GRAPEGAIN, UNIPESSOAL LDA: PRIVACY POLICY
Last updated: September 26, 2023

1. Introduction.
GRAPEGAIN, UNIPESSOAL LDA (PRIVATE LIMITED COMPANY), registered
head office: Rua Natália Correia, nº 25, 2º esqº District: Setúbal Municipality:
Almada Parish: Laranjeiro e Feijó 2810 418 Almada, care about your privacy
and the protection of your Personal data.
This Privacy Policy (“Policy”) explains the general principles on how
the Grapegain Unipessoal LDA, its licensors, affiliates (“GRAPEGAIN”, “we”,
“our” or “us”), collect and use information when you visit our website at
http://www.grapegain.com (“Website”), use any of our services (“Services”) that
we provide to you, or if you interact with us in any other way, e.g. contact us via
social media pages. This Policy explains what personal data we collects from
you, through our interactions with you or your organization and through our
website, products or services, and how we use it. It also describes your choices
regarding access, correction and erasure of your personal information.
By communicating with us through the Website or our Services, you (“you”,
“your”, “client”, “client representatives”, “data subject”) may be explicitly asked
to confirm acceptance of this Policy.
Reference in this Policy to “your Personal Data” means any information that can
be used to directly or indirectly uniquely identify, contact or locate you
(“Personal Data”).
We process Personal Data under this Policy and in accordance with applicable
legislation, including the General Data Protection Regulation (2016/679)
(“GDPR”) and the national data protection laws, as applicable towards
the GRAPEGAIN (“Data Protection Law”).

2. The Scope of the Policy.
2.1. This Policy describes how we process Personal Data in connection with:
2.1.1. all matters related to you as a data subject, such as the obtains personal
data from the forms filled out on the Website, browsing our site, providing the
information, taking steps prior to entering the agreement with your organization
and further processing for the performance of the agreement;
2.1.2. our Demo Mobile App or Web Demo on the Website, other events
and marketing initiatives;
2.1.3. cookies that are used on our Website or live chat operation(if applicable);
2.1.4. all our statutory obligations with respect to the GDPR, any relevant Data
Protection Law, and any other laws and regulations that may be applicable to
us.

3. Principles of Personal data processing.
3.1. We adheres to the principles of personal data protection as envisaged in
the GDPR and Data Protection Law and in accordance with these principles,
Personal data is:
3.1.1. Processed fairly and lawfully and in a transparent manner in relation to
the data subject;
3.1.2. Processed for specified, explicit and legitimate purposes only and not
further processed in a manner that is incompatible with those purposes;
3.1.3. Adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed;
3.1.4. Kept accurate and up to date;
3.1.5. Retained in a form permitting identification of Data Subjects for no longer
than is necessary for the purposes for which they are processed;
3.1.6. Not retained longer than necessary;
3.1.7. Processed in a manner that ensures their appropriate security;
3.1.8. kept in safe and ensured by training and support for staff who handle
Personal data; and
3.1.9. Responding appropriately when data subjects seek to exercise their
statutory rights of access, correction and objection.

4. The legal basis for processing your Personal data.
We process your Personal Data on the basis of:
• your consent;
• contractual relationship between us;
• legal obligations to which we are subject to; and / or• our legitimate interest to ensure the quality of our services, ensure security,
protection of our financial interests, ensure risk management, spread
information about our services and events, keep business relationships with our
clients, partners and third parties, provide good customer service, understand
and improve how private individual are using our Website.
We limit the processing of your Personal Data to the scope of purpose for which
the data was collected. In cases where the processing is based on your
consent, you have the right to withdraw your consent to such processing at any
time. However, it may limit the services offered to you, if the collection and
processing is required by the law.
Access to your Personal Data will be limited to personnel who are required to
process the Personal Data to fulfil their professional responsibilities and their
duties to you as the Data Subject. Your Personal Data is not stored or
processed longer than is necessary with respect to the data processing
purposes that we have referred to as referred above.
We have taken the appropriate technical and organizational measures to
ensure the secure processing of your Personal Data. Your Personal data will
be processed in such a manner to ensure confidentiality and data integrity.

