Privacy Policy

1. CONTROLLER IDENTIFICATION AND SCOPE

1.1 Data Controller
This Privacy Policy governs the processing of personal data by Altea Partners Group S.à r.l. (the “Company”), a société à responsabilité limitée organized under Luxembourg law, with its registered office at 1A Heienhaff, L-1736 Senningerberg, Grand Duchy of Luxembourg, and registered with the Luxembourg Trade and Companies Register under number B296428.

1.2 Group Coverage
This Privacy Policy applies to Altea Partners Group S.à r.l. and all of its direct and indirect subsidiaries, affiliates, and related entities (collectively, the “Altea Partners Group” or “we,” “us,” or “our”). All references to the “Company” in this Privacy Policy include the entire Altea Partners Group unless specifically indicated otherwise.

1.3 Contact Information

Data Controller Contact:
Altea Partners Group S.à r.l.
1A Heienhaff
L-1736 Senningerberg
Grand Duchy of Luxembourg
Email: dataprotection@alteapartners.com

2. GENERAL INFORMATION AND DISCLAIMERS

2.1 Nature of This Policy
This Privacy Policy is provided for informational purposes only and does not constitute legal, financial, tax, investment, or professional advice. The information contained herein is of a general nature and may not be suitable for your specific circumstances. You should seek appropriate professional advice before making any decisions based on this Privacy Policy.

2.2 No Warranties
We make no representations or warranties, express or implied, regarding the accuracy, completeness, or reliability of the information in this Privacy Policy. We disclaim all warranties, including but not limited to merchantability, fitness for a particular purpose, and non-infringement.

2.3 Limitation of Liability
To the maximum extent permitted by applicable law, the Altea Partners Group, including its officers, directors, employees, agents, successors, and assigns, shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising from or related to the processing of personal data or your use of this Privacy Policy, even if we have been advised of the possibility of such damages.

3. SCOPE OF DATA PROCESSING

3.1 Types of Personal Data
We may process the following categories of personal data:

Identification Data: Name, date of birth, nationality, passport/ID numbers, tax identification numbers, professional licenses, and similar identifying information.

Contact Information: Email addresses, telephone numbers, postal addresses, and professional contact details.

Professional Information: Employment history, educational background, professional qualifications, business relationships, and related professional data.

Financial Information: Banking details, payment information, credit assessments, investment capacity, and related financial data necessary for our business purposes.

Technical Data: IP addresses, browser information, device identifiers, usage patterns, and other technical information collected through our websites and digital platforms.

Communication Data: Records of communications, meetings, calls, emails, and other business interactions.

3.2 Special Categories of Data
We do not intentionally collect special categories of personal data (such as data concerning health, race, religion, or political opinions) unless required by law or with explicit consent for specific legitimate business purposes.

4. PURPOSES AND LEGAL BASIS FOR PROCESSING

4.1 Business Purposes
We process personal data for the following legitimate business purposes:

Client Services: Providing professional services, managing client relationships, and fulfilling contractual obligations
Regulatory Compliance: Meeting legal and regulatory requirements, including anti-money laundering, know-your-customer, and tax obligations
Business Operations: Managing our business operations, administration, human resources, and corporate governance
Risk Management: Conducting due diligence, risk assessments, fraud prevention, and security measures
Marketing and Communications: Providing information about our services and maintaining business relationships (subject to applicable consent requirements)

4.2 Legal Basis
Our processing is based on one or more of the following legal grounds under Article 6 GDPR:

Contractual Necessity (Article 6(1)(b)): Processing necessary for performing contracts or taking pre-contractual steps
Legal Obligations (Article 6(1)(c)): Processing required to comply with legal or regulatory obligations
Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, provided these interests do not override your fundamental rights and freedoms
Consent (Article 6(1)(a)): Where you have given explicit consent for specific processing purposes
Vital Interests (Article 6(1)(d)): Processing necessary to protect vital interests in exceptional circumstances

5. INTERNATIONAL DATA TRANSFERS AND THIRD-COUNTRY PROCESSING

5.1 Transfer Necessity
As a global organization, we may transfer personal data to countries outside the European Economic Area (EEA) for legitimate business purposes, including to our subsidiaries, service providers, and business partners.

