1. Introduction

Welcome to Coompass, a digital platform operated by Broadpath, Lda. ("Coompass", "we", "our"). We respect your privacy and are committed to safeguarding your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This Privacy Policy explains:

• What data we collect and why

• How we process, store, and share it

• What rights you have over your data and how to exercise them

By accessing or using Coompass services, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

We collect personal information strictly for the purposes of operating, maintaining, and improving the Coompass platform, in compliance with applicable data protection laws.

2.1 Information Provided by Users

• Profile Information: profile photo (optional), skills and interests (optional).

• Contact Information: name or nickname and email address.

• Communication Data: messages exchanged with the Coompass support team or notifications sent via the platform.

• Authentication Data: email and password (where applicable) or login via Single Sign-On (SSO).

2.2 Automatically Collected Data

When you use the platform, certain technical data is collected to ensure proper functioning and security:

• Device Information: browser type, operating system, IP address, device type, and anonymized location (region-level only).

• Usage Logs: timestamps of logins, actions performed, session duration, error reports, and engagement with system emails.

2.3 Data from Third-Party Sources

Coompass does not actively collect or enrich user profiles from external third-party sources. However, if you access external content or integrations (e.g., third-party links, embedded media), those services may independently collect data under their own privacy policies, for which Coompass assumes no responsibility or control.

3. How We Use Your Data

Coompass, operated by Broadpath, Lda., uses the personal data collected strictly for the following purposes:

• Provide Services: To create and manage your account, enable participation in volunteering opportunities, facilitate team collaboration, and generate sustainability and social impact reports where applicable.
  Basis for Processing: performance of a contract.

• Improve and Personalize Services: To analyze platform usage, detect errors, improve user experience, and offer relevant content and functionalities.
  Basis for Processing: legitimate interests.

• Legal and Regulatory Compliance: To respond to lawful requests by public authorities, prevent fraud, protect rights, perform internal audits, and comply with applicable laws and regulations.
  Basis for Processing: legal obligation.

We do not process personal data for marketing or profiling purposes, and we do not sell or share user data with advertisers.

4. Data Sharing and Disclosure

Coompass does not sell or disclose your personal data to third parties for advertising or profiling purposes. We only share data where necessary to provide the service or comply with legal obligations.

4.1 Sharing with Partners

If you register interest in a specific mission or volunteering opportunity, limited data such as your name and contact email may be shared with the corresponding nonprofit or partner organization responsible for that activity. Each partner operates under their own privacy policy, and we encourage you to review those policies before engaging in any specific mission.

4.2 Service Providers

We use carefully selected service providers (sub-processors) to support the core operations of the Coompass platform, including infrastructure, authentication, customer support, and secure communication. For example, we rely on trusted infrastructure providers such as Vercel (cloud hosting). All service providers act under our documented instructions and are contractually bound to implement appropriate safeguards, including those required under the GDPR and, where applicable, Standard Contractual Clauses (SCCs) for data transfers outside the European Economic Area.

4.3 Legal and Compliance

We may disclose personal information when legally required to do so, or when necessary to protect the rights, safety, or legitimate interests of Coompass, its users, or others. This includes responding to lawful requests by public authorities.

5. Security Measures

Coompass implements appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, or disclosure.

These measures include encrypted communications (HTTPS), secure authentication mechanisms, access control based on roles, and monitoring of system activity.

While we strive to maintain a high level of security, no online platform can be entirely immune to threats. We therefore encourage all users to:

• Use strong, unique passwords

• Log out after each session (especially on shared devices)

• Notify our support team immediately if they suspect any unauthorized access to their account

6. Cookies and Tracking Technologies

The Coompass platform may use essential cookies and similar technologies to enable secure login, maintain session state, and improve user experience.

We do not use tracking cookies for marketing or profiling purposes.

You may control or disable cookies through your browser settings; however, doing so may affect the platform's core functionality.

7. International Data Transfers

Your personal data may be processed outside the European Union or the European Economic Area, for example, when using third-party service providers located in countries with different data protection standards.

Whenever such transfers occur, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with Articles 44–49 of the GDPR.

8. Notification and Complaint

If you have any concerns about how your personal data is processed by Coompass, you can contact us using the details provided at the end of this Privacy Policy.

You also have the right to lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD)

9. Your Rights and Choices

Under the General Data Protection Regulation (GDPR) and other applicable laws, you have specific rights regarding your personal data. These include the right to:

• Access: Request a copy of the personal data we hold about you.

• Correction: Request that we correct inaccurate or incomplete data.

• Deletion: Request the deletion of your personal data, unless we are legally required to retain it.

• Objection: Object to the processing of your data under certain conditions, including direct marketing.

• Restriction: Request the temporary limitation of processing in certain circumstances (e.g., pending correction).

• Portability: Receive your data in a structured, commonly used, and machine-readable format, or request its transfer to another controller.

To exercise any of these rights, please contact us at hello@coompass.org. We will respond to all legitimate requests in accordance with applicable data protection regulations and within the legally required timeframe.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, contractual, and operational requirements. When personal data is no longer required, we take appropriate steps to securely delete, anonymize, or archive it.

When you delete your account, we will automatically erase or anonymize your personal data without undue delay, unless retention is required by law (for example, for compliance with tax, legal, or security obligations). Certain technical records (such as backup copies or audit logs) may be retained for a limited period, but will be isolated and inaccessible for active use

Certain technical records (such as audit logs or system backups) may be retained for a limited period beyond account closure, solely for security, compliance, or disaster recovery purposes.

11. Privacy Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices.

When we make material changes, we will notify users by appropriate means, such as a notice on the platform or an email to registered users. The revised policy becomes effective upon publication, unless otherwise stated.

Your continued use of Coompass services after any updates constitutes your acceptance of the revised Privacy Policy.

12. Contact Information

For questions or concerns regarding this Privacy Policy, please contact us:

Broadpath, Lda.
Email: hello@coompass.org