5. Categories of Personal Data we processes, purpose and legal basis for
processing.
5.1. Depending on the Services, we may process the following categories of
your Personal Data:
5.1.1. Consent to Personal data processing.
Personal data may be processed with the consent of the data subject. Before
giving consent, the data subject must be informed and accept the Privacy Policy
by marking in the line “I agree with the Privacy Policy” or consent must be
obtained in writing or electronically form for the purposes of documentation.
5.1.2. Personal Data processing for a business relationship.
Your Personal data can be processed in order to establish, execute and
terminate business relationships agreements. Prior to an agreement – during
the agreement initiation phase – personal data can be processed to prepare
bids or purchase orders to the service or to fulfill other requests and
consultations that relate to agreement conclusion and to be contacted during
the agreement preparation process using the information that You have
provided. Any restrictions requested by the You must be complied with.We process the following Personal Data for this purpose: Name and Surname,
Phone, Email address, Identification Document (Passport or ID Card), IP-
address, personal description.
5.1.3. Personal Data processing for marketing purposes.
We may send you information materials, news or events related to our services,
as well as information about the most current events and any upcoming events
related to our services that may be interested to you. Your Personal data can
be processed for marketing purposes or market and opinion research, provided
that this is consistent with the purpose for which the data was originally
collected. The data subject must be informed about the use of his/her Personal
Data for marketing purposes and must provide us with consent via his/her email
address or phone number.
If Personal data is collected only for marketing purposes, the disclosure from
the data subject is voluntary and shall be informed that providing Personal data
for this purpose is voluntary.
If the data subject refuses the use of his/her Personal data for marketing
purposes, it can no longer be used for these purposes and must be blocked
from use.
We process the following Personal Data for this purpose: Name and Surname,
E-mail address, Phone.
5.1.4. Personal Data processing pursuant to legal obligations.
The processing of Personal data is also permitted if the national legislation
requests, requires or allows this. The categories and extent of Personal data
processing must be necessary for the legally authorised data processing
activity and must comply with the relevant statutory provisions and regulations.
5.1.5. Personal Data processing pursuant to legitimate interest.
Personal data can also be processed if it is necessary for a legitimate interest
of the GRAPEGAIN. Legitimate interests are generally of a legal (e.g. collection
of outstanding receivables, in court proceedings or in an administrative or out-
of-court procedure for the protection and assertion of our legal rights, your legal
rights and the legal rights of others) or commercial nature (e.g. avoiding
breaches of agreement) or improvement of our service. Personal data may not
be processed for the purposes of a legitimate interest if, in individual cases,
there is evidence that the interests of the data subject merit protection, and that
this takes precedence. Before Personal data is processed, it is necessary to
determine whether there are legitimate interests that merit Personal data
protection.5.1.6. Personal Data processing using Cookies.
We use cookies to obtain information about your use of our Website. Cookies
allow us to provide you with a more streamlined and accessible experience
when using the Website. The information generally does not comprise any data
that would allow us to individually identify you as a natural person. We will
process your Personal data using cookies for the duration of the period in which
you have granted us consent. For further information, please see GRAPEGAIN
Cookie Policy here: [https://grapegain.com/files/cookies_policy.png]
With regard to each of Your visits to our Website, we may automatically collect
the following information:
• technical information, including the Internet protocol (IP) address used to
connect your computer to the Internet, your login information, browser type and
version, time zone setting, browser plug-in types and versions, operating
system and platform;
• information about your visit, including the full Uniform Resource Locators
(URL) clickstream to, through and from our site (including date and time);
products You viewed or searched for; page response times, download errors,
length of visits to certain pages, page interaction information (such as scrolling,
clicks, and mouse-overs), and methods used to browse away from the page.
5.1.7. Automated decision-making and profiling.
Automated Personal Data processing of Personal data (i.e. profiling) that is
used to evaluate certain aspects (e.g. evaluating specific related the data
subject of personal aspects, especially for the analysis or prediction of aspects
in connection with the behavior, financial condition, performance of the data
subject,) cannot be the sole basis for decisions that have negative legal
consequences or could significantly impair the data subject. The data subject
must be informed of the facts and results of automated individual decisions and
the possibility to respond.
Taking into account the results of profiling, our employees may perform
additional supervision or analysis of a data subject and take an individual
decision. However, in some situations, the offer to receive an additional service
or to change the cooperation conditions can be sent to a client automatically.
5.1.8. Special category of Personal data.
GDPR and Data protection Law provide for the special category of Personal
Data types (“sensitive data”) which we will process if allowed by the legal
enactments. Sensitive personal data is defined as personal data consisting of
information as to:• racial or ethnic origin;
• religious or philosophical beliefs;
• political opinions;
• genetic, biometric data;
• health state data;
• data relating to criminal convictions and offences.
We does not seek to collect or process sensitive personal data for You. If at any
time we will need to process such sensitive personal data in the future due to
the changes in the purposes of Personal data processing, the processing will
be carried out in accordance with the principles set out in the GDPR and Data
Protection Law.
5.1.9. Processing of children’s Personal data.
Our Policy is not to knowingly provide services to or collect Personal data and
information from persons under 18 years of age. Our Website is not directed or
intended for children under this age. If you are under 18 years of age, you
should not provide Personal data or information on our website. If you are the
parent or guardian of a person under the age of 18 whom you believe has
disclosed Personal data or information to us, please immediately contact us
at [●] so that we may delete and remove such person’s data from our system.

