Privacy Policy

Privacy and the protection of personal data are very important for SantaCruz Group which has always processed the collection, use, consulting and treatment of the data in strict compliance with the applicable legislation regarding personal data protection.

With the application of EU Regulation 2016/679 of the European Parliament and of the Council of of 27 April 2016, also called the General Data Protection Regulation (GDPR), and other legislation on the protection of natural persons with regard to the processing of personal data, SantaCruz Group is committed to providing its customers and others with detailed information about the use and protection of their personal data, the reasons why it is processed and their rights regarding this processing, among others, in compliance with the provisions in articles 13 and 14 of the GDPR.

1.Data Controller

Matrizneptune – Metalomecânica, Lda., commercial limited company, with head office at Rua Dr. Brito Câmara, n.º 20, 9000-039 Funchal, Portugal, tax identification number 513 958 924, is the entity responsible for processing the personal data.

The data subject can contact the data controller, to raise any questions or get clarification regarding personal data protection, by e-mail, to the following e-mail address:

2.Principles applicable to the protection of personal data

SantaCruz Group processes personal data in accordance with the general principles laid down in the General Data Protection Regulation (GDPR) and in other legislation applicable to the protection of personal data, namely:

– “Principle of lawfulness, fairness and transparency“: SantaCruz Group guarantees that your personal data is subject to lawful, fair and transparent processing;

– “Principle of purpose limitation“: Personal data are processed by SantaCruz Group for specified, explicit and legitimate purposes, and are not further processed in a manner incompatible with those purposes;

– “Data minimisation principle“: In the interests of minimal and limited data collection, SantaCruz Group only processes data that is strictly necessary, appropriate and relevant to the purposes for which it is processed;

– “Principle of accuracy“: SantaCruz Group undertakes to delete or rectify any personal data that is found to be inaccurate or imprecise as soon as possible.

– “Principle of conservation“: personal data shall be stored by SantaCruz Group for the period of time strictly necessary to fulfil the purposes for which they were collected;

– “Principle of integrity and confidentiality“: SantaCruz Group undertakes to process your data securely, implementing technical and organizational measures to ensure a high level of protection of personal data, particularly those necessary to ensure the confidentiality and integrity of this data.


3.1 Personal data: any information that, whatever its medium, directly or indirectly identifies or is likely to identify a natural person, in particular by reference to an identifier, such as a name, an identification number, a location data, an electronic identifier, or other specific elements of that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.

3.2 Personal data subject: any natural person to whom the personal data refer. Within the scope of the activities pursued by SantaCruz Group, the following are data subjects: the users of SantaCruz Group‘s website or other related pages, its clients, employees, service providers and suppliers, among others.

3.3 Processing of personal data: operation or set of operations performed on personal data, by automated or non-automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction. In short, the concept of Processing of Personal Data is comprehensive and shall apply to all operations or set of operations carried out by SantaCruz Group with reference to your personal data.

3.4 Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

3.5 Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3.6 Third party: the natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

3.7 Supervisory authority: the independent public authority which is established by a Member State pursuant to Article 51 of the General Data Protection Regulation (GDPR).

4.Grounds for lawfulness

4.1 SantaCruz Group, in accordance with the “lawfulness principle”, only processes personal data when there are legitimate grounds for doing so.

4.2 The processing of the personal data of data subjects is essentially carried out on the following grounds:

Consent: when the data subject has given his/her consent to the processing of his/her personal data, for one or more specific purposes, through a declaration or positive act that expresses a free, specific, informed and explicit expression of will that the data subject authorizes the processing of his or her data;

Performance of pre-contractual diligence: when the processing is carried out with a view to the performance of steps or procedures preceding the conclusion of a certain contract (pre-contractual diligence);

Execution/performance of a contract: when the processing of the data is assumed as necessary for the conclusion, performance or development of a contractual instrument to which the holder of the personal data is a party;

Compliance with a legal obligation: when the processing is necessary to comply with a legal obligation incumbent upon the controller, that is, to comply with a legal imposition to which the controller is bound.

