PRIVACY POLICY

ICOLABORA is a company specializing in business process automation, with customizable options for our clients' diverse needs. It's absolutely necessary for us to process a wide range of data, including personal data.

We process personal data belonging to those who use our automation platform, or to data subjects who may in any way be part of a project or service provided by ICOLABORA. In doing so, we act as data processing agents and are subject to the provisions of Federal Law No. 13,709/2018 (General Personal Data Protection Law – LGPD).

We care about the protection of personal data and therefore provide this privacy policy, which contains important information about:

I. Who should use our automation platforms;
II. What data we process and what we do with it;
III. Sharing personal data with third parties;
IV. How long will personal data be stored;
V. Legal bases for the processing of personal data;
VI. Rights of holders;
VII. Security measures in the processing of personal data;
VIII. Communication to a supervisory authority;
IX. Changes to this policy;
X. How to contact us.

 

I. Who should use our automation platforms?

Our automation platforms must be used by people over eighteen years of age. Therefore, children and adolescents should not use them.

 

II. What data we collect and what we do with it

Our services may require the collection and use of personal data of data subjects, in accordance with the provisions of this section.

 

II.1. Personal data provided by the user in the platform registration modules.

We process the following personal data that users of our solutions provide us to enable their access and use of the automation platforms:

❖ FULL NAME
❖ CPF
❖ CELL PHONE
❖ EMAIL

This data is collected during project implementation in a real-world environment. In this case, the user or administrator will input personal data into the solution. Personal data may also be processed by the administrator for registry maintenance. 

The data provided by our users is collected to identify and authenticate their access to the solution. To this end, only the data necessary and essential for maintaining registration and access is processed.

 

II.2. Personal data obtained through solutions and other forms

In order for some of our services to be made available to our customers and partners, we may process personal data in other ways. The processing of data subjects' data will always be based on legal grounds and supported by specific and legitimate purposes.

In the event of data processing carried out by ICOLABORA, the following personal data may be processed:

❖ FULL NAME
❖ CPF
❖ TELEPHONE
❖ CELL PHONE
❖ HOME ADDRESS
❖ EMAIL
❖ GEOLOCATION DATA

Data processing will depend on the project and the service provided to the client or partner, observing its legal basis. The following example may be considered a processing scenario:

When the data subject files a complaint regarding the product or service provided by ICOLABORA's customers with entities such as regulatory agencies and consumer protection agencies, ICOLABORA will capture this complaint along with the complainant's personal data, which will then pass through our process automation platforms and reach our customers. This enables us to handle the complaint in the best possible way and resolve the complainant's issue.

Considering the above hypothesis, ICOLABORA would only process essential and necessary data to achieve the specific purpose of resolving the complainant's demand, based on the execution of the contract signed with its client.

 

II.3. Personal data of ICOLABORA employees

Although in most cases ICOLABORA acts as a personal data processor, when it comes to our employees' data, our responsibility is that of data controller. For example, an employee must provide their personal data to be hired or to enable the provision of services to the company. In these cases, the legal basis used will be the performance of the contract or compliance with a legal obligation.

 

II.4. Sensitive data

Currently, ICOLABORA does not process sensitive personal data of data subjects, but recognizes that it may do so depending on the nature of the client's activity and the scope of the project.

Sensitive personal data is understood to be the data defined in Art. 11 of the General Data Protection Law, such as, for example, data relating to: racial or ethnic origin; religious belief; political opinion; membership of a trade union or organization of a religious, philosophical or political nature; health or sexual life; genetic or biometric data, when linked to a natural person.

In any case, when processing sensitive personal data, ICOLABORA will pay attention to what is provided for in Art. 11 and following clauses, in particular the express prohibitions set out in §§ 4 and 5 of this article.

 

II.5. Processing of data not provided for in this policy

Occasionally, other types of data not expressly provided for in this Privacy Policy may be processed based on other legal bases. In any case, the collection and processing will always respect the specific and legitimate purpose.

 

III. Sharing personal data with third parties

Personal data sharing occurs when a data controller transfers personal data for which it is responsible to another data controller. In most cases, data sharing requires the data subject's consent, but such authorization may be waived, for example, when the data is essential for the data controller to comply with legal or regulatory obligations. Some data sharing by ICOLABORA is supported by compliance with a legal obligation. 

Regarding the personal data for which ICOLABORA is responsible as an operator, data sharing may occur within the scope of maintaining the systems where our solutions are hosted. The company uses cloud hosting and storage (cloud computing), which makes companies specializing in this service personal data subprocessors. ICOLABORA uses the services of established companies in the market that adopt the best information security standards and can protect data privacy. In these cases, data sharing is done to enable compliance and execution of the contract.

