Privacy Policy
Last updated: 2026-05-14
This Privacy Policy describes how João Barbosa, sole trader registered in Portugal under category B activity, trading as OCCULTA ("OCCULTA", "we", "us"), processes personal data when you use OCCULTA Marketing Intelligence ("the Service").
1. Data Controller
João Barbosa (ENI, Cat. B)
Rua Padre Luís Campos 1083, 3.º Esq., 4470-324 Maia, Portugal
Email: support@occulta.co
A formal Data Protection Officer is not appointed: the processing operations of OCCULTA do not meet the criteria of Article 37(1) GDPR. The contact above serves all data protection enquiries.
2. Data We Process
OCCULTA Marketing Intelligence is a B2B analytics platform that processes marketing data on behalf of business clients ("Tenants"). Categories of data:
- Account data: name, email, role of authorised users invited by a Tenant
- Authentication data: session tokens, IP address, user agent
- Marketing performance data retrieved from third-party platforms on behalf of the Tenant (Meta, Google, Brevo, D-EDGE and similar): aggregated metrics, post and campaign metadata, audience-level aggregates
- Usage data: pages visited within the Service, feature interactions, error logs
- Audit log: actions performed within the Service for security and compliance
We do not process special categories of personal data (Art. 9 GDPR).
3. Source of Data
Some categories of data are not collected directly from you (Art. 14 GDPR):
- Marketing performance data is retrieved from third-party platforms (Meta Platforms Ireland Ltd., Google Ireland Ltd., Sendinblue/Brevo, D-EDGE Hospitality Solutions, and similar) via their official APIs, under the access scopes that the Tenant has authorised.
- Where these APIs expose any identifying field of an end-user (e.g. a public commenter name on a Page post), OCCULTA stores only the minimum required to render aggregated analytics.
4. Legal Basis
- Contract performance (Art. 6(1)(b) GDPR): to provide the Service to authorised users of a Tenant
- Legitimate interest (Art. 6(1)(f) GDPR): security, fraud prevention, service improvement, aggregated analytics. The balance of interests has been assessed; data subjects may object under section 7.
- Legal obligation (Art. 6(1)(c) GDPR): audit logs and tax records
5. Sub-processors
We rely on the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, file storage | EU (Frankfurt) |
| Vercel Inc. | Application hosting | EU regions |
| Anthropic PBC | AI assistant (cached data only, no raw exports) | USA (SCC) |
| Sentry (Functional Software Inc.) | Error monitoring | EU |
| Cloudflare Inc. | DNS, email routing, CDN | Global (SCC) |
Data transferred outside the EEA is protected by Standard Contractual Clauses (SCCs) under Art. 46 GDPR.
6. Automated Decision-Making
OCCULTA does not engage in automated decision-making producing legal or similarly significant effects on data subjects under Article 22 GDPR. The AI assistant feature is non-determinative: it summarises and answers questions about already-aggregated data, and no business decision is automatically enforced by it.
7. Retention
- Account data: while the Tenant has an active subscription, plus 12 months
- Marketing performance data: rolling 24 months
- Audit log: 24 months
- Backups: 30 days
8. Your Rights (Art. 15–22 GDPR)
You have the right to access, rectify, erase, restrict, port and object to the processing of your personal data. To exercise any right, contact support@occulta.co. We respond within 30 days.
For data deletion specifically, see our Data Deletion Instructions.
You may lodge a complaint with the Portuguese data protection authority CNPD (cnpd.pt).
9. Revoking Third-Party Permissions
If your data is accessed via Meta through Facebook Login or Business asset assignment, you can revoke OCCULTA's access at any time:
- Facebook: Settings & Privacy → Settings → Apps and Websites → remove OCCULTA Marketing Intelligence
- Instagram: Settings → Apps and Websites → Active → revoke OCCULTA Marketing Intelligence
- Meta Business Manager: Business Settings → Integrations → remove OCCULTA
Equivalent revocation flows exist for Google, Brevo, D-EDGE and other connected platforms.
10. Security
OCCULTA enforces multi-tenant isolation at the database level (Postgres Row-Level Security), field-level encryption of sensitive credentials (pgsodium), append-only audit logs, MFA for administrative accounts and HTTPS-only transport.
11. Children
The Service is not directed at individuals under 16. We do not knowingly process data of minors.
12. Changes
We may update this policy. Material changes are communicated by email to authorised users at least 30 days in advance.
13. Contact
support@occulta.co