Privacy Policy

Milestone is committed to protecting the privacy of all of its customers’ and suppliers’ data and has drawn up this privacy policy to demonstrate its commitment to upholding the rights of data subjects in accordance with the General Data Protection Regulation (GDPR) and other applicable laws.

We follow data security and protection best practices and have developed and implemented a set of strict technical and organisational measures to ensure protection of the data you provide us.

The purpose of this Privacy Policy is to inform you about how we process the personal data we collect and store and the rights you have in this regard.

Please read this policy carefully to understand what data we collect, the purposes for which it is collected and how we process it, and your rights.

Personal Data

Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be directly or indirectly identified by reference to an identification number or one or more factors specific to the physical, physiological, mental, financial, cultural or social identity of that person.

Data Controller

Milestone, with registered office at Estrada de Alfragide nº 107 Edifício A2 Piso1, 2610-008 Alfragide, registered in the Lisbon Companies Registration Office under unique registration and taxpayer number 509 459 838, is the controller of your personal data.

  1. Data processing principles


Milestone processes data only in the situations provided for by law, inter alia when:

  • data subjects have given explicit consent for the processing of their personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which Milestone is subject;
  • processing is necessary in order to protect the vital interests of data subjects or of another natural person;
  • processing is necessary for the purposes of the legitimate interests pursued by Milestone or by a third party, except where such interests are overridden by the rights, freedoms and guarantees of data subjects.
  • Proportionality
  • All data collected is processed in accordance with the necessary, appropriate and relevant purposes.


All information to be provided to you shall be clear, concise, intelligible and easily accessible.

Purpose limitation

Milestone shall ensure that the processing of your personal data is limited to the legitimate purposes for which it is collected.

Data minimisation and accuracy

All personal data processed shall be adequate, relevant and limited to what is strictly necessary to fulfil the purposes of the processing.

Storage limitation

Personal data shall be retained in accordance with the provisions of item 7 below.

Integrity and confidentiality (security), availability and accountability

All data is processed in a manner that ensures protection against accidental loss, destruction or damage and protection against unauthorised processing.


To this end, Milestone will take all appropriate technical and organisational measures, including, where necessary, pseudonymisation or encryption of the data.


Why we use your data

We process personal data for the following purposes:


contractual relations, when the collection and processing of personal data is necessary for the execution of the pre-contracted service (example: management of the service provided, invoicing management, among others).

compliance with legal obligations to which Milestone is subject;

promotional offers/campaigns, with your consent;

provision of documents, with your consent.


How we collect your data

Your data may be collected in a number of ways, including:

  • in person
  • via telephone
  • e-mail
  • website


Your rights as a data subject

Right of access

You have the right to access your personal data and obtain information about:

  • processing purposes
  • type of data processed
  • how data was collected
  • third parties to whom your data is disclosed
  • storage period
  • whether your data is subject to automated decision-making
  • whether your data is transmitted to third parties outside the EU


Right to rectification

You have the right to rectify and/or complete your personal data.

Right to erasure

You have the right to request that your personal data be deleted where any of the following conditions are met:

  • the personal data is no longer needed for the purposes for which it was collected or otherwise processed;
  • the consent on which the data processing is based no longer exists;
  • there are no overriding legitimate interests for the processing;
  • the personal data has been unlawfully processed;
  • personal data must be deleted due to legal obligations.


Right to restriction of processing

You have the right to request that the processing of your data be restricted when you contest the accuracy of the personal data collected.


Right to data portability

You have the right to receive personal data concerning you in a structured and commonly used and machine-readable format and to request portability of such data to another controller without any hindrance.

Right to object

You have the right to object, at any time, to the processing of your personal data on grounds relating to your particular situation, when it involves:

  • processing necessary for the performance of a task carried out in the public interest or in the exercise of an official authority;
  • the pursuit of the legitimate interests of the controller or third party;
  • re-use of the data for a purpose other than that for which it was originally collected, including


Response time

You may exercise any of the above rights under the terms set out in item 12 below. Should you exercise any of these rights, we will review your request and respond within 30 days.

You also have the right to lodge a complaint with a national data protection authority if you are unhappy with the use of your personal data or with the response after exercising any of the above rights. To this end, you may lodge a complaint with the Portuguese Data Protection Authority (CNPD – Comissão Nacional de Proteção de Dados), located at Rua de São Bento, n.º 148, 3º, 1200-821 Lisbon, telephone number +351 213928400, fax number +351 213976832, e-mail:


Data retention period

We process and store personal data in accordance with the purposes for which such data was collected. We only process personal data for the time needed to perform the specified purpose or in accordance with applicable laws or until you exercise your right to object or to be forgotten or withdraw your consent.

