Privacy Policy

This Privacy Policy identifies the information collected, explains the need to collect it and how it is used by the STAYAWAY COVID mobile device application (hereinafter referred to as the application). It is important that you as a data subject be aware of it.

Data Controller

FCT – Fundação para a Ciência e Tecnologia. 

Sede Av. D. Carlos I, 126, 1249-074 Lisboa, Portugal. 

Tel: 213 924 300 Fax: 213 956 519

Data processing purpose

The purpose of the data processing in the application is to contribute to a faster and more effective tracing of the COVID-19 contagion chains in Portugal, in the context of the global plan to fight the pandemic defined by the Portuguese health authorities and in line with similar examples from other European Union member states.

The application is part of a computer system that will allow the user to be informed about his potential risk of contagion based on the monitoring of his close contacts in the last 14 days.

Participation and use of the app are voluntary allowing users to stop using it at any given time, based on their autonomous and unilateral decision.

Legal grounds for processing

The grounds for the lawful processing of data in the mobile application is the public interest in the field of public health on the basis of Portuguese national law and Articles 6(1)(e) and 9(2)(i) of the GDPR. 

Categories of data and retention periods

By default, the personal data collected by the application never allows users or their devices to be directly identified. To protect their privacy only ephemeral and randomly generated alphanumeric identifiers are used, which are legally considered pseudo-anonymized data. To the extent that they report to individuals tested positive for Covid 19 or to those users alerted of exposure to a risk of contagion, we may consider those identifiers to refer to data concerning their health.

The application disseminates and receives these random identifiers from other devices that are nearby. The disseminated random identifiers (never received) may be shared publicly by the application on an official server located in the national territory. No identifiers are stored in the system for longer than 14 days.

As a result of processing the random identifiers, the user may receive an alert with information on the potential risk of contagion and the date of occurrence of the most recent close contact. This information is kept by the application until it is uninstalled.

Data collection and processing

The system is composed of two sub-systems:

  • a proximity contact assessment sub-system, comprising the application and a server (SPD);
  • a diagnostic legitimation code management sub-system, comprising a web client and a server (SLD).


Both servers are under the control of the Foundation for Science and Technology.

The application uses Bluetooth Low Energy (BLE) technology to disseminate and receive random identifiers from nearby devices. When within range of another device running the application, the application stores the following data:

  • the random identifiers diffused by the other device;
  • the signal strength;
  • the date and estimated duration of contact.


In case a user is diagnosed with COVID-19 the following data is stored in the SLD:

  • the diagnostic legitimacy code to obtain the SPD access certificate;
  • the date of first symptoms or the test date for asymptomatic individuals;
  • the date these data are to be destroyed at the SLD;
  • the number of times the diagnostic legitimation code was used:


The SPD server contains a list of the following data:

  • the random user identifiers diagnosed with COVID-19;
  • the date of each identifier.

International data transfer

No international data transfers other than those involved in local storage of information on users’ own mobile devices are foreseen.

Data subjects rights

The European Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 – RGPD) guarantees users, as holders of personal data, in addition to the right to information, rights of access, rectification, modification or erasure and opposition to processing. However, given the impossibility for the controller to identify users, in this case Articles 15 to 20 of the Regulation concerning rights of access, rectification, modification or erasure, in accordance with Article 11(2) of the Regulation, will in principle not apply. The right to object will be easily exercised by uninstalling the application.

The data subject may exercise their rights as well as request any information regarding the processing of their personal data by writing to the data controller or the respective data protection officer at the following postal and email addresses:


DPO email:

The RGPD also guarantees the data subject, in accordance with its Article 77, the right to lodge a complaint with a supervisory authority in the European Union. In Portugal, the competent supervisory authority is the CNPD ( ).

Uninstalling and discontinuing the application

The user can at any time uninstall the application without any damage. The uninstallation will result in the deletion of all data processed by the application, including data stored on the system server.

The entire system will be discontinued when the end of the pandemic is declared in Portugal.

Changes to the Privacy Policy

The person responsible for processing personal data has the right to modify and update the Privacy Policy. Information on changes made throughout the text should be summarized in this chapter and associated with the date of their effective implementation.

The user should always have available in the application the updated version of the Privacy Policy.