Privacy Policy

Last updated: 26 May 2026

This Privacy Policy describes how Kraken Steel (“we”, “the company”) collects, uses and protects the personal data of users of the application available at app.krakensteel.eu (“the application”).

Table of Contents

  1. Data Controller
  2. Data Collected
  3. Purposes and Legal Bases
  4. Retention Period
  5. Recipients and Sub-processors
  6. International Transfers
  7. Data Subject Rights
  8. Cookies
  9. Security
  10. Changes
  11. Contact

1. Data Controller

Kraken Steel
NIPC: 518101185
Rua dos Carvalhinhos n.º 77, Cabanelas — 4730-099 Vila Verde, Portugal
Email: geral@krakensteel.eu

2. Data Collected

In the context of using the application, the following data are processed:

  • Authentication data: Google identifier, name, email address and profile picture — obtained through Google’s OAuth 2.0 flow when the user logs in.
  • Billing data: name (or company name), VAT/NIPC number, address, postcode, locality and phone number — when voluntarily provided by the user on the Profile page.
  • Quotation data: DXF/SVG files uploaded by the user, selected parameters (material, thickness, finish, quantity) and calculated quotations (including the associated PDF).
  • Technical data: essential session cookie (required to keep the user authenticated), IP address and request timestamps, temporarily logged for security and abuse-prevention purposes.

3. Purposes and Legal Bases

| Purpose | Legal basis (GDPR) |
|---|---|
| Authentication and session maintenance | Consent (Article 6(1)(a) GDPR) |
| Calculation of quotations, PDF generation, sending by email at the user’s request | Performance of a contract and pre-contractual steps (Article 6(1)(b) GDPR) |
| Order management and commercial relationship | Performance of a contract (Article 6(1)(b) GDPR) |
| Compliance with tax and accounting obligations | Legal obligation (Article 6(1)(c) GDPR) |
| Application security and abuse prevention | Legitimate interest (Article 6(1)(f) GDPR) |

4. Retention Period

  • Account data (authentication and profile): for as long as the user’s account is active. The user may delete their account at any time via the “Delete my account” button on the Profile page, whereupon all personal data are irreversibly erased.
  • Quotations and DXF/SVG files: for as long as the account is active, or until deleted by the user.
  • Documents with accounting and tax relevance (e.g. confirmed orders, invoicing): retained for the legally required period — as a rule, ten years (cf. the VAT Code and other applicable legislation).
  • Technical security records (access logs): retained for the time strictly necessary for their purpose, as a rule no longer than 90 days.

5. Recipients and Sub-processors

Data are shared only with the technical sub-processors listed below, exclusively for the operation of the application:

  • Google LLC / Google Ireland Ltd. — authentication (OAuth) and email delivery via Gmail API (Google Workspace).
  • Railway Corporation — application hosting, EU West region (Amsterdam).
  • Hostinger International Ltd. — DNS management for the krakensteel.eu domain.

Kraken Steel does not transfer personal data to third parties for commercial purposes. We do not carry out direct marketing, automated profiling or automated decisions with legal effect on the data subject.

6. International Transfers

Data are stored on servers located in the European Union (Amsterdam, Netherlands). For Google authentication and email delivery, transfers to Google servers outside the EEA may occur; these transfers are covered by the EU–US Data Privacy Framework and the Standard Contractual Clauses approved by the European Commission.

7. Data Subject Rights

Under the GDPR and Law No. 58/2019, the user has the right to:

  • Access, rectification, erasure, restriction, objection and portability of their personal data.
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
  • Lodge a complaint with the competent supervisory authority — the CNPD — Comissão Nacional de Proteção de Dados (Portuguese Data Protection Authority).

These rights may be exercised directly within the application (profile update and account deletion on the Profile page) or by sending a request to geral@krakensteel.eu. Requests will be answered within a maximum of one month.

8. Cookies

The application uses exclusively essential cookies:

  • ks_sess and ks_sess.sig — session cookies required to keep the user authenticated between requests. Validity: 7 days.

No marketing, advertising, social media or analytics cookies are used. As we use only strictly necessary cookies, prior consent is not required under Article 5(3) of Directive 2002/58/EC; nonetheless, users are informed of their existence via a banner on the first visit.

9. Security

The following technical and organisational measures are in place:

  • All communication is encrypted via HTTPS/TLS.
  • Session cookies are marked as secure and httpOnly.
  • Authentication is delegated to Google (OAuth 2.0) — the application does not store passwords.
  • Rate limiting to prevent abuse.
  • Access to data restricted to essential Kraken Steel personnel.

10. Changes to This Policy

This Privacy Policy may be updated to reflect legal, technical or operational changes. The date of the last update is indicated at the top of this page. In the event of material changes, users will be notified within the application.

11. Contact

For any questions regarding the processing of your personal data or the exercise of your rights, please contact us:

Kraken Steel
Email: geral@krakensteel.eu
Address: Rua dos Carvalhinhos n.º 77, Cabanelas — 4730-099 Vila Verde

See also the Terms and Conditions of use of the application.