As such, Milestone will process and store personal data for as long as it maintains a contractual relationship with you. That said, data may have to be stored for a longer period than the contractual relationship, either based on the your consent or to ensure contractual rights and obligations or where there are legitimate interests to do so, but only for the period strictly necessary to fulfil the respective purposes and in accordance with CNPD guidelines.

The personal data we collect and process with your consent will be stored for a maximum period of 5 years. After 5 years we will seek new consent from you.

Once the respective retention period has lapsed, we will erase or anonymise your data, whenever such data should no longer be stored for any other purpose.



Personal data processed by Milestone is not used for profiling or automated decision-making.


Milestone will request your consent for data processing. Consent should be given, if you so wish, by a clear affirmative act establishing a freely give, specific, informed and unambiguous indication of your agreement to the processing of your data.

Should you need any additional information to that received when giving your consent, you may request it using the contact information provided under item 12 below.

How to change or withdraw your consent

You may change or withdraw your consent at any time, prospectively. To do so, you should send a letter or an e-mail to the addresses provided under item 12 below.

Policy changes

The privacy policy is reviewed and updated periodically. Any amendments will appear on this page.

  • Contact information of the Data Controller
  • Any questions regarding data processing may be addressed in writing to:

– the email address of the Data Protection Officer

– our head office, to the following address:


Estrada de Alfragide nº 107 Edifício A2 Piso 1,

2610-008 Alfragide

Privacy Policy Download

Cookie Policy

Terms of use

Definition and function of cookies

What are cookies?

Cookies are small text files containing information needed to make websites work. This information is sent via the browser and saved on your device (computer, mobile phone, smartphone or tablet) when you visit a website. Cookies only store information related to your preferences; they do not collect personal information.

Certain cookies are strictly necessary and essential for the proper functioning of websites, while others are used to store and retrieve information on your browsing habits, IP address, connection time and the operating system of the accessing device, and to recognise your device the next time you visit the website or to ensure the security and privacy of your browsing sessions.

What types of cookies are there?

Persistent cookies – these cookies are stored on your computer or device and are used to remember you when you revisit our website. They are used to remember your settings and preferences, thus enabling us to provide a personalised service.

Session cookies – these are temporary cookies that are stored in your browser until you leave our website. The information these cookies collect is used to analyse web traffic patterns and help us identify any problems and provide a better browsing experience.

What types of cookies does this site use?

We use three types of cookies:

Technical cookies – these include performance cookies, which are used to help improve the quality of the service, and functionality cookies, which store your preferences.

Statistical cookies – these cookies collect information about the visit date, the URL and the title of the web page visited.

Analytical cookies – these cookies are used to determine which search engine was used and what search terms were used to find our website. They also determine the time spent online in each session and the number of times you visited the page.


Cookie management

When you use our site some cookies are downloaded by third parties, namely by browsers. These companies have their own privacy policies. For more information about the cookies these third parties install, please visit the links below:

  • Chrome

  • Internet Explorer

  • Microsoft Edge

  • Firefox

  • Safari


For all other internet browsers, please refer to the browser’s “help” menu or contact the browser provider.

Most browsers allow, enable, block or delete cookies; however, limiting or refusing the use of cookies may affect your browsing experience and may even prevent you from using some of the features available on the website.

You can manage cookies in your browser. To learn how, visit the links below:

  • Chrome

  • Chrome on Android

  • Internet Explorer

  • Windows Phone

  • Android

  • Firefox

  • Firefox on Android

  • Safari


More information on how to manage and delete cookies can be found at

Milestone reserves the right to amend or change this Policy at any time. Such changes will be published accordingly.

If you have any questions or concerns regarding this policy, please contact us at

Last updated: 9 November 2020

Cookies Policy Download

Exercise of Personal Data Subject Rights

The data controller is responsible for complying with all the principles relating to the processing of personal data under his responsibility, being obliged to prove compliance.

Article provides. 12, paragraph 2, of the General Data Protection Regulation (GDPR), that the controller facilitates the exercise of their rights by the data subject, namely the rights referred to in articles 15 to 22. Recital (59) of the RGPD also states in this regard that “rules must be laid down to facilitate the exercise by the data subject of the rights conferred on him under this regulation, including procedures for requesting and, where applicable, obtain free of charge, in particular, access to personal data, their rectification or erasure and the exercise of the right to object.

The controller must provide the necessary means for requests to be submitted electronically when the data is also processed electronically. The controller should be obliged to respond to the data subject’s requests without undue delay and at the latest within one month and state its reasons when intending to refuse the request.

For this purpose, Milestone makes available to the holders of the data it collects and processes a form so that, in a simple way and electronically, they can exercise their rights.

