Privacy Policy
Last Updated: 11-05-2026
XCST Software ("we", "our", or "CaduCore") is committed to protecting your privacy. This Privacy Policy explains how your personal information is collected, used, shared, and protected, in accordance with the General Data Protection Regulation (GDPR), Portuguese Law No. 58/2019, and, where applicable, the data-protection laws of the other markets in which we operate.
1. Data Controller
The entity responsible for processing your personal data is:
- Company: XCST Software
- Address: Rua do Fojo, porta 62D, Hab. 3.2, Vila Nova de Gaia, Portugal
- VAT/Tax ID (NIF): 515624861
- Contact e-mail (data-protection matters): contact@CaduCore.com
Because we are established in Portugal, our lead supervisory authority (the "one-stop-shop" mechanism) is the Comissão Nacional de Proteção de Dados (CNPD). Users in other countries retain the right to lodge a complaint with the authority in their country of residence (see Sections 13 and 15).
2. Scope
This Policy applies to all users of the CaduCore Service worldwide, and in particular to our main markets: Portugal, Spain, Ireland, the United Kingdom, and the United States. Where local law grants additional rights, the region-specific provisions in Section 13 apply.
3. Data We Collect
We may collect the following categories of data:
- Identity Data: Name, username, or similar identifiers.
- Contact Data: E-mail address and billing information.
- Payment Data: Processed securely by our payment provider; we do not store full card details.
- Technical Data: IP address, browser type, approximate location, and device data.
- Usage Data: Information about how you use our platform and services.
- Marketing Preferences and Consents: Your choices regarding our communications.
4. Purposes and Legal Bases for Processing
We process your data on the following grounds:
- Performance of a Contract: To provide the platform services and manage your account.
- Consent: To send marketing communications (which you may withdraw at any time).
- Legitimate Interest: To improve platform functionality and ensure network security.
- Legal Obligation: To comply with tax and accounting obligations.
5. Cookies
We use only strictly necessary cookies, required for the platform to function — specifically, to authenticate your login and maintain your session. We do not use analytics, advertising, tracking, or any other non-essential cookies.
- Because these cookies are strictly necessary to provide the service you request, they are exempt from the consent requirement under the ePrivacy rules and the GDPR; no cookie-consent banner is shown or required.
- You can block or delete cookies through your browser settings, but doing so may prevent you from logging in or using the platform properly.
- These cookies do not track you across other websites and are not used for marketing.
6. How We Share Your Data
We share personal data only as necessary with the following categories of recipients, all bound by data processing agreements:
- Cloud hosting: Microsoft Azure.
- Payment service providers.
- Analytics and e-mail communication providers.
- Professional advisors, auditors, and authorities where legally required.
We do not sell your personal data.
7. International Data Transfers
Your data is primarily processed and stored within the European Economic Area (EEA). Where a transfer outside the EEA or the UK occurs (for example, to a sub-processor or support team), we ensure an adequate level of protection through one of the following safeguards:
- An adequacy decision of the European Commission;
- The EU Standard Contractual Clauses (SCCs);
- For transfers from the UK, the UK International Data Transfer Agreement (IDTA) or UK Addendum;
- Where relevant, the EU-US Data Privacy Framework.
You may request a copy of the applicable safeguards by contacting contact@CaduCore.com.
8. Data Storage and Security (Microsoft Azure)
- Location: Data is processed and stored in data centres located within the EEA.
- Security: We use strict technical and organisational measures (encryption, firewalls, access controls) to protect your data against unauthorised access, loss, or alteration.
- Data Breaches: In the event of a personal-data breach that poses a risk to your rights, we will notify the competent supervisory authority and, where required, affected individuals, within the legal time limits.
9. Data Retention
We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, namely:
- Account data: for the duration of your account and a reasonable period after closure.
- Billing and tax records: for the period required by Portuguese law (generally 10 years).
- Marketing data: until you withdraw your consent.
- Technical logs: for a limited period, for security purposes.
10. Your Rights (GDPR)
Under the GDPR (and the UK GDPR where applicable), you have the following rights:
- Right of Access: Request a copy of the data we hold about you.
- Right to Rectification: Request correction of incomplete or inaccurate data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data under certain conditions.
- Right to Object and Restrict: Object to processing of your data for marketing, or restrict processing in specific cases.
- Right to Portability: Request transfer of your data to another entity.
- Right to Withdraw Consent: At any time, without affecting the lawfulness of prior processing.
- Right to Complain: Lodge a complaint with a supervisory authority (see Sections 13 and 15).
To exercise these rights, contact us at contact@CaduCore.com. We will respond within the applicable legal time limits.
11. Automated Decision-Making
We do not use solely automated decision-making that produces legal effects or similarly significantly affects you. If this changes, we will inform you and provide the applicable safeguards.
12. Children's Privacy
The Service is not directed to children below the applicable age of digital consent in their country (16 in Portugal; potentially lower in other Member States, and 13 in the United States under COPPA). We do not knowingly collect children's data; if we become aware that we have collected such data, we will delete it.
13. Region-Specific Provisions
Portugal / EEA
Our lead supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD) — https://www.cnpd.pt. You may also complain to the authority in your Member State of residence.
Spain
For residents of Spain, Organic Law 3/2018 (LOPDGDD) also applies. The competent authority is the Agencia Española de Protección de Datos (AEPD) — https://www.aepd.es.
Ireland
For residents of Ireland, the competent authority is the Data Protection Commission (DPC) — https://www.dataprotection.ie.
United Kingdom
For UK residents, the UK GDPR and the Data Protection Act 2018 apply. The competent authority is the Information Commissioner's Office (ICO) — https://ico.org.uk. Transfers out of the UK are protected by the IDTA or UK Addendum. [If applicable: we will appoint a UK representative under Article 27 of the UK GDPR — contact details to be provided.]
United States / California
California residents have the right, under the CCPA/CPRA, to know, delete, and correct their personal information, to opt out of the "sale" or "sharing" of it, to limit the use of sensitive personal information, and not to be discriminated against for exercising these rights.
We do not sell personal information, and we do not "share" personal information for cross-context behavioural advertising, as we use only strictly necessary cookies and no advertising or tracking technologies. The categories of data we collect are listed in Section 3. Authorized agents may submit requests on your behalf, and you may exercise your rights by contacting contact@CaduCore.com.
14. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated through the platform or by e-mail. The "Last Updated" date reflects the most recent version.
15. Contact and Supervisory Authorities
For any question relating to this Privacy Policy, contact us at contact@CaduCore.com.
Reference supervisory authorities: CNPD (Portugal), AEPD (Spain), DPC (Ireland), ICO (United Kingdom), and, in the US, the applicable state Attorney General.
