Privacy Policy

This Privacy Policy categorises the personal information collected, explains the need for data collection and the way the STAYAWAY COVID system uses said data; in addition, it establishes the rights of users and the respective exercise of said rights. The system includes an application for mobile devices.

The STAYAWAY COVID system was created within the scope of the INCoDe.2030 programme, focusing on the development of a COVID-19 tracing solution, in order to address the spreading of the virus. The Institute for Systems and Computer Engineering, Technology and Science (INESC TEC) and the Institute of Public Health of the University of Porto (ISPUP) are the entities in charge of developing the app, with the support of Keyruptive and Ubirider.

The system underwent a Data Protection Impact Assessment (DPIA), as well as prior consultation by the Portuguese Data Protection Authority (CNPD); the Portuguese National Cybersecurity Centre also audited the system.


Entity responsible for the data processing:

  • DGS – Directorate-General for Health

Alameda D. Afonso Henriques, 45, 1049-005 Lisbon – Portugal

Phone number: +351 218 430 500


  • INESC TEC – Institute for Systems and Computer Engineering, Technology and Science

Rua Dr. Roberto Frias, 4200-465 Porto, Portugal

Phone number: +351 222 094 000

  • Keyruptive

Praça Conde de Agrolongo 123, 4700-312 Braga, Portugal

  • Ubirider

Rua Alfredo Allen 455/461 – room 1.03, 4200-135 Porto, Portugal

  • SPMS – Shared Services of the Ministry of Health, EPE

Avenida da República no. 61, 8th floor, 1050-189 Lisbon, Portugal

Phone number: +351 211 545 600

  • INCM – Portuguese Mint and Official Printing Office

Av. António José de Almeida, 1000-042 Lisbon, Portugal

Phone number: +351 217 810 700

The goal of data processing through the application is to contribute to a faster, broader and more effective screening of COVID-19 in Portugal, according to the general plan to fight against the pandemic, defined by the Portuguese healthcare authorities, similarly to examples of other European countries. The application is part of a computer system that will inform the users about potential high-risk exposure, according to the monitoring of close contacts during the previous 14 days. Joining and participating in this initiative is voluntary, and users are allowed to stop using the application, autonomously and unilaterally, at any time.

The app’s installation and use is strictly voluntary. Pertaining to users, consent establishes a legal basis for data processing (Articles 6, no. 1, a) and 9, no. 2, a) of the GDPR).

However, since the operation of the application implies different processing procedures, involving different categories of data subjects (users and healthcare professionals), the data processing performed requires a double condition of lawfulness, which only reinforces its legitimacy and leads to a more proportional process.

In fact, when public authorities provide a service based on a mandate given by, and in compliance with the requirements set out in the law, the legal basis for data processing is the need to exercise responsibilities of public interest, under the terms of the provisions of Articles 6, no.1, e), and 9, no. 2), both of the GDPR.

The Decree-Law 52/2020 of 11th August provides a legal framework for the use of STAYAWAY COVID, establishing DGS as the data controller and regulating the doctor’s intervention in the system.

The personal data collected by the application never allow identifying users or their devices. In order to protect the users’ privacy, the application generates random temporary alphanumeric identifiers, considered pseudonymised data.

Given the possibility of referring to users diagnosed with COVID-19 or users notified of potential high-risk exposure, we deliberated that said identifiers refer only to data associated with their health.

The application broadcasts and receives random identifiers from other nearby devices. The application can share the random identifiers broadcast (never the received ones) with an official server, located in the national territory. No identifier is stored in the system for more than 14 days.

Because of the processing of random identifiers, the users may receive a notification with information about the potential high-risk exposure, and the date of the most recent close contact, leading to said occurrence. This information is stored in the application until the users uninstall it.

In addition to user data, data from healthcare professionals involved in the validation of contagion information is necessarily processed. The system will use an authentication system, under the responsibility of the SPMS, which will work separately from other systems to ensure the privacy of doctors and patients.

The STAYAWAY system will process the following personal data:

Data: Pseudonymised data (TEK Identifier Keys and Random RPI Identifiers)
Definition: The mobile device generates a TEK Identifier Key on a daily basis. This daily TEK Identifier Key generates a Random RPI Identifier every 15 minutes (on average), during the period that said RPI is valid. Random RPI Identifiers are transmitted in broadcast mode and received by mobile devices that are geographically close.
Purpose: It allows signalling the users’ proximity to someone for at least 15 minutes, at a two-meter distance, without the application being able to identify the users or track the place where the contact took place.
Storage: Automatically deleted from the mobile device 14 days after being stored.

Data: Pseudonymised data (Universal Unique Identifier)
Definition: Identifier generated in the Diagnostic Legitimation Service (SLD), part of the Access Code (CA).
Purpose: Stored in the Diagnostic Publishing Service (SPD) when the CA is created, and used later to ensure that each CA is not used more than once within its validity period.
Storage: Eliminated during the daily database maintenance task, after the end of its validity period – maximum of 24 hours.

Data: Health data (TEK Identifier Keys shared after positive diagnosis)
Definition: These are the keys submitted by users diagnosed with COVID-19 to the central system server.
Purpose: The devices with the STAYAWAY application download these keys periodically. The application keeps the date of the last update and asks only for the keys published after that date, for each of the relevant days. The DMP calculates the Random RPI Identifiers associated with these keys, in order to compare them with the RPIs received from nearby DMPs during the previous 14 days. Then, it calculates a risk function that assesses the existence of close contacts (less than the two-meter distance, and for more than 15 minutes) using the RPIs, estimated distances and exposure times.
Storage: The storage period is 14 days.

Data: Health data (date, duration and estimated distance of contact)
Definition: The DMP calculates a risk function that, following the current guidelines of the World Health Organization, assesses the existence of close contacts (less than the two-meter distance, and for more than 15 minutes). This function relies on the Random RPI Identifiers received from nearby DMPs, the TEK Identifier Keys from users diagnosed with COVID-19, received from the SPD, as well as the associated temporal metadata.
Purpose: The application notifies the users of high-risk exposure to someone diagnosed with COVID-19, less than the two-meter distance, and for more than 15 minutes.
Storage: The storage period is 14 days.

Data: Health data (Date of first symptoms or test date for asymptomatic individuals)
Definition: Information entered by the healthcare professional in the system, concurrently with the generation of the Legitimation Code (CL). One can only obtain this date after knowing the CL, shared exclusively by the patient and the healthcare professional.
Purpose: This date aims to reduce the contacts that trigger warnings to those that occurred after the three-day period before the date of the first symptoms, which corresponds to the current consensus on the pre-symptomatic period, in which there is a significant possibility of contagion. Concerning asymptomatic cases, it is the doctor’s responsibility to use the test date or determine the most suitable date.

It is crucial to keep the date of symptom onset and diagnosis, so that the application notifies only those who have been in contact with someone diagnosed with SARS-CoV-2 infection over the three-day period before the symptom onset, or diagnosis, in case of asymptomatic individuals. The goal is reducing the number of false positives, thus decreasing the demand for health care (without compromising the efficiency of the system), the costs associated with said demand and testing, the number of people in isolation without any instructions, and, finally, the psychological stress related to the (false) suspicion of high-risk exposure/close contact with a COVID-19 patient.
Storage: The date is sent to the SLD as soon as the doctor generates the CL, and is saved in the registry associated with the CL in the SLD and the respective CA. It is later used by the SPD to determine the TEK Identifier Keys that must be disseminated by the DMPs.

As soon as the CL has expired (24 hours), it is eliminated during the daily database maintenance task.

Data: IP address
Definition: The SLD stores IP addresses for security purposes. In the case of the SPD, there is no provision for storing IP addresses or another identifier directly associated with the mobile device.
Purpose: The IP address is stored for a short period by the perimeter infrastructure, for the sole purpose of ensuring security, namely against DDoS attacks. The perimeter infrastructure equipment is independent of the SLD and there is no data crossing.
Storage: The storage period of IP addresses in the perimeter equipment is no longer than one hour.

The STAYAWAY COVID system comprises two subsystems:

  • a subsystem for evaluating close contacts, comprising the application and a server (SPD);
  • a diagnostic legitimation code management subsystem, comprising a web client and a server (SLD).

Both servers will be in national territory, and under the control of the following entities: INCM (SPD server) and SPMS (SLD server).

The application uses Bluetooth Low Energy (BLE) technology to broadcast and receive random identifiers from nearby devices. When within range of another device running the application, the application stores the following data:

  • the random identifiers broadcast by the other device;
  • signal strength;
  • the date and approximate duration of the contact.

In case a user is diagnosed with COVID-19, the following data is stored in the SLD:

  • the diagnostic legitimation code, in order to obtain the SPD access code;
  • the date of the symptom onset, or the test date in cases of asymptomatic individuals;
  • the scheduled date for elimination of said data in the SLD;
  • the number of times the diagnostic legitimation code was used (0 or 1, since it is for single use).

The SPD server contains a list with the following data:

  • the TEK Identifier Keys for users diagnosed with COVID-19;
  • the date of each TEK Identifier Key.
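As an added illustration (not the STAYAWAY COVID project's code), the single-use legitimation code held by the SLD and the onset-date filter applied before keys are published can be sketched as follows. The class and function names, the 12-digit code format, the key labels and the inclusive window boundaries are assumptions; the 24-hour, three-day and 14-day values are the ones stated in this policy.

```python
import secrets
from datetime import date, datetime, timedelta

CL_VALIDITY = timedelta(hours=24)  # policy: the CL expires after 24 hours
PRE_SYMPTOM_DAYS = 3               # policy: three-day period before symptom onset
RETENTION_DAYS = 14                # policy: nothing is kept for more than 14 days

class LegitimationService:
    """Toy stand-in for the SLD, holding only the fields the policy lists."""
    def __init__(self):
        self._codes = {}

    def issue(self, onset: date, now: datetime) -> str:
        code = f"{secrets.randbelow(10**12):012d}"  # code format is an assumption
        self._codes[code] = {"onset": onset, "delete_at": now + CL_VALIDITY, "uses": 0}
        return code

    def redeem(self, code: str, now: datetime):
        """Return the onset date once; None if unknown, expired or already used."""
        rec = self._codes.get(code)
        if rec is None or now >= rec["delete_at"] or rec["uses"] >= 1:
            return None
        rec["uses"] = 1
        return rec["onset"]

    def purge(self, now: datetime) -> int:
        """Daily maintenance task: drop every record past its deletion date."""
        expired = [c for c, r in self._codes.items() if now >= r["delete_at"]]
        for c in expired:
            del self._codes[c]
        return len(expired)

def keys_to_publish(teks: dict, onset: date, today: date) -> list:
    """Keep keys dated within 14 days and no earlier than three days before onset."""
    earliest = max(onset - timedelta(days=PRE_SYMPTOM_DAYS),
                   today - timedelta(days=RETENTION_DAYS))
    return sorted(k for k, d in teks.items() if earliest <= d <= today)

def demo():
    now = datetime(2020, 9, 1, 9, 0)
    sld = LegitimationService()
    code = sld.issue(onset=date(2020, 8, 30), now=now)
    onset = sld.redeem(code, now + timedelta(hours=1))   # first use succeeds
    replay = sld.redeem(code, now + timedelta(hours=2))  # second use is refused
    teks = {f"tek-{d:02d}": date(2020, 8, d) for d in range(18, 32)}  # constructed keys
    return onset, replay, keys_to_publish(teks, onset, now.date())
```

Only the five keys dated 27 to 31 August pass the filter in `demo()`, so contacts from before the pre-symptomatic window cannot trigger a notification.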

The application uses the protocol implemented by the GAEN API. Google and Apple provide the protocol specification, algorithms and respective API. However, the GAEN API code is not open. According to GAEN, only one officially endorsed application per country is authorised to access the API.

In the event that Google and Apple report changes to the GAEN API, and said changes affect users, information regarding such changes will be added to this Privacy Policy immediately.

Once installed, the application requests the users’ authorisation to run in the background, use Bluetooth communication and location services. Failure to grant said permission will prevent the application from running correctly. The GPS interface is not used. However, users must enable the GPS functionality on their Android systems, in order to make sure that the application runs correctly. This configuration is part of the Google operating system.

The European Data Protection Regulation (Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016 – GDPR) ensures the users’ (data subjects) right to information, the right to request access, rectification, erasure or restriction of processing.

However, considering the data controllers’ inability to identify users, Articles 15 to 20 of the Regulation, relating to the rights to request access, rectification, erasure or restriction of processing, shall not be applied, in accordance with the provisions in Article 11, no. 2 of the same Regulation. The data subjects can exercise their right to object by uninstalling the application.

The data subject may exercise his/her rights, as well as request any information regarding the processing of personal data, upon written request addressed to the data controller or the respective data protection officer, through the following postal and email addresses:

Questions/Technical support:

Data Protection:

Under the terms of the Article 77 of the GDPR, the data subject has the right to lodge a complaint with a supervisory authority in the European Union. In Portugal, the supervisory authority is the CNPD (

The users can uninstall the application at any time, without causing any damage. The uninstallation will lead to the immediate deletion of all data processed locally by the application. The remaining data stored on the system’s servers will be automatically deleted after the respective regular storage period.

The entire system will be dropped as soon as the authorities declare the official end of the epidemic caused by COVID-19 in Portugal.

Information on any changes introduced throughout the text will be summarised in this chapter, and associated with the date of its effective implementation.

The users must always have access to the updated version of the Privacy Policy, available via the application.
