Privacy Policy
Last updated: 12 May 2026
Who we are
Salvado (“we”, “us”) operates salvado.ai. We are an AI advisory and implementation practice; the named person accountable for this site and its data handling is the founder. For data-protection questions, use the contact options at the bottom of this page.
The short version
- All personal data we hold is stored on our own infrastructure in the EU. No US-based AI providers process the contents of your intake or contact form.
- We don't use Google Analytics, Meta pixels, or any third-party tracking. The cookie banner you saw exists to flag the one localStorage entry we use to save your intake draft.
- You can request full erasure of your data at /gdpr/erasure. It runs within minutes, not 30 days.
Data we collect
Intake wizard (/intake)
When you complete the intake form, we store everything you typed: company context, your stated objective, infrastructure preferences, compliance context, decision context (budget, approvals), and your contact details. Each step you complete is saved as an append-only event so we can reconstruct your journey if needed for audit purposes.
We also record the IP address and user-agent of the device that submitted the intake. Both are used for anti-abuse rate-limiting only.
Contact form (/contact)
Name, company, email, phone (optional), message, source (how you found us), and your GDPR consent flag.
Newsletter
Email address and a record of your double-opt-in confirmation. We store an unsubscribe token so one click removes you instantly.
Free tools (e.g. /tools/ai-act-classifier)
Tool inputs are processed in your browser. If you choose to email the result to yourself, we store the email address and the classification outcome.
Attribution
If you arrive via a campaign URL, we record the UTM parameters alongside your intake so we know which sources produce serious leads. We do not cross-reference this with any third-party identity graph.
Browser storage
We use localStorage to save your in-progress intake draft in your browser. This is technical storage strictly necessary for the feature to work; under ePrivacy it does not require consent, but we surface a banner anyway so you can opt out. We also store your first-touch UTM parameters and the banner choice.
How we use it
- Respond to your inquiries with a scoped quote, follow-up questions, or an honest “not a fit.”
- Generate the personalized AI Deployment Brief (PDF) for qualifying intakes.
- Send the newsletter (only if you double-opt-in).
- Defend the wizard from abuse (rate-limiting, spam filtering).
- Improve the wizard based on aggregate completion patterns.
We do not sell your data, ever. We do not share it with marketing networks. We don't use it to train any model.
Lawful bases (GDPR Article 6)
- Contract performance (6(1)(b)) — for responding to your intake or contact form.
- Consent (6(1)(a)) — for newsletter subscription and any non-essential storage.
- Legitimate interest (6(1)(f)) — for security, anti-abuse, and aggregate analytics.
- Legal obligation (6(1)(c)) — for retaining business records as required by EU and Portuguese law.
Where your data is stored
On servers we operate in the EU. The Postgres database holding intake and contact data is in the same EU jurisdiction as our application servers. No data is replicated to non-EU regions.
Our nightly database backup is encrypted and stored on infrastructure we operate, also in the EU.
Retention
- Abandoned intake drafts (incomplete, not submitted): deleted automatically after 90 days.
- Submitted intakes: retained for the duration of any engagement plus 3 years for tax/accounting records, then deleted.
- Newsletter subscribers: retained until you unsubscribe.
- Anti-abuse rate-limit records: 7 days.
- Erasure-request audit logs: 12 months, for proof of compliance.
Your rights (GDPR Articles 12–22)
- Access — ask what we hold about you
- Rectification — correct inaccurate data
- Erasure — have your data deleted (use /gdpr/erasure)
- Restriction — ask us to stop processing while a dispute is resolved
- Portability — receive a copy of your data in machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — for newsletter, click the unsubscribe link in any email
- Lodge a complaint with your supervisory authority (CNPD in Portugal, your national DPA elsewhere in the EU)
Sub-processors
We use the smallest possible set of third parties for things we cannot do ourselves. None of them process the contents of your intake or contact form.
- SMTP relay: outbound transactional email (intake confirmations, resume links, newsletter, GDPR confirmations) is sent via the same EU-based SMTP relay used by our sister sites. We do not use external email-API providers like Resend, SendGrid, or Postmark.
- Our hosting provider: provides the EU-resident hardware our application servers run on.
We do not use OpenAI, Anthropic, or any other third-party AI API to process customer-facing intake data. Internal LLM evaluation of intake quality is performed by our own backend infrastructure.
Security
- HTTPS with HSTS preload across the entire site.
- Database access restricted to the application server and audited operations roles.
- Reference codes for intake submissions are bearer-like; we recommend treating yours as confidential.
- Nightly encrypted backups, with a 30-day retention window.
Changes to this policy
Material changes are dated above. We do not make retroactive changes — if a future version is less protective than this one for data you already gave us, we apply the older terms to that data.
Contact
For privacy questions, email hello@salvado.ai or use the contact form. For erasure, use /gdpr/erasure.