On this page
- Who we are (the controller)
- What personal data we collect
- Where we get your data from
- Legal basis for processing
- How we use your data
- Special categories of data
- Anti-money-laundering (AML / KYC)
- Children's data
- Who we share data with
- International transfers
- How long we keep your data
- Your rights under GDPR
- How to exercise your rights
- Automated decisions & profiling
- Marketing communications
- Cookies and tracking
- Security & data breaches
- Government & third-party data requests
- Changes to this policy
- Contact & complaints
- Glossary of terms
1. Who we are (the controller)
The data controller responsible for your personal data is:
BOCEAN IMMIGRATION PORTUGAL, LDA (trading as Blue Ocean Immigration and Reside in Portugal)
NIPC (Portuguese VAT): 519 043 731
Registered with the Conservatória do Registo Comercial de Lisboa
Registered office: Avenida da Liberdade, n.º 67B, 3.º B, 1250-140 Lisboa, Portugal
General contact: [email protected] · +351 21 824 7167
You can verify our company registration at any time via the Portuguese Commercial Registry's free online search (eportugal.gov.pt) using NIPC 519 043 731.
Data Protection point of contact
We are not legally required to appoint a formal Data Protection Officer under Article 37 GDPR (we are not a public authority, our core activity is not large-scale monitoring, and we do not process special-category data on a large scale). We have nonetheless designated a Privacy Lead as a single point of contact for all data-protection matters. For any matter relating to your personal data, write to [email protected]. We aim to acknowledge your message within 3 business days and provide a substantive response within 30 calendar days as required by Article 12(3) GDPR. Where a request is complex or we have received many requests, we may extend the response window by up to a further 60 days, in which case we will tell you why within the first 30.
2. What personal data we collect
We collect only what we need to deliver the services you purchase. The exact set depends on the service — buying just a NIF requires far less data than a Golden Visa or an LDA incorporation. Categories include:
| Category | Examples | When collected |
|---|---|---|
| Identity | Full legal name, date of birth, place of birth, nationality, sex/gender as it appears on your ID, marital status, names of parents, profession | Checkout and intake form (required on procurações before any authority filing) |
| Contact | Email, phone number, current residential address (origin country and Portugal once available) | Account creation; updated by you when something changes |
| Identification documents | Passport, national ID or residence-card number, country and date of issue, validity date; scanned copies when the case requires it; selfie-against-ID when AML demands liveness verification | Onboarding and at each renewal of your residence card |
| Portuguese fiscal data | Portuguese NIF (taxpayer number), Portuguese IBAN, residence-card number, Social Security number (NISS), AT password (you grant us access only if you instruct us to) | Issued/collected during service delivery |
| Case & intake answers | Service-specific questionnaire answers (e.g. business description for LDA, income evidence for D7, IFICI eligibility activity), document-checklist items you upload | After you sign the engagement letter |
| AML / source-of-funds | Bank statements, employment or pension proofs, deed of sale or inheritance certificate where applicable, declaration of source of funds | Where Lei 83/2017 requires Customer Due Diligence (LDA, banking, fiscal representation) |
| Family-link data | Marriage / civil-union certificate, birth certificates of dependent children, apostilles | For family-reunification and joint visa filings |
| Signed legal documents | Procuração, declaração de representação fiscal, engagement letter / contrato — together with the esignatures.com audit trail (signer IP, timestamps, certificate) | At each signature event |
| Payment metadata | Stripe Customer ID, Payment Intent ID, last 4 digits and brand of the card, billing country. We never see or store your full card number — Stripe holds it. | At each payment |
| Communication content | Emails, portal messages, support tickets, call notes — kept attached to the case for continuity | Whenever you contact us about your case |
| Technical & security data | IP address, browser user-agent, login timestamps, magic-link tokens, audit-log entries of every administrative action | Automatically, every time you use the portal |
We follow data minimisation (Art. 5(1)(c) GDPR): if a category is not required for the service you bought, we don't collect it. If you don't want to provide a piece of information, you can ask whether the service can still be delivered without it — sometimes yes (e.g. a middle name on a passport that doesn't appear on your ID), sometimes no (e.g. a passport scan for a NIF application — the AT will reject the file without it).
