1. Data Controller
The data controller is XPGRP, Lda., with headquarters at Avenida da Liberdade, no. 9 – 6th floor right, 1250-139 Lisbon, Portugal. For any questions regarding data protection, you may contact us at info@xpgrp.com or in writing to our registered office address.

2. Purposes and Legal Basis
We collect and process personal data for the following purposes: provision of contracted services; compliance with legal obligations; communication with the data subject; legitimate interest (e.g., service improvement); and explicit consent (when applicable).

3. Categories of Data Processed
Name, contact details, nationality, identification documents, tax data, professional information, interaction history, and data necessary for the execution of requested services.

4. Data Recipients
Data may be shared with public authorities, financial institutions, or technical and legal service providers, only to the extent necessary for service provision and in compliance with applicable law.

5. International Data Transfers
If data must be transferred outside the European Economic Area, appropriate safeguards will be ensured in accordance with the GDPR.

6. Data Retention
Data is retained for as long as necessary to fulfill the purposes or for the legally required periods.

7. Data Subject Rights
Under Article 12 and subsequent provisions of the GDPR, data subjects have the right to: access; rectification; erasure (“right to be forgotten”); restriction of processing; data portability; objection; withdraw consent (when applicable); and lodge a complaint with the CNPD (www.cnpd.pt).

8. Data Security
We implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data.