requests and complaints. |
Legitimate Interest
Lenotis carries out data processing necessary to safeguard its legitimate interests or those of third parties.
Whenever Lenotis processes data based on legitimate interests, it conducts a preliminary analysis of the processing to ensure that the rights and interests of the data subjects are not prevailing over such legitimate interests.
| Purpose of Processing | Legitimate Interest | Examples |
|---|---|---|
| Provision of information | Ensuring that data subjects are duly informed about the products and/or services they are subscribed to or intend to subscribe to. Transmitting relevant information (related to such products and/or services) to data subjects. | Sending various informational materials (e.g., information security, financial market trends), or in the context of acquiring or subscribing to products or services. |
| Direct marketing | Providing relevant information about products and/or services offered by Lenotis that may be of interest to data subjects. | Providing information or conducting campaigns via phone, SMS, email, or social networks to stimulate the use or promote the acquisition or subscription of products and/or services, which may result from profiling or events generated by real-time analysis of transactions with Lenotis. |
| Segmentation | Improving the suitability and optimally targeting the offer of products and/or services to Clients, according to their characteristics. | Characterization and segmentation of Clients, to better direct and tailor the commercial offer of products and/or services of Lenotis to their specific characteristics. |
| Profiling for commercial purposes | Analyzing the products and/or services purchased by Clients to understand their preferences and interests, in order to better tailor the communications directed at them. | Processing of Clients' personal data, whether objective personal data (e.g., age, gender, address, type of Client, income) or personal data generated by the use of Lenotis's products and/or services (e.g., data on contracted products), with the aim of evaluating the Clients' profiles and building consumption patterns from their transactionality on any channel of Lenotis, thus determining the Clients' propensity regarding such products and/or services - and also regarding other products and/or services of a similar nature - with the goal of personalizing the offers communicated to them based on their respective preferences. Clients have the right to request clarifications regarding the criteria used to create the profiles and to oppose profiling activities designed exclusively for commercial purposes at any time. |
| Evaluation of satisfaction with products and/or services | Ensuring the improvement of products and/or services provided by Lenotis and, as well, adequate levels of satisfaction of its Clients. | Conducting surveys to assess Clients' satisfaction with products and/or services of Lenotis and the quality of the services provided, or sending proposals for changes to the conditions of products and/or services purchased or subscribed. |
| Development of products and/or services | Develop and improve the products and/or services offered by Lenotis. | Collection and analysis of data for the development or adaptation of new products and/or services of Lenotis, with the aim of better serving the specific needs of Clients. |
| Management of litigation | Efficient management of processes and litigation in general. | Exercise of contractual or legal rights and defense in case of judicial or extrajudicial disputes arising, notably in situations of delay or non-compliance with obligations of any nature by the data subject before Lenotis. |
| Credit Recovery and Collections | Recovery of credit in default. | Activities of credit recovery in default, including the search for assets that may cover the debts to Lenotis, in cases where there is a suspicion of dissipation of assets or other acts that, by transferring assets to third parties, aim to frustrate the guarantees or the enforceability of the credits of Lenotis. Asset searches are carried out based on objectively established criteria. |
| Transfer of credits | Management of Lenotis's credit portfolio. | Collection and analysis of data and provision of information to third parties in the context of credit securitization operations. |
| Management control | Sound and prudent management of Lenotis. | Production of control and management information of Lenotis. |
| Internal Audit | Conducting internal audits to assess compliance with legal standards and internal regulations. | Collection and analysis of data in the context of the internal audit of the processes and operations of Lenotis. |
| Management and security of information systems and facilities | Protection of Lenotis's information systems and also of the people and property located in the facilities | Management and monitoring processes of information systems and technological infrastructures, recording of access and use events of systems, processes of detection, analysis, and response to potential information security incidents, control of identities and access to Lenotis's information systems, or control of physical accesses to facilities. |
Data subject's consent
Lenotis may carry out other personal data processing operations when it has obtained prior, explicit consent, whether in writing, orally, or through explicit action, informed, freely given, and for specific purposes of the data subject.
| Purpose of Processing | Examples |
|---|---|
| Proof of information or instructions conveyed by phone | Recording of calls/video calls as a means of proof of information or instructions conveyed in the context of a pre-contractual relationship (e.g., proof of identity of the holder) or instructions conveyed in the context of a contractual relationship (e.g., training). |
| Monitoring service quality | Recording of calls for direct monitoring of the quality of service provided. |
| Market studies | Collection and analysis of personal data in the context of studies or market analysis. |
| Personalizing the experience on Lenotis sites and applications | Use of persistent cookies to record activity and preferences on Lenotis sites. |
| Direct marketing | Promotional actions for products or services to non-customers, or for non-financial products directed at our customer base. |
Lenotis only carries out personal data processing operations with due legal basis, and subject to prior information to the respective data subjects. Any additional secondary data processing operations are only carried out if (i) they are compatible with the authorized purposes and communicated to the data subjects or (ii) they are subject to specific and explicit consent of the data subjects.
