Privacy Policy

Last updated: 20 May 2026

1. Who we are

Liminal Consulting is the trading name of David Rug, a sole trader (trabalhador por conta própria) registered in Portugal under tax number (NIF) 323009239, with a registered address at Rua Senhor do Bonfim 341, 4730-190 Goães, Vila Verde, Portugal. For the purposes of the EU General Data Protection Regulation (GDPR), Liminal Consulting is the data controller for personal data it determines the purposes and means of processing, and acts as a data processor when handling data on behalf of a client under a service engagement.

Contact for any privacy matter: consulting@liminality.space.

2. What data we process

Depending on how you interact with us, we may process:

  • Contact and enquiry data — name, email, company, and the content of messages you send us through the website, email, or a booking request.
  • Financial and transactional data — where you are a client, or where Liminal Consulting connects its own bank account for internal accounting, we process bank transaction data (amounts, counterparties, references, dates) to reconcile invoices and manage payments. Bank-account access is read-only and obtained through a regulated Open Banking provider under PSD2, with explicit consent that you can revoke at any time.
  • Operational data — where engaged to build and operate software for a client, we process the operational data the client entrusts to us (for example documents, schedules, internal communications) strictly to deliver the agreed service.
  • Technical data — standard server and security logs (IP address, request metadata) generated when you use our websites or applications.

3. Why we process it (legal bases)

  • To respond to enquiries and provide our services — performance of a contract, or steps taken at your request before entering one.
  • To issue invoices and meet tax obligations — compliance with a legal obligation.
  • To reconcile payments via Open Banking — your explicit consent, which you may withdraw at any time.
  • To keep our systems secure — our legitimate interest in operating a safe service.

4. Who we share data with

We do not sell personal data. We share data only with the service providers necessary to operate, each acting under its own terms and data-protection commitments:

  • Cloudflare — hosting, content delivery, and data storage for our websites and applications.
  • Enable Banking — regulated Open Banking access provider used to read bank transaction data with your consent.
  • Apple (iCloud) and, where a client uses it, Google (Workspace) — email delivery and storage.

Where data is transferred outside the European Economic Area, it is protected by appropriate safeguards such as the provider's Standard Contractual Clauses.

5. How long we keep it

We keep personal data only as long as needed for the purpose it was collected, or as required by law. Invoicing and tax records are kept for the statutory retention period under Portuguese law. Open Banking transaction data is kept only for as long as needed to reconcile the relevant invoices, and access ends when you withdraw consent or the consent period lapses.

6. Your rights

Under the GDPR you have the right to access, correct, delete, restrict, or object to the processing of your personal data, and the right to data portability. Where processing relies on consent, you can withdraw it at any time without affecting prior processing. To exercise any right, contact consulting@liminality.space. You also have the right to lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD).

7. Changes to this policy

We may update this policy as our services evolve. The "last updated" date above always reflects the current version.