Pursuit of legitimate interests: where the personal data are processed to pursue the legitimate interests of the controller, particularly marketing, except where the interests or fundamental rights and freedoms of the data subject require protection of the personal data.

5.Personal data category

5.1 SantaCruz Group processes personal data of varying nature and sensitivity, depending on each area of activity and the purpose underlying the processing of such data.

5.2 SantaCruz Group, depending on the purpose, may process different categories of data, such as:

Identification data (e.g. name, civil identification number, signature);

Tax identification data (e.g. tax identification number);

Address and contact details (e.g. tax address, correspondence address, telephone contact, email address);

Bank details (e.g. IBAN);

Data related to the family situation (e.g. number of household members, number of dependents);

Data relating to professional activity (e.g. professional category, timesheets);

Data relating to legal qualifications;

Data relating to union membership of the employee and related data;

Biometric data (e.g. fingerprints);

Data concerning health and physical condition (e.g. physical aptitude);

Data inherent to images captured by electronic video surveillance systems;

Data related to the electronic device or web browser (e.g. electronic device information, screen information, web browser information, operating system information);

6.Purposes of processing the data

6.1 Personal data is processed by SantaCruz Group in pursuit of specific, explicit and legitimate purposes and cannot later be processed in a way that is incompatible with these purposes.

6.2 In order to ensure a minimum and limited collection of data, SantaCruz Group only handles data that is strictly necessary, adequate and important for the purposes for which it is handled.

6.3 SantaCruz Group, according to the activities it carries out, processes personal data for the following purposes (non-exhaustive list):

Marketing or related activities

– to send newsletters and promotional campaigns;

– direct marketing;

– to promote and publicise services;

– to promote and publicise activities or events (e.g. charity or festive events), especially on social media, in the press and/or on the company’s website;

– to send invitations, by email or other means of communication, to enable participation in events;

– Disseminate external communications;


– to record data in corporate and customer management programmes;

– to submit proposals and quotes;

– management and processing of orders;

– preparation of technical data sheets;

– contracting of services;

– contractual relationship management;

– service management;

– communication with clients;

– requests, complaints, compliments and incidents management;

Human resources

– recruitment and selection of human resources;

– human resources management (ex: access and attendance management, time and working hours management);

– processing and payment of salaries;

– exercise of disciplinary power;

– professional training;

– performance evaluation;

– evaluation of work capacity, within the scope of occupational medicine;

– assessing the worker’s suitability to carry out the respective functions;

– quality control;

– control of telephone calls made through equipment belonging to the employer;

– Monitoring the use of electronic mail and Internet accesses;

Accounting, fiscal and administrative management

– accounting and invoicing;

– credit notes issue;

– management of payments;

– provision of tax-related information, including sending information to the Tax Authority;

Compliance with legal obligations

– reporting or response to judicial, regulatory and supervisory entities, namely public entities in the social security area;


– Execution of internal audits;


– management of litigation and other conflicts;

– collection management and credit recovery;

Analytical or statistical purposes

Information technology

– reception and processing of requests for computer support;

– information security control;

– access management, logs;

– backups management;

– management of security incidents;

Protection of people and goods

– Physical security;

– Physical access control to SantaCruz Group premises, namely through biometric equipment/systems;

– registration of entrances and exits.

7.Personal data recipients

7.1 For the purposes mentioned above and in compliance with its legal obligations, SantaCruz Group may have to send the personal data of its customers, employees and service providers, among others, to external parties, namely:

– To entities that assume the quality of processors, to provide the contract enforcement services, information technologies, data storage, auditing, document management and litigation, namely with service providers in the security services, AML\CTF, accounting, information systems, auditing and litigation areas. SantaCruz Group shall only use processors who act according to its instructions and as long as they present sufficient guarantees they can undertake the proper technical and organizational measures, so that the processing satisfies, among other things, the security, confidentiality and integrity requirements and these guarantees are formalized in an agreement signed by SantaCruz Group and the processors.

