Privacy Policy

Milestone is committed to protecting the privacy of all of its customers’ and suppliers’ data and has drawn up this privacy policy to demonstrate its commitment to upholding the rights of data subjects in accordance with the General Data Protection Regulation (GDPR) and other applicable laws.

We follow data security and protection best practices and have developed and implemented a set of strict technical and organisational measures to ensure protection of the data you provide us.

The purpose of this Privacy Policy is to inform you about how we process the personal data we collect and store and the rights you have in this regard.

Please read this policy carefully to understand what data we collect, the purposes for which it is collected and how we process it, and your rights.

Personal Data

Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be directly or indirectly identified by reference to an identification number or one or more factors specific to the physical, physiological, mental, financial, cultural or social identity of that person.

Data Controller

Milestone, with registered office at Estrada de Alfragide nº 107 Edifício A2 Piso1, 2610-008 Alfragide, registered in the Lisbon Companies Registration Office under unique registration and taxpayer number 509 459 838, is the controller of your personal data.

  1. Data processing principles


Milestone processes data only in the situations provided for by law, inter alia when:

  • data subjects have given explicit consent for the processing of their personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which Milestone is subject;
  • processing is necessary in order to protect the vital interests of data subjects or of another natural person;
  • processing is necessary for the purposes of the legitimate interests pursued by Milestone or by a third party, except where such interests are overridden by the rights, freedoms and guarantees of data subjects.
  • Proportionality
  • All data collected is processed in accordance with the necessary, appropriate and relevant purposes.


All information to be provided to you shall be clear, concise, intelligible and easily accessible.

Purpose limitation

Milestone shall ensure that the processing of your personal data is limited to the legitimate purposes for which it is collected.

Data minimisation and accuracy

All personal data processed shall be adequate, relevant and limited to what is strictly necessary to fulfil the purposes of the processing.

Storage limitation

Personal data shall be retained in accordance with the provisions of item 7 below.

Integrity and confidentiality (security), availability and accountability

All data is processed in a manner that ensures protection against accidental loss, destruction or damage and protection against unauthorised processing.


To this end, Milestone will take all appropriate technical and organisational measures, including, where necessary, pseudonymisation or encryption of the data.


Why we use your data

We process personal data for the following purposes:


contractual relations, when the collection and processing of personal data is necessary for the execution of the pre-contracted service (example: management of the service provided, invoicing management, among others).

compliance with legal obligations to which Milestone is subject;

promotional offers/campaigns, with your consent;

provision of documents, with your consent.


How we collect your data

Your data may be collected in a number of ways, including:

  • in person
  • via telephone
  • e-mail
  • website


Your rights as a data subject

Right of access

You have the right to access your personal data and obtain information about:

  • processing purposes
  • type of data processed
  • how data was collected
  • third parties to whom your data is disclosed
  • storage period
  • whether your data is subject to automated decision-making
  • whether your data is transmitted to third parties outside the EU


Right to rectification

You have the right to rectify and/or complete your personal data.

Right to erasure

You have the right to request that your personal data be deleted where any of the following conditions are met:

  • the personal data is no longer needed for the purposes for which it was collected or otherwise processed;
  • the consent on which the data processing is based no longer exists;
  • there are no overriding legitimate interests for the processing;
  • the personal data has been unlawfully processed;
  • personal data must be deleted due to legal obligations.


Right to restriction of processing

You have the right to request that the processing of your data be restricted when you contest the accuracy of the personal data collected.


Right to data portability

You have the right to receive personal data concerning you in a structured and commonly used and machine-readable format and to request portability of such data to another controller without any hindrance.

Right to object

You have the right to object, at any time, to the processing of your personal data on grounds relating to your particular situation, when it involves:

  • processing necessary for the performance of a task carried out in the public interest or in the exercise of an official authority;
  • the pursuit of the legitimate interests of the controller or third party;
  • re-use of the data for a purpose other than that for which it was originally collected, including


Response time

You may exercise any of the above rights under the terms set out in item 12 below. Should you exercise any of these rights, we will review your request and respond within 30 days.

You also have the right to lodge a complaint with a national data protection authority if you are unhappy with the use of your personal data or with the response after exercising any of the above rights. To this end, you may lodge a complaint with the Portuguese Data Protection Authority (CNPD – Comissão Nacional de Proteção de Dados), located at Rua de São Bento, n.º 148, 3º, 1200-821 Lisbon, telephone number +351 213928400, fax number +351 213976832, e-mail:


Data retention period

We process and store personal data in accordance with the purposes for which such data was collected. We only process personal data for the time needed to perform the specified purpose or in accordance with applicable laws or until you exercise your right to object or to be forgotten or withdraw your consent.

As such, Milestone will process and store personal data for as long as it maintains a contractual relationship with you. That said, data may have to be stored for a longer period than the contractual relationship, either based on the your consent or to ensure contractual rights and obligations or where there are legitimate interests to do so, but only for the period strictly necessary to fulfil the respective purposes and in accordance with CNPD guidelines.

The personal data we collect and process with your consent will be stored for a maximum period of 5 years. After 5 years we will seek new consent from you.

Once the respective retention period has lapsed, we will erase or anonymise your data, whenever such data should no longer be stored for any other purpose.



Personal data processed by Milestone is not used for profiling or automated decision-making.


Milestone will request your consent for data processing. Consent should be given, if you so wish, by a clear affirmative act establishing a freely give, specific, informed and unambiguous indication of your agreement to the processing of your data.

Should you need any additional information to that received when giving your consent, you may request it using the contact information provided under item 12 below.

How to change or withdraw your consent

You may change or withdraw your consent at any time, prospectively. To do so, you should send a letter or an e-mail to the addresses provided under item 12 below.

Policy changes

The privacy policy is reviewed and updated periodically. Any amendments will appear on this page.

  • Contact information of the Data Controller
  • Any questions regarding data processing may be addressed in writing to:

– the email address of the Data Protection Officer

– our head office, to the following address:


Estrada de Alfragide nº 107 Edifício A2 Piso 1,

2610-008 Alfragide