HillForte Privacy Policy
1. Introduction
Hillforte Consultoria Unipessoal Lda ("Hillforte", "we", "us", or "our") is committed to protecting the privacy and personal data of our clients, prospects, and website visitors. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and what rights you have in relation to it.
We process personal data in full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Portuguese data protection legislation.
By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The entity responsible for processing your personal data is:
Hillforte Consultoria Unipessoal Lda
Mercado de Ribeira, Av. 24 de Julho, 1o andar
1200-479 Lisboa, Portugal
Email: info@hillforte.com
If you have any questions or concerns about how we process your personal data, please contact us using the details above.
3. Personal Data We Collect
3.1 Information You Provide Directly
We collect personal data that you voluntarily provide to us, including:
Full name
Email address
Phone number
Nationality
Investment interests and financial background (where relevant to our services)
Any other information you submit through contact forms, emails, or consultations
3.2 Information Collected Automatically
When you visit our website, we may automatically collect certain technical data, including:
IP address
Browser type and version
Device type and operating system
Pages visited, time spent, and navigation patterns
Referring URL and exit pages
Cookies and similar tracking technologies (see Section 10)
4. Purposes of Data Processing
We process your personal data for the following purposes:
Responding to your inquiries and contact requests
Providing information about investment opportunities and residency programs (including Portugal's Golden Visa and related schemes)
Managing our client and prospect relationships
Sending newsletters or marketing communications, where you have given your explicit consent
Improving and personalising our website and service offerings
Complying with our legal, regulatory, and contractual obligations
Preventing fraud and ensuring the security of our systems
5. Legal Basis for Processing
We only process your personal data where we have a valid legal basis under GDPR Article 6. The applicable bases are:
Consent (Article 6(1)(a)): For marketing communications and non-essential cookies, where you have given us clear, freely given, and withdrawable consent.
Contract Performance (Article 6(1)(b)): Where processing is necessary to fulfil a contract with you or to take pre-contractual steps at your request.
Legal Obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable laws, including anti-money laundering (AML) and Know Your Customer (KYC) requirements.
Legitimate Interests (Article 6(1)(f)): For activities such as improving our services, conducting business analytics, and ensuring the security of our systems, where these interests are not overridden by your rights and freedoms.
6. Data Sharing and Disclosure
We may share your personal data with trusted third parties only where necessary and in accordance with applicable law. Recipients may include:
Legal advisors, notaries, and consultants involved in your investment or residency process
Financial institutions and banks required for transaction processing
Portuguese and EU government authorities, where legally required (e.g., SEF/AIMA, tax authorities)
IT service providers and cloud hosting partners who support our operations under appropriate data processing agreements
All third-party recipients are required to handle your data in accordance with GDPR and applicable confidentiality obligations.
We do not sell, rent, or trade your personal data to any third party.
7. International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). In certain cases, it may be necessary to transfer your data to countries outside the EEA — for example, where a client is based in a non-EEA jurisdiction or where a service provider operates internationally.
In all such cases, we ensure that appropriate safeguards are in place, which may include:
Standard Contractual Clauses (SCCs) approved by the European Commission
Transfers to countries with an adequacy decision from the European Commission
Other appropriate safeguards as permitted under GDPR Chapter V
You may request further information about the specific safeguards in place for any given transfer by contacting us at the address in Section 2.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are as follows:
Contact and enquiry data: Up to 2 years from the date of last contact, unless a client relationship is established.
Client and contractual data: For the duration of the contractual relationship and up to 10 years thereafter, as required by applicable legal and regulatory obligations (including tax and AML law).
Marketing data: Until you withdraw your consent or unsubscribe, whichever comes first.
Website analytics data: Up to 13 months from collection, subject to cookie consent.
After the applicable retention period, data is securely deleted or anonymised.
9. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR, which you may exercise at any time:
Right of Access (Article 15): Request a copy of the personal data we hold about you.
Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
Right to Erasure (Article 17): Request deletion of your personal data, subject to our legal obligations.
Right to Restrict Processing (Article 18): Request that we limit how we use your data in certain circumstances.
Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format, where technically feasible.
Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7(3)): Withdraw any previously given consent at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at:
[Insert Privacy Contact Email]
We will respond to your request within 30 days. In complex cases, this may be extended by a further two months, and we will inform you accordingly.
If you believe your rights have not been adequately respected, you have the right to lodge a complaint with the Portuguese Data Protection Authority:
Comissão Nacional de Proteção de Dados (CNPD)
Website: www.cnpd.pt | Email: geral@cnpd.pt | Phone: +351 213 928 400
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to improve user experience, analyse traffic, and support marketing activities. Cookies are small text files stored on your device when you visit a website.
10.1 Types of Cookies We Use
Strictly Necessary Cookies: Essential for the website to function correctly. These cannot be disabled.
Analytics Cookies: Help us understand how visitors interact with our website (e.g., Google Analytics). Enabled only with your consent.
Marketing Cookies: Used to deliver relevant advertising and track campaign performance. Enabled only with your consent.
10.2 Managing Your Cookie Preferences
You can manage or withdraw your cookie consent at any time through the cookie banner on our website, or by adjusting your browser settings. Note that disabling certain cookies may affect website functionality.
For full details, please refer to our separate Cookie Policy [link to Cookie Policy].
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit (HTTPS/TLS) and at rest where applicable
Access controls and authentication requirements for staff handling personal data
Regular review of our security policies and procedures
Staff training on data protection and confidentiality obligations
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours and, where required, inform affected individuals without undue delay.
12. Automated Decision-Making and Profiling
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals, as described in Article 22 of the GDPR.
13. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational procedures. The revised version will be published on our website with an updated "Last updated" date at the top.
We encourage you to review this policy periodically. Where changes are material, we will make reasonable efforts to notify you directly (for example, by email, where we hold your contact details).