– Entities that are considered to be third parties, such as the Tax and Customs Authority, Judicial Entities and Regulators.

8.Storage period

8.1 SantaCruz Group will retain personal data for the period of time strictly necessary for the performance of the respective purposes or, as the case may be, until the data subject withdraws the consent given or exercises his/her right to object or erasure.

8.2 SantaCruz Group may be required to retain some of the personal data for a longer period taking into account factors such as:

– Legal obligations, under the laws in force;

– Statute of limitations under applicable laws;

– (possible) litigation;

– guidelines issued by competent data protection authorities.

9.Data Subjects’ Rights

9.1 Data subjects, through the collection and processing of their data, have the following rights:

– the right of access: whenever they request, they can access their personal data, get information about the processing of their data and get a copy of their personal data that is handled;

– the right of rectification: whenever they consider that their personal data is incomplete or inaccurate, they can request its rectification\modification;

– right of data erasure: notwithstanding any legal obligations that may limit this right, the data subjects can request their data elimination when: the data no longer needs to be processed for the purpose that justified its collection or processing; the data subject withdraws its consent on which the data processing was grounded and there are no other legal grounds for it; they present opposition to the processing of the data and there are no prevailing legal interests, to be assessed on a case by case basis, that justify the processing; when the data has been processed illegally; the personal data has to be deleted to comply with a legal obligation that the data controller is subject to; the data has been collected in the context of the offer of services by the company mentioned in article 8(1) of the General Data Protection Regulation (GDPR);

– right of limiting the processing: the data subjects can request to limit the processing of their data in the following situations: if the user challenges the accuracy of the data, during a period that allows the controller to check its accuracy; if the processing is illegal and the data subject opposes to their personal data being deleted and requests that its use be limited; if the data processor no longer needs the data to be processed but the data is still necessary for the purposes of declaration, exercise or defense of a right in a legal process; if the user opposes to the processing, until it is seen that the legitimate interests of the data processor prevails over theirs.

– the right of objection: the data subject has the right to oppose to the processing of their data when the processing is based on the legitimate interest of the controller or when the data is processed for other reasons than those for which it was collected, but that is compatible with it. If you oppose to the processing of the data, SantaCruz Group shall stop processing your data unless it has legitimate reasons to conduct this processing and these prevail over your interests. You can also oppose the processing of your data at any time for direct marketing purposes.

– right to portability: if the personal data of the data subjects are in a structured format that is in current use and of automatic reading, and the processing is based on the express consent or by contractual form and if it is done by automatic means, the users have the right to send them to another controller as long as if that is technically possible.

– right to withdraw your consent: in situations where the processing in question is undertaken based on data subjects´ consent, the data subjects have the right to withdraw the consent they gave at any time. In this case, the controller will stop processing the data in question, unless there are other grounds that justify the processing.

– the right to lodge a complaint with the supervisory authority: the data subjects have the right to lodge a complaint, with the competent supervisory authority of the country where the controller (SantaCruz Group) is based, regarding the matters concerning the processing of their personal data.

10.Use of Cookies

10.1 When you browse SantaCruz Group‘s website, cookies are collected. A cookie is a small text file that is placed on users´ hard drive by a web page to improve performance and the users´ browsing experience, increasing the speed and efficiency of replies while eliminating the need to enter the same information several times.

10.2 In particular, there are two main types of cookies:

permanent cookies – which are saved in the browser used on users´ equipment (e.g. PC, mobile and tablet) and that are used whenever users return to the website. They are normally used to direct the browser according to the users´ interests, allowing the website to provide a more personal service.

session cookies – these are temporary cookies that remain in the users’ browser cookie folder until they leave the website. The information these cookies collect is used to analyze web traffic patterns, enabling the website to identify problems and provide a better browser experience.

