PortuguêsEnglish

Privacy and Personal Data Protection Notice

MOAI - Community And Property Management, Sociedade Unipessoal Lda (hereinafter the Organisation or MOAI) is a company within the Mota-Engil Group and the operator of the KITH platform.

MOAI is committed to ensuring the security of personal data and has prepared this Privacy Policy to explain the terms under which it collects and processes personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), Portuguese Law No. 58/2019 of 8 August (hereinafter the GDPR), and other applicable legislation on personal data protection and privacy in electronic communications.

The processing of personal data described in this Policy concerns personal data of users of our websites, applications, digital products and services.

In this context, we will explain how your data is processed, how we protect it, and how you can exercise your rights.

This Privacy Notice applies to the Kith App, the associated website, and the marketplace features managed by MOAI, in respect of personal data processing in which MOAI acts as data controller.

This Privacy Notice shall be read without prejudice to the privacy policies, terms and conditions and other applicable instruments of the Providers made available in the marketplace and of the payment service provider (PSP), which may act as autonomous controllers within their respective spheres of activity.

Who is responsible for the processing of your personal data?

MOAI - Community And Property Management, Sociedade Unipessoal Lda, with Portuguese tax identification number (NIPC) 518972364, a company within the Mota-Engil Group, is the operator of the KITH platform and is the data controller for personal data processed in the management of user accounts, the technical and functional provision of the platform, the operational management of the KITH App, and the purposes determined by MOAI itself in the context of the services it provides.

In transactions carried out through the KITH platform, other entities may also intervene as autonomous data controllers within their respective spheres of activity, namely:

(i) the Providers, in respect of personal data strictly necessary for the execution of transactions, including delivery of products, provision of services, after-sales support, returns, complaints, invoicing and compliance with their own legal obligations; and

(ii) the payment service provider (PSP) integrated in the platform, in respect of data necessary for payment processing, verification, fraud prevention, and compliance with the legal and regulatory obligations applicable to it.

MOAI may also engage subcontractors to provide maintenance, technical support, communications, security and other services instrumental to the operation of the platform; these subcontractors will process personal data on MOAI's behalf in accordance with applicable law.

MOAI may be contacted at privacy@kith-app.com or at its registered office at Rua do Rego Lameiro, No. 38, 4300-454 Porto, Portugal.

Personal data

Personal data means any information about an identified or identifiable natural person.

Within this Privacy Notice, MOAI collects and processes personal data strictly necessary for the different purposes identified in this document, which may vary depending on the use of the KITH platform, the services requested, the existing contractual relationship, and the profile of the user concerned. This information should be read together with the other sections of this Notice, in particular those relating to the origin of the data, categories of data processed, purposes, legal bases and recipients.

MOAI commits to processing personal data with confidentiality and to implementing appropriate technical and organisational measures to protect personal data against unauthorised, accidental or unlawful destruction, loss, alteration, disclosure or access, in accordance with applicable law.

The data subject, and any user or provider who supplies personal data in the context of using the KITH platform, commits to providing only true, accurate, complete and up-to-date data, and to communicating any relevant changes as soon as reasonably practicable. Without prejudice to applicable law, the provision of inaccurate, outdated or third-party data without legitimacy may compromise the correct delivery of services and the regular functioning of the platform.

What is the origin of your personal data and what data do we process?

Sources of personal data

The personal data processed by MOAI may come from the following sources:

  • Data provided directly by the data subject: Data made available by the user, customer or provider when creating an account on the KITH platform, completing the relevant profile, contracting services, purchasing products, registering as a Provider, sending contact requests, complaints, communications through the platform, or providing documentation necessary for the contractual relationship.

  • Data generated through the use of the KITH platform: Data resulting from the use of the Kith App and the Digital Marketplace, including order history, requests, contracts, in-platform messages, transaction states, scheduling, operational communications, support requests, complaints, and other interactions within the platform's features.

