Privacy Policy
Vertio Platform (vertio.ai)
Last updated: February 2026
1. Data Controller
1.1. The entity responsible for processing personal data is Multilingues21 – Traduções e Edições Técnicas Multilingues, Lda. (hereinafter "M21Global"), with registered office at Rua Febo Moniz, no. 27, 1150-152 Lisbon, Portugal, NIF PT 507 983 815.
1.2. M21Global operates the Vertio platform, accessible at vertio.ai, a self-service document translation platform with automatic AI-powered quality verification.
1.3. For any matter relating to the processing of personal data, the User may contact: hello@vertio.ai.
2. Scope and Application
2.1. This Privacy Policy applies to the processing of personal data carried out in connection with the Vertio platform and is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), by Law no. 58/2019 of 8 August (the Portuguese implementing law for the GDPR), and other applicable legislation.
2.2. The platform is intended for business and professional use and is not directed at persons under 18 years of age.
3. Personal Data Collected
3.1. Registration Data
a) Name;
b) Email address.
3.2. Billing Data
a) Tax identification number (NIF);
b) Billing address;
c) Payment data (processed exclusively by Stripe – never stored in Vertio);
d) EU tax number validation via the VIES system.
3.3. Usage Data
a) Documents submitted for translation (originals and translations);
b) Translation history (language pairs, dates, amounts);
c) Language preferences and service level;
d) Responses to the onboarding questionnaire.
3.4. Technical Data
a) IP address (from authenticated users and from visitors using the free preview, for usage limit enforcement);
b) Browser type;
c) Strictly necessary cookie data (authentication and session);
d) Access logs.
4. Legal Bases for Processing
4.1. The processing of the User's personal data is based on the following legal grounds, pursuant to Article 6(1) of the GDPR:
4.1.1. Performance of a Contract (point (b))
Processing is necessary for the performance of the service contract concluded with the User, including: account creation and management, document processing, provision of the translation service, payment processing, and invoice issuance.
4.1.2. Compliance with a Legal Obligation (point (c))
Processing is necessary for compliance with legal obligations to which M21Global is subject, in particular tax and accounting obligations (Article 123 of the Corporate Income Tax Code — CIRC) and record-keeping obligations.
4.1.3. Legitimate Interests (point (f))
Processing is necessary for the purposes of legitimate interests pursued by M21Global, namely: service improvement, platform security, fraud and abuse prevention, and network and systems management.
5. Purposes of Processing
5.1. The personal data collected is processed for the following purposes:
a) Creation, management, and maintenance of the User's account;
b) Provision of translation services (processing of submitted documents);
c) Payment processing and wallet management;
d) Invoice issuance and compliance with tax obligations;
e) Transactional communications (confirmations, service notifications);
f) Continuous improvement of the platform and services;
g) Platform security and fraud prevention;
h) Compliance with legal and regulatory obligations.
5.2. M21Global does not use personal data for direct marketing purposes without the User's prior consent.
6. Sub-processors and Data Transfers
6.1. In providing its services, M21Global engages the following sub-processors:
| Sub-processor | Purpose | Location | Notes |
|---|---|---|---|
| Supabase | Authentication, database, storage | EU | Self-hosted at supabase.m21.global |
| Stripe | Payment processing | EU/USA | Card data never stored in Vertio. SCCs for US transfers. |
| AI Services | Translation engine | Outside EU | SCCs applied. Documents NOT used to train models. |
| MemoQ | Formatting processing | EU | — |
| TETOnline | AT-certified billing | Portugal | — |
6.2. International Data Transfers. Stripe's services and AI services involve the transfer of personal data outside the European Economic Area (EEA). These transfers are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Articles 46 and 49 of the GDPR.
6.3. M21Global ensures that all sub-processors provide adequate guarantees for the protection of personal data, through data processing agreements compliant with Article 28 of the GDPR.
