Home
Construway
Last updated: May 23, 2026

GDPR Compliance

Construway is committed to complying with the EU GDPR and Brazil's LGPD. This page explains how we meet our obligations and how you can exercise your rights.

Our Commitment

We take data protection seriously. Our platform is designed with privacy in mind — we collect only what we need, process it lawfully, and store it securely. This page summarises our GDPR obligations and how we fulfil them. For full details of what data we collect and how, see our Privacy Policy.

Data Controller

For personal data collected through our website and contact forms, Construway is the Data Controller. For data your organisation processes within the platform, your organisation is the Data Controller and Construway acts as a Data Processor under a Data Processing Agreement (DPA).

Enterprise customers can request a signed DPA by contacting us.

Lawful Basis for Processing

We always identify a lawful basis before processing personal data. The bases we rely on are:

  • Performance of a contract — to provide the services you have subscribed to and manage your account.

  • Legitimate interests — to respond to enquiries, detect fraud, and improve our platform, where these interests are not overridden by your rights.

  • Legal obligation — to comply with applicable law, including tax and financial regulations.

Your Rights as a Data Subject

Under the GDPR, you have the following rights:

  • Right of access — you can request a copy of the personal data we hold about you.

  • Right to rectification — you can ask us to correct inaccurate or incomplete data.

  • Right to erasure — you can request deletion of your personal data in certain circumstances.

  • Right to restriction — you can ask us to pause processing of your data in certain situations.

  • Right to data portability — you can request your data in a structured, machine-readable format.

  • Right to object — you can object to processing based on legitimate interests or for direct marketing.

To exercise any of these rights, contact us. We will respond within 30 days.

Data Minimisation & Purpose Limitation

We collect only the personal data that is necessary for the specific purpose it is collected for. We do not use data for purposes incompatible with those originally stated, and we do not retain it longer than necessary.

International Data Transfers

The Construway platform is hosted on infrastructure in Brazil. Personal data submitted by users outside Brazil is transferred to and processed in Brazil. We apply appropriate technical and organisational safeguards to protect that data in accordance with applicable law, including the EU GDPR and Brazil's LGPD.

Construway also complies with Brazil's LGPD (Law No. 13,709/2018). Brazilian data subjects may exercise their rights directly with us or with the ANPD (Autoridade Nacional de Proteção de Dados).

Data Breach Response

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

Contact & Complaints

For any GDPR-related enquiry, data subject request, or to request a Data Processing Agreement, please contact us.

You also have the right to lodge a complaint with your local data protection supervisory authority, or with the ANPD in Brazil at gov.br/anpd.