  • Data obtained through navigation and technical use of the platform: When you navigate and use the Kith App and/or the associated website, technical data may be collected, namely IP address, device identifiers, date and time of access, logs, usage events and information necessary for the security of the platform and fraud prevention. The installation of cookies or similar technologies is governed by the relevant Cookies Notice; non-strictly-necessary cookies require prior user consent where legally required.

  • Data contained in documentation associated with the management of individual units and the underlying contractual relationship: Where applicable to the features made available on the KITH platform, MOAI may process personal data contained in documentation associated with the management of individual units, the underlying contractual relationship, or the use of the services provided, including, where strictly necessary, elements of contracts, property documentation or other documents relevant to the purpose in question, always in accordance with the principle of data minimisation.

Categories of personal data

Depending on the feature used, the service requested, the type of user and the contractual relationship:

  • Account and registration data: Name, email address, telephone, account identifiers, password in protected format, and preferences associated with use of the platform.

  • Identification and contact data necessary for executing transactions or services: Name, address or place of delivery/service, contacts and instructions relevant for the execution of orders, bookings, services or use of platform features.

  • Data relating to transactions and functional use of the platform: History of orders, requests, bookings, contracts, transaction states, products purchased, services contracted, transaction values, payment method, scheduling, and use of features available in the Kith App.

  • Navigation and online behaviour data: IP address and behavioural patterns on our website (e.g., how you navigate the different sections of the website) where you have accepted the use of cookies and similar technologies; ISP data (provider domain giving access to the network) and the date/time associated with access; device identifiers, date and time of access, logs, usage events, security information, fraud detection and prevention, and other data strictly necessary for the technical and secure functioning of the platform.

  • Data related to behaviour and habits: Scheduling for use of condominium equipment (e.g., pool and fitness area), scheduling of services contracted from external providers, purchases made in our Marketplace, deliveries of products purchased from external providers.

  • User support data: Communications with MOAI, information requests, complaints, associated evidence, and other elements necessary for incident monitoring, user support and service quality management.

  • Compliance and Provider verification data: Corporate identification data, tax ID/business registration number, address, contacts, data of legal representative(s), IBAN, and other elements necessary for registration validation, payment settlement, invoicing, eligibility verification, fraud prevention, compliance and fulfilment of legal obligations.

MOAI does not intend to process special categories of personal data in the normal context of using the KITH platform; therefore, we ask users, customers and providers to refrain from entering or communicating such data on the platform, unless strictly necessary and supported by an adequate legal basis.

Not all data categories identified above are processed in all cases. Personal data will be processed only to the extent that it is adequate, relevant and limited to what is necessary for each specific purpose, in accordance with the principle of data minimisation.

For what purposes, on what legal basis, and for how long do we process your data?

MOAI processes personal data only when there is a determined purpose and an adequate legal basis, in accordance with applicable law. The purposes, legal bases and retention periods set out below should be read in conjunction with the data categories identified above.

Processing necessary for the performance of your contractual relations with MOAI

This subsection refers to processing whose legal basis is the necessity to perform your contractual relations with MOAI.

MOAI processes personal data where necessary for the creation and management of user accounts, the technical and functional provision of the Kith App and the Digital Marketplace, the management of orders, bookings, operational communications, user support, management of services made available on the platform, management of scheduling of condominium-related features, and other operations necessary for regular use of the platform and execution of the contractual relationship established with MOAI.

In this context, the legal basis for processing is performance of a contract or pre-contractual steps, as applicable.

For these purposes, the following may be processed, depending on the specific case: account and registration data, identification and contact data, data relating to transactions and functional use of the platform, data necessary for transaction execution, user support data and, where applicable, data associated with documentary and contractual management of individual units and related services, always respecting the principle of data minimisation.