5.2 Transfer Safeguards
For transfers to countries without an adequacy decision from the European Commission, we implement appropriate safeguards, including:

Standard Contractual Clauses approved by the European Commission
Binding Corporate Rules (where applicable)
Adequacy decisions for specific countries or organizations
Other legally recognized transfer mechanisms under GDPR

5.3 Third-Country Tool Warning
IMPORTANT NOTICE REGARDING THIRD-COUNTRY PROCESSING:
We use, among other technologies, tools from companies located in third-party countries that are not deemed safe under data protection law, as well as US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). If these tools are enabled, your personal data may be transferred to and processed in these countries.

Please note that no level of data protection comparable to that in the EU can be guaranteed in third countries that are insecure in terms of data protection law. In particular:

Government authorities in such countries may have broader access rights to personal data
Legal remedies may be more limited than those available in the EU
Data subjects may have fewer enforceable rights regarding their personal data
Surveillance and data access by government agencies may occur without equivalent judicial oversight

By using our services or providing personal data to us, you acknowledge these risks and consent to such transfers where necessary for our legitimate business purposes.

6. DATA RETENTION AND SECURITY

6.1 Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, or protect our legitimate interests. Specific retention periods depend on:

The nature of the personal data and processing purposes
Legal and regulatory requirements applicable to our business
Limitation periods for potential legal claims
Business operational requirements

6.2 Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security of personal data.

6.3 Security Incident Response
In the event of a personal data breach, we will comply with applicable notification requirements under GDPR and take appropriate remedial measures. However, our liability for security incidents is limited to the extent permitted by applicable law.

7. YOUR RIGHTS AS A DATA SUBJECT

7.1 Individual Rights
Subject to applicable legal conditions and exceptions, you have the following rights regarding your personal data:

Right of Access (Article 15): Request confirmation of whether we process your personal data and obtain a copy of such data.

Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17): Request deletion of personal data in certain circumstances.

Right to Restriction (Article 18): Request restriction of processing in specific situations.

Right to Data Portability (Article 20): Request transfer of your personal data to another controller in certain circumstances.

Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

7.2 Exercising Your Rights
To exercise your rights, contact us using the contact information provided in Section 1.3. We will respond to your request within one month, which may be extended by two additional months for complex requests.

7.3 Limitations on Rights
Your rights may be subject to limitations under applicable law, including where processing is necessary for:

Compliance with legal obligations
Establishment, exercise, or defense of legal claims
Protection of the rights and freedoms of others
Important public interest reasons

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Use of Cookies
Our websites may use cookies and similar tracking technologies. We categorize cookies as follows:

Essential Cookies: Necessary for website functionality and security
Performance Cookies: Collect information about website usage for analytical purposes
Functional Cookies: Enable enhanced functionality and personalization
Marketing Cookies: Used for advertising and marketing purposes (subject to consent)

8.2 Cookie Consent
By using our websites, you consent to our use of essential cookies. For non-essential cookies, we will obtain your explicit consent where required by applicable law.

8.3 Managing Cookies
You can control cookie settings through your browser preferences. However, disabling certain cookies may affect website functionality.

9. THIRD-PARTY SERVICES AND LINKS

9.1 Third-Party Services
We may use third-party service providers to support our business operations. These providers are contractually obligated to protect personal data and use it only for specified purposes.

9.2 Third-Party Links
Our websites may contain links to third-party websites or services. We are not responsible for the privacy practices or content of such third parties. We recommend reviewing their privacy policies before providing personal data.

9.3 Social Media
Our websites may include social media features that are hosted by third parties. These features may collect information about your usage and are governed by the privacy policies of the respective social media platforms.

10. SPECIAL PROVISIONS FOR CORPORATE GROUPS

10.1 Intra-Group Transfers
Personal data may be shared within the Altea Partners Group for legitimate business purposes, including:

Administrative and operational purposes
Risk management and compliance
Provision of group-wide services
Business development and strategic planning

10.2 Group Liability Framework
Each entity within the Altea Partners Group is responsible for its own data processing activities. However, this Privacy Policy provides unified principles and protections across the entire group structure.