3. Where we get your data from
Almost all of it comes directly from you. A smaller set comes from third parties acting on your behalf or by operation of law:
- From the Portuguese authorities — once we file on your behalf under your procuração, the AT, AIMA or IRN return the relevant numbers (NIF, NIPC, residence-card number) to us so we can complete the case
- From the partner bank — when we open an account, the bank shares your IBAN and onboarding outcome with us
- From the consulate / VFS centre — when we coordinate a visa appointment, the centre confirms the booking
- From Stripe — payment outcomes (paid / failed / refunded) flow back to us via Stripe's webhooks
- From esignatures.com — signature events (signed / declined / expired) and the resulting signed PDF + audit trail
We do not buy lists of names, scrape public databases, or enrich your file using commercial data brokers.
4. Legal basis for processing
Article 6 of the GDPR requires us to have a lawful basis for every processing activity. Our bases are mapped below — most of our work runs on basis (b) (contract performance):
| Activity | Basis (Art. 6 GDPR) |
|---|---|
| Delivering the immigration / fiscal / corporate service you purchased; acting on your behalf under power of attorney; preparing and sending documents for signature | (b) Performance of a contract |
| Pre-contractual steps you ask us to take (e.g. eligibility quick-checks, quotes) | (b) Steps prior to entering a contract |
| Issuing and storing invoices; tax accounting and VAT filings | (c) Legal obligation — Art. 123º CIRC, Art. 52º CIVA, DL 28/2019 |
| Performing Customer Due Diligence (KYC), keeping AML records, reporting suspicious operations | (c) Legal obligation — Lei 83/2017 |
| Detecting fraud, securing the portal, maintaining an audit log of administrative actions, defending legal claims | (f) Legitimate interests — balanced against your rights, see §6 of our internal balancing test (available on request to [email protected]) |
| Sending you marketing email or newsletters | (a) Consent — you opt in, you can opt out at any time |
| Setting non-essential cookies (analytics) | (a) Consent — gated by the cookie banner |
5. How we use your data
- To deliver the immigration / fiscal / corporate services you purchased
- To prepare legal documents (powers of attorney, declarations, contracts) for you to sign
- To act on your behalf under power of attorney before the Portuguese tax authority (AT), AIMA, IRN, Conservatórias and banks — within the precise scope authorised by each procuração
- To send transactional emails (account creation, signature requests, document deliveries, case updates) — these are not marketing and you cannot opt out without ending the engagement
- To process payments, issue invoices, manage subscriptions (e.g. Caixa Postal Digital) and refunds
- To respond to your questions and provide customer support
- To detect and prevent fraud, abuse and account take-over
- To comply with our legal obligations (anti-money-laundering, tax law, court orders)
- To defend our rights in any dispute, where a refund is contested or a chargeback is filed
6. Special categories of data
Some Portuguese-authority filings require categories of data that the GDPR treats as "special" under Article 9 (data revealing health, religious or philosophical beliefs, biometric data, etc.). Where this applies to your case, we rely on the specific exception that allows the processing:
- Health data — limited to vaccination records (children's school onboarding) or a basic medical declaration where a visa category requires it. Basis: Art. 9(2)(a) explicit consent, plus Art. 9(2)(g) substantial public interest where the State expressly requires it
- Biometric data — a photograph on a passport or ID is not in itself special-category data: under Art. 9(1) and Recital 51 GDPR it only becomes biometric data when processed through specific technical means that allow unique identification. We use the image only to check that the document matches the person presenting it, not for unique identification by technical means. AIMA biometrics (fingerprints, photo) are taken by AIMA itself on arrival — we never collect or store biometric data
- Religious / philosophical beliefs — only collected if you choose to declare them on a marriage record, civil-union document or other certificate that intrinsically contains them. We do not ask, profile or use this information beyond the document itself
- Criminal record — under Art. 10 GDPR. We process apostilled criminal-record certificates only because the Portuguese visa or residence-permit authority requires them. The certificate is transmitted to the authority and our retained copy is governed by the same retention periods set out in §11 (typically the 7-year AML retention or the 10-year archival retention of signed documents, whichever ends later) — after which it is permanently destroyed. We never use the criminal record for any purpose beyond the specific authority filing for which you provided it
If your case does not involve any of the above, we don't process any special categories of data at all.