5. What are the retention and processing periods for personal data
Lenotis retains and processes personal data for the necessary time and as long as the legitimate purposes for which the data are processed subsist, to fulfill contractual, legal, and regulatory obligations, or to protect the legitimate interests of Lenotis or third parties.
| Reason for retention | Retention period |
|---|---|
| Fulfillment of contract | Duration of the contract. Lenotis may retain personal data for periods longer than the duration of the contractual relationship, to ensure rights or duties related to the contract, based on legitimate interests that justify it, including the defense of Lenotis in legal proceedings or based on the consent of the data subject. |
| Legal, tax, or regulatory obligation | Legal prescription periods associated with legal, tax, or regulatory obligations, or the periods provided in special legislation, whichever is longer. |
| Retention of call recordings for contractual proof | Duration of the contract plus the prescription and expiration period of 10 years. |
| Retention of call recordings for the Contact Center (requests for clarification, complaints, and support) | 10 years. |
| Retention of call recordings for monitoring service quality | 30 days. |
| Retention of surveillance camera footage | 30 days. |
| Asset searches for Credit Recovery | Deletion, within 30 days, of data that do not confirm suspicions of asset dissipation or transfer from Lenotis's debtors. In other cases, retention, for the legal prescription period of the underlying obligations. |
6. What are your rights as a data subject
Lenotis ensures the exercise of the rights of data subjects in relation to the processing of their data.
| Data Subject's Right | Description |
|---|---|
| Access | Subject to the protection of third-party rights, data subjects have the right to access their personal data and to obtain information about the conditions of its processing. |
| Rectification | Data subjects have the right to request the rectification of their personal data that is inaccurate or incomplete (e.g., address, email address, telephone contacts). |
| Opposition | Data subjects have the right to object to data processing based on Lenotis' legitimate interest. |
| Withdrawal of consent | Data subjects have the right to withdraw consent they have given for data processing based on that consent. |
| Erasure | Data subjects have the right to have their personal data erased by Lenotis, provided there are no valid grounds for its retention (e.g., compliance with a legal obligation, defense of Lenotis or third parties in a legal proceeding). |
| Restriction | Data subjects have the right to request the restriction of data processing when (i) they dispute the accuracy of the personal data, allowing time for Lenotis to verify its accuracy, (ii) the processing is unlawful and they oppose the erasure of personal data, (iii) Lenotis no longer needs the personal data but it is required by the data subjects for the establishment, exercise, or defense of legal claims, (iv) they have objected to processing pending the verification of whether Lenotis' legitimate grounds override theirs. |
| Portability | Data subjects have the right to receive the personal data they have provided to Lenotis in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller. |
| Not to be subject to automated decision-making | Data subjects have the right to request human intervention or to challenge decisions based on solely automated processing of personal data that may have significant effects on their legal or personal lives, except when the processing is necessary for (i) compliance with a legal obligation, (ii) performance of a contract and the information is necessary for the execution of the contract, or (iii) when they have given explicit consent. Lenotis has mechanisms to ensure human intervention in data processing based on automated decisions, allowing the data subject to express their point of view and to contest the decision. |
| Complaint to the CNPD | Data subjects have the right to lodge complaints with the CNPD concerning issues related to the exercise of their rights and the protection of their personal data. |
Data subjects can exercise their rights in data protection matters via letter or email to the contacts of Lenotis or the Data Protection Officer. Lenotis will respond to requests within a maximum of 30 days, except in particularly complex cases. In these cases, Lenotis will inform the data subjects about (i) the need to extend the response time by an additional maximum of 60 days, (ii) the respective justification.
Whenever Lenotis considers it not possible to comply with requests, data subjects will be informed of the reasons by Lenotis, within the established deadlines.
The exercise of rights is free of charge, except in situations considered excessive, abnormal, and/or made in bad faith. In these cases, Lenotis will inform data subjects in advance of any fees to be charged and the respective justification.
Lenotis has appropriate mechanisms to verify and confirm the identity of data subjects wishing to exercise their rights, exclusively attending to those whose identity can be confirmed, and through a channel that allows maintaining evidence of the request and the respective response.
