Privacy Policy

Effective Date: November 8, 2025
Last Updated: November 7, 2025

1. Introduction

Starkguards ("we," "us," or "our") is committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, process, and protect your personal information when you visit our website https://www.starkguards.com or use our cybersecurity services.

This Privacy Policy complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Portuguese Law No. 58/2019 of August 8, 2019, which implements the GDPR in Portugal.

Who We Are:

  • Company Name: Starkguards

  • Business Type: Cybersecurity services provider specializing in red team engagements, penetration testing, threat modeling, and security assessments

  • Location: Portugal (European Union)

  • Website: https://www.starkguards.com

  • Data Protection Officer Email: dpo@starkguards.com

2. Data Controller

For the purposes of the GDPR and Portuguese data protection law, Starkguards is the data controller responsible for your personal data.

Contact Information:

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at dpo@starkguards.com.

3. What Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide Directly

Contact Form / Service Inquiries:

  • Full name

  • Company name

  • Email address

  • Phone number (if provided)

  • Job title / role

  • Message content and inquiry details

  • Any other information you choose to provide

Service Engagement:
When you engage our cybersecurity services, we may collect:

  • Technical contact information

  • Organizational security requirements

  • Project scope and specifications

  • Billing and payment information

  • Communication records related to service delivery

3.2 Information We Collect Automatically

Website Usage Data:

  • IP address

  • Browser type and version

  • Operating system

  • Date and time of visit

  • Pages visited and time spent on pages

  • Referring website addresses

  • Device information

Technical and Security Logs:

  • Server logs for security and performance monitoring

  • Error logs and diagnostic information

3.3 Information We Do NOT Collect

We do NOT collect:

  • Sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation) unless specifically required and authorized for a security engagement

  • Financial payment details (processed by third-party payment processors)

  • Social media tracking data (unless you voluntarily interact with our social media)

4. Legal Basis for Processing Your Personal Data

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Purpose of Processing: Responding to inquiries and providing requested information

Legal Basis: Consent (Article 6(1)(a)) or Legitimate Interest (Article 6(1)(f))

Purpose of Processing: Delivering cybersecurity services you have contracted

Legal Basis: Performance of Contract (Article 6(1)(b))

Purpose of Processing: Sending service-related communications

Legal Basis: Performance of Contract (Article 6(1)(b))

Purpose of Processing: Website security and fraud prevention

Legal Basis: Legitimate Interest (Article 6(1)(f))

Purpose of Processing: Compliance with legal obligations (e.g., tax, accounting)

Legal Basis: Legal Obligation (Article 6(1)(c))

Purpose of Processing: Website analytics and improvement (if implemented)

Legal Basis: Consent (Article 6(1)(a))

Legitimate Interests: Where we rely on legitimate interests, these include:

  • Protecting our business and systems from security threats

  • Improving our services and website functionality

  • Communicating with potential clients about our cybersecurity services

  • Ensuring network and information security

You have the right to object to processing based on legitimate interests at any time.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

5.1 Service Delivery:

  • Responding to your inquiries about our services

  • Providing quotes and proposals for cybersecurity engagements

  • Delivering red team, penetration testing, and security assessment services

  • Managing ongoing client relationships

  • Providing technical support

5.2 Communication:

  • Sending service-related updates and notifications

  • Responding to questions and requests

  • Providing information about our services (with consent)

5.3 Legal and Security:

  • Complying with legal and regulatory obligations

  • Detecting and preventing fraud, security incidents, and illegal activities

  • Protecting our legal rights and interests

  • Maintaining audit trails for security purposes

5.4 Website Operations:

  • Ensuring website functionality and security

  • Troubleshooting technical issues

  • Monitoring website performance

5.5 Business Improvement (Future):

  • Analyzing website usage to improve user experience (only with consent when analytics tools are implemented)

  • Understanding client needs to enhance our services

6. How We Share Your Personal Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

We may share your personal data with the following categories of recipients:

6.1 Service Providers and Processors

We may share data with trusted third-party service providers who process data on our behalf, including:

  • Website Hosting Providers: To host our website and store data

  • Email Service Providers: To send and receive communications

  • IT Security and Infrastructure Providers: To maintain secure systems

  • Payment Processors: To process payments for our services (they process data under their own privacy policies)

  • Cloud Storage Providers: To securely store project data and communications

All third-party processors are contractually obligated to:

  • Process data only according to our instructions

  • Implement appropriate security measures

  • Comply with GDPR requirements

  • Not use data for their own purposes

6.2 Legal Requirements

We may disclose your personal data if required to:

  • Comply with legal obligations, court orders, or regulatory requirements

  • Protect the rights, property, or safety of Starkguards, our clients, or others

  • Detect, prevent, or address fraud, security, or technical issues

  • Enforce our Terms and Conditions

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity, subject to the same privacy protections.

6.4 With Your Consent

We may share data with other third parties when you have given explicit consent.

7. International Data Transfers

As a company based in Portugal (EU), we primarily store and process your data within the European Economic Area (EEA).

If we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Adequacy Decisions by the European Commission for certain countries

  • Binding Corporate Rules or other approved mechanisms

You have the right to request information about the safeguards we use for international transfers by contacting dpo@starkguards.com.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

Retention Periods:

Data Type: Contact form inquiries (no service engagement)

Retention Period: 2 years from last contact

Reason: Legitimate business interest

Data Type: Client project data and communications

Retention Period: 7 years after project completion

Reason: Legal and contractual obligations; industry best practice

Data Type: Financial and accounting records

Retention Period: 10 years

Reason: Portuguese tax and accounting law requirements

Data Type: Website logs and security data

Retention Period: 12 months

Reason: Security monitoring and incident response

Data Type: Marketing communications (if subscribed)

Retention Period: Until withdrawal of consent

Reason: Consent-based processing

After the retention period expires, we will securely delete or anonymize your personal data.

