GDPR Compliance

Last updated: March 1, 2026

LusoPass is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Portuguese Data Protection Law (Lei n.º 58/2019). This page outlines our approach to data protection and your rights as a data subject.

Your Rights Under GDPR

Right of Access

Art. 15

You can request a copy of all personal data we hold about you, including the purposes of processing, categories of data, and recipients.

Right to Rectification

Art. 16

You can request correction of inaccurate personal data or completion of incomplete data we hold about you.

Right to Erasure

Art. 17

You can request deletion of your personal data when it is no longer necessary for the purpose it was collected, subject to legal retention obligations.

Right to Restrict Processing

Art. 18

You can request that we limit how we use your data while we verify its accuracy or assess your objection to processing.

Right to Data Portability

Art. 20

You can receive your personal data in a structured, machine-readable format and transfer it to another service provider.

Right to Object

Art. 21

You can object to processing of your personal data based on legitimate interests, including profiling and direct marketing.

Our Data Protection Framework

LusoPass has implemented a comprehensive data protection framework that includes:

• A designated Data Protection Officer (DPO) overseeing all data processing activities
• Data Protection Impact Assessments (DPIAs) conducted for high-risk processing operations
• Privacy by Design and Privacy by Default principles embedded in our development process
• Regular staff training on data protection obligations and best practices
• Documented data processing records as required by Article 30 GDPR

Lawful Basis for Processing

We process personal data only when we have a valid legal basis under Article 6 GDPR:

• Contract Performance (Art. 6(1)(b)): Processing necessary to deliver our platform services, manage immigration cases, and administer investment transactions.
• Legal Obligation (Art. 6(1)(c)): Processing required by Portuguese immigration law, AML/KYC regulations (Lei n.º 83/2017), tax reporting obligations, and financial services regulations.
• Legitimate Interest (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, and internal analytics. We conduct balancing tests to ensure our interests do not override your fundamental rights.
• Consent (Art. 6(1)(a)): Marketing communications and optional analytics tracking, which you may withdraw at any time without affecting the lawfulness of prior processing.

International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:

• EU Standard Contractual Clauses (SCCs) as approved by the European Commission
• Transfer Impact Assessments to evaluate the data protection landscape of the recipient country
• Supplementary technical measures including encryption in transit and at rest
• Data processing agreements with all sub-processors that meet GDPR requirements

We maintain a register of all international data transfers, available upon request.

Data Breach Notification

In the event of a personal data breach, LusoPass will:

• Notify the Portuguese Data Protection Authority (CNPD) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR
• Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR
• Document all breaches, including their effects and the remedial actions taken
• Implement corrective measures to prevent recurrence

Sub-Processors

We use the following categories of sub-processors to deliver our services:

• Cloud Infrastructure: EU-based data centers for hosting and storage
• Payment Processing: PCI DSS-compliant payment providers
• Email Services: Transactional email delivery
• Analytics: Privacy-focused analytics platforms

All sub-processors are bound by data processing agreements that meet GDPR requirements. A complete list of sub-processors is available upon request.

Exercising Your Rights

To exercise any of your GDPR rights, you can:

• Email our Data Protection Officer at [email protected]
• Use the data management tools available in your account settings
• Submit a written request to our postal address

We will respond to your request within 30 days. If your request is complex, we may extend this period by an additional 60 days, and we will notify you of any such extension.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Portuguese Data Protection Authority:

Comissão Nacional de Proteção de Dados (CNPD)
Rua de São Bento, 148-3°
1200-821 Lisboa, Portugal
https://www.cnpd.pt