Processing necessary for platform security, fraud prevention, quality control and operational management

MOAI also processes personal data for the purposes of Kith App security, fraud prevention and detection, protection of the platform and users, activity logging, incident management, technical support, performance monitoring, service quality control, complaint handling, management of chargebacks, refunds and disputes, as well as the application of risk mitigation, security and contractual compliance measures.

In these cases, the legal basis for processing is, depending on the situation, performance of a contract and/or MOAI's legitimate interest in the security, integrity and regular functioning of the platform, service improvement, and defence of its rights and the rights of third parties.

For these purposes, technical and usage data, logs, security and anti-fraud information, communications, complaints, associated evidence, transaction data and other elements strictly necessary for the analysis and management of the specific situation may be processed.

Processing necessary for compliance with legal obligations

MOAI may process personal data whenever necessary for the fulfilment of legal obligations, namely in tax, accounting, administrative, regulatory matters, fraud prevention, response to competent authorities, and exercise or defence of rights in judicial, extrajudicial or administrative proceedings.

In these cases, the legal basis for processing is compliance with a legal obligation and, where applicable, MOAI's legitimate interest in declaring, exercising or defending rights.

Processing based on consent, where applicable

Whenever the use of certain features, technologies or communications legally depends on consent, namely in the case of non-strictly-necessary cookies or promotional communications, MOAI will request prior consent from the data subject, as legally required. Withdrawal of consent does not compromise the lawfulness of processing carried out based on consent previously given.

For how long do we retain your personal data?

Personal data will be retained only for the period necessary for the purposes for which it was collected and processed, taking into account the nature of the data, the purpose of processing and applicable legal periods.

In particular, personal data may be retained:

(i) while the user account is active and necessary for the use of the KITH platform;

(ii) while necessary for the management and execution of transactions, orders, bookings, service provision, user support and regular platform functioning;

(iii) for the period required for compliance with legal obligations, in particular of a tax, accounting, administrative, regulatory or archival nature; and

(iv) for the period necessary for the declaration, exercise or defence of rights in judicial, extrajudicial or administrative proceedings, including for the management of complaints, returns, warranties, chargebacks, payment disputes, fraud, security incidents or contractual breaches.

Where there is no specific legal retention period, personal data will be retained only for the period strictly necessary to pursue the purpose that determined its collection and processing, in accordance with the storage limitation principle.

Upon expiry of applicable retention periods, personal data will be deleted or anonymised, except where legally required to be retained or where retention is necessary for the declaration, exercise or defence of rights.

The data subject's exercise of the rights of objection, restriction or erasure will be assessed in accordance with applicable law and without prejudice to cases where processing or retention of data continues to be necessary on sufficient legal grounds.

To which recipients will your personal data be communicated?

The personal data processed by MOAI for the purposes set out above may be communicated to the following recipients depending on the legal basis for the communication.

The following data communications seek to ensure the correct development of the contractual relationship and to comply with legal obligations that require such communications. In particular, personal data may be communicated to the following categories of recipients:

a) Providers available in the Kith App marketplace: Personal data may be communicated to the Providers selected by the User, strictly to the extent necessary for the management and execution of the transaction, including delivery of products, provision of services, after-sales support, returns, complaints and other acts directly related to the transaction. For these purposes, the Providers act, as a rule, as autonomous data controllers under the Contract and within their own sphere of decision and control.

b) Payment Service Provider (PSP) / payment platform: Personal data necessary for payment processing may be communicated to the payment service provider integrated in the Kith App for the purposes of transaction execution, verification, fraud prevention, management of refunds, chargebacks, disputes, and compliance with the relevant legal and regulatory obligations. The PSP acts, for these purposes, as autonomous data controller on its own terms and conditions.

c) MOAI's subcontractors: MOAI may engage service providers that process personal data on its behalf, in particular for hosting/cloud, maintenance and technical support, electronic communications, helpdesk, security, fraud prevention, analytics, operational management of the platform and services instrumental to the functioning of the Kith App. These providers act as subcontractors under documented instructions from MOAI and contracts compliant with Article 28 of the GDPR.