6. Your rights subject to Personal Data processing.
We have a legal obligation to ensure that your Personal Data is kept accurate
and up to date. We kindly ask you to assist us to comply with this obligation by
ensuring that you inform us of any changes that have to be made to any of your
Personal Data that we are processing.
You may, at any time, exercise the following rights with respect to our
processing of your Personal Data:
a) Right to access: You have the right to request access to any data that can
be considered your Personal Data. This includes e.g. the right to be informed
on whether we process your Personal data, what Personal Data categories are
being processed by us, and the purpose of our data processing;
b) Right to rectification: You have the right to request that we correct any of
your Personal Data if it is inaccurate or incomplete;
c) Right to object: You are entitled to object to certain processing of Personal
Data, including for example, the processing of your Personal Data for marketingpurposes or when we otherwise base our processing of you on legitimate
interest;
d) Right to erasure: You may also request that your Personal Data be erased
subject to certain statutory exceptions if the Personal Data is no longer
necessary for the purposes for which it was collected, or if you consider that the
processing is unlawful, or if you consider that the Personal Data should be
erased to enable us to comply with legal requirements;
e) Right to data portability: If we process your Personal Data based on your
consent or on the basis of a mutual contractual relationship, you may request
that we provide you with that Personal Data in a structured, commonly used
and machine-readable format. Moreover, you may also request that the
Personal Data is transmitted to another controller. Bear in mind that the latter
can only be done if that is technically feasible;
f) Right to withdraw your consent: In cases where the processing is based on
your consent, you have the right to withdraw your consent to such processing
at any time;
g) Opt-out from marketing: We will also give you the opportunity to opt out of
our communication with you whenever we send you information about us, the
events that we organize or any other information that we believe may be of
interest to you. Additionally, you can also opt out at any time by contacting us.
When providing Services to You, there may be circumstances where our
statutory obligations that will prohibit us from disclosing or erasing the Personal
data that we store and process. Moreover, such laws, regulations or rules may
prevent you from exercising other data subject rights as well.
If you have complaints on how we process your Personal Data, or you would
simply like to know more about our Personal data processing activities, feel free
to contact us at any time by using the information noted below.
For questions or concerns relating to the processing of your Personal Data and
this Policy, please contact us either by emailing to our designated Data
Protection Officer at [info@grapegain.com] or at the GRAPEGAIN,
UNIPESSOAL LDA (PRIVATE LIMITED COMPANY), registered head office:
Rua Natália Correia, nº 25, 2º esqº District: Setúbal Municipality: Almada
Parish: Laranjeiro e Feijó 2810 418 Almada;
If cooperating with us cannot achieve the realization of your data subject’s
rights, you do have the right to lodge a complaint with a Data Protection
Authority, Comissão Nacional de Proteção de Dados, https://www.cnpd.pt/
(“DPA”) if you think that your Personal Data is being processed incorrectly or
your data subject’s rights have been violated by us. You can lodge a complaint
by contacting the DPA that is local to your jurisdiction i.e. the location of thealleged violation of your data subject rights or the inappropriate processing or
your data, or the place you live and work.