7. What personal data do we share
At Lenotis, personal data access is granted to Employees who need it to fulfill their roles, particularly within the scope of contractual, pre-contractual, and legal obligations of Lenotis. Additionally, personal data may be made available to third-party entities – distinct from Lenotis:
| Third-party entities | Examples |
|---|---|
| Group Companies | Companies of the Group or complementary groups of companies formed by the Group, within the framework of measures to prevent money laundering, terrorism financing, and fraud, or for purposes of administrative and financial management at the Group level. |
| Public bodies and supervisory institutions | Tax authorities, whenever there is a legal or regulatory obligation, for example (i) during an investigation, complaint, or procedure, to Public Bodies, to the Court, and to the Security Forces responsible for the matter, or (ii) to authorities or official bodies of other countries, located inside or outside the European Union, in the context of combating terrorism financing, serious forms of organized crime, and prevention of money laundering. |
| Subcontracted entities | Subcontracted entities and service providers, acting on behalf of or under the instructions of Lenotis (e.g., document management and archival service providers; technological service providers). |
Transfer of data to third countries or international organizations
The transfer of data to countries outside the European Union only occurs when necessary for (i) the execution of contracts or delivery of products (for example, using labor located abroad), (ii) by legal requirement, or, in specific cases, (iii) with the express authorization of the data subject.
It is important to be aware that the transfer of data outside the European Union may entail increased risks for the protection of personal data, notably because the destination countries may offer lower legal guarantees for the protection of your personal data.
In the case of needing to use service providers from third countries, Lenotis will ensure contractually that these entities comply with all legal obligations in terms of data protection, notably using so-called standard data protection clauses and additional mitigation measures, as foreseen in Article 46 of the General Regulation on Personal Data Protection. These entities will process personal data according to Lenotis' prior and documented instructions and exclusively for the purposes indicated by Lenotis.
8. How we protect personal data
The protection of the confidentiality and integrity of data has long been considered by Lenotis as one of the fundamental pillars in building trust relationships with our Clients, employees, regulatory entities, and business partners.
Lenotis has implemented appropriate organizational measures, processes, and security systems to protect your personal data against destruction, alteration, and unauthorized access, including: (i) access control mechanisms to information systems and data; (ii) specialized security systems (e.g., firewalls, antivirus, intrusion detection systems); (iii) logging mechanisms of actions performed by employees, Clients, and other users of information systems (e.g., access, modification, deletion of personal data); (iv) mechanisms for encryption, pseudonymization, and anonymization of data; (v) encryption measures for equipment and mobile devices; (vi) physical security measures to protect facilities (e.g., physical access controls, video surveillance, various alarms); and (vii) an awareness and training program for Lenotis employees and partners in information security and personal data protection.
9. Changes to the Privacy Policy
Lenotis reserves the right, at any time, to make changes to this document to align it with market best practices or future legislative or regulatory changes. The updated version will always be available for consultation at any Lenotis branch or on the lenotis.com.
In situations where the changes are significant and substantial, Lenotis will make appropriate and reasonable efforts to inform you, using the normal contact channels and mechanisms between Lenotis and the data subjects.
What are cookies?
Cookies are small text files containing relevant information that are stored on the user’s computer or mobile device and used by websites for various purposes.
The functions of cookies**
Cookies are used to manage the functioning of websites and user sessions, thereby improving the experience and also providing important information to the entities responsible for the websites. Cookies also enable the user to be recognized and personalize the browsing experience according to their interests and preferences.
Use of Cookies on Lenotis' Websites
Lenotis uses cookies on its websites to manage user navigation and thus enhance their experience. Cookie management can be done directly by Lenotis or by third-party sites for statistical analysis purposes. We have various cookies that serve different purposes, namely:
Essential cookies - ensure that the website functions properly, allowing navigation between pages and the use of the available features and services. They also allow the recognition of the user during their session, support implemented security features, and detect malicious activities.
Statistical cookies - collect anonymous statistical data related to users' use of the site such as, for example, the websites they come from, the pages visited, the software used, and the number of visitors. This information helps us improve our products and services.
Functional cookies - enable the identification of users' language preferences and customize their navigation on the site.
By browsing the Lenotis sites, you consent to the use of cookies.
Use of Cookies for Remarketing
Potential service providers of Lenotis, such as Google, Facebook, Instagram, and LinkedIn, may use cookies to advertise our products and services on their respective websites or social networks. Thus, marketing cookies allow these providers to collect information about users' visits to our sites and present Lenotis ads, tailored to each user's interests, on third-party websites. Visitors to Lenotis sites can choose at any time to opt out of the use of Google cookies through Google's Ad Settings.
Control and Blocking of Cookies
Most browsers allow the control of cookies through their settings. By navigating the Lenotis sites, you are consenting to the use of essential cookies. The use of other cookies is optional. However, disabling them may impair the user's browsing experience and, ultimately, prevent logging into our sites.