Legal
Privacy Policy
Last updated: April 2026 · Breathcraft, Lisbon, Portugal
This policy explains what personal data Breathcraft collects, why it is collected, how it is used, and your rights under the General Data Protection Regulation (GDPR) and applicable Portuguese data protection law. Breathcraft is a sole trader practice operated by João Tomé, based in Lisbon, Portugal.
1. Who we are
Data controller: João Tomé, trading as Breathcraft, Lisbon, Portugal.
Contact: joao@breathcraft.me
2. What data we collect
We collect only the data necessary to operate the practice and communicate with clients:
- Contact data — name, email address, and any information you provide voluntarily in application forms or emails.
- Health and wellbeing information — relevant background you share before or during sessions (e.g. medical conditions, current medications, mental health history). This is special category data under GDPR and is handled with strict confidentiality.
- Session notes — brief practitioner notes kept for continuity of care. These are never shared.
- Payment data — processed through third-party payment providers (Stripe or equivalent). We do not store card details.
- Usage data — basic analytics on website visits (page views, referral source) via privacy-preserving tools. No personally identifying data is collected in analytics.
3. Why we collect it and the legal basis
- To deliver the service (contractual necessity) — scheduling, session notes, follow-up communications.
- To process payment (contractual necessity) — invoicing and payment records.
- To maintain a record of care (legitimate interest) — practitioner notes for continuity and safety.
- Health data (explicit consent) — collected only with your informed consent prior to working together.
- Marketing communications (consent) — only if you have explicitly opted in. You can withdraw at any time.
4. How data is stored
Client data is stored in encrypted form using services that comply with GDPR (Google Workspace for communications, Notion or equivalent for session notes). Health and session data is never stored in unencrypted form and is never transmitted to third parties except where legally required.
Data is retained for a maximum of three years after the end of a client relationship, after which it is securely deleted.
5. Who we share data with
We do not sell, rent, or share your data with third parties for marketing purposes. Data may be shared only with:
- Payment processors (Stripe) — for transaction processing only.
- Scheduling tools (Calendly) — for booking management only.
- Legal or regulatory authorities — only if required by law.
All third-party processors used are GDPR-compliant.
6. Your rights
Under GDPR you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data, subject to legal retention requirements.
- Restriction — ask us to limit how we use your data.
- Portability — receive your data in a portable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time, for processing based on consent.
To exercise any right, email joao@breathcraft.me. We will respond within 30 days. You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD).
7. Cookies
This website uses minimal cookies. See our Cookie Policy for full details.
8. Changes to this policy
We may update this policy from time to time. The date at the top of this page reflects the most recent revision. Continued use of the site or service after a change constitutes acceptance of the updated policy.
9. Contact
For any privacy-related questions: joao@breathcraft.me