Data Protection & Privacy Policy

For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Portuguese data protection legislation, Xborder Partners Wealth — Empresa de Investimento, S.A. (“Xborder”, “we”, “us”, or “our”) is the data controller in respect of personal data collected through this website and in connection with the provision of its investment services.

If you have any questions or concerns about this Policy or about how Xborder processes your personal data, please contact us at:

Data Protection Contact: carol.dailly@plu-financial.com

1. Scope of This Policy

This Privacy and Data Protection Policy (“Policy”) explains:

What personal data Xborder collects about you;
Why we collect it and on what legal basis;
How and with whom we share it;
How long we retain it;
Your rights as a data subject; and
How to contact us or lodge a complaint.

This Policy applies to personal data collected:

Through the Xborder website;
In the course of providing investment services (investment advice and reception and transmission of orders) to clients;
Through any other communication channels (email, telephone, post, or electronic forms).

2. Personal Data We Collect

Depending on the nature of your relationship with Xborder, we may collect and process the following categories of personal data:

Identity data: full name, date of birth, nationality, national identification number or passport number, tax identification number.
Contact data: postal address, email address, telephone number.
Financial and investment data: information about your financial situation, investment knowledge and experience, investment objectives, risk tolerance, and source of funds — collected for the purposes of client suitability assessment and KYC/AML compliance.
Transaction data: details of investment orders received, transmitted or advised upon, including instrument type, transaction amounts, dates, and relevant counterparties.
Communication data: records of communications between you and Xborder, including emails and, where applicable, records of telephone conversations (which are recorded as required by applicable law — see Section 6 below).
Technical and usage data: IP address, browser type and version, device identifiers, pages visited, time and date of access, and other standard web server log data, collected through cookies and similar technologies when you visit our website.
Identification and verification data: copies of identity documents and other documentation collected for anti-money laundering (“AML”) and know-your-customer (“KYC”) verification purposes.

3. Purposes and Legal Bases for Processing

Xborder processes your personal data for the following purposes, on the following legal bases:

Purpose	Legal Basis
Providing investment services (investment advice, RTO) to you as a client	Performance of a contract (Article 6(1)(b) GDPR)
Client onboarding, suitability assessment, and KYC verification	Performance of a contract and compliance with a legal obligation (Article 6(1)(b) and (c) GDPR)
Anti-money laundering and counter-terrorism financing compliance	Compliance with a legal obligation (Article 6(1)(c) GDPR)
Regulatory reporting and record-keeping (including MiFID II and Portuguese securities law obligations)	Compliance with a legal obligation (Article 6(1)(c) GDPR)
Recording of telephone communications (where applicable)	Compliance with a legal obligation (Article 6(1)(c) GDPR)
Managing our relationship with you (including responding to queries and complaints)	Performance of a contract and legitimate interests (Article 6(1)(b) and (f) GDPR)
Marketing and communications about our services (where you have opted in)	Consent (Article 6(1)(a) GDPR)
Website analytics and improvement	Legitimate interests (Article 6(1)(f) GDPR), subject to cookie consent where required
Fraud prevention and information security	Legitimate interests (Article 6(1)(f) GDPR)

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of any processing carried out before withdrawal.

Where processing is based on legitimate interests, we have balanced those interests against your rights and interests and concluded that our legitimate interests are not overridden by your rights, given the context and nature of the processing.

4. How We Share Your Personal Data

Xborder does not sell your personal data. We may share your personal data with the following categories of third parties, strictly for the purposes described in this Policy:

Regulated investment intermediaries and platforms to which we transmit your orders (e.g., Wealthcraft and other approved counterparties), to the extent necessary to execute or settle your transactions;
Custodians and depositaries holding financial instruments on your behalf (noting that Xborder itself does not hold client assets);
Regulatory authorities, including CMVM and other competent authorities, where required by law or by regulatory obligation;
Professional advisers, including lawyers, auditors, and compliance consultants, acting under obligations of professional confidentiality;
IT service providers and cloud infrastructure providers that support Xborder’s operations, acting as data processors under appropriate data processing agreements; and
Other third parties where required or permitted by law (e.g., courts, tax authorities, law enforcement agencies).

All third parties with whom we share personal data are required to process it in accordance with applicable data protection law and, where they act as data processors, under a written data processing agreement in compliance with Article 28 GDPR.

