Under the terms of the applicable legislation on data protection matters, namely the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), we hereby inform you:
**SERVICE** – INVOICEXPRESS
**Service Provider: RUPEAL** – **Consultoria e Desenvolvimento de Software, Unipessoal, Lda.**, with head office located at Avenida Duque D’Ávila, n.º 46, 3.º A, 1050-083 Lisboa, registered in the Commercial Registry Office of Lisbon, under the sole identification and registry number 508.025.338.
**USER** – Natural or legal person who acquires/uses the Service
#### USER PERSONAL DATA:
1. RUPEAL, as author and provider of the SERVICE, declares that the personal data of the USER, which is collected, is included in the client’s database owned by RUPEAL for the management of the commercial relationship with the clients, invoicing, sale of products, contact with clients, marketing, promotion, advertising and statistical purposes.
2. When the USER adheres to the SERVICE, he/she accepts and recognizes that he/she will have to provide the data strictly necessary for the provision of the SERVICE; such data will be exclusively used for the purposes referred to above.
3. The USER personal data will not, in any circumstance, be transmitted or assigned to third parties without the express consent of the USER, except in the cases provided for in the following paragraph.
4. RUPEAL will provide the account data of the USER to the competent authorities if such provision is mandatory by law or RUPEAL is notified to do so. RUPEAL may also transfer your data to third parties in case of breach of the terms and conditions of the SERVICE, so that RUPEAL may exercise its rights, or in cases related with civil, misdemeanour or criminal liability.
5. At any moment, the USER may exercise its rights of access, rectification, deletion, restriction, objection and/or portability, in writing, accompanied by a document which attests the USER's identity and/or the data to rectify, if applicable, which shall be delivered to the following e-mail address: firstname.lastname@example.org.
6. The objection to the processing of personal data which is communicated to RUPEAL after the beginning of the processing will only have effects as from the date of reception of such communication, not affecting the lawfulness of the processing until such date. Such objection may lead to the impossibility to provide the SERVICE.
7. With respect to data portability, please bear in mind that, in accordance with the applicable legislation, such right is only applicable in relation to the data collected with your consent.
#### DATA THAT THE USER INSERTS IN THE INVOICEXPRESS:
1. The USER, in his/her capacity of controller of the data inserted in the software to use the SERVICE, declares and warrants that:
**(a)** The processing of personal data is lawful and all conditions for its performance are met.
**(b)** Will provide RUPEAL with the necessary instructions for the processing intended.
**(c)** Will only transfer to RUPEAL the personal data strictly necessary for the execution of the services.
**(d)** Adopts the necessary technical and organizational measures to ensure the update and correctness of the data communicated to RUPEAL.
**(e)** Adopts the adequate technical and organizational measures to ensure the confidentiality and security of personal data transferred to RUPEAL, in order to prevent and avoid its destruction, accidental or unlawful loss, amendment, diffusion or non-authorized accesses, namely when the data are transferred by electronic means, and against any kind of unlawful processing, in conformity with the categories of data processed.
**(f)** Has implemented the adequate procedures to ensure the satisfaction of the data subjects.
**(g)** Has implemented the adequate procedures to comply with the obligations of informing the supervisory authority and the data subjects in case of a data breach.
2. RUPEAL, as service provider and processor, undertakes to:
**(a)** Process the personal data transferred by the USER only in accordance with the instructions provided by the USER, with the purposes for which the data was collected, and only to ensure the compliance of its obligations under this Agreement and the execution of the operations defined;
**(b)** Adopt the adequate technical and organizational measures to ensure the confidentiality and security of personal data in order to prevent and avoid its destruction, accidental or unlawful loss, amendment, diffusion or non-authorized accesses, namely when the data are transferred by electronic means, and against any kind of unlawful processing;
**(c)** Maintain a written record of all categories of processing activities carried out on behalf of the USER, which shall include, at least, the name and contact details of the USER, of other processors and, if applicable, of the data protection officer, and a description of the processing performed;
**(d)** Limit the access by its employees to the personal data transferred by the USER; such access will only be given if it is necessary for the execution of their duties under the provision of the services;
**(e)** Ensure that the employees who have access to the personal data will be bound by confidentiality duties in relation to such data and will refrain from using the data for other purposes, for their own or others’ benefit;
**(f)** Process the personal data exclusively in Portugal or in another European Union country;
**(g)** Make available to the USER the necessary information which evidences compliance with its legal obligations as a processor.
