Privacy Policy

1. Intro

‍

This Privacy Policy describes the guidelines and principles regarding the protection of personal data adopted by companies belonging to the economic group called “CASTRO GROUP” and which includes all companies in a domain relationship with CASTRO GROUP, SGPS, S.A. and which are under dominant influence with it, in accordance with article 486 of the Commercial Companies Code (the”CASTRO GROUP”).

‍

This Privacy Policy thus applies to all personal data processing activities carried out by the companies that make up the CASTRO GROUP.

‍

CASTRO GROUP is an economic group composed of several companies that operate, essentially, in the following sectors of activity:

‍

1. Real estate promotion and management: buying and selling real estate, leasing, coworking, construction and real estate projects, etc.;
2. Asset management: management of investment funds, collective investment companies, etc.

‍

On this date, with reference to the sectors of activity mentioned above, the CASTRO GROUP includes the following companies:

‍

1. Real estate promotion and management: CASTRO RED BUILD, LDA., CASTRO RED, S.A., SOLID CONDITION, LDA., FUSE VALLEY, LDA., 2GETHER SPACES, LDA.
2. Asset Management: ICON SIC, S.A., CASTRO RED CAPITAL SIC, S.A., NEXA SGOIC, S.A., FUSE VALLEY — Private Subscription Closed Real Estate Investment Fund

‍

CASTRO GROUP may also include non-majority shareholding in other companies, which may adhere to this Privacy Policy if the activities you pursue fall within the “real estate promotion and management” and/or “asset management” activity sectors. Membership always depends on a written agreement between CASTRO GROUP, SGPS, S.A. and the entity in question, whose essential conditions and terms, together with this Policy, must be made available to data subjects.

‍

This Privacy Policy also applies to personal data processing activities carried out by entities that, in the future, will join the CASTRO GROUP, in a domain relationship. It is up to these entities, but also to the entities that currently make up the CASTRO GROUP, to ensure that data subjects are informed about the existence and content of this Privacy Policy.

Regarding the personal data processing activities conducted by companies with reference to the “asset management” sector, this Privacy Policy also applies to data processing activities conducted by the entities under their management (funds and corporations).

‍

In the course of their activities, CASTRO GROUP companies collect and process personal data from various owners, including:

‍

1. participants in investment funds (”Participants”) and potential buyers of investment fund units (”Potential Participants”);
2. tenants and guarantors or potential tenants and guarantors under contracts for the rental or use of spaces (”Tenants and Guarantors” and”Potential Tenants and Guarantors”);
3. sellers and buyers or potential sellers and buyers under contracts for the purchase and sale of real estate (”Buyers and Sellers” and”Potential Buyers and Sellers”);

‍

(all hereinafter jointly referred to, for the purposes of this policy, as”data subjects”).

‍

2. Identification of the person responsible for the treatment

‍

Depending on the processing activity in question, the CASTRO GROUP company is responsible for the treatment, which, in this processing activity, determines the purposes and means of processing the personal data of the data subjects (the”Responsible for the Relevant Treatment”).

‍

‍

3. Personal Data Categories

‍

Personal Data of Participants and Potential Participants

Regarding Potential Participants and Participants, the Relevant Data Controller may process personal data integrated into the following categories:

‍

• Identification Data, such as gender, profession, name, age or date of birth, citizen card number, taxpayer number, foreign taxpayer number if applicable, social security identification number, nationality, profession, employer, marital status and identification of the spouse);
• Contact Data, such as address, email address, telephone and mobile phone contacts, among others;
• Bank account identification data and financial information, such as IBAN and individual income tax (“IRS”) declarations.

‍

Personal Data of Tenants, Guarantors and Potential Tenants and Guarantors, Buyers and Sellers, and Potential Buyers and Sellers

With regard to Potential Tenants and Guarantors, Tenants and Guarantors, Buyers and Sellers, and Potential Buyers and Sellers, the Responsible for the Relevant Treatment may process personal data included in the following categories:

‍

• Identification Data, such as gender, profession, name, age or date of birth, citizen card number, taxpayer number, foreign taxpayer number if applicable, social security identification number, nationality, data about academic education, among others;
• Contact Data, such as address, email address, telephone and mobile phone contacts, among others;
• Bank account identification data and financial information, such as IBAN and individual income tax (“IRS”) declarations.

‍

4. Origin of personal data

‍

Personal data is mostly provided by data subjects upon first contact and while data subjects maintain a contractual relationship with the Relevant Data Controller.

Personal data can be collected at various times and through various communication channels, including telephone, email and in person.

‍

5. Purposes of personal data processing, legal basis for processing and storage periods

‍

Personal data are processed for various reasons, justified by the applicable data protection laws in the European Union and in Portugal.

‍

Personal Data of Participants and Potential Participants

The Responsible for the Relevant Treatment processes the personal data of Participants and Potential Participants for the following purposes and based on the following legal grounds:

‍

‍

Participants' personal data is kept for the duration of the contractually established relationship with the Relevant Data Controller, as applicable, and up to 10 (ten) years from the end of that relationship, and in some situations the retention period may be longer, in which case this extension will be legally justified and supported. This deadline was defined taking into account the possibility that the Responsible for the Relevant Treatment needs to present evidence in any dispute or potential dispute between themselves and the data subjects.

