MITUP PRIVACY POLICY
- Introduction and Commitment to Data Protection
MITUP, a legal entity with taxpayer number 515.866.121, headquartered at Estrada Nacional 3, nº 9, Loja J – ZIP Code 2250-028, Constância, Portugal, is committed to protecting and respecting the privacy of personal data belonging to all its users, clients, employees, and partners. This Privacy Policy describes how we collect, use, protect, and share your personal data, in compliance with the following laws and regulations:
Key Legislation
- General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and Council, dated April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data. The GDPR sets a high standard for data protection, ensuring data is processed lawfully, fairly, and transparently.
- California Consumer Privacy Act (CCPA): A California law that grants significant rights to California residents regarding their personal data, including the right to know, delete, and opt out of the sale of personal information.
- Portuguese Laws 58/2019 and 59/2019: National legislation ensuring the application of GDPR in Portugal, establishing specific rules for personal data processing in the country.
Technical Standards
- ISO/IEC 27001:2013: International standard specifying requirements for an Information Security Management System (ISMS) to protect information confidentiality, integrity, and availability.
- ISO/IEC 27701:2019: International standard specifying additional requirements for a Privacy Information Management System (PIMS), complementing ISO/IEC 27001 to help ensure compliance with global privacy laws.
- ENISA (European Union Agency for Cybersecurity): Guidelines and best practices promoted by ENISA to strengthen cybersecurity and data protection across the European Union.
- NIST Cybersecurity Framework (CSF): A set of guidelines and standards developed by the U.S. National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risks.
- CERT-RMM (Resilience Management Model): A resilience management framework that assists organizations in protecting themselves from threats and recovering from security incidents.
- Data Controller
Your personal data will be processed by MITUP, a legal entity with taxpayer number 515.866.121, headquartered at Estrada Nacional 3, nº 9, Loja J – ZIP Code 2250-028, Constância, Portugal.
You can contact us or our Data Protection Officer (DPO) via email at dpo@mitup.pt.
All data-related requests will be addressed within the specified timeframes: 30 days for the EU and 45 days for the U.S. [Article 12(3) GDPR / §1798.130 CCPA].
- What Personal Data Does MITUP Process?
We collect various types of personal data to provide our services and improve your experience. The data collected depends on your interactions with MITUP and may include:
- Identification Data: Full name, email address, phone number, home address, taxpayer identification number (e.g., NIF, VAT ID, CPF, etc.).
- Professional Data: Job title, employer, and area of expertise.
- Browsing Data: IP address, browser type, operating system, webpages visited, time spent on the site, and clicked links.
- Marketing Data: Marketing preferences and responses to promotional campaigns.
- Communication Data: Content of emails and other communications shared with us.
- Financial Data: Bank details for invoicing and payment purposes.
- How Do We Use Your Personal Data?
We use your personal data for various purposes, always complying with applicable data protection laws:
- Service Provision: To deliver the services you have contracted.
- Communication: To send relevant information about our services, updates, or promotional offers.
- Marketing: To personalize our marketing campaigns based on your preferences and interests.
- Billing: To process payments and issue invoices.
- Service Improvement: To analyze usage data for quality improvement and development of new features.
- Legal Compliance: To meet legal and regulatory obligations, such as responding to requests from competent authorities.
- Security: To protect our systems and data against unauthorized access and other threats.
- Recruitment: To evaluate candidates for opportunities at Biz2People.
- Legal Basis for the Processing of Personal Data
The processing of your data is conducted based on the following legal grounds:
- Consent: When you have explicitly consented to processing your data for specific purposes (e.g., receiving marketing communications).
- Contract Execution: When processing is necessary to fulfil your contract with us (e.g., to deliver your contracted services).
- Legal Obligation: When processing is required to comply with legal obligations (e.g., issuing invoices).
- Legitimate Interest: When processing is necessary to pursue our legitimate interests and does not override your rights and freedoms (e.g., improving our services).
- How Long Will My Personal Data Be Retained?
The period during which your personal data is stored depends on the purpose for which it was collected:
- Marketing/Commercial: Retained 12 months from the last contact unless consent is withdrawn earlier.
- Project Billing: Retained during the commercial relationship and 10 years after contract termination, in compliance with legal obligations.
- Project Execution: Retained for the duration needed to fulfil the commercial contract.
- Recruitment Data: Retained for the duration needed to assess the application, and if hired, for the duration of the employment contract and the legally required period after termination.
- Browsing Data: Retained for 14 days for website analysis and improvement purposes.
After the retention period ends, your data will either be securely deleted or anonymized unless it is needed to meet legal obligations or defend our rights in litigation.
- How Do We Protect Your Personal Data?
We apply appropriate security measures to protect your data from unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption: Using encryption to secure data in transit and at rest.
- Access Control: Implementing restricted access so that only authorized personnel can access your data.
- Firewalls: Using firewalls to protect our systems against unauthorised access.
- Security Monitoring: Continuously monitoring our systems to detect and respond to security incidents.
- Security Audits: Conducting regular audits to assess the effectiveness of our security measures.
- Staff Training: Providing ongoing training to our staff on data protection and information security.
- Standards Compliance: Implementing an Information Security Management System (ISMS) in compliance with ISO/IEC 27001:2013 and ISO/IEC 27701:2019 standards.
- Who May Receive My Data?
Your data may be shared with the following entities:
- Service Providers: Companies providing services on our behalf, such as data hosting, payment processing, email delivery, and data analysis. These service providers are bound by confidentiality agreements and must protect your data according to our instructions.
- Competent Authorities: Governmental, regulatory, or judicial authorities, when required by law or to protect our rights.
- Group Companies: Other companies within our corporate group for administrative and service delivery purposes.
- Marketing Partners: Partners we collaborate with in marketing campaigns, provided you have consented.
- International Data Transfers
Some of our service providers may be outside the European Economic Area (EEA). In such cases, we ensure that data transfers comply with the applicable data protection laws, including signing standard contractual clauses approved by the European Commission or verifying that the destination country ensures adequate data protection.
- What Are My Rights?
Under GDPR and CCPA, you have the following rights regarding your data:
- Right of Access: You have the right to confirm whether your personal data is being processed and to access the data and information about the processing.
- Right to Rectification: To correct inaccurate or incomplete personal data.
- Right to Erasure (“Right to Be Forgotten”): To request the deletion of your data unless there are legitimate reasons for retaining it.
- Right to Restriction of Processing: To request the limitation of processing under certain circumstances.
- Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format and transmit it to another data controller.
- Right to Object: To object to processing your personal data for reasons related to your situation.
- Right to Withdraw Consent: To withdraw your consent when processing is based on your consent.
- Non-Discrimination Right (CCPA): Exercising your privacy rights must not result in discrimination.
- Right to Opt-Out of Data Sale (CCPA): To opt out of the sale of your data.
- How Can I Exercise My Rights?
To exercise your rights, email a request to dpo@mitup.pt. Indicate your name and the right you wish to exercise.
We will respond to your request within the mentioned timeframes, in compliance with applicable data protection laws.
- Complaints
If you believe there has been a violation of data protection laws, you have the right to file a complaint with the relevant supervisory authority. In Portugal, the competent authority is the National Data Protection Commission (CNPD), whose website is www.cnpd.pt.
- How Will I Be Informed About Changes to This Privacy Policy?
MITUP may update this policy at any time. Such updates will always be available and published on the website at WEBSITELINK. We recommend you review this policy regularly to stay informed about our privacy practices.
- Contact
If you have any questions or concerns about this Privacy Policy or our data protection practices, contact us at dpo@mitup.pt.
Last Update Date: 22/07/2025