1. General Information
1.1 Introduction
At Compass Agentic Platform and any of its affiliated entities or brands (collectively referred to as "Compass," "we," "us," or "our"), we understand that the use of your personal data requires your trust. The confidentiality and integrity of your personal data is one of our primary concerns. We are subject to the highest privacy standards and will only use your personal data for clearly identified purposes.
The provision of personal data in connection with the use of the website at https://app.compassap.ai/ (hereinafter "website") implies knowledge and express acceptance of the conditions set forth in this Privacy Policy. We also recommend reading the Cookie Policy available at the same address.
This Privacy Policy, as well as the collection, processing, or transmission of User Data, are governed by the provisions of the General Data Protection Regulation ("GDPR") - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and other applicable data protection laws.
1.2 Data Controller
Compass Agentic Platform is the data controller as defined by the GDPR and is therefore responsible for the processing of your personal data as explained below.
1.3 Data Protection Officer
You may contact our Data Protection Officer ("DPO") in writing at any time using one of the following methods:
Contact Our DPO
2. Data Collection and Processing Purposes
Your personal data will be collected and processed by us in the following situations:
2.1 Website Usage
Access to and navigation of the website does not necessarily require the provision of personal data. However, certain features on the website require the provision of personal data, for example: (i) if you wish to submit an email to the contacts provided with your questions and suggestions; (ii) if you respond to one of the career opportunity announcements open at Compass; or (iii) when you subscribe to the newsletter or similar marketing campaigns.
| Action / Functionality | Data Collected | Purpose |
|---|---|---|
| Contact Request | Name, email, subject of request | Process your request and provide a response. Additional data may be voluntarily provided during the inquiry. |
| Job Application | Name, phone, email, CV, LinkedIn URL (if applicable) | Analyze your application. By submitting your data, you agree that it is true and correct. |
| Newsletter Subscription | Name, email | Send newsletters and communications about events, seminars, training, and other information related to our services and products. |
| Website Optimization | IP address, date and time, browser type, operating system, pages accessed | Optimize and improve our website and online services. Only collected if you provide them voluntarily. |
2.2 Additional Data Collection Scenarios
| Action / Functionality | Data Collected | Purpose |
|---|---|---|
| Service Inquiries | Name, phone number, email, subject of request | Process your request and provide a response. Additional data may be voluntarily provided. |
| Client Service Management | Name, contact number, email, requested service, tax ID | Identify you as a client and manage the services you have contracted. |
| Social Media Contact | IP address, cookies, logs, tracking technologies, contact data | Process your request and provide a response. Access depends on your subscription and acceptance of the service provider's privacy policies. |
| Marketing Campaigns/Events | Name, phone, email | Send marketing communications, invitations, service updates, and other communications we believe are of interest to you. |
| Whistleblowing | Anonymous: irregularity type, date, time, description. Non-anonymous: contact and identification data | Process reports submitted through available channels in compliance with applicable whistleblower protection laws. |
| Third-Party Data | Data sent by partners or third parties | Used within our legitimate interests to develop business, provided data protection requirements are met. |
3. Legal Basis for Data Processing
All information we collect is recorded, used, and protected in accordance with applicable EU data protection legislation. Under this legislation, the processing of personal data must be justified by at least one legal basis. Your data will be processed according to the legal basis under the GDPR for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Client Service Management | Used to identify you as a client and manage contracted services, including ticket management - Contractual obligations (Art. 6(1)(b) GDPR) |
| Job Applications | Constitutes affirmative action through which you consent to the processing of shared personal data for application management - Consent (Art. 6(1)(a) GDPR) |
| Marketing Communications | Marketing communications, newsletters, and other communications of interest are based on your consent - Consent (Art. 6(1)(a) GDPR) |
| Customer Support | We have a legitimate interest in responding to requests or questions made through various contact channels. This processing is also beneficial to you as it allows us to assist you appropriately - Legitimate interest (Art. 6(1)(f) GDPR). For service-related incidents, processing is necessary for contract fulfillment - Contractual obligations (Art. 6(1)(b) GDPR) |
| Rights Requests & Complaints | When your request relates to exercising your rights or service-related complaints, processing is based on compliance with our legal obligations - Legal obligation (Art. 6(1)(c) GDPR) |
| Website Optimization | Based on legitimate interest to protect our website and improve service quality. This processing is also beneficial to you as it aims to improve user experience and offer higher quality service - Legitimate interest (Art. 6(1)(f) GDPR) |
| Whistleblowing | Based on compliance with our legal obligations under applicable whistleblower protection laws - Legal obligation (Art. 6(1)(c) GDPR) |
4. Your Rights
As a data subject, you may contact our Data Protection Officer at any time using the contact information provided in Section 1.3 to exercise your rights. Subject to legally established conditions, these rights are as follows:
- Right to Access: The right to receive information about data processing and a copy of the processed data
- Right to Rectification: The right to require correction of inaccurate data or completion of incomplete data
- Right to Erasure: The right to require deletion of personal data
- Right to Restriction: The right to require restriction of data processing
- Right to Data Portability: The right to receive your data in a structured, commonly used format
- Right to Object: The right to object to data processing
- Right to Withdraw Consent: The right to withdraw consent at any time to stop data processing based on your consent
- Right to Lodge a Complaint: The right to file a complaint with the competent supervisory authority: CNPD - Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados)
6. Data Sharing
We may use third-party service providers to process your personal data. These service providers may be located in countries within and outside the European Union (EU) and the European Economic Area (EEA). We ensure that these service providers process personal data in accordance with European data protection legislation to guarantee an adequate level of protection, even if personal data is transferred to a country outside the EEA for which there is no adequacy decision from the European Commission.