10.3 Subsidiary Compliance
All Altea Partners Group entities are required to implement and maintain data protection measures consistent with this Privacy Policy and applicable local law requirements.

11. CHILDREN’S PRIVACY
We do not knowingly collect personal data from children under 16 years of age (or the applicable minimum age in your jurisdiction) without appropriate parental consent. If we become aware that we have collected personal data from a child without proper consent, we will take steps to delete such information.

12. DATA PROTECTION IMPACT ASSESSMENTS
Where required by law, we conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities. We implement appropriate risk mitigation measures and consult with supervisory authorities when necessary.

13. SUPERVISORY AUTHORITY AND COMPLAINTS

13.1 Lead Supervisory Authority
Our lead supervisory authority is the Luxembourg National Commission for Data Protection (CNPD):

Commission nationale pour la protection des données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Grand Duchy of Luxembourg
Phone: (+352) 26 10 60-1
Email: info@cnpd.lu
Website: cnpd.public.lu

13.2 Right to Lodge Complaints
You have the right to lodge a complaint with the CNPD or any other competent supervisory authority if you believe our processing of your personal data violates applicable data protection law.

14. UPDATES TO THIS PRIVACY POLICY

14.1 Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. We will notify you of material changes through appropriate means, which may include posting notices on our website or sending direct communications.

14.2 Continued Use
Your continued use of our services after changes to this Privacy Policy constitutes acceptance of the updated terms, unless you expressly object to such changes.

14.3 Version Control
This Privacy Policy version is effective as of the date listed at the top of this document. Previous versions are available upon request.

15. LEGAL DISCLAIMERS AND LIMITATIONS

15.1 Governing Law and Jurisdiction
This Privacy Policy and all related matters are governed by Luxembourg law. Any disputes arising from or relating to this Privacy Policy or our data processing activities shall be subject to the exclusive jurisdiction of the Luxembourg courts.

15.2 Severability
If any provision of this Privacy Policy is deemed invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.

15.3 Force Majeure
We shall not be liable for any failure or delay in performance of our data protection obligations due to circumstances beyond our reasonable control, including but not limited to acts of God, government actions, cyber attacks, or other force majeure events.

15.4 Indemnification
To the maximum extent permitted by law, you agree to indemnify and hold harmless the Altea Partners Group from any claims, damages, losses, or expenses arising from your violation of this Privacy Policy or applicable data protection laws.

16. BUSINESS PROTECTION PROVISIONS

16.1 No Fiduciary Relationship
Nothing in this Privacy Policy creates a fiduciary, advisory, or special relationship between you and the Altea Partners Group. Our data processing activities are conducted in our capacity as a data controller for our legitimate business purposes.

16.2 Business Continuity
In the event of a merger, acquisition, sale of assets, or similar business transaction involving the Altea Partners Group, personal data may be transferred to the successor entity as part of the transaction, subject to appropriate data protection safeguards.

16.3 Legal Compliance Priority
Where there is any conflict between this Privacy Policy and applicable legal or regulatory requirements, the legal requirements shall take precedence.

16.4 Professional Privilege
Nothing in this Privacy Policy shall waive or limit any rights to claim professional privilege, legal professional privilege, or attorney-client privilege where applicable to our business activities.

17. CONTACT AND COMMUNICATION

17.1 Privacy Inquiries
For questions about this Privacy Policy or our data processing practices, please contact us using the information provided in Section 1.3.

17.2 Response Times
We aim to respond to privacy inquiries within a reasonable timeframe, typically within 30 days for complex matters, unless extended time periods are permitted by applicable law.

17.3 Communication Preferences
You may specify your preferred method of communication for privacy-related matters. However, we reserve the right to choose the most appropriate communication method for specific types of notices or responses.

This Privacy Policy represents our commitment to protecting your personal data while maintaining the flexibility necessary to conduct our global business operations effectively and in compliance with applicable laws.