7. Anti-money-laundering (AML / KYC)
Some — but not all — of our services fall within the scope of Portuguese anti-money-laundering legislation (Lei n.º 83/2017). Specifically, we are an "entidade obrigada" under Article 4(1)(f) of that law when we act as a "prestador de serviços a sociedades" — that is, when our role on your case includes:
- The incorporation of a Portuguese LDA or other legal entity
- Providing the company's registered office, business address or postal address (e.g. when the Caixa Postal Digital is your statutory mailbox)
- Fiscal representation for a non-resident before the Portuguese tax authority
- Coordination of a Portuguese bank-account opening under our mandate, where we handle source-of-funds documentation on your behalf
- Acting as administrator, secretary, nominee partner or comparable fiduciary on a legal entity
For these services we must perform Customer Due Diligence (CDD / KYC):
- Identification — verify who you are using a government-issued document (passport or national ID). For higher-risk profiles we may also ask for a recent utility bill or bank statement to confirm your address
- Beneficial-ownership check — for company incorporation, we identify the natural persons who ultimately own or control the entity
- Source-of-funds declaration — for any movement of money (LDA capital, IRN fees, banking onboarding), we ask you to declare the legitimate origin of the funds and to support it with documentation proportional to the amount
- Risk classification — we classify the case as standard, enhanced or simplified due diligence based on objective criteria (PEP status, country of origin, complexity of the structure)
- Ongoing monitoring — throughout the engagement we keep an eye on inconsistencies between what you told us and what actually happens; significant changes trigger an update of the file
If you are a Politically Exposed Person (PEP) — that is, you currently hold or have held a prominent public function — Article 19 of Lei 83/2017 requires us to apply enhanced due diligence. Please tell us at the start of the engagement; this is not a barrier to service but it does affect the time we spend on file preparation.
Reporting suspicious operations. If we identify a transaction or attempted transaction that we reasonably suspect to be linked to money laundering or terrorism financing, Lei 83/2017 obliges us to report it to the Unidade de Informação Financeira (UIF) at the Polícia Judiciária. We are required by Article 54 of that law not to tell you that we have done so — this is known as the "no tipping-off" rule and is a legal duty, not a stylistic choice.
Services outside the AML perimeter
For services that do not involve company formation, fiscal representation, fiduciary services or the movement of money on your behalf — for example, a stand-alone NIF Express, a visa-only filing (D7, D8, Golden Visa) or a NHR / IFICI tax-regime registration — Lei 83/2017 does not classify us as an obligated entity. We nonetheless verify your identity with the same care under our general contractual due-diligence framework, and Portuguese authorities (AT, AIMA, consulates) and partner banks may apply their own independent KYC checks before accepting our filings.
8. Children's data
Some of our services involve minors — typically the dependent children of a primary applicant for a family-reunification visa, schooling onboarding or healthcare enrolment. A minor is a person below 18 under Portuguese law; separately, Art. 16 of Lei 58/2019 sets 13 as the age from which a child's own consent to online information-society services is valid, so below that age the holder of parental responsibility consents. When the case involves a minor:
- We process the child's data based on Art. 6(1)(b) GDPR (performance of a contract with the parent or legal guardian who purchased the service). The child is not our customer — the parent is
- For any processing that goes beyond what is strictly necessary to the engagement, we obtain the explicit consent of both holders of parental responsibility where applicable
- We collect only what the Portuguese authority requires for the specific case (typically: full name, date and place of birth, nationality, passport / ID, school records, vaccination records, apostilled birth certificate)
- We do not market services to children, we do not profile them and we do not enrich their data with third-party sources
- The same retention, security and rights described elsewhere in this policy apply to the child's data
- Rights are exercised by the parent or legal guardian until the child reaches the age of majority (18). On reaching 18, the (now adult) data subject can exercise their rights directly
9. Who we share data with
We share your data only with parties involved in delivering your service, and only the minimum needed for each disclosure. We never sell or rent your data.
