Privacy Policy
Last updated: March 8, 2026
Effective date: March 8, 2026
1. Data Controller & Data Protection Contact
This Privacy Policy describes how GESTIVON SOFTWARE SOLUTIONS, LDA (NIF: 519293436), a company registered in Portugal ("Punctual," "we," "us," or "our"), collects, uses, and protects personal data in connection with the Punctual platform and its services.
Punctual acts as the Data Controller for personal data of registered Businesses and their authorised users. Regarding End-User data processed on behalf of a Business, Punctual acts as a Data Processor under the instructions of that Business (the Data Controller). See Section 11 of our Terms of Service for the full Data Processing Agreement.
2. Scope & Who This Policy Applies To
This Privacy Policy applies to:
- Businesses & their staff — organisations and individuals who register and use the Punctual platform to manage their operations;
- Website Visitors — people who visit punctual.pt or related Punctual web properties;
- End-Users / Customers — individuals whose data is processed through the Service on behalf of a Business (e.g., a person booking an appointment). If you are an End-User of a Business using Punctual, the Business's own privacy policy is the primary reference for how the Business has collected your data and instructed us to process it. This Policy explains our role as Data Processor in that context.
3. Personal Data We Collect
3.1 Account & Business Data (Businesses)
- Full name, email address, phone number
- Business name, address, NIF/VAT number, and business registration details
- Subscription and payment information (billing address, last 4 digits of card — full card data is held by Stripe)
- Account credentials (hashed passwords) and session tokens
- Communication preferences and notification settings
3.2 End-User / Customer Data (Processed on behalf of Businesses)
- Name, email address, and phone number (provided during booking)
- Appointment history, booking preferences, and notes
- Voice data is processed ephemerally in real-time to facilitate bookings. We do not record, store, or log any audio files or AI-generated transcriptions.
- WhatsApp message content (chat logs processed through the Business's integration)
- Payment references and transaction status (processed via Stripe)
3.3 Technical & Usage Data
- IP address, browser type and version, operating system
- Pages visited, features used, and interaction logs within the platform
- Error logs and diagnostics
- Cookies and similar tracking technologies (see Section 10)
3.4 Data We Do Not Collect
We do not intentionally collect special categories of personal data (e.g., health data, racial or ethnic origin, political opinions, religious beliefs, biometric data) unless a Business operating in a regulated sector (e.g., healthcare) specifically configures fields for this. In such cases, the Business is responsible for establishing the appropriate legal basis.
4. Legal Basis for Processing (GDPR Article 6)
We rely on the following legal bases when processing personal data:
| Processing Purpose | Legal Basis |
|---|---|
| Creating and managing your Business account | Contractual necessity (Art. 6(1)(b)) |
| Processing Subscription payments | Contractual necessity (Art. 6(1)(b)) |
| Sending transactional emails and SMS notifications | Contractual necessity (Art. 6(1)(b)) |
| Processing booking and customer data on behalf of Businesses | Processor acting on Business's instructions (Art. 6(1)(b) / (1)(f)) |
| Complying with legal obligations (tax, accounting records) | Legal obligation (Art. 6(1)(c)) |
| Improving the platform and preventing fraud / abuse | Legitimate interests (Art. 6(1)(f)) |
| Real-time AI voice processing (ephemeral) | Consent of End-User (Art. 6(1)(a)), obtained by the Business |
| Marketing communications to Businesses (opt-in) | Consent (Art. 6(1)(a)) |
5. How We Use Your Personal Data
We use your data to:
- Provide, operate, and maintain the Punctual platform and all its features;
- Process payments for Subscriptions and enable Business-to-End-User transactions via Stripe;
- Send transactional notifications (booking confirmations, reminders, receipts) via email and SMS;
- Provide customer support and respond to your enquiries;
- Detect, investigate, and prevent fraudulent transactions, abuse, and security threats;
- Analyse usage patterns to improve the platform's features and user experience;
- Comply with applicable legal and regulatory obligations in Portugal and the EU;
- Enforce our Terms of Service and other agreements.
We do not use your data or your End-Users' data to train third-party AI models. Voice transcriptions generated by Deepgram are used solely to power the AI booking assistant and are not shared for model training.
6. AI Voice Processing (Zero Retention)
If a Business enables the AI voice assistant feature, telephone calls handled through the Punctual platform are processed by an AI in real-time. This automated processing of communications is subject to Portuguese law (Lei n.º 41/2004, de 18 de Agosto) and applicable EU telecommunications regulations governing interception and privacy.
Consent responsibility & Disclaimer: The Business (as Data Controller) is responsible for ensuring that End-Users are informed of and have consented to automated AI processing prior to each call. Punctual's AI voice assistant is configured to always explicitly announce at the beginning of the call that the interaction is being handled by an AI. If the End-User does not wish to interact with an AI, the assistant will instruct them to reach the Business through alternative channels (e.g., WhatsApp or email). While Punctual enforces this technical safeguard, the ultimate legal obligation for valid consent rests with the Business.
How voice data is processed:
- Audio is transmitted securely via our self-hosted LiveKit infrastructure;
- Real-time transcription is performed by Deepgram (speech-to-text) under a strict data processing agreement;
- No storage: Voice data is processed strictly in real-time (ephemerally) in memory. We explicitly do not record, save, store, or log any audio files or AI-generated transcriptions to our databases or servers after the call concludes.