d) Financial, banking or collection entities, where applicable: Where necessary for invoicing, collection, refunds, financial management associated with the provision of MOAI's services or the execution of transactions through the Kith App, data may be communicated to financial, banking or collection service providers strictly to the extent necessary for the relevant purpose.

e) Public, administrative, regulatory, tax or judicial authorities: Personal data may be communicated to public, administrative, regulatory, tax, police or judicial authorities whenever required by law, by decision of a competent authority, or where necessary for the declaration, exercise or defence of rights in judicial, extrajudicial or administrative proceedings.

MOAI does not sell personal data to third parties. Whenever MOAI engages subcontractors, it will ensure that they offer sufficient guarantees of implementation of adequate technical and organisational measures and of compliance with applicable data protection legislation.

Under what circumstances do we transfer your personal data to third countries?

The activity conducted by MOAI may involve the transfer of your personal data to third countries — those outside the European Union or which do not belong to the European Economic Area — even though this occurs only occasionally and always in connection with other services used by MOAI. In such situations all necessary and appropriate measures will be adopted to ensure the protection of your personal data.

What are the rights of data subjects?

Under applicable personal data protection legislation, the data subject may exercise, where applicable, the following rights in respect of their personal data processed by MOAI:

  • Right to be informed: You have the right to be informed in a concise, transparent, intelligible and easily accessible form, using clear and plain language, about the use and processing of your personal data.

  • Right of access: You have the right to request, at any time, that we confirm whether we are processing your personal data, that we provide you with access to such data and information about its processing, and that you obtain a copy of such data. The copy of your personal data that we provide will be free of charge, although requests for additional copies may be subject to a reasonable fee based on administrative costs. For our part, we may ask you to prove your identity or request further information necessary to process your request.

  • Right to rectification: You have the right to request the rectification of inaccurate, outdated or incomplete personal data concerning you. You may also request the completion of incomplete personal data, including by means of a supplementary declaration.

  • Right to erasure: You have the right to request the erasure of your personal data when, among other grounds, the data is no longer necessary for the purposes for which it was collected. However, this right is not absolute, and MOAI may continue to retain the data, duly blocked, in cases provided for by applicable regulation.

  • Right to restriction of processing: You have the right to request that we restrict the processing of your personal data, meaning we may continue to store it but not continue to process it if any of the following conditions are met: for example, when you contest the accuracy of the data, for a period enabling the controller to verify the accuracy;

    • The processing is unlawful and you oppose erasure of the data and request restriction of its use instead;

    • Our entity no longer needs the data for processing purposes, but you need it for the establishment, exercise or defence of legal claims;

    • You have objected to processing pending verification of whether our legitimate grounds override yours.

  • Right to data portability: You have the right to have your data transmitted to another controller in a structured, commonly used and machine-readable format. This right applies where processing of your personal data is based on consent or on the performance of a contract and is carried out by automated means.

  • Right to object: This right allows you to object to the processing of your personal data, including profiling. We will not be able to honour your right where we demonstrate compelling legitimate grounds for processing or for the establishment, exercise or defence of legal claims.

  • Right not to be subject to automated decisions, including profiling: This right allows you not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on you or similarly significantly affects you. Unless such decision is necessary for entering into or performing a contract, is authorised by law, or is based on consent.

  • Right to withdraw consent where processing is based on consent: In cases where we have obtained your consent for the processing of your personal data in relation to certain activities (for example, sending commercial communications), you may withdraw your consent at any time. We will then stop carrying out that specific activity for which you previously consented, unless another reason justifies continued processing of your data for these purposes, in which case we will notify you.

  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD), Avenida D. Carlos I, 134, 1º, 1200-651, Lisboa, Portugal (https://www.cnpd.pt/), or at the email address: https://www.cnpd.pt/cidadaos/participacoes/geral/.