‍

In the case of Potential Participants, the Responsible for the Relevant Treatment processes their personal data for the purpose of gathering the relevant and necessary information for the implementation of the contractual relationship, in accordance with the relevant Portuguese and Community legislation. In this case, there are two legal bases for the processing, on the one hand, the execution of pre-contractual steps at the request of the data subject and, on the other hand, the fulfillment of legal obligations to which the Data Controller

‍

Relevant is subject, especially in the phase preceding the conclusion of a contract for the subscription of units of participation.

‍

The personal data of Potential Participants are kept during the pre-contractual phase that precedes the conclusion of participation unit contracts. If a contract is concluded, the data will be used for the contractual phase and treated as data from

Participants. If, perhaps, no contract is concluded due to the lack of interest of the data subject or any other reason, the data may still be kept for a period calculated on a case-by-case basis, up to 10 (ten) years from the last contact, depending on the reason for which no contract was concluded. In some situations, the conservation period may be longer, in which case this extension will be legally justified and sustained.

‍

Personal Data of Tenants, Guarantors and Potential Tenants and Guarantors, Buyers and Sellers, and Potential Buyers and Sellers‍

‍

The Relevant Data Controller processes the personal data of Potential Tenants and Guarantors, Tenants and Guarantors, Buyers and Sellers, and Potential Buyers and Sellers, for the following purposes and based on the following legal grounds:

‍

‍

‍

The personal data of the Tenants, Guarantors, Buyers and Sellers are kept for the duration of the contractually established relationship with the Responsible for the Relevant Treatment and up to 10 (ten) years from the end of that relationship, and in some situations the retention period may be longer, in which case this extension will be legally justified and sustained. This deadline was defined taking into account the possibility that the Responsible for the Relevant Treatment needs to present evidence in any dispute or potential dispute between themselves and the data subjects.

‍

In the case of Potential Tenants and Guarantors, and Potential Buyers and Sellers, the respective data is kept during the pre-contractual phase that precedes the conclusion of contracts for the rental or use of spaces. If a contract for the rental or use of spaces is concluded, the data will be used for the contractual phase and treated as data of Tenants and Guarantors or Buyers and Sellers, as applicable. If, perhaps, no contract is concluded due to the lack of interest of the data subject or any other reason, the data may still be kept for a period calculated on a case-by-case basis, up to 10 (ten) years from the last contact, depending on the reason for which no contract was concluded. In some situations, the conservation period may be longer, in which case this extension will be legally justified and sustained.

‍

6. Marketing

‍

The Responsible for the Relevant Treatment may process the personal data of the data subjects to send them institutional information or commercial communications.

This data processing will be carried out only with the consent of the data subject, provided at the time the personal data was collected. If you consent, the data subject may receive marketing communications via e-mail, postal letter and SMS.

Consent to the processing of personal data for direct marketing purposes can be revoked at any time, although this right to withdraw consent does not compromise the lawfulness of the processing carried out based on the consent previously given or the subsequent processing of the same data, based on another legal basis, such as, for example, the execution of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject and compliance with legal obligations.

If you wish to withdraw your consent, the data subject may contact the Relevant Data Controller at the contacts indicated in this Policy.

‍

‍

7. Automatic Decisions (“Profiling”)

‍

CASTRO GROUP companies do not use technologies to make decisions solely based on the automated processing of the data of the data subjects.

Without prejudice, these entities may use technologies to define a profile about the data subject, however, never in a totally or exclusively automated way and without this implying any legally relevant (even if positive) consequences for the data subject.

‍

8. Categories of recipients of personal data

‍

The personal data of the data subjects may be transmitted to companies in the same economic group, which, in any case, are obliged to respect this Privacy Policy and, in particular, the purposes for which the personal data were initially collected.

The personal data of the data subjects may also be shared with entities that provide services to CASTRO GROUP companies and that, as part of the provision of these services, may process personal data on behalf of and upon instructions from one or more of these entities, as applicable, such as:

‍

• companies specializing in the provision of accommodation services of Website and systems of Backups and other IT support and development services;
• companies providing digitization and documentary archiving services;
• companies specialized in providing programming and digital marketing services, in situations where the data subject has given their respective consent;
• companies providing communication, dissemination and marketing services, in situations where the data subject has given their respective consent;
• lawyers, financial auditors and other advisors who provide consulting services to CASTRO GROUP companies.

‍

In the case of transfers of personal data to service providers, the subcontracting entity is bound by a subcontracting agreement that requires it to process personal data in compliance with the legislation on the protection of personal data.

The personal data of the data subjects may also be shared with third parties (i) by virtue of a requirement or judicial notification for this purpose, provided that it is duly substantiated and legally supported; (ii) in the case of a request from a public authority, provided that it is duly substantiated and legally supported; (iii) following an express request by the data subjects regarding the data they hold, in the exercise of their rights, in particular, the right to portability; (IV) by the requirements of existing legislation.

