GDPR Policy
Updated date: November 2nd 2025
This General Data Protection Regulation (GDPR) Policy provides comprehensive information about how Drifter Apps Unipessoal Limited (VAT:PT515983128), hereinafter DRIFTER, owner of HelmShare.yachts, processes personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation) and applicable Portuguese data protection legislation, including Law No. 58/2019 implementing the GDPR in Portugal.
About Drifter
The owner of this website is:
Drifter Apps, Uni.Ltd
R Philip Folque, 2, 2,
Lisbon 1050-113 | Lisboa, Portugal
VAT No.: PT515983128
Legal nature: Sociedade Unipessoal por Quotas
mike@helmshare.yachts
Drifter Apps Unipessoal Limited is the parent company that owns and operates HelmShare. HelmShare is a subsidiary brand of Drifter Apps Unipessoal Limited. All references to HelmShare in this document refer to services and operations conducted by Drifter Apps Unipessoal Limited under the HelmShare brand name.
1. Data Controller and Legal Basis
Drifter Apps Unipessoal Limited, registered in Portugal with VAT number PT515983128, is the data controller responsible for the processing of personal data collected through the HelmShare platform. We process personal data based on the following legal bases as defined in Article 6 of the GDPR: (a) Consent: where you have given clear consent for us to process your personal data for specific purposes; (b) Contractual necessity: where processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract; (c) Legal obligation: where processing is necessary for compliance with a legal obligation to which we are subject; (d) Legitimate interests: where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. We will always inform you of the specific legal basis we rely on for each type of data processing activity.
2. Categories of Personal Data Collected
We collect and process the following categories of personal data: (a) Identity and contact data: including but not limited to your name, email address, postal address, telephone number, date of birth, national identification numbers, passport numbers, and proof of identity documents; (b) Financial data: including bank account details, payment card information, transaction history, investment amounts, income information, and tax identification numbers; (c) Technical data: including IP addresses, browser type and version, device information, time zone settings, location data, and other technology on the devices you use to access our platform; (d) Profile data: including your username, password, investment preferences, risk tolerance assessments, investment history, and any other information you provide in your account profile; (e) Usage data: including information about how you use our website and services, including pages visited, time spent on pages, clickstream data, and interaction with our platform features; (f) Marketing and communications data: including your preferences in receiving marketing communications from us and third parties, and your communication preferences; (g) Compliance and regulatory data: including information required for know-your-customer (KYC) checks, anti-money laundering (AML) compliance, accreditation status, and other regulatory requirements; (h) Special categories of personal data: in limited circumstances, we may process special categories of personal data (such as information about your political opinions, religious beliefs, or health information) only where you have given explicit consent or where required by law for the establishment, exercise, or defense of legal claims.
3. Purposes of Processing
We process your personal data for the following purposes: (a) To provide and administer our investment services, including account creation, identity verification, investment processing, transaction execution, and account management; (b) To comply with legal and regulatory obligations, including anti-money laundering regulations, tax reporting requirements, securities regulations, and other financial services legislation applicable in the European Union and MENA regions; (c) To communicate with you regarding your account, investments, transactions, important service updates, and changes to our terms and conditions; (d) To provide customer support and respond to your inquiries, requests, and complaints; (e) To prevent fraud, money laundering, terrorist financing, and other illegal activities; (f) To improve our services, conduct research and analysis, develop new features, and enhance user experience; (g) To send you marketing communications (where you have consented or where we have a legitimate interest), including newsletters, investment opportunities, and promotional materials; (h) To ensure the security and integrity of our platform, including monitoring for security threats, conducting security audits, and maintaining system availability; (i) To enforce our terms and conditions and protect our legal rights and interests; (j) To manage our business operations, including risk management, internal reporting, and business planning.