7. Retention Periods
7.1. Personal data is retained for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data (name, email) | For as long as the account is active |
| Uploaded files (original documents and translations) | 30 days after job completion or failure (automatic deletion) |
| Billing data | 10 years (Art. 123 CIRC) |
| Access logs and visitor preview data (IP address) | 90 days (preview data) / 12 months (access logs) |
| Onboarding data | For as long as the account is active |
7.2. The User may request deletion of their documents at any time. Deletion of the account entails deletion of all personal data, except that retained by legal obligation.
8. Cookies
8.1. The Vertio platform uses only strictly necessary cookies for its operation:
a) Authentication cookies (User session management);
b) Session cookies (session state maintenance).
8.2. No tracking, advertising, third-party analytics, or any non-essential cookies are used.
8.3. As these are exclusively strictly necessary cookies for the provision of the service, consent is not required, pursuant to Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive) and Law no. 41/2004 of 18 August.
9. Security Measures
9.1. M21Global implements appropriate technical and organisational measures to protect personal data against loss, unauthorised access, destruction, misuse, or alteration, pursuant to Article 32 of the GDPR. These measures include:
a) Passwordless authentication (magic link) – no passwords stored;
b) Session verification middleware on all protected routes;
c) Documents processed in a private environment;
d) Documents never used to train artificial intelligence models;
e) Card data processed by Stripe (PCI DSS compliant) and never stored in Vertio;
f) Preview protected against copying (watermark, copy/paste blocking);
g) Rate limiting implemented on API routes.
10. Rights of the Data Subject
10.1. Pursuant to Articles 15 to 22 of the GDPR, the User has the following rights:
a) Right of access (Article 15) – to obtain confirmation that their data is being processed and to access that data;
b) Right to rectification (Article 16) – to request correction of inaccurate or incomplete data;
c) Right to erasure ("right to be forgotten", Article 17) – to request deletion of their data, without prejudice to legal retention obligations;
d) Right to restriction of processing (Article 18) – to request restriction of processing in certain circumstances;
e) Right to data portability (Article 20) – to receive their data in a structured, machine-readable format;
f) Right to object (Article 21) – to object to the processing of their data on the basis of legitimate interests.
10.2. The exercise of these rights may be requested by contacting: hello@vertio.ai.
10.3. M21Global undertakes to respond to requests within a maximum of 30 days, which period may be extended by a further 60 days in cases of particular complexity, subject to notification to the User.
10.4. The User also has the right to lodge a complaint with the competent supervisory authority:
Comissão Nacional de Protecção de Dados (CNPD)
Rua de S. Bento, no. 148, 3rd floor, 1200-821 Lisbon
Website: www.cnpd.pt
11. Data Protection Officer
11.1. M21Global has assessed the obligation to designate a Data Protection Officer (DPO) pursuant to Article 37 of the GDPR and concluded that this is not required, given that:
a) M21Global is not a public authority or body;
b) M21Global's core activities do not consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
c) M21Global's core activities do not consist of large-scale processing of special categories of data within the meaning of Article 9 of the GDPR, nor of personal data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR.
11.2. Notwithstanding the above, M21Global continuously monitors the evolution of its data processing activities and will reassess the need to designate a DPO whenever a significant change in the nature or scale of the data processing carried out takes place.
11.3. For any matter relating to the protection of personal data, the User may contact directly: hello@vertio.ai.
12. Amendments to the Privacy Policy
12.1. M21Global reserves the right to amend this Privacy Policy at any time.
12.2. Amendments will be communicated to the User via the platform and/or by email, and the updated version will always be available at vertio.ai/privacy.
12.3. Periodic review of this Policy is recommended.
13. Contact
For any matter relating to the protection of personal data:
Entity: Multilingues21 – Traduções e Edições Técnicas Multilingues, Lda.
Trading name: M21Global
Address: Rua Febo Moniz, 27, 1150-152 Lisbon, Portugal
Email: hello@vertio.ai
Website: vertio.ai