Legal

Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller for your personal data is:

SteerCFO (trading name of Diogo Simões)
Email: diogo@steercfo.pt
Website: www.steercfo.pt
Portugal

For any questions regarding the processing of your personal data, please contact us at the email address above.

2. Personal Data Collected

SteerCFO collects the following categories of personal data:

a) Contact form: full name, email address, company name and free-text message submitted by the user.

b) Lead magnet / newsletter: email address voluntarily provided to receive free content or periodic communications.

c) Navigation data: IP address, browser type and version, pages visited, time spent and other information collected automatically through cookies and similar technologies. See our Cookie Policy for details.

We do not collect special categories of personal data (Article 9 GDPR) or data from individuals under 16 years of age.

3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes and on the following legal bases:

a) Responding to contact requests
Purpose: to reply to questions, information requests or business enquiries submitted via the contact form.
Legal basis: legitimate interests of the controller (Article 6(1)(f) GDPR) — interest in responding to communications initiated by the data subject.

b) Sending newsletters and requested content
Purpose: delivery of the requested free guide and periodic communications on financial management, CFO-as-a-Service and related topics.
Legal basis: consent of the data subject (Article 6(1)(a) GDPR). Consent may be withdrawn at any time.

c) Service delivery
Purpose: performance of the service agreement entered into with the client.
Legal basis: performance of a contract (Article 6(1)(b) GDPR).

d) Website analytics
Purpose: understanding user behaviour on the website to improve the browsing experience and content.
Legal basis: consent of the data subject (Article 6(1)(a) GDPR), obtained via the cookie banner.

4. Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected:

Contact form data: retained for a maximum of 2 years from the date of last contact, unless a contractual relationship results.

Newsletter data: retained while consent remains active. Following unsubscription, data is deleted within 30 days.

Contractual data: retained for the period legally required for tax and accounting purposes, generally 10 years under applicable Portuguese commercial and tax legislation.

Navigation / analytical cookies: retained for the period set out in the Cookie Policy, generally up to 13 months.

Upon expiry of the applicable retention period, data is deleted or irreversibly anonymised.

5. Sharing Data with Third Parties

SteerCFO does not sell, rent or transfer personal data to third parties for commercial purposes. Data may be shared with the following processors, solely for the purposes described in this policy:

Vercel, Inc. (website hosting): navigation data and form submissions are processed on Vercel's servers. Vercel acts as a processor and is bound by a Data Processing Agreement (DPA) compliant with the GDPR.

Calendly, LLC (meeting scheduling): if you use the scheduling button, you will be redirected to the Calendly platform, which operates under its own privacy policy.

Google LLC (Google Workspace for email): emails sent to diogo@steercfo.pt are processed through Google Workspace.

All processors have been selected with appropriate data protection guarantees.

6. International Data Transfers

Some of the processors referred to above have servers located outside the European Economic Area (EEA), in particular in the United States of America.

In these cases, SteerCFO ensures that transfers are carried out using appropriate legal mechanisms, including:

— Standard Contractual Clauses approved by the European Commission (Implementing Decision 2021/914/EU);
— Processor certification under the EU-US Data Privacy Framework, where applicable.

For more information about the applicable safeguards, please contact us at diogo@steercfo.pt.

7. Data Security

SteerCFO implements appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction, including:

— Encrypted data transmission via HTTPS/TLS;
— Restricted access to personal data by authorised personnel only;
— Periodic review of security practices.

In the event of a personal data breach that may pose a risk to your rights and freedoms, we will notify the CNPD within 72 hours and, where required, notify affected data subjects, in accordance with Articles 33 and 34 GDPR.

8. Your Rights

Under the GDPR (Articles 15–22) and Portuguese Law No. 58/2019 of 8 August, you have the following rights:

Right of access (Art. 15): to obtain confirmation as to whether your data is being processed and, if so, to access a copy of it.

Right to rectification (Art. 16): to request correction of inaccurate or incomplete data.

Right to erasure / 'right to be forgotten' (Art. 17): to request deletion of your data when no longer necessary, when you withdraw consent or object to processing.

Right to restriction of processing (Art. 18): to request suspension of processing in certain circumstances.

Right to data portability (Art. 20): to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to object (Art. 21): to object to processing based on legitimate interests or for direct marketing purposes.

Right not to be subject to automated decision-making (Art. 22): not to be subject to decisions based solely on automated processing that produce significant legal effects.

9. How to Exercise Your Rights

To exercise any of the rights described above, please send a written request to:

Email: diogo@steercfo.pt
Subject: GDPR Rights Request

We will respond to your request within one month of receipt. This period may be extended by a further two months in cases of particular complexity, with prior notice to the data subject.

We may request verification of your identity before processing the request.

10. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority in Portugal:

CNPD — Comissão Nacional de Proteção de Dados
www.cnpd.pt
Rua de São Bento, n.º 148 — 3.º, 1200-821 Lisboa, Portugal

If you reside or work in another EU Member State, you may also lodge a complaint with the supervisory authority of that State.

11. Changes to This Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in our data processing practices or as a result of legislative changes.

Where material changes occur, we will notify users via the website and, where applicable, by email. Continued use of the website after publication of changes implies acceptance of those changes.

We recommend that you check this page regularly.
