// CONTENT
PRIVACY POLICY
01 — Who we are.
// Controller — Altrix Unipessoal Lda · NIPC 516 832 491
"Altrix" refers to Altrix Unipessoal Lda., a private studio registered in Lisbon, Portugal, with secondary operations in Zürich, Switzerland. This document explains what personal data we hold about you, on what legal basis, and what you can ask us to do about it.
We are the data controller for any personal data described in this document, unless explicitly stated otherwise. Our Data Protection contact is privacy@altrix.framer.website
02 — What we collect.
// Scope — Four categories · Minimal by design
We collect personal data in four narrow categories, listed below. We do not collect anything outside these categories without asking you first.
Category | Examples | Source | Status |
|---|---|---|---|
Identity & contact | Name, email, phone, business address | You · provided directly | Required |
Engagement context | Inquiry brief, budget range, timeline | You · inquiry form | Required |
Operational records | Contracts, invoices, project notes | You · during engagement | Required |
Site telemetry | Page, referrer, country, device class | Plausible · aggregated | Optional |
03 — Why we collect it.
// Lawful basis — Contract · Consent · Legitimate interest
Under Article 6 of the GDPR, we rely on the following legal bases:
Contract. To answer your inquiry, draft proposals, and deliver the work we've agreed to. Without this data we cannot run the engagement.
Consent. For our newsletter ("Signal") and any case-study features. You can withdraw at any time, in one click, with no consequence to any active engagement.
Legitimate interest. For minimal site analytics (aggregate, no identifiers) and for retaining historical project records to defend against future claims.
Legal obligation. For invoices and tax records, kept for the periods Portuguese, Swiss and EU law require.
04 — How long we keep it.
// Retention — Short by default
Data | Retention Period | Trigger | Basis |
|---|---|---|---|
Inquiry data (no engagement) | 90 days | From last contact | Legit. Interest |
Active client records | Duration of engagement | Engagement open | Contract |
Post-engagement records | 10 years | From engagement close | Legal · Tax |
Newsletter subscription | Until you unsubscribe | You unsubscribe | Consent |
Site telemetry (aggregate) | 13 months | Rolling window | Legit. Interest |
05 — Who we share it with.
// Sub-processors — Six vendors · All EU/EEA or equivalent
We use a small, fixed set of vendors to run the studio. We do not share your data with anyone outside this list, and we do not sell, rent, license, or otherwise transfer your data to advertisers, brokers, or third-party marketers.
Vendor | Purpose | Location | SCC |
|---|---|---|---|
Fastmail | Email hosting | EU (NL) | N/A |
Stripe | Payment processing | IE / US | Yes |
Notion | Internal project notes | US | Yes |
Plausible | Site analytics | EU (DE) | N/A |
Buttondown | Newsletter delivery | US | Yes |
Hetzner | Site hosting | EU (DE/FI) | N/A |
We also share data when legally required — for example, with our auditors and tax authorities, or in response to a valid court order. We will tell you about any such request unless we are legally prohibited from doing so.
06 — Cookies & telemetry.
// Footprint — Near-zero · No ads · No cross-site
We do not use advertising cookies, conversion pixels, social trackers, or any cross-site identifier. We use one strictly-functional cookie, set by your browser when you change accent preferences in our Tweaks panel, and one analytics tool that does not set cookies or store identifiers of any kind.
altrix_pref — local preferences (theme, accent). Functional. Never sent to a server.
Plausible — fully anonymous, EU-hosted, no cookies, no fingerprinting.
// No cookie banner We don't use a cookie banner because we don't set the kind of cookies that need one. If that ever changes, we'll add one — and tell you why.
07 — International transfers.
// Safeguards — SCC · DPF · Equivalent basis
Some of our vendors (Stripe, Notion, Buttondown) are headquartered in the United States. Where data is transferred outside the EEA / Switzerland / UK, we rely on the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. Copies of these agreements are available on written request.
For Swiss residents, transfers are based on equivalent safeguards under the revised Swiss FADP (nFADP). For UK residents, the UK International Data Transfer Addendum applies.
08 — Your rights.
// Eight rights — No cost · 30-day response window
You have the following rights over the data we hold about you. To exercise any of them, email privacy@altrix.studio. We respond inside 30 days, free of charge, and never ask for ID beyond what we need to verify the request.
Access — a copy of everything we hold about you, in a portable format.
Rectification — to correct anything we have wrong.
Erasure — to be deleted ("right to be forgotten"), subject to legal retention.
Restriction — to limit how we use your data while a dispute is resolved.
Portability — to receive your data in a machine-readable format.
Objection — to opt out of legitimate-interest processing.
Withdraw consent — at any time, with no effect on prior lawful processing.
Lodge a complaint — with your supervisory authority. Ours are CNPD (PT), FDPIC (CH), and ICO (UK).
09 — Security & breach.
// Controls — Encrypted at rest · MFA · Least-privilege
Your data is encrypted in transit (TLS 1.3) and at rest. Access is gated by single-sign-on with multi-factor authentication. Only the operators directly assigned to your engagement have access to your records. We log every access.
In the unlikely event of a breach involving personal data, we will notify the relevant supervisory authority within 72 hours and notify you directly without undue delay if there is a meaningful risk to your rights.
10 — Changes to this policy.
// Change log — Version-controlled · Material changes notified
We version this document. Cosmetic edits are logged silently. Material changes — anything affecting your rights, our retention, our sub-processors, or our lawful bases — trigger a direct email to anyone we have a current relationship with, at least 30 days before they take effect.
// Changelog — 4 entries · Public
Version | Type | Note |
|---|---|---|
v3.2 · 2026.05.02 | Material | Added Buttondown sub-processor for newsletter delivery. |
v3.1 · 2026.02.14 | Cosmetic | Plain-language summary added at top of document. |
v3.0 · 2025.11.20 | Material | Updated for nFADP compliance after Switzerland operations launched. |
v2.0 · 2024.06.01 | Material | Full rewrite. Replaced legacy 2021 policy. |
11 — How to reach us.
// Contact — Human · 72h window · No tickets
Privacy questions are read by a human (currently the founder) inside 72 hours, often same-day. We don't run a support desk and we don't use a ticketing system — just email.
// Privacy office — Direct line Email is the fastest way.
Privacy office | |
General inquiries | |
Postal — Portugal | Altrix Unipessoal Lda · Rua do Século 22, 1200-433 Lisboa, PT |
Postal — Switzerland | Altrix CH · Seefeldstrasse 7, 8008 Zürich, CH |
// LEGAL REGISTRY