Terms and Conditions — Privacy Policy

Last updated: March 2026|Version 1.0

1. Object

These Terms and Conditions govern participation in the Observatory of Artificial Intelligence in Business ("Observatory"), as well as the processing of personal and non-personal data collected through questionnaires, diagnostics, benchmarks, studies, reports, dashboards, interviews, use case submissions, and other interactions with the platform.

By submitting information to the Observatory, the user declares that they have read and understood these terms and accepts the conditions set forth herein.

2. Purpose of the Observatory

The Observatory aims to collect, analyze, systematize, and disseminate information on the adoption, maturity, governance, impact, and best practices of Artificial Intelligence in a business context, producing useful knowledge for companies, decision-makers, researchers, institutional partners, and other interested entities.

3. Data Controller

The data controller is:

  • [Name of the promoting entity]
  • NIPC: [to be inserted]
  • Address: Avenida dos Extremos, 62, R/C, 4705-136 Braga
  • Email for privacy matters: admin@alongside.team
  • Data Protection Officer / privacy contact: [to be inserted, if applicable]

    • 4. Categories of Data Processed

    Depending on user participation, the following types of data may be processed within the Observatory:

  • a) Identification and contact data, such as name, professional email, phone number, and role;
  • b) Professional and organizational data, such as company, sector, size, location, position, functional area, and level of responsibility;
  • c) Questionnaire and diagnostic response data, including perceptions, organizational maturity, technology usage, governance, compliance, use cases, and operational indicators;
  • d) Technical platform usage data, such as access logs, date and time, IP, credentials, usage history, and exported files;
  • e) Voluntarily submitted content, including use cases, comments, documents, and evidence;
  • f) Derived analytical data, such as scores, clusters, benchmarks, segmentations, and statistical indicators.

    • As a rule, the Observatory does not request special categories of personal data, except when strictly necessary, duly justified, and subject to an appropriate legal basis.

    5. Purposes of Processing

    Data may be processed for the following purposes:

  • a) Managing user participation in the Observatory;
  • b) Executing questionnaires, diagnostics, and benchmarks;
  • c) Returning individual and organizational results to the participant;
  • d) Conducting longitudinal tracking of AI maturity evolution;
  • e) Producing aggregate indicators, studies, reports, dashboards, and publications;
  • f) Ensuring quality control, methodological standardization, and prevention of duplicates or invalid responses;
  • g) Communicating methodological updates, results, initiatives, and publications, where there is a legitimate basis or consent;
  • h) Complying with legal, regulatory, and audit obligations;
  • i) Ensuring security, integrity, traceability, and proper functioning of the platform;
  • j) Developing and improving analytical methodologies, provided adequate safeguards are in place and, whenever possible, using aggregated, pseudonymized, or anonymized data.

    • 6. Legal Basis for Processing

    Data processing may be based, as applicable, on the following legal grounds:

  • a) Performance of pre-contractual steps or a participation/service relationship;
  • b) Consent of the data subject, when required or adopted by the promoting entity;
  • c) Legitimate interests of the promoting entity, namely for applied research, methodological improvement, platform security, fraud prevention, production of aggregate statistics, and longitudinal tracking, provided that the rights and freedoms of the data subjects do not prevail;
  • d) Compliance with applicable legal obligations.

    • Whenever processing is based on consent, it may be withdrawn at any time without affecting the lawfulness of processing carried out prior to that date.

    7. Use of Aggregated, Pseudonymized, and Anonymized Data

    Collected data may be transformed into aggregated, pseudonymized, and, whenever technically and methodologically possible, anonymized information for purposes of analysis, research, statistical production, benchmarking, publications, institutional communication, and Observatory development.

    Pseudonymized data continues to be considered personal data and remains subject to applicable data protection rules.

    Anonymized data, when anonymization is effective and irreversible by reasonably available means, may be used without identification of the data subject or the organization, namely for:

  • a) Public reports;
  • b) Aggregated dashboards;
  • c) Sector studies;
  • d) Barometers and indices;
  • e) Research, temporal comparison, and benchmarking;
  • f) Training, testing, calibration, or improvement of low-risk internal analytical models, provided there is no re-identification and no use for individually harmful decisions.

    • The Observatory commits to not publishing personally identifiable data and not publishing organization-identifiable rankings, except with express, specific, and documented authorization from the entity concerned.

    The Observatory commits to not attempting to re-identify data subjects from anonymized datasets, nor contractually allowing third parties to do so.

    The GDPR clearly distinguishes anonymization from pseudonymization: pseudonymized data remains covered by the GDPR; effectively anonymized data does not.

    8. Methodological Transparency and Data Layer Separation

    To ensure rigor, trust, and proportionality, the Observatory adopts a functional separation between:

  • a) Raw data submitted by participants;
  • b) Data processed for normalization and methodological control;
  • c) Aggregate indicators intended for analysis, dashboards, and publications;
  • d) Individual results accessible only to the participant or the legitimately authorized organization.

    • Access to each layer is restricted by profiles, permissions, and operational necessity.

    9. Confidentiality

    All identifiable data collected within the Observatory will be treated with confidentiality and only by persons subject to duties of secrecy, functional necessity, and internal control measures.

    Employees, service providers, technical partners, and subcontractors who may access personal data are bound by contractual obligations of confidentiality, security, and data protection.

