Your data security is our priority

Adjunto is operated by Adjunto Tech, Lda., a Portuguese company headquartered in Torres Novas (NIPC 519470036). Customers own the data they enter into the platform; Adjunto acts as a technical processor under Article 28 GDPR (see next section). All data protection requests are handled through privacidade@adjunto.pt.

When a customer (the club or any user, including coaches or technical staff on the Adjunto One and Adjunto Base plans) enters data about athletes, members, teams, injuries or finances into the platform, that CUSTOMER is the Data Controller. Adjunto acts exclusively as a PROCESSOR, under Article 28 GDPR, processing the data only on the customer's instructions. In practice: • The customer can export its data at any time • The customer can terminate the contract and request deletion of the data • Adjunto does not use customer data for any purpose other than delivering the service We provide a Data Processing Agreement (DPA) with the mandatory clauses of Art. 28(3) GDPR, on request at privacidade@adjunto.pt.

Primary data of clubs and athletes is hosted on Supabase servers in Frankfurt (Germany), within the European Union. Where subprocessors are based outside the European Economic Area (essentially parent companies in the US), the safeguards in Chapter V of the GDPR apply: adherence to the EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCC) and additional technical measures, such as encryption in transit and at rest.

We apply appropriate technical and organizational measures: • TLS on all communications between your browser and Adjunto • Encryption at rest in the database • Profile-based access control (coach, coordination, board, secretary, doctor) • Strengthened authentication for profiles with access to sensitive data, particularly the Doctor profile • Regular backups • Continuous security monitoring

Most athletes in youth clubs are minors. We treat this with special care. • Minors' data: the legal basis is defined by the customer as the data controller. In Portugal, Law no. 58/2019 sets 13 as the minimum age for direct consent. For younger minors, the customer must ensure guardian consent. • Health data (Clinical module): processed only in the context of sports practice, with access restricted to the Doctor profile. Assignment of this profile is the customer's responsibility and should be limited to professionals bound by secrecy. • No automated individual decisions with legal effects on data subjects are made (Art. 22 GDPR).

We work with a small set of specialized providers, all subject to contractual obligations of confidentiality and GDPR compliance.

If a data breach occurs affecting data processed on behalf of a customer, we notify the customer (the controller) without undue delay and, in any case, within a maximum of 72 hours after becoming aware, under Article 33(2) GDPR.

We never sell, trade or transfer personal data to third parties for marketing, advertising or any other commercial purpose. This is an absolute guarantee. Our business is subscription software, not data monetization.

Data subjects have the right to: • Access to personal data • Rectification of inaccurate data • Erasure ("right to be forgotten") • Restriction of processing • Objection to processing • Portability in a structured format (CSV or JSON) • Withdrawal of consent at any time For data we process directly (account, communications, billing): privacidade@adjunto.pt. For data about you entered by a customer of the platform (for example, by your club, coach or technical staff on the Adjunto One or Adjunto Base plans): contact that customer first, as they are the data controller.