Portuguese authorities (as authorised by your power of attorney)
- Autoridade Tributária e Aduaneira (AT) — for NIF issuance, fiscal representation, IFICI registration, tax declarations
- AIMA — Agência para a Integração, Migrações e Asilo — for residence-permit applications and renewals
- IRN / Conservatórias do Registo Comercial — for LDA company registration, beneficial-owner declarations (RCBE), and other commercial registry filings
- Segurança Social — for NISS enrolment and any social-security registrations tied to a Portuguese employment relationship
- VFS Global / Portuguese consulates — to coordinate visa appointments outside Portugal
Partner banks & financial intermediaries (only when you instruct us)
- Novobanco, Millennium bcp, ActivoBank, BPI — or any partner bank you elect, when we coordinate the opening of your Portuguese bank account
- The Caixa Postal Digital service provider (operated by the Portuguese State via ViaCTT / IRN) — when you subscribe to the digital mailbox add-on
Service providers (data processors acting on our instructions)
| Processor | Country | Role | Transfer safeguard |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Ireland (with US sub-processing by Stripe Inc.) | Payment processing, customer billing portal, recurring subscriptions | Within EEA + EU–US DPF + SCCs |
| esignatures.com | Per data-processing agreement | Electronic signature platform for procurações, declarations, contracts; eIDAS-compliant audit trail | Per DPA; SCCs where applicable |
| Resend Inc. | United States | Transactional email delivery (magic-link logins, signature requests, case updates) | EU–US Data Privacy Framework certified |
| Cloudflare Inc. | United States | CDN, DDoS protection, TLS termination | EU–US Data Privacy Framework certified + SCCs |
| Google Cloud Platform (Compute Engine, Cloud Storage) | EU region — europe-west1 (Belgium) primary, europe-west4 backup | Application hosting, document storage | Within EEA + SCCs for any incidental US sub-processing |
| Neon Inc. | EU region — eu-central-1 (Frankfurt) | Managed PostgreSQL database | Within EEA |
| Google LLC (Analytics 4) | United States | Anonymised website analytics (IP anonymisation enabled, only fires if you accept cookies) | EU–US Data Privacy Framework certified |
Each of these processors is bound by a Data Processing Agreement compliant with Article 28 GDPR and processes your data only on our documented instructions, with confidentiality obligations, security measures and breach-notification commitments. We review the list at least once a year and publish the current version here.
You can request the current, dated list of sub-processors at any time by emailing [email protected]. We will give you at least 30 days' notice before adding a new sub-processor that processes a material category of your data.
10. International transfers
The bulk of our infrastructure sits in the EU (our Lisbon office; the GCP regions europe-west1 in Belgium and europe-west4 in the Netherlands; the Frankfurt database region — see §9). When personal data needs to flow outside the European Economic Area, we use one of the safeguards permitted by Chapter V of the GDPR:
- Adequacy decisions — where the European Commission has formally decided that a destination country offers an adequate level of protection (e.g. United Kingdom, Switzerland)
- The EU–US Data Privacy Framework — for transfers to the US-based processors listed in §9 that are DPF-certified (Stripe sub-processing, Resend, Cloudflare, Google LLC for Analytics)
- EU Commission's Standard Contractual Clauses (Implementing Decision 2021/914) plus supplementary technical and organisational measures (encryption in transit and at rest, pseudonymisation where feasible, controller-only access keys for sensitive data) — for any transfer not covered by the above
You can request a copy of the SCCs we rely on (with confidential commercial terms redacted) by writing to [email protected].
11. How long we keep your data
Once the retention period for a category ends, we permanently delete the data or, where deletion is technically impractical (e.g. archived backups), we render it inaccessible until the backup is itself overwritten. Pseudonymised statistical aggregates may be retained indefinitely but contain nothing that can be linked back to you.