    10. Data Sharing with Third Parties

    Data may be shared with:

  • a) Technology suppliers and subcontractors supporting the platform, hosting, security, analytics, communications, or technical processing;
  • b) Academic or institutional partners, only in aggregated, anonymized form or under adequate contractual safeguards;
  • c) Public authorities, regulators, courts, or competent entities, when there is a legal obligation.

    • Personal data will not be sold to third parties.

    11. International Transfers

    Whenever personal data is transferred outside the European Economic Area, it will only occur with an appropriate legal basis and with appropriate safeguards under the GDPR.

    12. Data Retention

    Personal data will be retained only for the period necessary for the purposes that justified its collection, including:

  • a) Managing participation in the Observatory;
  • b) Returning diagnostics;
  • c) Longitudinal tracking;
  • d) Compliance with legal obligations;
  • e) Defense of rights in case of litigation.

    • Specific retention periods will be defined in a dedicated internal policy.

    Upon expiry of the applicable retention period, data will be deleted, anonymized, or securely archived, depending on the legal basis and remaining purpose.

    The GDPR requires data minimization, purpose limitation, storage limitation, and adequate data security.

    13. Data Subject Rights

    Under applicable legislation, data subjects may exercise, where applicable, the rights of:

  • a) Access;
  • b) Rectification;
  • c) Erasure;
  • d) Restriction of processing;
  • e) Objection;
  • f) Data portability;
  • g) Withdrawal of consent, when processing is based on that ground;
  • h) Filing a complaint with the competent supervisory authority.

    • Requests should be sent to: admin@alongside.team.

    The Observatory will respond within the legally applicable timeframes.

    The EDPB recalls that information must be provided transparently and that data subject requests must, as a rule, be answered within one month.

    14. Security and Technical and Organizational Measures

    The Observatory will adopt appropriate technical and organizational measures proportionate to the risk, including, where appropriate:

  • a) Profile-based and role-based access controls;
  • b) Strong authentication;
  • c) Logging and auditing of access and changes;
  • d) Encryption in transit and, where appropriate, at rest;
  • e) Pseudonymization by default whenever direct identification is not necessary;
  • f) Segregation between identifiable data, processed data, and public indicators;
  • g) Backup, continuity, and recovery mechanisms;
  • h) Periodic review of permissions, security, and data quality.

    • 15. Use of Artificial Intelligence by the Observatory

    The Observatory may use algorithmic systems or AI tools to support statistical analysis, classification, methodological scoring, insight generation, inconsistency detection, benchmark production, or automation of operational tasks.

    This usage will be guided by the principles of:

  • a) Proportionality;
  • b) Adequate human oversight;
  • c) Traceability;
  • d) Data minimization;
  • e) Non-unjustified discrimination;
  • f) Methodological robustness;
  • g) Security;
  • h) Accountability.

    • The Observatory commits to not using AI for:

  • a) Practices prohibited by applicable legislation;
  • b) Undue manipulation of participants;
  • c) Exploitation of people's vulnerabilities;
  • d) Social scoring of natural persons;
  • e) Excessive inference or processing of data without a legitimate basis;
  • f) Solely automated decisions with legal effects or similarly significant effects on natural persons, except when legally permitted and subject to appropriate safeguards.

    • Whenever the Observatory uses AI in a relevant manner in producing results, it will endeavor to provide adequate information about the role of this technology, methodological limitations, and the existence of human oversight.

    The AI Act prohibits certain AI practices and imposes, among other matters, AI literacy duties on providers and deployers; for higher-risk systems, the regulation also requires governance, risk management, data quality, documentation, and human oversight.

    16. Alignment with the AI Act

    To the extent that the Observatory's activities or technological components fall within the scope of Regulation (EU) 2024/1689 (AI Act), the promoting entity commits to:

  • a) Assessing the Observatory's role as a provider, deployer, or other relevant operator;
  • b) Classifying systems used according to the applicable risk framework;
  • c) Avoiding prohibited uses;
  • d) Ensuring adequate AI literacy for persons operating the systems;
  • e) Maintaining governance, documentation, monitoring, and human oversight proportionate to the risk;
  • f) Articulating compliance with the AI Act alongside the GDPR, information security, and internal Responsible AI policies.

    • 17. No Use for Individual Public Surveillance

    Data submitted to the Observatory is not intended for publicly identifiable exposure of individuals nor, except where expressly provided by law, for individual punitive surveillance of participants. The Observatory's focus is analytical, scientific, strategic, and responsible benchmarking.

    18. Communications

    The user may receive service communications related to their participation, such as submission confirmation, diagnostic availability, methodological updates, security alerts, or account management.

    Informational, editorial, or promotional communications depend on an appropriate legal basis and may be deactivated under applicable terms.

    19. Cookies and Similar Technologies

    The platform may use cookies and similar technologies for authentication, security, performance, metrics, and experience improvement, in accordance with the applicable cookie policy.

    20. Amendments to These Terms

    These Terms and Conditions may be updated to reflect legal, regulatory, methodological, technological, or operational changes. The version in force will be made available on the platform with indication of the respective update date.

    21. Contacts and Complaints

    For any questions regarding privacy, data protection, or exercise of rights, the user may contact:

  • admin@alongside.team
  • Avenida dos Extremos, 62, R/C, 4705-136 Braga

    • Without prejudice to other means, the data subject has the right to file a complaint with the competent supervisory authority.

    22. Applicable Law and Jurisdiction

    These Terms and Conditions are governed by European Union law and applicable Portuguese law. For dispute resolution, the legally applicable jurisdiction shall apply, without prejudice to mandatory rules to the contrary.