Privacy Policy

Last Updated: March 2, 2026 | Version: 2.0

Etho Agency ("we", "us", "our") is a Lisbon-based brand transformation agency. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Portuguese data protection law.

For any privacy-related questions, contact us at hello@etho.agency. Etho Agency is based in Lisbon, Portugal.

What Data We Collect

We collect only the personal data necessary to provide our services:

● Website Forms (Typeform/Framer: Name, email address, and any message you include.
● Email & Scheduling: Communications via Zoho Mail, newsletter subscriptions via MailerLite, and call bookings via
Calendly.
● Google Analytics: IP address, browser/device information, pages visited, and similar usage data collected via cookies or similar technologies. ● Framer Analytics: anonymised, privacy-first usage data used to understand site performance and visitor behaviour.
● Clients: Name, contact details, and contract information necessary to deliver our services.
We do not collect sensitive personal data (such as health information or political opinions).

1. How We Collect Data
   ● Directly from you: When you complete a form, send us an email, message us on LinkedIn or Instagram, subscribe to our newsletter, or book a call.
   ● Automatically: Through cookies and analytics tools when you browse our website.
   ● From third parties: We do not currently collect personal data from third-party lead sources.

   
   

2. Why We Use Your Data & Our Legal Basis

   Data Purpose / Legal Basis

   ● Form submissions: Responding to enquiries, delivering audits, and providing strategic advice (legitimate interests).

   ● Client data: Delivering contracted services (performance of a contract).

   ● Email subscriptions: Sending newsletters and insights (consent).

   ● Cookies (essential): Ensuring website functions correctly (strictly necessary).

   ● Cookies (analytics): Understanding how site is used and improving our services (consent).

3. Who We Share Your Data With

   
   We do not sell your personal data. We share it only with trusted service providers who help us operate our business, each bound by a Data Processing Agreement (DPA):

   
   ● Zoho Mail: client and outreach communications
   ● Typeform: website forms
   ● MailerLite: newsletters
   ● Google Workspace: client calls, internal communications, and file storage
   ● Google Analytics: website analytics
   ● Calendly: call scheduling

   
   We may also disclose your data if required to do so by law or a competent authority.

   
   International Transfers: Some of the above providers are based in the United States. Where data is transferred outside the
   EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) and, where
   applicable, the EU–US Data Privacy Framework.

4. How Long We Keep Your Data

   
   ● Leads & enquiries: 2 years from last contact, or until you request deletion.
   ● Email subscribers: Until you unsubscribe.
   ● Analytics data: 14 months (Google Analytics default).
   ● Client data: For the duration of the contract and as required by applicable law thereafter.
   Data is securely deleted at the end of the applicable retention period.

   
   

5. Cookies

   We use a cookie consent banner on our website to obtain your consent before placing non-essential cookies.

   
   ● Essential cookies: Required for the website to function. No consent needed.
   ● Analytics cookies: Used to understand how our website is used and improve our services. These are placed only with your consent.
   ● Framer analytics: We also use Framer’s built-in analytics, which Framer describes as privacy-first and cookie-free.

   You can update your cookie preferences at any time via the banner on our website.

   
   

6. Your Rights

   
   Under GDPR, you have the following rights regarding your personal data:
   ● Access: Request a free copy of the data we hold about you.
   ● Rectification: Ask us to correct inaccurate or incomplete data.
   ● Erasure: Ask us to delete your data ("right to be forgotten").
   ● Restriction: Ask us to limit how we process your data.
   ● Objection: Object to processing based on legitimate interest.
   ● Portability: Receive your data in a structured, machine-readable format.
   ● Withdraw Consent: Where processing is based on consent, you can withdraw it at any time. This does not affect the
   lawfulness of processing carried out before withdrawal.

   
   To exercise any of these rights, email hello@etho.agency. We will respond within one month, free of charge.
   You also have the right to lodge a complaint with the Portuguese data protection authority, the CNPD (Comissão Nacional de Proteção de Dados): www.cnpd.pt.

   
   

7. Security

   
   We take reasonable technical and organisational measures to protect your data, including HTTPS encryption in transit,
   encryption at rest via our service providers, and access controls limiting data to those who need it. In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours as required by GDPR.

   
   

8. Children

   
   Our services are directed at businesses and organisations. We do not knowingly collect personal data from anyone under the
   age of 18. If you believe we have inadvertently done so, please contact us and we will delete it promptly.

   
   

9. Changes to This Policy

   
   We may update this policy from time to time. The "Last Updated" date at the top will always reflect the most recent version. For
   significant changes, we will notify active subscribers by email.

Questions? Contact us at hello@etho.agency