Privacy Policy
Last updated: April 9, 2026
Controller
Bastion Unipessoal Lda.
Email: hello@bastion.eu
What Data We Collect
When you submit the pilot assessment form on our website, we collect:
- Company name
- Your name
- Your role or title
- Your work email address
- Your description of your current Article 75 compliance approach (if provided)
We do not use cookies for tracking or advertising. We use Vercel Analytics for anonymous, aggregate website usage statistics. Vercel Analytics does not use cookies, does not collect personal data, and processes all data within the EU.
Why We Collect It
We process your data for one purpose: to evaluate whether a Bastion pilot engagement is a mutual fit and to respond to your inquiry.
Legal basis: Article 6(1)(b) GDPR — processing necessary for steps prior to entering into a contract (your request for a pilot assessment constitutes a pre-contractual inquiry).
Alternative legal basis: Article 6(1)(f) GDPR — our legitimate interest in responding to business inquiries from compliance professionals at regulated institutions. You can object to this processing at any time by contacting us.
Where Your Data Is Stored
Form submissions are processed by Formspree and stored in the United States and EU. Formspree is certified under the EU-US Data Privacy Framework. We have verified that Formspree maintains adequate safeguards under Article 46 GDPR.
How Long We Keep It
We retain your form submission data for 12 months from the date of submission. If we enter into a pilot engagement, your data becomes part of the contractual relationship and is retained for the duration of that engagement plus 6 years (statutory retention period).
If we do not proceed with a pilot engagement, we delete your data within 12 months of your submission unless you request earlier deletion.
Your Rights
Under GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest
- Receive your data in a structured, machine-readable format (data portability)
To exercise any of these rights, contact us at hello@bastion.eu. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. The relevant authority depends on your location:
- Germany: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
- Netherlands: Autoriteit Persoonsgegevens
- Portugal: Comissão Nacional de Proteção de Dados (CNPD)
Third-Party Services
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Formspree | Form submission processing | Name, email, company, role, message | US (EU-US DPF Certified) |
| Vercel Analytics | Anonymous analytics | None (no personal data collected) | EU |
| Vercel | Website hosting | IP address (server logs, auto-deleted after 30 days) | EU region |
Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be posted on this page with an updated date.
Contact
For any privacy-related questions: hello@bastion.eu