Privacy Policy

How we collect, use, and protect your data.

Last Updated: 30 April 2026
Effective Date: 30 April 2026
Version: 1.0

1. Introduction and Scope

This Privacy Policy describes how Cost & Profitability Consulting, Lda. (NIF 516606498), trading as CostCTRL, with registered office in Porto, Portugal (hereinafter “we”, “us”, “our”, or “the Company”), collects, uses, stores, shares, and protects personal data obtained through our website costandprofitability.com, our diagnostic tools (including the Profitability Health Check), our services, and any related platforms or communications.

This policy applies to all visitors, users, clients, and business contacts who interact with our website, complete our diagnostic assessments, subscribe to our communications, attend our events, or otherwise engage with our services. It applies regardless of your geographic location, including the European Economic Area (EEA), the United Kingdom, Brazil, and all other jurisdictions.

We are committed to processing personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), Lei n.º 58/2019 (Portuguese data protection law), the Lei Geral de Proteção de Dados (“LGPD”, Brazil), and all other applicable data protection legislation.

By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis for processing, we will obtain your explicit consent at the point of data collection.

2. Data Controller

The data controller responsible for your personal data is:

Cost & Profitability Consulting, Lda.
NIF: 516606498
Porto, Portugal
Email: info@costandprofitability.com
Website: costandprofitability.com

For any data protection inquiries, requests, or complaints, please contact us at info@costandprofitability.com. We will respond within 30 days (or 15 days for requests made under the LGPD).

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Identity and Contact Data

When you complete a diagnostic assessment, request a consultation, subscribe to our communications, or otherwise interact with us, we may collect: your full name, email address, telephone number, job title or role, company name, company size (number of employees), industry sector, and country of operation.

3.2 Assessment and Diagnostic Data

When you complete the Profitability Health Check or any other diagnostic tool, we collect: your responses to each assessment question, your computed scores across each diagnostic dimension, your overall profitability score and risk classification, the date, time, and duration of completion, the language in which the assessment was completed, and any free-text comments or additional information you provide.

3.3 Technical and Usage Data

When you visit our website, we automatically collect: your IP address, browser type and version, operating system, device type, pages visited and time spent on each page, referring website or source, and interactions with our diagnostic tools (e.g., completion rates, drop-off points).

3.4 Communication Data

When you contact us or we communicate with you, we retain: the content of emails, messages, or form submissions, records of consultations or calls (with your knowledge), and preferences regarding marketing communications.

3.5 Business Relationship Data

For clients and business contacts, we may also collect: billing and invoicing details, contract and engagement history, and notes from meetings or workshops.

4. How We Use Your Data

We process your personal data for the following purposes, each supported by one or more lawful bases under Article 6 of the GDPR and/or Article 7 of the LGPD:

4.1 Service Delivery (Legal Basis: Contract Performance / Legitimate Interest)

To deliver the Profitability Health Check assessment and generate your personalised results report. To provide consulting, advisory, audit, and implementation services you have engaged us for. To send you your assessment results, PDF reports, and related follow-up materials. To schedule and conduct review calls or consultations you have requested.

4.2 Benchmarking, Research, and Industry Analysis (Legal Basis: Legitimate Interest / Consent)

This is a critical section. Please read it carefully.

We use assessment data, after aggregation and anonymisation, for the following commercial and research purposes:

(a) Creation of Industry Benchmarks. We aggregate assessment responses across all participants to create sector-specific, size-specific, and geography-specific benchmark databases. These benchmarks allow us to compare individual company scores against industry medians and percentiles. Benchmarks are derived from aggregated data pools and never identify individual respondents or specific companies.

(b) Publication of Reports and Indices. We create and publish research reports, white papers, articles, and industry indices (such as the “Profitability Health Index”) based on anonymised, aggregated assessment data. These publications may be distributed freely, sold commercially, used in marketing materials, presented at conferences, or shared with media outlets. No individual respondent or specific company will be identifiable in any published report.

(c) Sale of Benchmark Data Products. We may create and sell commercial data products, including benchmark reports, industry analyses, sector comparisons, and data-driven insights derived from anonymised, aggregated assessment data. These data products are offered to businesses, consultants, researchers, and other interested parties. All such products are based exclusively on anonymised, aggregated data from which no individual or specific organisation can be identified.

(d) Improvement of Diagnostic Tools. We use aggregated response patterns to improve the quality, accuracy, and discriminatory power of our assessment questions, scoring models, and recommendation engines.

(e) Training of AI and Machine Learning Models. We may use anonymised, aggregated assessment data to develop, train, and improve artificial intelligence models, machine learning algorithms, and predictive analytics tools. Individual data or identifiable information is never used for AI/ML training purposes. Any such processing occurs within EU-hosted infrastructure.

4.3 Marketing and Communications (Legal Basis: Consent / Legitimate Interest)

To send you newsletters, articles, event invitations, and other marketing communications (only with your consent, which you can withdraw at any time). To personalise our communications based on your assessment results, industry, or interests. To retarget you with relevant advertising on platforms such as LinkedIn or Google (only with your cookie consent).

4.4 Website Operations and Security (Legal Basis: Legitimate Interest)

To operate, maintain, and improve our website. To analyse website traffic and usage patterns. To detect and prevent fraud, abuse, or security threats. To comply with legal obligations and respond to lawful requests.

5. Company Name and Logo Usage

We respect the confidentiality of our clients and assessment participants. Our approach to referencing companies is as follows:

5.1 Without Your Consent: We will never publicly identify your company by name, logo, or any information from which your company could be reasonably identified in connection with specific assessment scores, results, or recommendations.

5.2 With Your Explicit Consent: If you provide explicit written consent (which may be obtained via email, a consent form, or a checkbox during the assessment process), we may: include your company name and/or logo in our client list on our website or marketing materials; reference your company in case studies, testimonials, or success stories; use your company name in proposals, presentations, or sales materials to demonstrate our experience.

5.3 Anonymised References: We may reference assessment participants in anonymised form (e.g., “a mid-size manufacturing company in Portugal with 85 employees”) in marketing materials, case studies, or presentations without obtaining specific consent, provided that the description does not allow reasonable identification of the company. If the combination of sector, size, geography, or other attributes could allow a knowledgeable reader to infer the company’s identity, we will obtain consent before publication.

5.4 Withdrawal of Consent: You may withdraw your consent for company name or logo usage at any time by contacting info@costandprofitability.com. We will remove your company’s identifying information from our materials within 30 days of receiving your request, except where removal is technically infeasible (e.g., printed materials already in circulation or third-party publications).

6. Anonymisation and Aggregation

A core principle of our data strategy is the distinction between personal data (which is subject to data protection law) and anonymised data (which is not).

6.1 Definition of Anonymisation. We consider data to be anonymised when it has been processed in such a way that the data subject is no longer identifiable, directly or indirectly, by any person, using any means reasonably likely to be used. This is consistent with Recital 26 of the GDPR and Article 12 of the LGPD.

6.2 Our Anonymisation Process. Before using assessment data for benchmarking, research, or commercial purposes, we apply the following measures: removal of all direct identifiers (name, email, phone, company name); removal or generalisation of indirect identifiers (exact company size is replaced with size bands; specific location is replaced with country or region); aggregation of data points so that no individual response can be isolated; a minimum threshold of respondents per segment before any benchmark is published (we will not publish benchmark data for any segment with fewer than five respondents); review of outputs for re-identification risk, particularly for niche sectors or small geographies.
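The following Python script is an added illustration of the process described in 6.2, not code from the Company or its tools. It drops direct identifiers, coarsens indirect ones (exact headcount to a size band, city to country), aggregates responses per segment, and refuses to publish any segment with fewer than five respondents. The size bands, field names and sample rows are assumptions constructed for the example; the policy defines none of them.

```python
"""Small-count suppression and generalisation before benchmark publication.

Added example (not the Company's own code). Field names, size bands and the
sample rows below are constructed for illustration only.
"""
from collections import defaultdict
from statistics import mean, median

MIN_RESPONDENTS = 5  # publication threshold stated in Section 6.2

# Direct identifiers listed in Section 6.2; these never reach the benchmark.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "company_name"}

# Assumed size bands: the policy only says "size bands", not which ones.
SIZE_BANDS = [(1, 9, "1-9"), (10, 49, "10-49"), (50, 249, "50-249"), (250, None, "250+")]


def size_band(employees):
    """Replace an exact headcount with the band it falls into."""
    for lo, hi, label in SIZE_BANDS:
        if employees >= lo and (hi is None or employees <= hi):
            return label
    raise ValueError(f"invalid employee count: {employees!r}")


def generalise(row):
    """Return a copy of one response with direct identifiers removed and
    indirect identifiers coarsened (headcount -> band, 'City, Country' -> country)."""
    out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
    out["size_band"] = size_band(out.pop("employees"))
    out["country"] = out.pop("city_country").split(",")[-1].strip()
    assert DIRECT_IDENTIFIERS.isdisjoint(out), "direct identifier survived generalisation"
    return out


def build_benchmarks(rows, k=MIN_RESPONDENTS):
    """Aggregate scores per (sector, size_band, country) segment.

    Returns (published, suppressed). Segments with fewer than k respondents are
    suppressed entirely rather than published with a small n. Only n, the median
    and a rounded mean are released: min/max (or raw percentiles on a tiny
    segment) would hand back individual respondents' exact scores.
    """
    segments = defaultdict(list)
    for row in rows:
        g = generalise(row)
        segments[(g["sector"], g["size_band"], g["country"])].append(g["score"])

    published, suppressed = {}, []
    for segment, scores in segments.items():
        if len(scores) < k:
            suppressed.append(segment)
            continue
        published[segment] = {
            "n": len(scores),
            "median": median(scores),
            "mean": round(mean(scores)),
        }
    return published, suppressed


# Constructed sample input: six manufacturers (publishable) and two respondents
# in a niche sector (suppressed). Names, addresses and scores are invented.
SAMPLE_ROWS = [
    {"name": "A. Silva", "email": "a@example.invalid", "phone": "+351000000001", "company_name": "Co1",
     "sector": "Manufacturing", "employees": 85, "city_country": "Braga, Portugal", "score": 62},
    {"name": "B. Costa", "email": "b@example.invalid", "phone": "+351000000002", "company_name": "Co2",
     "sector": "Manufacturing", "employees": 120, "city_country": "Porto, Portugal", "score": 71},
    {"name": "C. Dias", "email": "c@example.invalid", "phone": "+351000000003", "company_name": "Co3",
     "sector": "Manufacturing", "employees": 60, "city_country": "Aveiro, Portugal", "score": 55},
    {"name": "D. Lopes", "email": "d@example.invalid", "phone": "+351000000004", "company_name": "Co4",
     "sector": "Manufacturing", "employees": 200, "city_country": "Leiria, Portugal", "score": 68},
    {"name": "E. Sousa", "email": "e@example.invalid", "phone": "+351000000005", "company_name": "Co5",
     "sector": "Manufacturing", "employees": 95, "city_country": "Guimaraes, Portugal", "score": 74},
    {"name": "F. Pinto", "email": "f@example.invalid", "phone": "+351000000006", "company_name": "Co6",
     "sector": "Manufacturing", "employees": 150, "city_country": "Coimbra, Portugal", "score": 59},
    {"name": "G. Rocha", "email": "g@example.invalid", "phone": "+351000000007", "company_name": "Co7",
     "sector": "Aquaculture", "employees": 12, "city_country": "Olhao, Portugal", "score": 48},
    {"name": "H. Neves", "email": "h@example.invalid", "phone": "+351000000008", "company_name": "Co8",
     "sector": "Aquaculture", "employees": 30, "city_country": "Sines, Portugal", "score": 81},
]

if __name__ == "__main__":
    published, suppressed = build_benchmarks(SAMPLE_ROWS)
    for seg, stats in published.items():
        print("PUBLISH ", seg, stats)
    for seg in suppressed:
        print("SUPPRESS", seg, "(fewer than", MIN_RESPONDENTS, "respondents)")
```

The threshold alone is not the whole of the re-identification review the section calls for: two published tables whose segments overlap (for example, the same sector split once by size band and once by country) can be differenced to recover a suppressed cell, so the review step has to consider every release together, not each table on its own.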

6.3 Legal Status of Anonymised Data. Once data has been irreversibly anonymised in accordance with the above process, it is no longer personal data under the GDPR or the LGPD. Accordingly, we may use, publish, sell, share, or otherwise exploit anonymised, aggregated data without restriction and without further notice to you. This includes, without limitation, the creation and commercial sale of benchmark reports, industry indices, trend analyses, data visualisations, and AI-driven insights.

7. Data Sharing and Third Parties

We may share your personal data with the following categories of recipients:

7.1 Service Providers and Processors. We engage third-party service providers who process data on our behalf, including: website hosting providers (InMotion Hosting, USA, subject to the transfer safeguards described in Section 8); email delivery services (for sending assessment results and marketing communications); analytics tools (Google Analytics or equivalent); payment processors (for paid services); CRM and business management tools. All processors are bound by data processing agreements that require them to process data only on our instructions and to implement appropriate technical and organisational security measures.

7.2 Partners and Affiliates. Where we offer co-branded versions of our diagnostic tools with partners, we may share your contact data and assessment results with the relevant partner, but only where you have been clearly informed at the point of data collection that the assessment is co-branded and that your data will be shared with the named partner.

7.3 Professional Advisors. We may share data with our legal, accounting, or insurance advisors where necessary for the conduct of our business.

7.4 Legal and Regulatory Requirements. We may disclose data where required by law, regulation, court order, or governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7.5 Business Transfers. In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections described in this policy.

We do not sell your personal data to third parties. The sale of anonymised, aggregated benchmark data (as described in Sections 4.2 and 6.3) does not constitute a sale of personal data.

8. International Data Transfers

Our primary data processing takes place within the European Union. However, some of our service providers may process data outside the EEA. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:

8.1 Adequacy Decisions. Transfers to countries that the European Commission has determined provide an adequate level of data protection (the current list is available at ec.europa.eu).

8.2 Standard Contractual Clauses (SCCs). For transfers to countries without an adequacy decision (including Brazil), we use the European Commission’s Standard Contractual Clauses adopted under Decision 2021/914, supplemented by Transfer Impact Assessments where required.

8.3 EU-US Data Privacy Framework. For transfers to the United States, we rely on certifications under the EU-US Data Privacy Framework where applicable.

For users in Brazil: we comply with Articles 33-36 of the LGPD regarding international data transfers. Transfers are made on the basis of Standard Contractual Clauses or to countries recognised by the ANPD (Autoridade Nacional de Proteção de Dados) as providing an adequate level of protection.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

9.1 Assessment Data (Individual Responses). We retain your individual, identifiable assessment responses for up to 36 months from the date of completion. After this period, individual responses are either deleted or irreversibly anonymised and incorporated into our aggregate benchmark database.

9.2 Account and Contact Data. We retain your contact data for the duration of our business relationship plus 24 months. If you are a marketing subscriber, we retain your data until you unsubscribe plus 12 months (to maintain suppression lists and consent records).

9.3 Anonymised and Aggregated Data. Once data has been irreversibly anonymised, it is no longer personal data and may be retained indefinitely for benchmarking, research, and commercial purposes.

9.4 Financial and Billing Records. We retain invoicing and payment records for 10 years, as required by Portuguese tax and commercial law (Código do IRC, Article 123).

9.5 Server Logs. Technical server logs are retained for up to 12 months.

9.6 Cookie Data. Cookie data is retained for a maximum of 13 months, in line with guidance issued by European data protection authorities.

9.7 Consent Records. Records of consent (including proof of when and how consent was obtained) are retained for the duration of consent plus 5 years, to demonstrate compliance with legal obligations.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device when you visit a website.

10.1 Categories of Cookies

(a) Strictly Necessary Cookies. These are essential for the website to function and cannot be disabled. They include session management cookies, security cookies, and cookies required to remember your cookie consent preferences. Legal basis: legitimate interest (website functionality).

(b) Analytics and Performance Cookies. These help us understand how visitors use our website by collecting anonymised usage statistics. We use these to improve our website and services. These cookies are only activated with your consent.

(c) Functional Cookies. These remember your preferences (such as language selection) to provide a more personalised experience. These cookies are only activated with your consent.

(d) Marketing and Advertising Cookies. These are used to track visitors across websites and display relevant advertisements. We may use these in connection with LinkedIn, Google, or other advertising platforms. These cookies are only activated with your consent.

10.2 Cookie Consent

When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or reject each category of non-essential cookies. You may change your preferences at any time by clicking the cookie settings link in the footer of our website. Rejecting cookies is as easy as accepting them. We do not use pre-ticked consent boxes or dark patterns.

10.3 Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages. We do not control these cookies. Please refer to the respective third party’s privacy policy for more information.

11. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

11.1 Rights Under the GDPR (EEA and UK Residents)

Right of Access (Article 15). You have the right to obtain confirmation of whether we process your personal data, to receive a copy of that data, and to be informed of the purposes of the processing, the recipients, the retention period, and the source of the data.

Right to Rectification (Article 16). You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17). You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful. This right does not apply to anonymised data or where retention is required by law.

Right to Restriction of Processing (Article 18). You have the right to request that we limit how we use your data in certain circumstances.

Right to Data Portability (Article 20). You have the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.

Right to Object (Article 21). You have the right to object to processing based on legitimate interest. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right Regarding Automated Decision-Making (Article 22). Our diagnostic tools produce automated scores and recommendations. These are provided for informational and advisory purposes only and do not constitute decisions that produce legal effects or similarly significant effects on you. You have the right to request human review of any automated assessment.

Right to Withdraw Consent. Where we rely on consent as a legal basis, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

11.2 Additional Rights Under the LGPD (Brazilian Residents)

In addition to the rights above, if you are a resident of Brazil, you also have the right to: receive confirmation of the existence of processing; access your data; request anonymisation, blocking, or deletion of unnecessary or excessive data; request data portability to another service provider; be informed about public and private entities with which we have shared your data; be informed about the possibility of denying consent and the consequences thereof; and petition the ANPD (Autoridade Nacional de Proteção de Dados) regarding your data.

11.3 How to Exercise Your Rights

To exercise any of your rights, please contact us at info@costandprofitability.com. We will verify your identity before processing your request. We will respond within 30 days (GDPR; Article 12(3) requires a response within one month) or 15 days (LGPD) of receiving a verified request. Complex or numerous requests may require an extension of up to two further months (GDPR, Article 12(3)), in which case we will inform you of the extension and the reasons for it within the first month.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: encryption of data in transit using TLS; access controls limiting data access to authorised personnel on a need-to-know basis; regular security reviews of our systems and processes; secure storage of assessment data with restricted server access; and staff awareness and training on data protection obligations.

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (CNPD in Portugal) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay.

For Brazilian users, we will notify the ANPD and affected data subjects within a reasonable time frame, in accordance with ANPD guidance.

14. Children’s Privacy

Our services are designed for business professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a minor, please contact us immediately at info@costandprofitability.com and we will promptly delete such data.

15. Third-Party Links

Our website may contain links to third-party websites, platforms, or services (such as LinkedIn, CostCTRL.com, scheduling tools, or payment processors). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your personal data.

16. Marketing and Opt-Out

We will only send you marketing communications where you have given your consent or where we have a legitimate interest in doing so (e.g., sending service-related updates to existing clients).

Every marketing email includes an unsubscribe link. You may also opt out at any time by contacting info@costandprofitability.com. Opting out of marketing does not affect service-related communications (such as delivery of your assessment results).

17. Supervisory Authorities

If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with a supervisory authority:

Portugal: Comissão Nacional de Proteção de Dados (CNPD) – www.cnpd.pt
Brazil: Autoridade Nacional de Proteção de Dados (ANPD) – www.gov.br/anpd
Other EU/EEA countries: Your local data protection authority. A list of EU data protection authorities is available at edpb.europa.eu.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes, we will: update the “Last Updated” date at the top of this policy; post a notice on our website; and, where required by law or where changes affect the legal basis for processing, notify affected users by email.

We encourage you to review this policy periodically. Your continued use of our website and services after any changes constitutes your acknowledgement of the updated policy.

19. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of Portugal and the European Union. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Porto, Portugal, without prejudice to your right to lodge a complaint with a supervisory authority or to bring proceedings before the courts of your habitual residence.

20. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Cost & Profitability Consulting, Lda.
Data Protection Enquiries
Email: info@costandprofitability.com
Website: costandprofitability.com
Porto, Portugal


Cost & Profitability Consulting, Lda. · NIF 516606498 · Porto, Portugal
This Privacy Policy was last reviewed and updated on 30 April 2026.
