Privacy
Last updated: 20 June 2026
1. Who is responsible for your data
The data controller is Selin Takci, operating as Ponte Collective from Porto, Portugal (“we”, “us”). For any privacy matter, contact privacy@pontecollective.com.
2. Scope
This policy covers the personal data we process through this website and in the course of our consulting practice. It does not cover personal data we process on behalf of a client under a separate agreement, where the client is the controller and we act on their instructions.
3. What we collect, and how
| Category | Examples | Source |
|---|---|---|
| Site usage / analytics | device, browser, pages viewed, approximate region | cookies (GA4), only with your consent |
| Enquiry data | name, email, company, message | contact form, email to us |
| Prospective-client data | name, role, employer, business contact details, notes | our research and outreach; your reply |
| Engagement data | the above + the information needed to deliver a service, materials you share | intake form, the engagement |
| Scheduling data | name, email, chosen time | Cal.com booking |
| Signature data | name, email, signing metadata | Zoho Sign |
| Newsletter subscribers | name, email | your sign-up via Substack |
| Correspondence | the content of your emails/messages | direct contact |
We do not seek special-category data. Please do not send it through the contact form.
4. Why we use it, and our lawful basis (GDPR Art 6)
| Purpose | Lawful basis |
|---|---|
| Replying to enquiries | Legitimate interests (responding to you) / steps prior to a contract |
| Sending a proposal, NDA, or payment link; delivering an engagement | Performance of a contract / steps prior to entering one |
| Contacting businesses about our services (outreach) | Legitimate interests (B2B marketing) — see note below |
| Sending you our newsletter | Consent |
| Website analytics | Consent |
| Meeting tax, accounting, and legal obligations | Legal obligation |
| Establishing or defending legal claims | Legitimate interests |
Outreach note: we contact people in their professional capacity, on behalf of their employer, about services relevant to their role. You can object or unsubscribe at any time (Section 8).
5. Cookies and analytics
We use only strictly necessary cookies by default. Analytics (Google Analytics 4) load only if you consent via our cookie banner, and we keep Google Signals turned off, so no cross-site advertising identifiers are used. See the Cookie Notice.
6. Who we share it with
We do not sell personal data. We share it with service providers who process it on our behalf (our processors) under a data-processing agreement, and with our accountant and lawyers where needed. Our current processors and where they process data:
| Provider | Purpose | Processing location / safeguard |
|---|---|---|
| Supabase | application data hosting | EU (Frankfurt) |
| Vercel | website hosting / edge delivery | EU + global edge; SCCs |
| Google (Workspace, GA4) | email; analytics | EU + US; EU-US Data Privacy Framework + SCCs |
| Zoho Sign | e-signature | EU data centre (Amsterdam/Dublin); DPA / SCCs |
| Cal.com | scheduling | EU (EU-hosted offering) |
| Stripe | payment processing | EU + US; Data Privacy Framework / SCCs (also an independent controller for certain payment processing) |
| Resend | sending service emails | US; EU-US Data Privacy Framework + SCCs |
| Substack | newsletter subscription + delivery | US; SCCs (also a controller for its own platform) |
| Anthropic (Claude) | AI assistance in our outreach and content work, where used | US; SCCs |
7. International transfers
Where a provider processes data outside the EEA, we rely on an EU adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses, as noted above.
8. Your rights
Under the GDPR you may: access your data; have it corrected or erased; restrict or object to processing; receive it in a portable format; and withdraw consent at any time (without affecting prior processing). To exercise any right, email privacy@pontecollective.com. We respond within one month.
You may also complain to the Portuguese supervisory authority, the CNPD (Comissão Nacional de Proteção de Dados, cnpd.pt). Individuals in the UK may instead contact the ICO (ico.org.uk).
9. How long we keep it
- Enquiries that do not become engagements: 12 months, then deleted.
- Engagement records: the duration of the engagement plus 5 years.
- Accounting and tax records: the period required by Portuguese law (currently 10 years).
- Newsletter: until you unsubscribe.
- Analytics: per the durations in the Cookie Notice.
10. Security
We use appropriate technical and organisational measures, including access controls and EU-region hosting for stored personal data.
11. Children
Our services are B2B and not directed to anyone under 18.
12. Changes
We may update this policy; the “last updated” date shows the current version.