Privacy Policy
-
A) Privacy Policy (Website & CRM)
-
Who we are CONCONSTRUCT, UNIPESSOAL LDA, trading as Living by CO, registered in Portugal with VAT/NIF: 517395649, located at Sitio de Pinheiral, Odiáxere, Post code: 8600-254, City: Lagos (“we”, “us”). We are the data controller for personal data processed via our websites, contact forms, events, and sales channels. Contact: legal@livingbyco.com. Supervisory authority: CNPD (Portugal).
-
Scope This notice covers our public websites (including our main site and related brand sites, and any sub‑domains), landing pages, CRM forms, newsletters, and customer communications. If you enter into a contract with us (buying a home or services), additional privacy terms may apply.
-
What we collect (categories)
-
Identity & contact data: name, email, phone, nationality, country of residence, company.
-
Lead & customer data: interest profiles, property typology preferences, budgets, project notes, contract identifiers, payment status (no card data stored by us), support tickets.
-
Usage data: pages viewed, interactions, consent choices, IP address, device identifiers (e.g., browser type, referral source; collected via cookies subject to consent).
-
Communications: emails, call notes, meeting notes.
-
Event/visits: RSVP details, photos if you consent. We do not intentionally collect special category data (e.g., health, political opinions). Please do not send such data.
-
Why we use your data & legal bases We process data only when a lawful basis applies under the EU GDPR.
The following data uses apply:
-
Purpose: Respond to inquiries & pre‑contract steps
Examples: Contact/booking forms, viewing requests
Legal basis: Contract or legitimate interests
-
Purpose: Sales & client management
Examples: CRM notes, quotes, contracts, after‑sales
Legal basis: Contract; legitimate interests
-
Purpose: Marketing communications
Examples: Newsletters, events, product updates
Legal basis: Consent (opt‑in); legitimate interests for existing clients where permitted
-
Purpose: Analytics & site performance
Examples: Measuring visits, improving UX
Legal basis: Consent (non‑essential cookies)
-
Purpose: Security & fraud prevention
Examples: Logs, backups, access control
Legal basis: Legitimate interests; legal obligation
-
Purpose: Legal & compliance
Examples: Tax, accounting, regulatory requests
Legal basis: Legal obligation
-
Cookies & tracking We use a Consent Management Platform (CMP) to obtain, record, and honor your choices. Non‑essential tags (analytics/ads) are blocked until you consent. Details on how we manage cookies are in our Cookie Policy below, where you can review and update settings at any time.
-
Sharing & processors We share data with:
-
Service providers (processors) under contract, including: Zoho (Zoho CRM/Zoho One apps), WordPress (self‑hosted website + plugins), Google Tag Manager (tag deployment), Google Workspace/Drive (email, files), web hosting/CDN (e.g., Cloudflare), email delivery, analytics, and security services.
-
Professional advisors (legal, accounting), and public authorities where required.
-
Intra‑group companies within the Living by CO group for administration and service delivery.
-
We do not sell personal data.
-
International transfers We prefer to process/store data in the EU/EEA. Where transfers to countries without an EU adequacy decision are necessary (e.g., some cloud providers), we rely on EU Standard Contractual Clauses (SCCs) and implement supplementary safeguards (encryption, access controls, minimization). Specific vendors relying on SCCs include Zoho, Google (Workspace/Tag Manager), and Cloudflare.
-
Retention We keep data only as long as needed:
-
Leads/prospects: 24 months after last interaction, then delete or anonymize.
-
Contract/client records: 10 years (Portuguese legal retention) from end of fiscal year.
-
Support tickets: 2 years after resolution unless longer is required.
-
Analytics identifiers: per Cookie Policy (typically 3–26 months).
-
Backups are purged on rolling cycles. These periods align with Portuguese accounting/tax retention rules (confirm specifics with counsel).
-
Your rights You can access, correct, delete, restrict, or port your data, and object to processing based on legitimate interests (e.g., if you believe our interests don’t outweigh your rights). You may withdraw consent at any time (it won’t affect past processing). To exercise rights, contact us at our privacy email address. You may also lodge a complaint with CNPD.
-
Children Our sites are not intended for children under 16. We do not knowingly collect their data. If events might involve families, we verify age where possible (see our internal event registration processes).
