This policy has been prepared in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679). Basi-on, Unipessoal Lda is the Data Controller for your personal data.
Basi-on, Unipessoal Lda
VAT: PT516453769
Portugal
Contact for privacy matters: form available at Settings → Support on the BasiDocs platform.
2.1 Account data
• Email address
• Company name
• Country and sector of activity
• Certifications and facility details (optional)
2.2 Usage data
• Documents created and updated
• Audit records (platform actions)
• Date and time of access
• IP address (for security)
2.3 Payment data
• Processed exclusively by Stripe, Inc. — Basi-on, Unipessoal Lda does not store credit card data.
2.4 Content data
• GxP documents created by the user
• Deviations, NCs, CAPAs and other quality records
• Files attached to the Quality Assistant
• Service provision — performance of contract (Art. 6(1)(b) GDPR)
• Billing and payment management — legal obligation (Art. 6(1)(c) GDPR)
• Security and fraud prevention — legitimate interests (Art. 6(1)(f) GDPR)
• Service communications — performance of contract (Art. 6(1)(b) GDPR)
• Regulatory audit trail — legal obligation and performance of contract
• Service improvements — legitimate interests, using anonymised data
Your personal data is not sold or shared for commercial purposes. We may share data with:
• Supabase (Supabase Inc.) — database and authentication, EU servers
• Stripe, Inc. — payment processing, PCI DSS certified
• Vercel Inc. — application hosting
• Anthropic, PBC — AI processing for document generation (anonymised where possible)
All providers are bound by GDPR-compliant Data Processing Agreements (DPA). No data is transferred to third countries without appropriate safeguards.
• Account data — retained while the account is active and for 90 days after closure
• Quality documents and records — retained as requested by the user; obsolete documents are automatically deleted after 10 days
• Audit trail — retained for 5 years (FDA 21 CFR Part 11 and EU GMP Annex 11 requirement)
• Billing data — 10 years (Portuguese tax obligation)
• Security logs — 12 months
Once the retention periods have expired, data is securely and irreversibly deleted.
Under the GDPR, you have the following rights:
• Right of access — request a copy of your personal data
• Right to rectification — correct inaccurate data
• Right to erasure ("right to be forgotten") — request deletion of your data
• Right to portability — receive your data in a structured format
• Right to object — object to certain processing activities
• Right to restriction — restrict processing in certain circumstances
To exercise your rights, use the contact form at Settings → Support. We will respond within 30 days.
You also have the right to lodge a complaint with the National Data Protection Commission (CNPD) — www.cnpd.pt
Basi-on, Unipessoal Lda implements appropriate technical and organisational measures to protect your data:
• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Secure authentication with email verification
• Row-level access control (Row Level Security in Supabase)
• Immutable audit trail with SHA-256 hashes
• Automatic daily backups
• Restricted internal team access
In the event of a data breach that may affect your rights, you will be notified within 72 hours as required by the GDPR.
BasiDocs only uses cookies strictly necessary for the operation of the platform:
• Authentication session cookie (Supabase) — necessary to maintain the active session
• Language preferences — stored locally
We do not use tracking, advertising or third-party analytics cookies.
BasiDocs is intended exclusively for professional use by adults. We do not knowingly collect data from persons under 18 years of age. If we become aware that we have collected data from a minor, we will delete that information immediately.
We may update this Privacy Policy periodically. The date of the last update is shown at the top of this document. For material changes, we will notify users by email or through a notice on the platform.