10.3 The cookies are used, namely, for the following purposes:

– strictly necessary cookies – Allow the users to browse the website and use the applications as well as letting users access secure areas on the website. Without these cookies, the services the users request cannot be provided.

– analytical cookies – These are cookies that collect information about the use of the website, allowing to improve the way it works. By way of example, cookies of this nature are likely to reveal which pages are most visited on the website and help to register any difficulties that users experience when navigating and interacting on the website, also having the virtuality to demonstrate whether or not the advertising is effective. This makes it possible to view and analyze overall patterns of website use, rather than the use of a single individual.

– functional cookies – Save the user’s preferences regarding its use of the site so they do not need to be configured every time you visit it.

– third-party cookies (e.g. Cloudflare and Google Analytics) – These measure the success of the applications and the effectiveness of third-party publicity. They can also be used to customize a widget with the user’s details.

– Ads cookies – provide direct advertising, depending on each user’s interests so as to give ads campaigns taking into account the user’s preferences and they also limit the number of times an advert is seen, helping to measure the effectiveness of publicity and the success of the website organization.

10.4 Depending on the users management of cookies on SantaCruz Group‘s website and their interaction with it, SantaCruz Group uses some information collected by cookies in order to ensure proper functioning on the site, highlighting the appropriate display of content, adjust users´ screen resolution, to improve offers, among others. This information includes, among others, registration data, location data, session length, users´ equipment, users´ browser and user´s IP address. Third-party analytics providers (e.g. Cloudflare and Google Analytics) may supplement the aggregated data with demographic data and other information of interest, so that SantaCruz Group can better understands the visitors/users of website.

10.5 As a rule, cookies do not have any harmful effects on your processor and do not contain viruses. You can disable the use of cookies at any time in your browser settings or directly on our website.

10.6 Used Cookies


Cookie Name Domain Expiration Purpose Category
DV 24 hours Used to store user preferences and statistics Performance and analytics
OTZ 1 month Used to track site traffic information Performance and analytics
1P_JAR 1 month Used to collect statistics to display relevant Google Ads Performance and analytics
AEC 6 months Used to ensure requests are made by a user and not other sites Performance and analytics
NID 6 months Used to store user preferences and statistics Performance and analytics
__Secure-1PSIDCC 1 year Used to access specific options and services Performance and analytics
__Secure-3PSIDCC 1 year Used to collect statistics to display relevant Google Ads Performance and analytics
SIDCC 1 year Used to protect user data from unauthorized access Functionality
AID 13 months Used to link activity between different devices Performance and analytics
APISID, SAPISID 13 months Used to collect statistics to display relevant Google Ads Performance and analytics
CONSENT, SOCS 13 months Used to store user preferences regarding cookie choices Performance and analytics
HSID, SID 13 months Used to prevent fraudulent activity Performance and analytics
_Secure-ENID 13 months Used to collect statistics to display relevant Google Ads Performance and analytics
_Secure-1PAPISID, SSID 13 months Used to display relevant Google Ads Performance and analytics
__Secure-1PSID 13 months Used to access specific options and services Performance and analytics
__Secure-3PSID 2 years Used to collect statistics to display relevant Google Ads Performance and analytics
_ga, _ga_B8SKQ9HHPZ, _ga_X6LMX9VR0Y 13 months Registers a unique ID with a visitor to generate data on how the visitor uses the website Performance and analytics
_ga_BDJCJ7JL22 18 months Registers a unique ID with a visitor to generate data on how the visitor uses the website Performance and analytics
_ga_0V7JNYGWCC 23 months Registers a unique ID with a visitor to generate data on how the visitor uses the website Performance and analytics
SEARCH_SAMESITE 2 years Used to prevent the browser from sending this cookie along with cross-site requests Performance and analytics

ent some web services from working correctly, affecting the navigation on the website in part or in full.