Legal

Privacy

Last updated: 20 June 2026

1. Who is responsible for your data

The data controller is Selin Takci, operating as Ponte Collective from Porto, Portugal (“we”, “us”). For any privacy matter, contact privacy@pontecollective.com.

2. Scope

This policy covers the personal data we process through this website and in the course of our consulting practice. It does not cover personal data we process on behalf of a client under a separate agreement, where the client is the controller and we act on their instructions.

3. What we collect, and how

CategoryExamplesSource
Site usage / analyticsdevice, browser, pages viewed, approximate regioncookies (GA4), only with your consent
Enquiry dataname, email, company, messagecontact form, email to us
Prospective-client dataname, role, employer, business contact details, notesour research and outreach; your reply
Engagement datathe above + the information needed to deliver a service, materials you shareintake form, the engagement
Scheduling dataname, email, chosen timeCal.com booking
Signature dataname, email, signing metadataZoho Sign
Newsletter subscribersname, emailyour sign-up via Substack
Correspondencethe content of your emails/messagesdirect contact

We do not seek special-category data. Please do not send it through the contact form.

4. Why we use it, and our lawful basis (GDPR Art 6)

PurposeLawful basis
Replying to enquiriesLegitimate interests (responding to you) / steps prior to a contract
Sending a proposal, NDA, or payment link; delivering an engagementPerformance of a contract / steps prior to entering one
Contacting businesses about our services (outreach)Legitimate interests (B2B marketing) — see note below
Sending you our newsletterConsent
Website analyticsConsent
Meeting tax, accounting, and legal obligationsLegal obligation
Establishing or defending legal claimsLegitimate interests

Outreach note: we contact people in their professional capacity, on behalf of their employer, about services relevant to their role. You can object or unsubscribe at any time (Section 8).

5. Cookies and analytics

We use only strictly necessary cookies by default. Analytics (Google Analytics 4) load only if you consent via our cookie banner, and we keep Google Signals turned off, so no cross-site advertising identifiers are used. See the Cookie Notice.

6. Who we share it with

We do not sell personal data. We share it with service providers who process it on our behalf (our processors) under a data-processing agreement, and with our accountant and lawyers where needed. Our current processors and where they process data:

ProviderPurposeProcessing location / safeguard
Supabaseapplication data hostingEU (Frankfurt)
Vercelwebsite hosting / edge deliveryEU + global edge; SCCs
Google (Workspace, GA4)email; analyticsEU + US; EU-US Data Privacy Framework + SCCs
Zoho Signe-signatureEU data centre (Amsterdam/Dublin); DPA / SCCs
Cal.comschedulingEU (EU-hosted offering)
Stripepayment processingEU + US; Data Privacy Framework / SCCs (also an independent controller for certain payment processing)
Resendsending service emailsUS; EU-US Data Privacy Framework + SCCs
Substacknewsletter subscription + deliveryUS; SCCs (also a controller for its own platform)
Anthropic (Claude)AI assistance in our outreach and content work, where usedUS; SCCs

7. International transfers

Where a provider processes data outside the EEA, we rely on an EU adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses, as noted above.

8. Your rights

Under the GDPR you may: access your data; have it corrected or erased; restrict or object to processing; receive it in a portable format; and withdraw consent at any time (without affecting prior processing). To exercise any right, email privacy@pontecollective.com. We respond within one month.

You may also complain to the Portuguese supervisory authority, the CNPD (Comissão Nacional de Proteção de Dados, cnpd.pt). Individuals in the UK may instead contact the ICO (ico.org.uk).

9. How long we keep it

  • Enquiries that do not become engagements: 12 months, then deleted.
  • Engagement records: the duration of the engagement plus 5 years.
  • Accounting and tax records: the period required by Portuguese law (currently 10 years).
  • Newsletter: until you unsubscribe.
  • Analytics: per the durations in the Cookie Notice.

10. Security

We use appropriate technical and organisational measures, including access controls and EU-region hosting for stored personal data.

11. Children

Our services are B2B and not directed to anyone under 18.

12. Changes

We may update this policy; the “last updated” date shows the current version.

Privacy and analytics

We use Google Analytics only with your consent, to understand how the site is used. No analytics are loaded until you accept. You can change your choice at any time.