You may request earlier deletion by exercising your right to erasure (see Section 10).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, alteration, or disclosure.

Security Measures Include:

Technical Measures:

  • Encryption of data in transit (TLS/SSL) and at rest

  • Secure authentication and access controls

  • Regular security testing and vulnerability assessments

  • Firewall and intrusion detection systems

  • Secure backup and disaster recovery procedures

  • Regular software updates and patch management

Organizational Measures:

  • Strict access controls and need-to-know principles

  • Confidentiality agreements with all personnel

  • Data protection training for staff

  • Incident response and breach notification procedures

  • Regular security audits and compliance reviews

  • Data minimization and privacy by design practices

As a cybersecurity company, we apply industry-leading security standards to protect your data. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

If you become aware of any security incident involving your data, please contact us immediately at dpo@starkguards.com.

 

10. Your Data Protection Rights Under GDPR

Under the GDPR and Portuguese law, you have the following rights regarding your personal data:

10.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

10.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data.

10.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including:

  • Data is no longer necessary for the purposes collected

  • You withdraw consent (where processing was based on consent)

  • You object to processing based on legitimate interests

  • Data was unlawfully processed

  • Legal obligation requires erasure

Limitations: We may be unable to delete data if required for legal obligations, legal claims, or other legitimate purposes.

10.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your data in certain situations:

  • You contest the accuracy of the data

  • Processing is unlawful but you prefer restriction over erasure

  • We no longer need the data but you need it for legal claims

  • You have objected to processing pending verification

10.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller where:

  • Processing is based on consent or contract

  • Processing is carried out by automated means

10.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.

10.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.8 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.

We do not currently use automated decision-making or profiling.

10.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of alleged infringement.

Portuguese Data Protection Authority:

  • Name: Comissão Nacional de Proteção de Dados (CNPD)

  • Website: https://www.cnpd.pt

  • Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal

  • Phone: +351 21 392 84 00

  • Email: geral@cnpd.pt

 

11. How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

Email: dpo@starkguards.com


Subject Line: "Data Subject Rights Request - [Your Name]"

Please include:

  • Your full name

  • Your email address

  • Description of your request

  • Proof of identity (to verify your identity and prevent unauthorized access)

Response Time: We will respond to your request within one month of receipt. In complex cases, we may extend this by up to two additional months and will notify you of the extension and reasons.

Free of Charge: Exercising your rights is generally free. However, we may charge a reasonable fee for manifestly unfounded or excessive requests.

12. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy https://www.starkguards.com/.

Current Cookie Usage:
At present, we only use strictly necessary cookies that are essential for website functionality and security. These cookies do not require your consent under GDPR.

Future Cookie Usage:
When we implement analytics, marketing, or other non-essential tools, we will:

  • Request your explicit consent before setting non-essential cookies

  • Provide a cookie consent banner

  • Allow you to manage your cookie preferences

  • Update our Cookie Policy accordingly

 

13. Third-Party Links

Our website may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to those third-party sites.

We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.

14. Children's Privacy

Our services are intended for businesses and professional use. We do not knowingly collect personal data from individuals under the age of 16.

If you believe we have inadvertently collected data from a child under 16, please contact us immediately at dpo@starkguards.com, and we will delete it promptly.

15. Data Protection Officer (DPO)

While not legally required to appoint a DPO under Article 37 GDPR, we have designated a data protection contact point for privacy inquiries:

Data Protection Contact:

  • Email: dpo@starkguards.com

  • Responsibilities:

    • Monitoring GDPR compliance

    • Advising on data protection obligations

    • Cooperating with the supervisory authority

    • Serving as contact point for data subjects

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.

Notification of Changes:

  • Material Changes: We will notify you by email (if you have provided an email address) and/or by prominent notice on our website

  • Minor Changes: Will be posted on this page with an updated "Last Updated" date

Your Continued Use: Continued use of our website or services after changes become effective constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

17. Legal Framework and Compliance

This Privacy Policy complies with:

  • General Data Protection Regulation (EU) 2016/679 (GDPR)

  • Portuguese Law No. 58/2019 (GDPR implementation in Portugal)

  • ePrivacy Directive 2002/58/EC (as amended)

  • Portuguese Consumer Protection Law (Lei No. 24/96)

  • Portuguese Electronic Commerce Law (Decreto-Lei 7/2004)

18. Business Services and Confidentiality

Cybersecurity Services:
When you engage Starkguards for cybersecurity services (red team engagements, penetration testing, threat modeling, etc.), additional data protection and confidentiality terms will apply as outlined in our service agreements and non-disclosure agreements (NDAs).

Confidentiality Commitment:
All information obtained during security engagements is treated as strictly confidential and is protected by contractual confidentiality obligations in addition to this Privacy Policy.

 

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

General Inquiries:

Data Protection Officer:

Postal Address: Estr. Malveira da Serra 920, 2750-834 Cascais, Portugal

Portuguese Data Protection Authority (CNPD):

20. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: An entity that processes personal data on behalf of the controller.

Data Subject: The individual to whom personal data relates.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing of personal data.

 

This Privacy Policy was last updated on November 7, 2025.

Effective Date: November 8, 2025

 

 

© 2025 Starkguards. All rights reserved.
