privacy policy
Last updated: April 2026
1. Who we are
Portuguese Tune ("we", "our") operates the language training platform at portuguesetune.com. This policy explains what personal data we collect, why, and your rights under the General Data Protection Regulation (GDPR).
2. Data we collect
We only collect data that is necessary to provide our service. Providing your email and address is required to use the platform; without them we cannot process bookings or issue invoices.
Email address
Used to authenticate you and send booking confirmations.
Name
Used for booking confirmations. Provided optionally or taken from Google OAuth.
Address
Street, number, city, postal code, country, and optionally company name. Required for booking confirmation and invoicing under Portuguese tax law.
Booking history
Sessions booked and credit transactions.
Payment records
Order amount and status. Card details are handled entirely by Stripe and never stored on our servers.
3. Legal basis for processing
Contract — email, name, address, and booking history are necessary to deliver the service you purchased.
Legal obligation — address and payment records are required for invoicing and accounting under Portuguese tax law, retained for 7 years.
Strictly necessary — the session cookie enables authentication; no consent required.
4. Third-party processors
We share personal data only with processors necessary to deliver the service, all with signed Data Processing Agreements:
Neon
Database hosting, EU-Frankfurt
Vercel
Hosting and analytics, EU-Frankfurt
Stripe
Payment processing
US-based — transfer via Standard Contractual Clauses
Cal.com
Scheduling (receives name, email, address)
Resend
Email delivery for sign-in codes
US-based — transfer via Standard Contractual Clauses
OAuth sign-in (optional)
US-based — transfer via Standard Contractual Clauses
5. International data transfers
Your data is primarily stored in the EU (Frankfurt). Some processors (Stripe, Resend, Google) are based in the United States. These transfers are protected by the EU–U.S. Data Privacy Framework and/or Standard Contractual Clauses approved by the European Commission, ensuring an adequate level of data protection.
6. Data retention
Active accounts — until you request deletion.
Order records — 7 years (legal obligation), anonymised on account deletion.
Authentication sessions — 30 days.
7. Your rights
Under GDPR you have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. Visit your account page to download your data or delete your account. For other requests contact us at privacy@portuguesetune.com.
If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with the Portuguese supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt.
8. Automated decision-making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
9. Cookies
We use a single session cookie that is strictly necessary for authentication. We also use Vercel Analytics, which collects anonymous, aggregated usage data without cookies or personal identifiers. No tracking or advertising cookies are used.
10. Contact
Questions about this policy? privacy@portuguesetune.com