3. The USER is responsible for informing data subjects, at the time of collection of the personal data, about the data processing and its communication to RUPEAL, and, if necessary, for obtaining their consent to the data processing.
4. RUPEAL undertakes to assist the USER, insofar as it is possible, so that the USER may satisfy the data subjects' rights.
5. Where the data subjects submit requests to RUPEAL exercising their rights of access, rectification, objection, erasure or portability of their data, RUPEAL undertakes to forward those requests, as soon as possible, to the USER, to the e-mail registered in the USER account.
6. RUPEAL undertakes not to communicate the personal data to which it has access to third parties, not even for its preservation, except the communication which is necessary so that it may be able to keep the systems safe (hardware and software), and always upon the signature of an agreement under which such third party ensures that it complies with its obligations as a sub-processor.
7. The USER shall be aware that RUPEAL has contracts with providers located in the United States of America, and that the data uploaded through the SERVICE may be transferred to that country. By contracting with those providers for the processing of data on behalf of the USER, RUPEAL ensures that such third parties commit themselves to the same data protection obligations as the ones established in this privacy policy, in particular, the obligation to provide sufficient guarantees with respect to the execution of adequate technical and organizational measures so that the processing is compliant with the GDPR.
8. In any case, whenever RUPEAL intends to contract with third parties, it undertakes to inform the USER of that fact. The information to be provided shall include the identification of the third party, the data to communicate to the third party and the security measures implemented to ensure the safety of data.
9. RUPEAL undertakes to inform the USER without undue delay after becoming aware of a data breach.
10. Such communication shall be accompanied by the relevant documents which allow the USER, if necessary, to notify the competent supervisory authority.
11. The USER is responsible for notifying the competent supervisory authority in case of a data breach.
12. RUPEAL undertakes to keep complete secrecy and confidentiality regarding the personal data which it processes under the provision of services to the USER, in particular, the information and data of the USER or third parties to which it may have access during the execution of the services. RUPEAL also undertakes not to disclose, publish, or disseminate such information by any means, either directly or through third parties, without the prior written consent of the USER.
13. The USER undertakes to respect the confidentiality of the methods and procedures applied by RUPEAL for the provision of the services and undertakes the responsibility for the compliance of this obligation by its employees. The confidentiality duty is not applicable to information which is accessible to the public in general.
14. Upon the term of the provision of the SERVICE, RUPEAL undertakes to return or destroy, as instructed by the USER, the personal data which is under its possession, regardless of the format in which it is stored, except the minimum essential data which shall be kept for the compliance of RUPEAL legal obligations.
15. Right to claim before a supervisory authority. The candidate has the right to submit a claim before the supervisory authority competent in Portugal, which is the Data Protection Commission (“Comissão Nacional de Proteção de Dados”), if he/she understands that InvoiceXpress is breaching its legal obligations.
16. Third-party providers. InvoiceXpress has service providers which are located within the European Union and in the United Kingdom and, therefore, your data may be processed outside of Portugal. Upon contracting with such providers for the execution of specific data processing, InvoiceXpress ensures that such third parties commit themselves to the same data protection obligations as the ones established in this privacy policy, in particular, the obligation to provide sufficient guarantees with respect to the execution of adequate technical and organizational measures so that the processing is compliant with the GDPR.
These conditions intend to ensure to the USER a safe and effective use of the service provided by RUPEAL.