| Category | Retention | Counted from | Legal basis |
|---|---|---|---|
| Active case data (intake, documents, messages) | Duration of the engagement + 1 year | The last activity on the case | Service continuity; defending legal claims (Art. 6(1)(b) and (f)) |
| Invoices and accounting records | 10 years | End of the fiscal year of issuance | Art. 123º CIRC, Art. 52º CIVA, DL 28/2019 |
| Signed legal documents (procurações, declarações, contratos) | 10 years | Last day of validity / revocation | Aligned with our 10-year accounting retention (Art. 123º CIRC) — below the 20-year ordinary statute of limitations of Art. 309º Código Civil |
| AML / KYC records | 7 years | End of the business relationship or completion of the occasional transaction | Art. 51º Lei 83/2017 |
| Suspicious-transaction reports filed with UIF | 7 years | Date of filing | Art. 54º Lei 83/2017 |
| Administrative audit log of the portal | 2 years | Event date | Legitimate interest in detecting fraud (Art. 6(1)(f)) |
| Magic-link tokens, login sessions | 30 minutes (magic-link token) / 30 days (login session, matching the reside_portal cookie in §16 and the automatic logout in §17) | Issuance | Service security |
| Marketing email subscriber list | Until you unsubscribe | Consent withdrawal | Art. 6(1)(a) |
| Server access logs | 30 days | Request date | Legitimate interest in operating the platform |
Even after you receive a refund and we cancel the engagement (see the Refund Policy and the Terms of Service), the invoicing, signed-documents and AML records remain stored for the statutory periods above. They are placed under "archival lock": access is restricted to staff who specifically need it (e.g. responding to a tax inspection), and the records cannot be deleted, edited or used for any operational purpose.
12. Your rights under GDPR
Articles 15 to 22 of the GDPR give you a set of rights over the personal data we hold about you. In summary:
| Right | What it lets you do | Article |
|---|---|---|
| Access | Receive a copy of all the personal data we hold about you, with information on the purposes, recipients, retention and your other rights | Art. 15 |
| Rectification | Have inaccurate or incomplete data corrected or completed | Art. 16 |
| Erasure ("right to be forgotten") | Have your data deleted, subject to the legal retention obligations in §11 | Art. 17 |
| Restriction | Limit our use of your data while a contested point is being resolved | Art. 18 |
| Notification | Have every recipient to whom we disclosed your data informed of a rectification, erasure or restriction we have carried out, and be told who those recipients are if you ask | Art. 19 |
| Portability | Receive your data in a structured, machine-readable format (we use JSON), or have us transmit it directly to another controller where technically feasible | Art. 20 |
| Objection | Object to processing based on legitimate interests (Art. 6(1)(f)) or for marketing — for marketing, the objection is absolute | Art. 21 |
| No automated decision | Not be subject to a decision based solely on automated processing that produces legal effects on you (see §14) | Art. 22 |
| Consent withdrawal | Withdraw consent at any time without affecting prior lawful processing | Art. 7(3) |
| Lodge a complaint | Complain to the Portuguese supervisory authority (CNPD) or any other competent EU supervisory authority | Art. 77 |
| Representation | Mandate a not-for-profit body to exercise rights on your behalf (under Art. 80 GDPR, in the conditions of Lei 58/2019 art. 49) | Art. 80 |
13. How to exercise your rights
- Email [email protected] with the subject "GDPR request — <your case reference or email>". Tell us which right you want to exercise and what you want us to do.
- Identity verification — to prevent third parties impersonating you, we ask for one piece of evidence linking you to the account (e.g. confirmation from the email we have on file, or a photograph of the same ID we already hold). We do not collect new identification documents for a rights request.
- Acknowledgement — we confirm receipt within 3 business days and tell you who is handling the request.
- Substantive response — within 30 calendar days. For complex or many-pronged requests we may extend by up to 60 days, with reasons explained in writing within the first 30.
- Format — access and portability responses are delivered through the portal as a downloadable archive (JSON + PDFs) or by encrypted email at your choice. We don't post paper copies unless you specifically ask.
- Cost — the first request in any 12-month period is free. We may charge a reasonable administrative fee — in line with the guidance of the CNPD and Article 12(5) GDPR — only for manifestly excessive or repetitive requests, and we explain it upfront.
- Appeal — if we refuse a request, you may lodge a complaint with the CNPD (see §20) or seek judicial remedy under Art. 79 GDPR.
14. Automated decisions & profiling
We do not make decisions that produce legal effects on you (or similarly significantly affect you) based solely on automated processing within the meaning of Article 22 GDPR. Every consequential decision about your case — accepting an engagement, classifying a KYC risk, refusing a service, issuing or denying a refund — is reviewed by a human consultant.