-
Changes We will update this notice when needed. Material changes will be highlighted here, with an effective date. Continued use of our site after changes indicates acceptance. Contact: [contact email]
-
B) Terms & Conditions (Website Terms of Use)
-
Acceptance By accessing or using our websites, you agree to these Terms. If you do not agree, do not use the site.
-
Who we are The site is operated by CONCONSTRUCT, UNIPESSOAL LDA., VAT/NIF: 517395649, Sitio de Pinheiral, Odiáxere, Post code: 8600-254, City: Lagos. Contact: legal@livingbyco.com.
-
Using the site You must use the site lawfully and not harm its operation. Content is provided for general information and is not legal, financial, or architectural advice. Professional advice should be obtained before acting on information. We may change, suspend, or withdraw the site without notice.
-
Intellectual property All content (text, graphics, logos, photos, video, designs) is owned by us or our licensors. You are granted a limited, revocable, non‑transferable license to access and use the site for personal, non‑commercial purposes. Do not copy, modify, distribute, or create derivative works without permission.
-
User content Where the site allows submissions (e.g., forms, comments), you must own the content or have permission and ensure it is lawful and non‑infringing. You grant us a non‑exclusive license to use submissions for the purposes for which they were provided.
-
Third‑party links Links to third‑party sites are provided for convenience. We have no control over their content and accept no responsibility for them.
-
Liability To the maximum extent permitted by law, we exclude liability for indirect or consequential loss arising from use of the site. Nothing excludes liability for death/personal injury caused by negligence or for fraud. This does not affect your statutory rights under Portuguese consumer law.
-
Indemnity You agree to indemnify us for losses arising from your breach of these Terms or misuse of the site.
-
Governing law & jurisdiction These Terms are governed by Portuguese law. Courts of Lisbon, Portugal have exclusive jurisdiction, subject to mandatory consumer venue rights.
-
Changes We may update these Terms from time to time. Continued use after changes means you accept the updated Terms.
-
C) Cookie Policy (Consent‑First)
-
What are cookies? Cookies and similar technologies (pixels, local storage) store or access information on your device. Some are strictly necessary; others (analytics, personalization, advertising) are non‑essential and require your consent in the EU/EEA.
-
How we use them
-
Strictly necessary (always on): security, load balancing, consent storage, form protection.
-
Functional (consent‑based): remembering choices, enhanced features.
-
Analytics (consent‑based): measuring traffic and performance.
-
Advertising (consent‑based): tailoring content/ads, frequency capping.
-
Your choices On first visit, our banner asks for your preferences. You can Accept All, Reject Non‑Essential, or Customize. You can change settings anytime via Cookie Settings in the footer. We use CookieYes as our CMP for dynamic management.
-
Managing cookies in your browser You can also block/delete cookies in browser settings. Blocking certain cookies may impact site functionality.
-
Retention Cookie lifetimes vary by tool. We aim to keep analytics identifiers between 3–26 months unless you withdraw consent sooner. See the CMP‑generated cookie table for current details.
-
D) Plain‑English: What is the EU GDPR?
The General Data Protection Regulation (GDPR) is the EU law that sets rules for how organizations collect and use personal data. Core ideas:
-
Lawfulness, fairness, transparency: tell people what you do and why; have a valid legal basis.
-
Purpose limitation & minimization: collect only what you need for clear purposes.
-
Accuracy & storage limitation: keep data up to date; don’t keep it longer than necessary.
-
Integrity & confidentiality: protect data with appropriate security.
-
Accountability: document decisions, contracts, and safeguards; be able to prove compliance.
-
Individuals have rights (access, correction, deletion, portability, objection), and companies must respect them within one month.
-
E) Outside the EU vs. other countries
We serve an international audience and apply GDPR‑level protections globally where feasible. Differences:
-
UK: The UK GDPR is essentially equivalent; we honor UK rights and transfer rules.
-
EEA→non‑EEA transfers: when using providers outside the EEA, we use EU SCCs or rely on an adequacy decision (if available).
-
United States & others: Privacy rights differ by state/country. Where required (e.g., California), we will publish a Supplemental Notice describing additional rights (access, deletion, opt‑out of “sale/share”).
-
Target markets include: Northern Europe (incl. Scandinavia), North America (USA & Canada).
-
F) Data storage locations & our processors (register excerpt)
This is an operational register summary; keep a full RoPA internally.