The data subject also has the right to be informed, in a concise, transparent, intelligible and easily accessible manner, about the terms on which their personal data is processed.

The exercise of the rights above may be subject to limitations and conditions provided for in applicable law, particularly where the processing or retention of personal data is necessary for compliance with legal obligations, performance of a contract, protection of overriding legitimate interests, or the declaration, exercise or defence of rights in judicial, extrajudicial or administrative proceedings.

You may exercise the rights indicated above by sending an email to privacy@mota-engil.com, attaching a document proving your identity and providing the data necessary to process your request.

Interested parties may obtain additional information about their rights on the website of the Portuguese Data Protection Authority, https://www.cnpd.pt/.

What security measures are adopted?

MOAI implements appropriate technical and organisational measures to protect personal data against unauthorised, accidental or unlawful destruction, loss, alteration, disclosure or access, taking into account the nature of the data processed, the context and purposes of processing, and the risks to the rights and freedoms of data subjects.

These measures may include, depending on the case, authentication mechanisms, access control, activity logging, encryption where applicable, measures to prevent fraud and abuse, logical and physical security mechanisms, and internal procedures designed to prevent improper access, unauthorised use, accidental loss, destruction or compromise of personal data.

MOAI also ensures that its subcontractors and service providers with access to personal data are subject to adequate security and confidentiality obligations, in accordance with applicable law and the contractual instruments concluded for that purpose.

Notwithstanding the measures adopted, no electronic data transmission or storage system is entirely free from risk; MOAI therefore recommends that users adopt good security practices, in particular the use of strong passwords, not sharing credentials, and immediate notification of any suspected misuse or unauthorised use of their account.

In this regard, MOAI, as part of the Mota-Engil Group, conducts all its activity using systems intended to ensure the security of your personal data, by creating procedures that prevent unauthorised access, accidental losses and/or destruction of your personal data, and committing to respect and compliance with personal data protection legislation.

Relationship with Marketplace Providers

When using the Marketplace of the KITH platform, the user may share personal data not only with MOAI, as platform operator, but also with the providers who make their products and/or services available on the platform.

MOAI will process personal data necessary for the technical and functional operation of the platform, the routing of the transaction, operational management of the marketplace, user support, Kith App security, fraud prevention, and compliance with its legal and contractual obligations.

The Providers will process the personal data communicated to them strictly to the extent necessary for the management, execution and fulfilment of the transaction requested by the user, including, where applicable, delivery of products, provision of services, after-sales support, returns, complaints, invoicing and compliance with their own legal obligations. For these purposes, the Providers act, as a rule, as autonomous data controllers, within their respective spheres of decision and control.

Personal data obtained by the Providers through the Kith App may not be used for own purposes beyond the execution of the transaction, in particular for direct marketing, commercial prospecting, contact outside the platform, creation of autonomous databases, or diversion of the commercial relationship away from the Kith App, unless the Provider has an autonomous legal basis for that and complies with the legally applicable information duties.

Whenever the user shares additional data directly with a Provider or consents to autonomous processing promoted by that Provider for its own purposes, including promotional communications or marketing actions, such processing will be carried out under the sole responsibility of the relevant Provider, in accordance with its own privacy policy and applicable law.

MOAI recommends that, before sharing any additional personal information directly with third-party Providers, the user consult the relevant privacy policies and terms applicable to the processing of their personal data.

Changes to the Privacy Notice

This Privacy Notice may be updated periodically by MOAI, whenever necessary to reflect legal, regulatory, operational or functional changes relating to the KITH platform and the processing of personal data.

The most recent version of the Privacy Notice will always be available on the KITH platform and/or its associated website. Whenever the changes introduced are materially significant, MOAI will adopt reasonable means to communicate them to users through the platform, the website or other appropriate means of contact.

Periodic consultation of this Privacy Notice is recommended to keep abreast of any updates.

Date of last update: 21/05/2026 Version: 1.0