Privacy Policy
Last updated: 19 May 2026
This Privacy Policy explains how Rudig Consultores Lda, trading as “bessmo” (“bessmo”, “we”, “us”, “our”), collects, uses and protects personal data when you visit our websites at www.bessmo.com, beta.bessmo.com and app.bessmo.com (the “Sites”) or use the bessmo platform (the “Service”).
This Policy is written in plain language. If anything is unclear, please contact us at contact@bessmo.com.
1. Who is the controller
The controller of your personal data is:
Rudig Consultores Lda (trading as “bessmo”)
Rua da Barroca 6, 2º Esq, 2655-240 Ericeira, Portugal
NIPC: 518031292
Email: contact@bessmo.com
We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. The person responsible for data protection inquiries at bessmo is Samira Rudig-Sotomayor, reachable at the email above.
2. Scope of this Policy
This Policy applies to personal data we process as a controller, including:
- personal data of visitors to the Sites;
- personal data of prospective customers and contacts (sales, marketing);
- personal data of account administrators and authorised users of the Service (login, billing, support);
- personal data of applicants and other contacts of bessmo.
This Policy does not cover personal data that we process as a processor on behalf of our business customers — for example, personal data that a customer chooses to upload as part of their input files. That processing is governed by our Data Processing Agreement (DPA) with the customer, and the customer’s own privacy notice applies. If you are an end user of a bessmo customer’s account, please contact that customer for information about their use of your personal data.
3. Personal data we collect and why
We collect personal data in three main ways: information you provide to us, information collected automatically when you use the Sites or the Service, and information we receive from third parties.
3.1 Information you provide
| Data | When we collect it | Why we use it | Lawful basis |
|---|---|---|---|
| Name, email, employer, job title | When you create an account, contact us, or fill in a form | Provide and administer the Service; respond to your enquiry; account communications | Art. 6(1)(b) GDPR — performance of a contract or pre-contractual steps |
| Authentication data (hashed password, MFA secrets) | When you sign up or log in | Authenticate you and secure the account | Art. 6(1)(b) GDPR |
| Billing contact details and VAT number | When you become a paying customer | Bill you, issue invoices, comply with tax law | Art. 6(1)(b) GDPR and Art. 6(1)(c) — legal obligation (accounting) |
| Support correspondence | When you contact support | Provide customer support; improve the Service | Art. 6(1)(b) GDPR; Art. 6(1)(f) — legitimate interest in supporting customers |
| Marketing preferences | When you sign up for marketing, attend an event, or fill in a form | Send you marketing communications you have asked for | Art. 6(1)(a) GDPR — consent |
Billing is currently processed through invoices issued by bessmo. We do not collect or store payment card details.
3.2 Information collected automatically
When you use the Sites or the Service, we automatically collect:
| Data | Why we use it | Lawful basis |
|---|---|---|
| IP address, browser type and version, operating system, device identifiers, referring URLs, timestamps | Security; abuse prevention; service operation; aggregate analytics | Art. 6(1)(f) GDPR — legitimate interest in operating and securing the Service |
| Usage data: pages and features accessed, simulation runs initiated, errors encountered | Operate, troubleshoot and improve the Service | Art. 6(1)(b) and 6(1)(f) GDPR |
| Cookies and similar technologies | See Section 8 (Cookies) | See Section 8 |
3.3 Information from third parties
We may receive personal data from:
- our customer organisations (when they invite you to use their bessmo account);
- public sources (e.g. company registries, LinkedIn) for B2B prospecting in line with Art. 6(1)(f) GDPR;
- service providers helping us operate the Service (see Section 6).
4. How long we keep personal data
We keep personal data only as long as we need it for the purposes set out in this Policy or as required by law. In particular:
- Account data: for the duration of the account, plus up to ninety (90) days after deletion to allow for recovery and audit.
- Billing and tax records: ten (10) years, in line with Portuguese accounting and tax law obligations.
- Marketing data: until you unsubscribe or object, and in any event no longer than three (3) years of inactivity.
- Support correspondence: up to three (3) years after the last interaction.
- Server and security logs: typically up to ninety (90) days, longer where needed for investigation of an incident.
- Customer Data (processed on behalf of customers): for the duration of the customer’s agreement and as described in the DPA.
When we no longer need personal data, we delete or anonymise it.