The company does not share data for marketing purposes or transfer data whose processing is in disagreement with the established security criteria or that may harm data privacy.

 

IV. How long will personal data be stored?

The personal data collected is stored and used for the period necessary to achieve the specific purposes, taking into account the rights of its holders, the rights of the processing agents and the applicable legal or regulatory provisions.

Once the purpose for which the personal data was initially processed has ended, it may be removed from our database, observing cases in which there is a need for storage due to a legal or regulatory provision, in addition to other provisions provided for in the execution of the contract, provided they are legitimate.

 

V. Legal bases for the processing of personal data

A legal basis for processing personal data is simply a ground provided by law that justifies the processing. Therefore, each personal data processing operation must have a corresponding legal basis.

In general, the legal bases that authorize processing by ICOLABORA are:

  • Consent of the holder (Art. 7, item I);
  • Compliance with legal or regulatory obligation (Art. 7, item II);
  • Execution of contract or preliminary procedure (Art. 7, item V);
  • Legitimate interest (Art. 7, item IX).

 

Furthermore, other legal bases not expressly provided for in this policy may eventually be used depending on the processing of personal data, always observing the need and legitimate purpose.

 

VI. Rights of data subjects

According to the General Data Protection Law, holders of personal data have the following rights:

  • Confirmation of the existence of processing;
  • Access to data;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance with the provisions of the law;
  • Portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;
  • Deletion of personal data processed with the consent of the holder, except in cases provided for by law;
  • Information on public and private entities with which the controller shared data;
  • Information about the possibility of not providing consent and the consequences of refusal;
  • Revocation of consent.

It is important to highlight that under the LGPD there is no right to delete data processed based on legal grounds other than consent, unless the data is unnecessary, excessive or processed in non-compliance with the provisions of the law.

 

VI.1. How the data subject can exercise his/her rights

Holders of personal data may exercise their rights through the e-mail address available at the end of this document or by writing to our Personal Data Protection Officer. The necessary information can be found in the "How to contact us" section of this Privacy Policy.

To ensure that the user who wishes to exercise their rights is, in fact, the holder of the personal data subject to the request, we may request further information that may assist in their correct identification, in order to protect our rights and the rights of third parties. 

After analysis, ICOLABORA will contact you within a reasonable timeframe to determine whether the request is admissible. It is important to note that if the company is a data processor, the request will be duly forwarded to the responsible data controller so that the controller can fulfill the rights of the requesting data subject.

 

VII. Security measures in the processing of personal data

In order to protect personal data, we employ technical and organizational measures capable of preventing unauthorized access, destruction, loss, misplacement or even improper alteration.

These measures take into account the nature of the data, the context and purpose of the processing, the risks that a possible violation would generate for the rights and freedoms of the data subject, in addition to the standards currently used in the market by companies similar to ours.

Among the security measures adopted, we highlight the following:

  • Encrypted password storage;
  • Use of encryption at the transport layer in all internet access (HTTPS);
  • Segregation of responsibilities (SoD – Segregation of Duties) between the teams involved, especially with regard to production servers and databases;
  • Use of TIER III Datacenters which, therefore, have physical access monitoring;
  • Two-step password validation whenever possible;
  • Training on security policies at hiring, with periodic refresher training for all employees.

 

In the event of any security incident that may pose a significant risk or harm to data subjects, ICOLABORA will act diligently to implement security measures aimed at containing and mitigating damage, and to review and improve its information security systems and policies. Furthermore, it will follow the provisions of our Incident Communication Policy, which aim to provide transparency to affected data subjects, customers, and partners, in addition to complying with its obligations to the National Data Protection Authority (ANPD).

 

VIII. Communication to a supervisory authority

Without prejudice to any other administrative or judicial remedy, holders of personal data who feel harmed in any way as a result of a possible security incident involving their data may file a complaint with the National Data Protection Authority (ANPD).

Furthermore, we reinforce our commitment to keeping our privacy and security policies up to date, in addition to remaining available to data subjects so they can exercise their rights.

 

IX. Changes to this policy

This Privacy Policy was updated and revised on: APRIL/2024.

We reserve the right to modify these provisions at any time, especially to adapt them to any changes in our platform and services, whether by providing new features or removing or modifying existing ones.

This policy will be available with its updated version on the website www.icolabora.com.

 

X. How to contact us

To clarify any questions about this Privacy Policy or to exercise the rights of data subjects, please contact our Personal Data Protection Officer through the channels mentioned below:

E-mail: dpo@icolabora.com

Postal address: Postal Code 04711-130.