It may be necessary to share your personal data in the following situations:
| Partner / Entity | Purpose of Sharing | Legal Basis |
|---|---|---|
| Supervisory authorities and/or public or governmental authorities | Compliance with legal obligations and/or court orders, particularly under legal duties of cooperation with public institutions and authorities | Legal obligation |
| Subcontracted entities providing services within the scope of this Policy | Under contracts entered into with them, including but not limited to marketing and advertising service providers; financial institutions; fraud detection and prevention entities; technology service providers | Contractual fulfillment and/or legal compliance |
| Service providers contractually bound to us | To fulfill the purposes described and/or contractual compliance | Contractual obligations |
7. Retention Periods
Your personal data will be retained for the period necessary for the purposes for which it was collected or for the period necessary to comply with legal obligations and/or European regulations to which we must respond. The retention period of your data depends on the purposes for which we process it, as explained below:
| Purpose | Retention Period |
|---|---|
| Client Service Management | Data will be retained while you are an active client. When you cease to be a client, data will be securely deleted 5 years after the last interaction. |
| Job Applications | Application data retained for 3 months; unsuitable candidate data deleted after candidate selection; selection and recruitment process data retained for 5 years for legal compliance. |
| Marketing Communications | We will process your data until you cancel your newsletter subscription. If you are our client and have consented to processing for service communications, events, and Compass updates, data will be retained until consent is revoked, automatically deleted 5 years after the last interaction. |
| Customer Support | We will process your data for the time necessary to satisfy your request and/or to comply with retention periods imposed by legal obligations. |
| Website Optimization | Personal data provided through our website will only be stored until the purpose for which it was processed is fulfilled. Consult the Cookie Policy for complete information. |
| Whistleblowing | All data related to incidents will be retained for compliance with applicable legislation for at least five years. For matters related to Money Laundering and Terrorist Financing, the retention period for communications and resulting reports will be seven years. |
8. International Data Transfers
As a rule, personal data is not transmitted outside the European Economic Area (EEA). In the event that such transfers are necessary, they will only occur in accordance with appropriate security measures, complying with applicable legal provisions, particularly regarding the determination of the adequacy of such country with respect to data protection and the requirements applicable to such transfers, such as through the execution of Standard Contractual Clauses approved by the European Commission.
8.1 Safeguards for International Transfers
- Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection
- Standard Contractual Clauses: Use of EU-approved standard contractual clauses for transfers to countries without adequacy decisions
- Additional Safeguards: Implementation of supplementary measures where necessary to ensure data protection equivalent to EU standards
9. Data Security
We have taken appropriate measures to ensure that the data provided to us is properly protected. To this end, we have adopted various technical and organizational security measures to protect personal data against loss, dissemination, alteration, unauthorized processing or access, as well as against any other form of unlawful processing, including but not limited to:
- Encryption: Data in transit and at rest is encrypted using industry-standard protocols
- Access Controls: Strict access controls and authentication mechanisms to limit data access to authorized personnel only
- Network Security: Firewalls, intrusion detection systems, and regular security audits
- Data Segregation: Logical separation of data and segregation of rights based on roles
- Regular Backups: Automated backup systems with secure storage and recovery procedures
- Internal Audits: Regular internal security audits and compliance assessments
- Employee Training: Ongoing security awareness training for all personnel handling personal data
- Incident Response: Established procedures for detecting, responding to, and reporting security incidents
10. Updates to This Privacy Policy
We may periodically update this Privacy Policy to reflect legal changes and/or business practices. We recommend that you consult this Policy regarding possible changes whenever you visit our website.
When we make material changes to this Privacy Policy, we will notify you through:
- A prominent notice on our website
- Email notification to registered users (where applicable)
- Updated "Last Updated" date at the bottom of this policy
Your continued use of our services after such modifications constitutes your acknowledgment of the modified Privacy Policy and agreement to abide and be bound by it.
Effective Date: March 2026
Version: 2.1