5. International Transfers of Personal Data

Where we transfer personal data to recipients located outside the European Economic Area (“EEA”), we will ensure that such transfers are carried out in compliance with GDPR, including by relying on:

An adequacy decision by the European Commission confirming that the recipient country provides an adequate level of data protection; or
Appropriate safeguards, such as the European Commission’s standard contractual clauses (“SCCs”), supplemented by any additional technical or organisational measures required by applicable guidance.

Further information about the safeguards applicable to international transfers is available on request.

6. Recording of Telephone Communications

In accordance with Article 16(7) of MiFID II and applicable Portuguese securities law, Xborder may record telephone communications that relate to, or may result in, the reception or transmission of client orders, or the provision of investment advice. Recordings are retained for a minimum of seven years (or such longer period as may be required by applicable law or by CMVM) and may be provided to clients or to competent authorities upon request.

By contacting Xborder by telephone in connection with investment services, you acknowledge that the call may be recorded.

7. Data Retention

Xborder retains personal data only for as long as necessary for the purposes for which it was collected, and in accordance with applicable legal and regulatory obligations. Indicative retention periods are as follows:

Category of Data	Retention Period
Client records and transaction data (MiFID II)	Minimum 5 years from the end of the client relationship
AML/KYC records	Minimum 5 years from the end of the business relationship, or longer if required by applicable AML law
Recorded telephone communications	Minimum 7 years (or as required by CMVM)
Marketing consent records	Until consent is withdrawn, plus a reasonable period thereafter
Website log data	Typically 12 months from collection

At the end of the applicable retention period, personal data will be securely deleted or anonymised.

8. Data Security

Xborder takes the security of your personal data seriously and implements appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, or disclosure. Our security measures include:

Encryption of data in transit using industry-standard protocols (TLS/HTTPS);
Role-based access controls limiting access to personal data to authorised personnel only;
Endpoint protection and anti-malware software;
Secure cloud-based infrastructure with regular backups; and
Access logging and periodic access reviews.

Notwithstanding the above, no method of electronic transmission or storage is completely secure. If you have reason to believe that your personal data has been compromised, please notify us immediately at carol.dailly@plu-financial.com.

9. Cookies

Xborder’s website uses cookies and similar technologies to support the operation of the site, improve your experience, and, where you have provided consent, to analyse how the site is used.

Strictly necessary cookies: These are essential for the website to function and cannot be disabled. They do not require your consent.

Analytics and performance cookies: These cookies allow us to understand how visitors use our website (e.g., pages visited, time spent, errors encountered). We will only deploy these cookies where you have provided your prior consent via our cookie banner.

Marketing and preference cookies: Where we use cookies for marketing or personalisation purposes, we will also seek your prior consent.

You may withdraw your cookie consent at any time by adjusting your browser settings or using the cookie preference centre available on our website. Withdrawing consent will not affect the lawfulness of any processing carried out before withdrawal.

For further information about the cookies we use and how to manage them, please consult our Cookie Policy.

10. Your Rights as a Data Subject

Under the GDPR, you have the following rights in relation to your personal data processed by Xborder:

Right of access: you have the right to request a copy of the personal data we hold about you;
Right to rectification: you have the right to request that we correct any inaccurate or incomplete personal data;
Right to erasure (“right to be forgotten”): you may request that we delete your personal data in certain circumstances, subject to our legal and regulatory retention obligations;
Right to restriction of processing: you may request that we restrict the processing of your personal data in certain circumstances;
Right to data portability: where processing is based on your consent or on a contract, you have the right to receive your personal data in a structured, commonly used and machine-readable format;
Right to object: you have the right to object to processing based on legitimate interests, including for direct marketing purposes; and
Right not to be subject to automated decision-making: you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to certain exceptions.

To exercise any of these rights, please submit a written request to carol.dailly@plu-financial.com. We will respond to your request within 30 days of receipt. In cases of complexity or a high volume of requests, we may extend this period by a further two months, of which we will notify you.

We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

11. Right to Lodge a Complaint

If you are dissatisfied with how Xborder has handled your personal data, you have the right to lodge a complaint with the competent supervisory authority. In Portugal, the competent data protection supervisory authority is:

Comissão Nacional de Proteção de Dados (CNPD)
Rua de São Bento, 148-3°
1200-821 Lisbon, Portugal
Website: www.cnpd.pt

We would however encourage you to contact us in the first instance at carol.dailly@plu-financial.com so that we can address your concerns directly.

12. Changes to This Policy

Xborder reserves the right to update or amend this Policy from time to time to reflect changes in applicable law, regulatory requirements, or our data processing activities. The date of the most recent update is indicated at the top of this page. We encourage you to review this Policy periodically. Where a change is material, we will notify clients directly.