Privacy Policy

Last updated: April 2026

1. Data Controller

Anchor ("we", "our", "us") is the data controller responsible for processing your personal data. Anchor is operated by Talent Empowered and is established within the European Union. For all matters relating to data protection, contact our Data Protection Officer at hello@anchor.pt or by post at our registered office address.

2. Categories of Personal Data We Collect

We collect the following categories of personal data:

  • Identity data: full name, date of birth, nationality, passport/ID number, photographs, and biometric data from identity documents.
  • Contact data: email address, phone number, physical address (current and destination).
  • Immigration and residency data: visa type, residency status, NIF (tax identification), NISS (social security), EU registration status, and associated application documents.
  • Financial data: bank account details (for account opening services), employment status, income documentation, and proof of funds.
  • Family data: marital status, dependant details, family reunification documentation.
  • Health data: health registration information (SNS/Utente number) where you use our health registration services.
  • Voice and conversation data: text transcripts from intake conversations. Audio is processed in real time and not stored.
  • Technical data: IP address, browser type, device information, and usage patterns when you interact with our website.

3. Legal Basis for Processing (Article 6 GDPR)

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): processing necessary to deliver the settlement services you have contracted us to provide.
  • Legal obligation (Art. 6(1)(c)): processing required to comply with Portuguese law, EU regulations, immigration requirements, and tax reporting obligations.
  • Legitimate interests (Art. 6(1)(f)): processing for service improvement, fraud prevention, and system security, where these interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): where we process data based on your consent (such as voice processing during intake sessions or optional analytics cookies), you may withdraw consent at any time.

Where we process special category data (health information under Article 9), we do so with your explicit consent and solely for the purpose of health service registration in your destination country.

4. How We Use Your Information

We use your personal data to:

  • Deliver settlement services including visa processing, tax registration, banking coordination, health enrollment, and housing support.
  • Communicate with you about your case and provide status updates.
  • Coordinate with local specialists (lawyers, fiscal representatives, housing consultants) who assist in your settlement.
  • Submit applications to government agencies on your behalf with your authorization.
  • Improve our services through anonymized, aggregated analysis of processing outcomes.
  • Comply with legal and regulatory obligations.

5. Who We Share Your Data With

We share your personal data only when necessary:

  • Government agencies and regulatory bodies: as required for your visa, tax, social security, or health registration applications (e.g., Portuguese Tax Authority, AIMA, Social Security Institute).
  • Trusted service partners: local specialists who assist in your settlement (lawyers, fiscal representatives, housing consultants, banks). These partners are individually vetted, contractually bound to data protection obligations, and process your data only for your specific case.
  • Technology infrastructure providers: cloud hosting (AWS, EU region), AI processing services (for conversation analysis), and payment processors. All sub-processors are bound by Data Processing Agreements compliant with Article 28 GDPR.

We do not sell your personal data. We do not share your data for advertising purposes. We do not transfer your data outside the European Economic Area without adequate safeguards (Standard Contractual Clauses or adequacy decisions).

6. International Data Transfers

Your data is primarily processed within the European Economic Area. Where processing by sub-processors occurs outside the EEA (for example, AI model providers), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (Article 46(2)(c) GDPR) and supplementary technical measures such as encryption in transit and at rest.

7. Data Retention

We retain your personal data according to these periods:

  • Active case data: retained for the duration of your settlement process plus 12 months after case completion.
  • Tax and financial records: retained for 5 years as required by Portuguese tax law (Decreto-Lei 442-B/88).
  • Consent records: retained for the duration of our relationship plus 3 years.
  • Intake conversation transcripts: retained for 2 years, then anonymized or deleted.
  • Voice data: not retained. Audio is processed in real time and discarded immediately after transcription.
  • Website analytics: retained for 26 months in anonymized form.

When retention periods expire, data is securely deleted or irreversibly anonymized.

8. Your Rights Under the GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data, subject to legal retention requirements.
  • Right to restriction (Art. 18): request that we limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, contact us at hello@anchor.pt. We will respond within 30 days. If your request is complex, we may extend this by a further 60 days with notice.

9. Cookies and Tracking

We use essential cookies required for authentication and site functionality. Optional analytics cookies are used only with your explicit consent, which you can grant or withdraw at any time via the cookie consent banner. We do not use advertising or tracking cookies.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls with principle of least privilege, audit logging of all data access, regular security assessments, and incident response procedures. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by Article 33 GDPR.

11. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The lead supervisory authority for Anchor is the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD), Rua de S. Bento 148, 1200-821 Lisboa, Portugal.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a prominent notice on our website. The "Last updated" date at the top indicates the most recent revision.

13. Contact

For any questions about this Privacy Policy, to exercise your data rights, or to contact our Data Protection Officer, email us at hello@anchor.pt or write to our registered office.