What Data We Collect, Why We Collect It, and How We Protect It

Ana Costa

OSCAR operates as a two-sided marketplace: we connect homeowners in Porto with vetted service professionals. That means we hold personal data for both sides — home addresses, phone numbers, job histories, payment records, and professional license details. Under the General Data Protection Regulation (GDPR), which applies in Portugal and across the EU, we are a data controller for most of this data. We take that role seriously, and we want to be direct about what it means in practice.

This post is not a copy of our Privacy Policy (you can read that in full at legal/privacy.html). It is a plain-language explanation of the data decisions we have made, why we made them, and where our current limits are.

What Data We Actually Collect

There are three categories of data we handle: homeowner data, professional data, and job record data.

Homeowner data includes your name, email address, phone number, billing address, and the service address where work is to be carried out. We also retain a record of every booking you have made, including service category, job description, photos you uploaded, and the outcome notes. We do not collect government ID or financial account details directly — card payments are processed through a PCI-DSS certified payment processor, and we receive only a tokenised reference, not raw card data.

Professional data is more extensive, because our vetting process requires it. We hold copies of professional license numbers (Alvará certification, IMPIC registration where applicable), NIF (Número de Identificação Fiscal), bank account details for payouts, a portrait photo, and the full history of jobs completed through the platform including ratings received. We also retain the result of background screening we conduct before onboarding.

Job record data sits between both parties: it includes the job address, before-and-after photos, the time the professional arrived and departed (recorded via the app), and any notes exchanged during the job. This record is the evidence layer that makes dispute resolution possible.

Why We Collect Each Category

GDPR requires that every piece of data we collect has a legal basis. We operate under three of them: contractual necessity, legitimate interest, and legal obligation.

Most homeowner data is collected under contractual necessity — we cannot perform the service without knowing where to send the professional, how to contact you, and how to process payment. The same applies to professional payment and license data: we cannot pay someone without a bank account, and we cannot list a licensed electrician without verifying their license.

Job record data — including arrival times and photos — is retained under legitimate interest. A homeowner who disputes the quality of a job has a right to a fair process, and that process requires evidence. A professional accused of not completing work has the same right. We retain job records for 24 months after job completion. After that, they are anonymised and retained only in aggregate form for service quality analysis.

We are also subject to Portuguese tax law, which requires us to retain financial transaction records for a minimum of ten years (Código do IVA, Art. 52). We cannot delete billing records early even if a user requests it — and we are honest about that constraint in our deletion request process.

Data We Do Not Collect (and Why)

We do not collect location data continuously. The professional's GPS is used only during active jobs — from the moment they mark "on the way" to the moment they mark "job complete." Outside those windows, we have no visibility into where they are. We made this decision deliberately: background location tracking has minimal operational value for our model, and it would require a more intrusive consent framework than we think is warranted.

We do not build behavioural profiles on homeowners for advertising purposes. We do not sell or share data with third-party advertisers. The only external parties who receive your data are those required for the service to function: the payment processor, the transactional email provider, and, in the event of a dispute, our legal counsel.

How We Handle Data Subject Rights Under GDPR

Under Articles 15-22 of the GDPR, every user — homeowner or professional — has the right to access, correct, restrict, or request deletion of their data. We handle these requests manually at the moment, through our support contact. Our target response time is five working days; the regulation requires response within one calendar month.

We will be direct about one limitation: we cannot delete all data on request. As explained above, tax records are legally retained for ten years. Job records where a dispute was filed are retained for the duration of any legal proceedings. If your deletion request is partially fulfilled and partially refused, we will explain exactly which data we cannot delete and why.

The supervisory authority for data protection in Portugal is the CNPD (Comissão Nacional de Proteção de Dados). If you believe we have mishandled your data and our internal process has not resolved it, you have the right to lodge a complaint with the CNPD directly at cnpd.pt.

Security Measures

All data in transit is encrypted via TLS 1.2 or higher. Data at rest in our database is encrypted using AES-256. We operate with role-based access controls — the support team can see job records relevant to a complaint but cannot access raw payment references or professional bank account numbers. Engineering has no production access to personal data outside of controlled, audited processes.

We conduct internal access reviews quarterly. We have not yet conducted a full third-party penetration test — that is on our roadmap for Q4 2025, and we will not claim a security posture we have not independently verified.

Cookies and Tracking

Our cookie policy covers this in detail, but the summary: we use a small number of functional cookies necessary to keep you logged in and to maintain your session during booking. We use one analytics tool (self-hosted Plausible Analytics, which does not use cookies and is GDPR-compliant by design) to understand which pages are useful and which are not. We do not use Google Analytics, Facebook Pixel, or any third-party behavioural tracking. You can verify this by inspecting your browser's network requests during any session on OSCAR.

How to Contact Us

Questions, access requests, deletion requests, and complaints can all go to [email protected]. Under GDPR Article 37, organisations of our size are not required to appoint a Data Protection Officer, but we have a designated person responsible for data protection questions internally. That is currently me, Ana Costa, operations lead. I read every message sent to that address.

We are a small team operating a marketplace in Porto. We do not have a legal department. We made choices about what to collect based on what the service genuinely requires, not on what we could theoretically justify. If something in this post or in our Privacy Policy raises a question, write to us. We would rather answer a difficult question directly than have someone guess at our intentions.