7. The Recipients of Personal Data.
When We providing services to our clients, we may be obliged to transfer
Personal Data to third parties. This may include data transfer in the context of
our services or legal procedure and litigation, as well as generally any services
that we offer to our Clients.
However, outside of the provision of our services, we do use the services of
certain third parties to ensure the functionality of our services and the Website.
We are required to transfer your Personal Data to these third-party service
providers, including, but not limited:
• Business partners, suppliers and sub-contractors for the performance of any
agreement we enter into with You or them;
• Advertisers and advertising networks that require the data to select and serve
relevant adverts to You and others on the internet;
• IT services, accounting, security or translation services providers;
• our associates, audit firms, legal service providers, agents, attorneys or other
representatives for compliance with legal obligations to which we are subject or
for the establishment, exercise or defense of legal claims, whether in court
proceedings or in an administrative or out-of-court procedure;
• in the event that we sell or buy any business or assets, in which case we may
disclose Personal data to the prospective seller or buyer of such business or
assets;
• If we are under a duty to disclose or share Personal data in order to comply
with any legal obligation, or in order to enforce or apply our Terms of Use of our
Website or any other agreements or to protect our rights, property, or safety, or
those of our clients, or others.
We have ensured that all third-party service providers to whom we transfer your
Personal Data will follow our instructions with respect to how they process your
Personal Data. The transfer of your Personal Data is regulated by the data
processing agreements or data processing terms that exist between us and
third-party service providers. Any third-party service providers, as data
processors, must ensure that they process your Personal Data with the same
level of care and diligence as we do and are legally liable to you and to us if the
data processors act contrary to those warranties. Furthermore, these third-party
service providers are required to implement technical and organizationalmeasures to ensure an equal level of data protection to the one that we bring
to our data processing efforts.
We will take all necessary precautions to ensure that your Personal Data is
treated securely and in accordance with the applicable GDPR and Data
Protection Laws. For example, we may transfer your Personal Data based on:
• an adequacy decision by the European Commission;
• standard data protection clauses elaborated by the European Commission;
• standard data protection clauses elaborated by the DPA;
• using other possible safeguards and derogations where it is allowed by
the GDPR and Data Protection Laws.
Please note that in cases when we transfer or disclose information to any third
parties we always carefully consider the conditions under which Personal data
will be processed and stored after transfer to other entities both in European
Union (EU)/European Economic Area EEA) and outside EU/EEA.

8. Security measures and technical solutions.
We take reasonable measures, including administrative, technical and
organizational, to ensuring physical and environmental security of Personal
Data, encrypting Personal Data, providing computer network protection,
personal device protection, data backup and other protection measures thus
also protecting your Personal Data from loss, theft, misuse, and unauthorized
access, disclosure, alteration and destruction.
Within the framework of processing of your Personal Data, access to your
Personal Data is restricted to our authorized staff who need it for the
performance of their work duties and who process your Personal Data in
compliance with the technical and organizational requirements for the
processing of Personal Data specified in the GDPR and Data Protection
Law. We regularly audit and tests systems, trains and instructs the our staff,
and also defines areas of responsibility in the processing of personal data.
In the event that Personal Data in our possession or under our control is
compromised as a result of a security breach (such as accidental or unlawful
destruction, loss, alteration, unauthorized disclosure or access of Personal
Data) we shall promptly take appropriate and reasonable steps to mitigate the
effects of such a security breach, to the extent such efforts are within our
reasonable control.
Within the framework of the data protection system, appropriate processes
have been developed to investigate any incident related to the security of
personal data, which, if necessary, provide for notifying us.

9. Personal Data storage and retention.
We will retain your Personal Data for no longer than is necessary for the
purposes for which they are collected and processed for.
Please note that after the retention period or if the legal basis for processing
has ceased, we have the right to retain the documents and materials containing
the Personal Data in its backup systems, from which the Personal Data will be
deleted in the end of the backup retention cycle. We ensure that during the
backup period and after the retention period or ceasing of the legal basis,
applicable safeguards are in place, the Personal Data is put beyond use in the
backup systems and the Personal Data are subsequently deleted as soon as
possible, i.e. on our next deletion/destruction cycle.

10. Amendments to the Policy.
We may make changes to this Policy to reflect changes in our processing
methods and the best practices of data protection. If the Policy has been
changed in any way, then the newest edition of this Policy will be published on
our Website and, when changes are material, we will alert you. Your continued
use of our Services after this Policy has been amended will be deemed to be
your continued acceptance of the terms of this Policy, as amended.

11. Contact us.
If you have any questions regarding this Policy, please contact us using the
information below:
GRAPEGAIN
Rua Natália Correia, nº 25, 2º esqº District: Setúbal Municipality: Almada
Parish: Laranjeiro e Feijó 2810 418 Almada
E-mail: info@grapegain.com