4. Data Subject Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data: (a) Right of access (Article 15): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and where that is the case, access to the personal data and information including the purposes of processing, categories of personal data concerned, recipients or categories of recipients, retention periods, and your rights; (b) Right to rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete personal data completed; (c) Right to erasure ('right to be forgotten') (Article 17): You have the right to request the deletion of your personal data where: the data is no longer necessary for the purposes for which it was collected, you withdraw consent and there is no other legal basis, you object to processing and there are no overriding legitimate grounds, the data has been unlawfully processed, or deletion is required to comply with a legal obligation; (d) Right to restriction of processing (Article 18): You have the right to request restriction of processing where: you contest the accuracy of the data, processing is unlawful and you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds; (e) Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where processing is based on consent or contract and carried out by automated means; (f) Right to object (Article 21): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes, including profiling related to such direct marketing; (g) Rights related to automated decision-making and profiling (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for entering into or performance of a contract, authorized by law, or based on your explicit consent; (h) Right to withdraw consent (Article 7): Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To exercise any of these rights, please contact us at mike@helmshare.yachts. We will respond to your request within one month, which may be extended by two further months where necessary, taking into account the complexity and number of requests. We may require proof of identity before processing your request.
5. Data Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows: (a) Account and transaction data: retained for the duration of your account relationship plus seven years after account closure to comply with financial services regulations and tax obligations; (b) Identity verification and KYC data: retained for seven years after the end of the business relationship or transaction, as required by anti-money laundering regulations; (c) Marketing and communications data: retained until you withdraw consent or object to processing, or for three years from last contact if based on legitimate interest; (d) Technical and usage data: retained for two years from collection for security and analytical purposes; (e) Legal and compliance records: retained for periods required by applicable law, which may extend beyond the account relationship; (f) Special categories of data: retained only for the minimum period necessary for the specific purpose for which consent was given. After the retention period expires, personal data will be securely deleted or anonymized so that it can no longer be associated with you. In some cases, we may retain certain data longer where required by law or where necessary for the establishment, exercise, or defense of legal claims.
6. Data Sharing and Third-Party Transfers
We may share your personal data with the following categories of recipients: (a) Service providers and processors: We engage third-party service providers who process personal data on our behalf, including cloud hosting providers, payment processors, email service providers, customer relationship management systems, analytics providers, identity verification services, and IT support services. These processors are contractually bound to process data only in accordance with our instructions and in compliance with GDPR requirements; (b) Financial institutions and partners: We may share data with banks, payment service providers, investment fund managers, and other financial institutions necessary for executing transactions and providing investment services; (c) Regulatory and supervisory authorities: We may disclose personal data to regulatory bodies, tax authorities, law enforcement agencies, and other public authorities when required by law or to comply with legal obligations; (d) Professional advisors: We may share data with our legal, accounting, auditing, and other professional advisors who are bound by confidentiality obligations; (e) Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections; (f) With your consent: We may share data with other parties where you have given explicit consent. For transfers of personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including: Standard Contractual Clauses approved by the European Commission, adequacy decisions by the European Commission recognizing the recipient country's data protection laws as adequate, or other legally recognized transfer mechanisms. We will provide you with details of any international transfers and the safeguards in place upon request.
7. Data Security Measures
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include: (a) Technical measures: encryption of data in transit using TLS/SSL protocols, encryption of data at rest using industry-standard encryption algorithms, secure authentication mechanisms including multi-factor authentication where appropriate, regular security assessments and penetration testing, network security controls including firewalls and intrusion detection systems, access controls and authentication systems to ensure only authorized personnel can access personal data, regular software updates and security patches, secure backup and disaster recovery procedures, and monitoring and logging of system access and activities; (b) Organizational measures: staff training on data protection and security, confidentiality agreements with all employees and contractors, access controls limiting data access to personnel who need it for their job functions, regular reviews of data processing activities and security measures, incident response procedures for security breaches, and data protection impact assessments for high-risk processing activities. Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and in any event within 72 hours of becoming aware of the breach, where feasible.
8. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to collect and store information about your browsing behavior and preferences. Cookies are small text files stored on your device when you visit our website. We use the following types of cookies: (a) Strictly necessary cookies: These cookies are essential for the website to function and cannot be switched off. They are usually set in response to actions made by you such as setting your privacy preferences, logging in, or filling in forms; (b) Performance and analytics cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us understand how visitors interact with our website by collecting and reporting information anonymously; (c) Functionality cookies: These cookies enable the website to provide enhanced functionality and personalization, such as remembering your preferences and settings; (d) Marketing and advertising cookies: These cookies may be set through our site by our advertising partners to build a profile of your interests and show you relevant content on other sites. You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies or delete them. However, disabling certain cookies may impact the functionality of our website. For detailed information about the cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy. We also use web beacons, pixel tags, and similar technologies to track your interaction with our emails and website content.
9. Automated Decision-Making and Profiling
We may use automated processing, including profiling, in the following circumstances: (a) Risk assessment and suitability checks: We may use automated systems to assess your investment risk profile, verify your accreditation status, and determine your suitability for certain investment products. This processing is necessary for compliance with financial services regulations and to protect your interests; (b) Fraud prevention and security: We use automated systems to detect and prevent fraudulent activities, money laundering, and security threats. This processing is necessary for our legitimate interests in protecting our platform and users; (c) Marketing personalization: We may use profiling to personalize marketing communications and recommend investment opportunities that may be of interest to you, based on your investment history and preferences. This processing is based on your consent or our legitimate interests. You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Where such processing occurs, you have the right to: obtain human intervention, express your point of view, and contest the decision. If you wish to exercise these rights or have questions about our automated processing activities, please contact us at mike@helmshare.yachts.
10. Children's Data
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18 without appropriate parental consent. If we become aware that we have collected personal data from a child under 18 without proper consent, we will take steps to delete such information promptly. If you believe we have collected personal data from a child under 18, please contact us immediately at mike@helmshare.yachts.
11. Data Protection Officer
We have appointed Michael Soertsz as our Data Protection Officer (DPO) in accordance with Article 37 of the GDPR. The DPO is responsible for: monitoring our compliance with the GDPR and other data protection laws, providing advice and guidance on data protection impact assessments, acting as a point of contact for data subjects and supervisory authorities, cooperating with supervisory authorities, and ensuring staff training on data protection. You can contact our DPO directly at mike@helmshare.yachts regarding any questions or concerns about how we process your personal data or to exercise your data protection rights. The DPO operates independently and reports directly to senior management on data protection matters.
12. Supervisory Authority and Right to Lodge a Complaint
If you are located in the European Union, you have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates the GDPR. In Portugal, the supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD) - National Data Protection Commission. You can contact the CNPD at: Comissão Nacional de Proteção de Dados, Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal, Telephone: +351 213 928 400, Email: geral@cnpd.pt, Website: www.cnpd.pt. We encourage you to contact us first at mike@helmshare.yachts if you have any concerns about how we process your personal data, as we are committed to resolving any issues promptly and amicably.
13. Changes to This Policy
We may update this GDPR Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes to this policy, we will notify you by: posting the updated policy on our website with a new 'Updated date' at the top, sending you an email notification to the email address associated with your account, or displaying a prominent notice on our platform. We encourage you to review this policy periodically to stay informed about how we protect your personal data. Your continued use of our services after any changes to this policy constitutes your acceptance of the updated policy. If you do not agree with any changes, you may need to discontinue using our services and may request deletion of your account and personal data, subject to our legal obligations to retain certain information.
14. Contact Information
If you have any questions, concerns, or requests regarding this GDPR Policy or our data processing practices, or if you wish to exercise any of your data protection rights, please contact us: Data Controller: Drifter Apps Unipessoal Limited, Address: R Philip Folque, 2, 2, Lisbon 1050-113, Portugal, Email: mike@helmshare.yachts, Data Protection Officer: Michael Soertsz, Email: mike@helmshare.yachts. We will respond to your inquiry within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by up to two months, and we will inform you of any such extension and the reasons for it within one month of receiving your request.