The form can be sent by email to the following address:

Form Download


Milestone’s DATA PROTECTION OFFICER (EPD/DPO) is Drª Liliana Silva, director of human resources, appointed to the position since 2020.

The Data Protection Officer has the mission of informing and advising Milestone on the obligations arising from the General Regulation on Data Protection and verifying the applicability of Milestone’s Data Protection Policy, ensuring that citizens and other data holders have knowledge of how your Personal Data is treated and what rights you have in this regard, as well as being Milestone’s point of contact with the Control Authority (National Data Protection Commission/CNPD).

Holders of Personal Data can always contact the Data Protection Officer to clarify any questions they deem relevant related to the processing of their Personal Data and the exercise of their rights.

EPD contacts –

Reporting Channel

An ethical commitment to organizations

The means for collecting and handling complaints are one of the main ways for organizations to detect illegal occurrences, which violate their policies, or which do not respect their ethical principles and conduct. Additionally, these means are a demonstration of the ethical commitments and protection of the reputation of the organizations.

The company collaborates with judicial and police authorities, in strict compliance with legal regulations, considering the specific responsibilities of said authorities, refraining from placing obstacles to their functions and providing the requested information in a timely, precise and clear manner.

Topics related to fraud, corruption, cybercrime, workplace harassment, damage to the environment, bullying, inappropriate conduct or unethical practices are some of the areas that, in addition to being part of the ethical commitments and conduct of organizations, benefit from the existence of a Whistleblowing Channel. This will work mainly as a deterrent to irregular practices and transparency towards interested parties.

As it is an element for preventing and detecting these same practices, the Whistleblowing Channel makes a significant contribution to mitigating not only possible financial impacts, but, above all, reputational ones.


Vulnerability Disclosure Notification Process

How to notify Milestone of a security issue

If you discover a vulnerability in our system, services, or product, notify us as soon as possible by sending an email to:

Include, at a minimum, the following information:

  • Your preferred contact details (including contact phone number)
  • Detailed description of the vulnerability
  • Time and method of its discovery
  • Specification of the system, service or product where the vulnerability was discovered
  • Any other related information (code samples, logs, screenshots, etc.)
  • Your identification if you so wish, considering, if you do not, an anonymous report.


Resolution process

We will investigate any reporting issues and take all necessary actions and measures to mitigate and/or resolve the reporting issue.


By submitting a vulnerability notification, you agree to:

  • Not disclose or publish the vulnerability to others before it is patched and before the expiration of a mutually agreed time period;
  • Not take advantage of the vulnerability, modify, download or delete any logs or data or launch any type of attack based on the vulnerability;
  • Comply with laws and regulations related to your location;
  • Comply with applicable data protection legislation, namely not disclosing personal data of third parties without a valid legal basis;
  • Confirm that the elements contained in the notification you are sending do not infringe third party intellectual property rights (ie, you have not copied elements available on the internet, for example).


By submitting a vulnerability notification to Milestone, you agree to grant Milestone an irrevocable worldwide right to use it, free of charge, for a period of fifty years.

Processing of your personal data

By submitting your notice, you understand that Milestone will process your personal data. Such processing is carried out in compliance with applicable data protection laws and, in any case, your personal data will be processed only to follow up on your notification. Milestone undertakes not to process your personal data for any other purpose.

Employees must report to the authorities the facts of which they are aware and which constitute acts of a criminal nature, they may make reports within the scope of their work activity, confidentiality being guaranteed.

Employees will be able to make anonymous complaints using the Reporting Channel for this purpose, confidentiality being guaranteed.

With whom do we share your personal data?

Your personal data will be shared with third parties only to the extent strictly necessary. When relying on such third parties, please ensure that Milestone has entered into contractual agreements to ensure that your personal data is processed securely and strictly in accordance with Milestone’s instructions.

For more information about our policies, click on the following link: Exercise of Personal Data Subject Rights

 How long does Milestone keep your personal data?

Milestone will keep your personal data longer than necessary for the purpose(s) for which it was collected.

Milestone will retain your personal data for three (3) years from the date of collection.

What are your rights and how to exercise them?

You can request access, rectification, or deletion of your personal data. You can also object to the processing of your personal data or request that it be restricted. In addition, you may request the communication of your personal data in a structured, commonly used, and machine-readable format.

If you wish to exercise these rights, please contact our Global Data Protection Office by sending an email to the following address: . Where appropriate, we will communicate your request and/or complaint to the local data protection officer.

Please note that you also have the right to file a complaint with a data protection authority or the competent court.

The sustainability:

The company guarantees and promotes sustainability and seeks to minimize the environmental impacts resulting from the activity it carries out, aiming at the optimization and responsible use of available resources and the prevention of waste.