Here is a list of vendors and services:
-
Vendor / Service: Zoho (Zoho CRM, Zoho One apps)
Purpose: Lead & client management, email campaigns, docs, support
Role: Processor
Primary data region (aim): EU data centers (account setting)
Notes: Sign Zoho DPA; enable EU data region; set retention; restrict fields; MFA
-
Vendor / Service: WordPress (self‑hosted)
Purpose: Website CMS & forms
Role: Processor / Joint Controller (site owner is controller)
Primary data region (aim): Depends on hosting provider
Notes: Ensure hosting in EU where possible; update plugins; log retention; security hardening
-
Vendor / Service: Google Tag Manager
Purpose: Tag orchestration
Role: Processor
Primary data region (aim): EU storage where possible; executes tags
Notes: Implement Consent Mode v2; block non‑essential tags until consent
-
Vendor / Service: Google Workspace/Drive
Purpose: Email, documents, file storage
Role: Processor
Primary data region (aim): EU data region (if enabled)
Notes: Sign DPA; enable EU regions; MFA; drive sharing policies
-
Vendor / Service: Web hosting/CDN (e.g., Cloudflare)
Purpose: Website delivery
Role: Processor
Primary data region (aim): EU (primary), global CDN as configured
Notes: TLS, WAF, security monitoring
-
Vendor / Service: Email delivery (e.g., Zoho Mail)
Purpose: Transactional/marketing emails
Role: Processor
Primary data region (aim): EU/EEA where available
Notes: DKIM/SPF/DMARC; suppression list hygiene
-
Vendor / Service: CookieYes (CMP)
Purpose: Consent management
Role: Processor
Primary data region (aim): EU
Notes: Banner + records of consent; auto‑blocking scripts
-
Vendor / Service: Zoho SalesIQ (chat)
Purpose: Live chat & lead capture
Role: Processor
Primary data region (aim): EU data centers
Notes: Respect consent for tracking; minimize transcript retention
-
People & governance
-
Create a dedicated privacy mailbox; appoint a Data Protection Lead (not necessarily a DPO) and document responsibilities.
-
Maintain a Record of Processing Activities (RoPA) covering all processes, legal bases, retention, and processors.
-
Sign Data Processing Agreements (DPAs) with all vendors (Zoho, Google, hosting, plugins/services).
Web & consent
-
Deploy a Consent Management Platform (CMP) (CookieYes) on all domains; auto‑block non‑essential tags.
-
Configure GTM Consent Mode v2 with EU default = denied (ad_storage, analytics_storage, functionality_storage, security_storage, personalization_storage), and fire tags based on consent.
-
Add persistent Cookie Settings link in the footer; publish the Cookie Policy page.
Forms & CRM
-
Add privacy notice + link and explicit consent checkboxes to all lead forms (web/WP/Zoho), separated by purpose: marketing vs. contact.
-
Implement double opt‑in for newsletters (Zoho Campaigns) and map consent status into CRM fields.
-
Create data subject request workflow: intake form, ID verification, 30‑day SLA, templates for access/erasure/objection.
Data minimization & retention
-
Define and automate retention rules: leads 24 months, analytics 3–26 months, contracts 10 years; set deletion/anonymization jobs in Zoho/WordPress/hosting.
-
Avoid storing special category data in free‑text fields; use picklists and validation.
Security
-
Enforce MFA for Zoho, Google, hosting, and WordPress admins.
-
Keep WordPress core/plugins/themes updated; limit admin accounts; install a security/WAF plugin.
-
Maintain encrypted backups, with tested restore procedures and rolling retention; document.
-
Define an incident response plan (72‑hour breach notification assessment, CNPD contact, user communications templates).
Transparency
-
Publish these pages and link in footer: Privacy Policy, Terms of Use, Cookie Policy.
-
Add a brief just‑in‑time notice near each data collection point (e.g., “We’ll use your details to respond to your inquiry. See Privacy Policy”).
International transfers
-
Confirm EU data regions (Zoho EU cluster, Google EU data regions) and document SCCs for any non‑EEA transfers (Zoho, Google, Cloudflare).
Testing & records
-
Run a cookie scan and verify that non‑essential tags do not fire without consent; record screenshots.
-
Keep a vendor/sub‑processor inventory with links to DPAs and security pages; review every 6 months.
-
H) Optional Add‑Ons (if/when needed)
-
California (CCPA/CPRA) Supplemental Notice: publish a short addendum if you actively target California residents.
-
UK GDPR/PECR: duplicate EU approach for UK domains; name the UK ICO as the relevant authority.