Some operations are automated for routing or convenience: the platform suggests document checklists based on the service you bought, the cookie banner sets analytics flags, and our anti-fraud checks score a checkout based on Stripe's fraud signals. None of these produce legal effects on you, and you can always escalate to a human by emailing [email protected].
We do not use your data to build advertising or marketing profiles, and we do not share your data with ad networks.
15. Marketing communications
We may send you marketing emails (e.g. an annual immigration-policy roundup, occasional product news) only if you have opted in (consent, Art. 6(1)(a), as set out in §4) and only about services related to the ones you have used. Every marketing email contains a one-click unsubscribe link; you can also email [email protected]. Unsubscribing from marketing does not affect transactional emails about your active cases.
We do not run paid ads with profiling on Facebook, Instagram, TikTok, X or comparable platforms. If we ever do, we will update this section, notify subscribers by email at least 30 days in advance, and request fresh consent where required.
16. Cookies and tracking
We use a small set of cookies, all set on the resideportugal.com and app.resideportugal.com domains:
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| reside_portal | Customer-portal session (keeps you signed in) | 30 days | Strictly necessary |
| rp_cookie_consent | Stores your cookie-banner choice ("accepted" or "rejected") | 12 months | Strictly necessary |
| __cf_bm | Cloudflare bot-management challenge | 30 minutes | Strictly necessary |
| _ga, _ga_* | Google Analytics 4 — anonymised page-view counts | 2 years | Analytics (opt-in) |
| __stripe_mid, __stripe_sid | Stripe fraud-prevention on the checkout page | 1 year / 30 minutes | Strictly necessary (only on /checkout) |
Strictly-necessary cookies cannot be disabled; without them the portal cannot keep you signed in or remember your consent choice. Analytics cookies only fire after you accept them via the banner — you can change your mind at any time by deleting the rp_cookie_consent cookie in your browser settings and reloading the page (the banner will reappear). Deleting the consent cookie does not by itself remove any _ga cookies already set; if you withdraw consent, delete those too so that analytics stops immediately rather than when they expire.
We do not use advertising, retargeting, social-media tracking pixels, fingerprinting libraries or session-recording tools.
17. Security & data breaches
We follow industry-standard security practices proportionate to the sensitivity of the data we hold:
Technical measures
- TLS 1.3 encryption in transit on every endpoint (HTTPS everywhere, HSTS preloaded)
- Encryption at rest for databases, backups and document storage (AES-256)
- Least-privilege database access; production credentials stored in Google Secret Manager and rotated at least once a year
- HMAC-signed server-to-server webhooks (Stripe, esignatures.com, the bocean admin) with replay protection
- Audit log capturing every administrative action (status changes, document uploads, message sends, refunds)
- Application-level CSRF protection, rate limiting on authentication endpoints, automatic logout after 30 days
- Regular dependency updates and security patches; we monitor Composer / npm advisories continuously
Organisational measures
- Two-factor authentication on every staff account for the portal, email, Stripe, the bocean admin and the cloud console
- Need-to-know access: each staff member sees only the cases they are working on
- All staff sign confidentiality undertakings on hire and receive practical GDPR / AML guidance before being given access to client files
- Sub-processors are bound by DPAs that mirror the security obligations above
If a personal-data breach occurs
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the CNPD within 72 hours of becoming aware, as required by Article 33 GDPR
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by Article 34 GDPR. The notification will describe in clear language what happened, what data was affected, what we are doing about it and what you can do to protect yourself
- Investigate the root cause, contain the incident, restore service from clean backups where needed, and apply remediation to prevent recurrence
- Publish a public summary (without exposing individuals) once the investigation is complete, in the spirit of transparency
If you suspect that your account has been compromised or that we may have been breached, please email [email protected] immediately. We treat security reports confidentially and do not retaliate against good-faith reporters.
18. Government & third-party data requests
If a Portuguese or foreign authority asks us for personal data about you outside the channels of your power of attorney, we apply the following rules:
- Portuguese authorities — we comply with valid Portuguese court orders, judicial subpoenas and tax / AML inspections under Portuguese law. We do not voluntarily disclose data beyond what the order strictly requires.