5. Automated decision-making and profiling
We do not make decisions producing legal or similarly significant effects on you that are based solely on automated processing. The bessmo Service applies optimisation and simulation algorithms to data uploaded by our customers, but those operations work on commercial inputs (battery and market parameters) and not on personal data, and their outputs do not produce legal effects on individuals.
6. Who we share personal data with
6.1 Service providers (sub-processors and other vendors)
We use a small number of carefully selected service providers to help us deliver and operate the Service. Each is bound by a written contract that requires it to protect personal data in line with applicable law. The current list of providers used in connection with the Sites and the Service is:
- Amazon Web Services EMEA SARL — cloud hosting and infrastructure (EU regions).
- Hetzner Online GmbH — cloud hosting for the marketing website (www.bessmo.com) and the staging environment (app.bessmo.com) (EU regions).
- Web3Forms — processing of contact-form submissions on www.bessmo.com, including the name, email, company and message you provide.
- Functional Software, Inc. (Sentry) — application error and crash monitoring. May process IP addresses, user agents and limited account identifiers contained in error reports.
- GitHub, Inc. — source-code hosting and engineering workflow; may incidentally process personal data included in commit metadata, bug reports or internal issues. No customer or visitor data is intentionally stored on GitHub.
An up-to-date list of sub-processors used in our customer-facing Service is published at www.bessmo.com/subprocessors.
6.2 Professional advisers and authorities
We may share personal data with our accountants, lawyers, insurers and similar advisers, and with public authorities or courts where we are required to do so by law.
6.3 Business transfers
If we are involved in a merger, acquisition or sale of all or part of our business, personal data may be transferred to the relevant counterparty, subject to confidentiality undertakings.
We do not sell personal data.
7. International transfers
Where we transfer personal data outside the European Economic Area, we put in place safeguards required by GDPR. In practice this typically means relying on:
- the European Commission’s adequacy decisions, where they apply;
- the European Commission’s Standard Contractual Clauses (SCCs); and
- supplementary measures (such as encryption and contractual safeguards) where appropriate.
You can request a copy of the safeguards we rely on for a specific transfer by contacting us.
8. Cookies and similar technologies
We use cookies and similar technologies only for purposes that are strictly necessary to operate the Service (for example, to keep you logged in or to remember your consent choices). These do not require your consent under applicable law. We do not currently set analytics, advertising or preference cookies that would require your consent. If that changes, we will update this Policy and present a cookie consent banner before any non-essential cookies are set.
9. Security
We take the security of personal data seriously. We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include encryption in transit and at rest, role-based access controls, multi-factor authentication for personnel access to production systems, logging and monitoring, and contractual safeguards with our service providers.
No system is perfectly secure. If we become aware of a personal data breach affecting your personal data and likely to result in a risk to your rights and freedoms, we will notify you and/or the competent supervisory authority as required by law.
10. Your rights
Under the GDPR, you have the following rights in relation to your personal data:
- Access — to obtain confirmation of whether we process your personal data and a copy of that data.
- Rectification — to have inaccurate or incomplete personal data corrected.
- Erasure — to have your personal data deleted in certain circumstances.
- Restriction — to have processing of your personal data restricted in certain circumstances.
- Objection — to object to processing carried out on the basis of legitimate interests (including direct marketing).
- Portability — to receive personal data you have provided to us in a structured, commonly used and machine-readable format.
- Withdrawal of consent — where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Complaint to a supervisory authority — to lodge a complaint with a data protection authority. In Portugal, the relevant authority is the Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt. You may also complain to the supervisory authority in the EU/EEA country where you live or work.
To exercise your rights, contact us at contact@bessmo.com. We may need to verify your identity before responding. We will respond within one month of receiving your request, although that period may be extended by a further two months for complex requests.
If you are an end user of a bessmo customer (for example, if your employer is a bessmo customer and you use the Service through them), please direct rights requests to that customer in the first instance, as they are the controller of your personal data within the Service.
11. Children
The Service is not directed to children under sixteen (16) and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us so we can delete it.
12. Changes to this Policy
We may update this Policy from time to time. The “Last updated” date at the top of this Policy shows when it was last changed. For material changes, we will provide additional notice (for example, by email or a banner in the Service).
13. Contact us
If you have any questions about this Policy or our processing of your personal data, please contact:
Rudig Consultores Lda (trading as bessmo)
Rua da Barroca 6, 2º Esq, 2655-240 Ericeira, Portugal
NIPC: 518031292
Email: contact@bessmo.com