‍

9. Transfer of personal data to other countries

‍

Currently, CASTRO GROUP companies do not use subcontractors or transfer data to third entities based outside the European Union.

However, if and when this transfer occurs, for any reason, the transmitting entity will ensure that these third parties agree to protect the transmitted data against misuse or disclosure, in accordance with the legal regime for the protection of personal data, by signing subcontracting agreements integrated with model clauses approved by the European Commission or other legally appropriate means.

‍

10. Rights of the holders of personal data

‍

As an expression of their commitment to guarantee the privacy of data subjects, CASTRO GROUP companies guarantee, in accordance with applicable national and community legislation, a wide range of rights that can be exercised under the following terms:

• Right of Access

Data subjects may, at any time, contact the Relevant Data Controller and request confirmation that their personal data is being processed and, if so, to be informed about: (i) the categories of personal data in question; (ii) the purposes of processing your data; (iii) the respective storage period or criteria used to fix it; (iv) their rights and the way to exercise them; (v) the origin of the data concerning you; (vi) the existence of automated decisions, including profiling.

‍

The Responsible for the Relevant Treatment may only provide the information of the data subjects and not personal data about other people. In addition, if access could negatively affect the rights of another person, it may not be possible for us to provide them.

If the data subject so requests, the Responsible for the Relevant Treatment will send a copy of your personal data being processed, in electronic format. If other copies are requested, the Responsible for the Relevant Treatment reserves the right to be able to demand the payment of a fee equivalent to the administrative costs incurred to satisfy the request.

• Right to Erasure

Also known as “the right to be forgotten”, it allows the data subject to request the deletion or removal of their personal data when there is no compelling reason for the Relevant Data Controller to continue using them. The right to deletion is not absolute because the Relevant Data Controller may have the right or obligation to retain the information, as is the case, for example, when subject to a legal obligation or has another valid reason to retain it.

• Right of Rectification

Whenever they verify that the personal data being processed are out of date, incomplete or incorrect, the data subjects may request their correction as soon as possible.

• Portability Right

‍

Data subjects also have the rights to: (i) receive personal data concerning you from the Responsible for the Relevant Treatment, in a commonly used format; (ii) to transmit this data to third parties, under their sole responsibility; and/or (iii) to request the Relevant Data Controller to transmit that data to third parties. The right to portability only covers data for which the holder has given consent to be processed, data relating to a contract to which the holder is a party, or if the processing is carried out by automated means.

The Relevant Data Controller reserves the right to refuse portability requests whenever they harm the rights and freedoms of third parties, or conflict with any legal requirement.

‍

• Right to restrict treatment

‍

In certain situations, the data subject has the right to “block” or to suppress the continued use of data subjects' information. When processing is limited, the Relevant Data Controller is still able to keep the information of the data subjects, but cannot continue to use it.

‍

The data subject may request the limitation of the processing of their data for an indefinite period, when they wish to suspend the treatment but keep their data. This situation may occur when:

‍

1. the data subject disputes the accuracy of the data, and the processing is limited for a period of time that allows the Relevant Data Controller to verify the accuracy of the data, or
2. the data subject is awaiting a response to a request to object to the treatment.

‍

When processing is limited, personal data will only be re-processed if the data subject gives their consent, except for specific treatments contemplated by law. The Responsible for the Relevant Treatment guarantees that the data subject who requested the limitation of their data is informed before the limitation to said processing is lifted. The Responsible for the Relevant Treatment reserves the right to limit the processing of data of the holders when it does not need it, committing to keep the data for the pre-established retention period. The Responsible for the Relevant Treatment guarantees that the data subject who requested the limitation of their data is informed before the respective cancellation.

‍

• Right to object

‍

The Responsible for the Relevant Treatment ensures the necessary means for the data subject to object to certain personal data processing for certain purposes, without prejudice to regulations or laws in force.

The data subject may object to the processing under the following circumstances:

‍

1. for reasons related to your particular situation, at any time, opposing the processing of any personal data relating to you based on legitimate interests. However, the Responsible for the Relevant Treatment may continue to process the data subject's data if he can demonstrate compelling legitimate reasons for the processing of personal data that override the interests, rights and freedoms of the data subject, or if he needs personal data to establish, exercise or defend himself in legal proceedings;
2. You can object at any time to the use of your personal data for direct marketing purposes (including creating profiles related to such direct marketing).

‍

• Right of Complaint

‍

Finally, data subjects are granted the right to file a complaint with the National Data Protection Commission (https://www.cnpd.pt) regarding the processing of your data, by any of the means permitted by the said Control Authority.

‍

‍

11. Contact us

‍

The rights provided for and described in this Policy and, as well as other rights legally provided for in the relevant legislation in force, can be freely exercised by contacting the following address and email:

‍

Address: Avenida 31 de Janeiro, 307, 4715-052 Braga

Email: geral@castro-group.pt

‍

12. Changes to the privacy policy

‍

This Privacy Policy may change due to new legal or regulatory requirements, as well as following improvements in the quality of services and the development of the commitment of CASTRO GROUP companies regarding the protection of personal data. Any changes to this Privacy Policy will be duly publicized on the various communication channels of the Relevant Data Controller.

‍