- Foreign authorities — we do not directly comply with foreign-government requests for personal data unless they have been validated by a Portuguese court or are channelled through a mutual legal-assistance treaty (MLAT) and the Portuguese Ministério Público. This includes US executive orders, US grand-jury subpoenas, requests under the US CLOUD Act and equivalent third-country instruments.
- Civil third-party requests (e.g. opposing parties in a private lawsuit) — we require a Portuguese court order or the data subject's written consent.
Where the law allows us to tell you about a request that involves your data, we will — typically before complying, so you have the chance to seek judicial relief yourself. Where we are legally prohibited from telling you (e.g. gag orders under Art. 54 Lei 83/2017), we comply with the minimum strictly required by the order. Aggregate information about any government data requests we have received is available on written request to [email protected].
19. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For changes that materially affect your rights — adding a sub-processor that processes sensitive data, materially extending a retention period, changing the legal bases relied on — we will notify you by email and via a banner on the website at least 30 days before they take effect, so you have time to react. Minor editorial changes (typos, clarifications) take effect immediately and are listed in the change log below.
Change log
- 18 May 2026 — initial publication of the policy.
20. Contact & complaints
For any privacy-related question, to exercise your rights, or to report a security concern:
Security incidents: [email protected]
Postal: Avenida da Liberdade, n.º 67B, 3.º B, 1250-140 Lisboa, Portugal
Phone (business hours, Lisbon time): +351 21 824 7167
We aim to resolve every concern in-house. If you are not satisfied with our response, or if you believe our processing of your data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority — in Portugal:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 — 1.º, 1200-651 Lisboa
www.cnpd.pt · [email protected]
Under Article 77 GDPR, EU residents may also lodge a complaint with the supervisory authority of their country of habitual residence or place of work.
21. Glossary of terms
- AIMA
- Agência para a Integração, Migrações e Asilo — the Portuguese authority responsible for immigration and residence permits (successor to SEF).
- AML / KYC
- Anti-Money Laundering / Know-Your-Customer — the legal obligation to verify clients and the source of funds before providing services that can be misused for financial crime.
- AT
- Autoridade Tributária e Aduaneira — the Portuguese tax authority. Issues NIFs, manages VAT, runs IFICI / NHR registrations.
- CNPD
- Comissão Nacional de Proteção de Dados — the Portuguese data-protection supervisory authority. Equivalent of the French CNIL, the Spanish AEPD, the German BfDI.
- Controller
- The legal entity that decides why and how your personal data is processed. In this policy, the controller is BOCEAN IMMIGRATION PORTUGAL, LDA.
- DPA / DPF / SCCs
- DPA = Data Processing Agreement (the contract that binds a processor to a controller under Art. 28 GDPR). DPF = the EU–US Data Privacy Framework, an adequacy regime for transferring data to certified US companies. SCCs = Standard Contractual Clauses, model contracts issued by the European Commission for transfers to third countries.
- GDPR
- General Data Protection Regulation — Regulation (EU) 2016/679, the EU's main data-protection law. Supplemented in Portugal by Lei n.º 58/2019.
- IRN
- Instituto dos Registos e do Notariado — the Portuguese authority responsible for civil, commercial and property registries. Issues NIPCs and runs the Caixa Postal Digital.
- Lei 83/2017
- Portuguese anti-money-laundering and counter-terrorism-financing law (Lei n.º 83/2017 de 18 de agosto).
- NIF / NIPC
- NIF = Número de Identificação Fiscal, the Portuguese taxpayer number for individuals. NIPC = Número de Identificação de Pessoa Coletiva, the Portuguese taxpayer number for companies.
- PEP
- Politically Exposed Person — someone who currently holds or has recently held a prominent public function, plus close family members and known associates. Triggers enhanced due diligence under Lei 83/2017 Art. 19.
- Processor
- A third party that processes your personal data on the controller's behalf and instructions (e.g. Stripe processing payments for us).
- UIF
- Unidade de Informação Financeira — Portugal's financial-intelligence unit, housed inside the Polícia Judiciária. Receives suspicious-transaction reports.