Retention: Because neither call audio nor transcriptions are stored, the retention period for voice data and transcriptions is zero seconds post-call (Privacy by Design).
7. Data Sharing & Sub-Processors
We do not sell your personal data or your End-Users' data to third parties. We only share personal data with the following categories of recipients, under strict contractual obligations:
7.1 Sub-Processors
All sub-processors are bound by data processing agreements and are required to maintain appropriate technical and organisational security measures:
| Sub-Processor | Country | Purpose | Data Transferred |
|---|---|---|---|
| Google Cloud (GCP / Vertex AI) | USA (EU region) | Backend hosting, AI/LLM, text-to-speech | All processed data |
| Neon | USA (EU region) | PostgreSQL database | All stored data |
| OVH Cloud | EU | VPS hosting (LiveKit, SIP server, AI agent) | Audio streams, call metadata, and application data |
| Cloudflare | USA (global CDN) | Frontend hosting, CDN, WAF | IP addresses, HTTP metadata |
| Stripe | USA (EU entity) | Payment processing | Cardholder data, billing info, transaction details |
| Deepgram | USA | Speech-to-text transcription | Real-time ephemeral voice audio (not stored) |
| Dominios.pt (SMTP) | Portugal (EU) | Transactional email delivery | Recipient email address, message content |
| Zadarma | UK/EU | SIP telephony, SMS | Phone numbers, SMS content |
7.2 Other Disclosures
We may also share your data with:
- Legal authorities: When required by law, court order, or to protect the rights and safety of Punctual, our users, or the public;
- Business transfers: In connection with a merger, acquisition, or sale of all or part of our business, with notice provided to you;
- Professional advisers: Lawyers, accountants, and auditors, subject to professional confidentiality obligations.
8. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred to countries not recognised by the European Commission as providing an adequate level of protection, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), incorporated into our data processing agreements with sub-processors;
- EU–US Data Privacy Framework, where the relevant sub-processor is certified.
You may request a copy of the relevant safeguards by contacting us at privacy@punctual.pt.
9. Data Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements.
| Data Category | Retention Period | Basis |
|---|---|---|
| Business account data | Duration of subscription + 90 days after cancellation | Contractual / operational |
| Billing & payment records | 10 years after transaction | Tax & commercial law (Portugal) |
| Booking records (End-User data) | 2 years after appointment date | Legitimate interests / contractual |
| Voice audio & AI transcriptions | Not retained (processed ephemerally in real-time) | Privacy by Design / Data Minimization |
| SMS & email logs | 12 months | Operational / support purposes |
| Application & security logs | 90 days | Security monitoring |
| Consent records | 3 years after consent withdrawal or account deletion | Compliance / legal defence |
10. Cookies & Tracking Technologies
We use cookies and similar technologies on our website and platform. A cookie is a small text file placed on your device to help us provide and improve our services.
| Type | Purpose | Can be disabled? |
|---|---|---|
| Strictly Necessary | Authentication sessions, security tokens, CSRF protection | No — required for the platform to function |
| Functional | Language preferences, theme (light/dark) selection | Yes — disabling may affect user experience |
| Analytics | Usage statistics via Google Analytics 4 (GA4) to understand how the platform is used | Yes — via cookie consent banner |
You can manage or delete cookies through your browser settings at any time. Disabling strictly necessary cookies will impair your ability to use the Service. For analytics cookies, you may withdraw consent using the cookie preferences toggle available on our website.
11. Your Rights Under GDPR (Articles 15–22)
If you are in the EU/EEA, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@punctual.pt. We will respond within 30 days (extendable by two further months for complex requests, with notice).
Right of Access (Art. 15)
You may request a copy of the personal data we hold about you and information about how we use it.
Right to Rectification (Art. 16)
You may ask us to correct inaccurate or incomplete personal data. You can update most account information directly in your profile settings.
Right to Erasure / "Right to be Forgotten" (Art. 17)
You may ask us to delete your personal data where it is no longer necessary, where you withdraw consent, or where you object to processing. Erasure may be limited where retention is required by law.
Right to Restriction of Processing (Art. 18)
You may ask us to pause processing of your data in certain circumstances (e.g., while contesting accuracy or while an objection is assessed).
Right to Data Portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format (e.g., JSON or CSV) for transfer to another service.
Right to Object (Art. 21)
You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent (e.g., marketing emails, analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
Rights Related to Automated Decision-Making (Art. 22)
We do not make solely automated decisions that produce legal or similarly significant effects about individuals without human involvement.
12. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 — 1200-651 Lisboa, Portugal
Tel: +351 21 392 84 00
We would appreciate the opportunity to address your concerns before you contact the CNPD. Please reach out to us first at privacy@punctual.pt.
13. Children's Privacy
The Service is not directed to, and we do not knowingly collect personal data from, children under the age of 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@punctual.pt and we will take steps to delete such information promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by:
- Sending an email to the address associated with your account; and/or
- Displaying a prominent notice within the platform.
The updated policy will be effective as of the date stated at the top of this document. We encourage you to review this page periodically. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
15. Contact Us
For any privacy-related questions, requests to exercise your rights, or concerns, please contact our Data Protection contact: