PRIVACY POLICY
ICOLABORA is a company specializing in business process automation, offering customizable solutions that adapt to each client's needs. For our services to function efficiently and securely, the handling of different types of data, including personal data, is essential.
This data may belong to people who use our automation platforms or who, in some way, participate in projects, services, or operations carried out by ICOLABORA.
When carrying out this processing, we act as personal data processing agents, strictly observing the rules of Law No. 13.709/2018 – General Law on the Protection of Personal Data (LGPD), which establishes rights for data subjects and duties for organizations in the use of personal information.
We take care of the protection of personal data and, therefore, we provide this privacy policy which contains important information about:
I. Scope and Purpose of the Privacy Policy;
II. Regarding the personal data we process;
III. Sharing and transfer of personal data;
IV. Regarding the retention period for personal data;
V. Legal bases for the processing of personal data;
VI. Regarding the rights of data subjects;
VII. Security measures in the processing of personal data;
VIII. Automated decisions and Artificial Intelligence tools;
IX. Communication to a control authority;
X. Changes to this policy;
XI. How to contact us.
I. Scope and Purpose of the Privacy Policy
This Privacy Policy aims to inform, in a clear, transparent and accessible way, how ICOLABORA processes personal data in the context of its automation platforms, digital solutions, consulting and technological services.
Its scope covers all activities related to the collection, use, storage, sharing, and deletion of personal data carried out by ICOLABORA, both through its websites, portals, applications, corporate systems, and customer service channels, and in internal and contractual operations with clients, partners, suppliers, and employees.
This policy applies to all holders of personal data whose information is processed by ICOLABORA, including users of its solutions, representatives of contracting companies, service providers, and internal employees, regardless of the means or technology used for processing.
By using our services or interacting with our systems, the user declares to be aware of the conditions presented here, without prejudice to any specific privacy terms or additional contracts applicable to certain products, modules or customized projects.
II. Regarding the personal data we process
Our services may require the collection and use of personal data of data subjects, in accordance with the provisions of this section.
II.1. Personal data provided by the user in the platform registration modules.
We process the following personal data that users of our solutions provide us to enable their access and use of the automation platforms:
❖ NAME
❖ CPF
❖ CELL PHONE
❖ E-MAIL
This data is collected during the implementation of projects in a real-world environment. In this case, the user or administrator will input personal data into the solution. There is also the possibility of personal data being processed by the administrator for registration maintenance purposes.
The data provided by our users is collected to identify and authenticate their access to the solution. To this end, only the data necessary and essential for maintaining registration and access is processed.
II.2. Personal data obtained through solutions and other forms
In order to provide some of our services to our clients and partners, we may process data belonging to natural persons. The processing of data belonging to data subjects will always be based on legal grounds and supported by specific and legitimate purposes.
In general, the data processing carried out by ICOLABORA may include the following types of personal data:
❖ IDENTIFICATION DATA: name, CPF (Brazilian tax identification number), email, phone number, cell phone number.
❖ GEOGRAPHIC DATA: residential address, household, geolocation.
❖ COMPANY INFORMATION: trade name, company name, CNPJ (Brazilian tax ID), and customer service contacts.
❖ TECHNICAL DATA: IP address, device information and cookies.
❖ HISTORICAL DATA AND OTHER INTERACTIONS: ratings, complaint history, posts on platforms maintained by us.
The processing of data will depend on the project and service provided to the client or partner, observing the appropriate legal basis. In some situations, ICOLABORA may process personal data when the data subject files a complaint about products or services provided by our clients with regulatory agencies or consumer protection bodies.
In these cases, information related to the complaint — including the complainant's personal data — may be captured and processed by ICOLABORA's automation platforms, with the aim of forwarding the request to the responsible client and enabling the problem to be addressed and resolved quickly and effectively.
Considering the above hypothesis, ICOLABORA would only process essential and necessary data to achieve the specific purpose of resolving the complainant's demand, based on the execution of the contract signed with its client.
II.3. Personal data of ICOLABORA employees
Although in most cases ICOLABORA acts as a personal data processor, when processing the data of our employees, our responsibility is that of a data controller, according to the law. For example, an employee must provide a copy of their personal documents to finalize their hiring or enable the provision of services to the company. In these cases, the legal bases used will be the execution of the contract or compliance with a legal obligation. For these situations, the following documents will be required:
❖ PERSONAL DOCUMENTS: ID card, CPF (Brazilian tax identification number), birth or marriage certificate, proof of address.
❖ REGISTRATION DOCUMENTS: Employment Record Book (CTPS), Social Security Number (PIS), voter registration card, military service certificate.
❖ BUSINESS DOCUMENTS: proof of registration and tax status.
II.4. Sensitive data
Currently, ICOLABORA does not process sensitive personal data of data subjects, but acknowledges the possibility of doing so depending on the nature of the client's activity and the scope of the project.
Thus, sensitive personal data is understood to be that defined in Article 11 of the General Data Protection Law, such as, for example, data relating to: racial or ethnic origin; religious beliefs; political opinions; membership in a trade union or religious, philosophical or political organization; health or sex life; genetic or biometric data, when linked to a natural person.
In any case, when processing sensitive personal data, ICOLABORA will pay attention to what is provided for in Art. 11 and following clauses, in particular the express prohibitions set out in §§ 4 and 5 of this article.
II.5. Processing of data not provided for in this policy
In exceptional situations, ICOLABORA may process other types of personal data not expressly mentioned in this Policy, provided that there is an applicable legal basis and that the principles of legitimate purpose, necessity, proportionality, and transparency in the use of this information are strictly observed.
III. Sharing and transfer of personal data
III.1. Sharing data with third parties.
Personal data sharing occurs when a data controller transfers personal data for which it is responsible to another data controller. In most cases, data sharing requires the data subject's consent, but such authorization may be waived, for example, when the data is essential for the data controller to comply with legal or regulatory obligations. Some data sharing by ICOLABORA is supported by compliance with a legal obligation.
Regarding the personal data that ICOLABORA is responsible for as an operator, data sharing may occur within the scope of maintaining the systems where our solutions are hosted. The company uses cloud hosting and storage, which makes companies specializing in providing this service sub-operators of personal data. ICOLABORA uses the services of established companies in the market that adopt the best information security standards and can safeguard data privacy. In these cases, data sharing occurs to enable the fulfillment and execution of the contract.
The company does not share data for marketing purposes or transfer data whose processing is in disagreement with the established security criteria or that may harm data privacy.
III.2. International transfer of personal data.
If personal data is transferred to foreign countries, we will comply with Resolution CD/ANPD No. 19/2024 and other applicable regulations. Transfers will only be permitted in the following cases:
- Decision regarding the suitability of the competent authority;
- Standard contractual clauses approved;
- Binding Corporate Rules;
- Legal requirements or requirements necessary for the execution of a contract.
For each international transfer, we will indicate the destination country and the safeguards adopted.
IV. Regarding the retention period for personal data
The personal data collected will be processed for the period strictly necessary to achieve the specific purposes set out in this policy, observing the rights of the data subjects, the data controllers, and the applicable legal or regulatory provisions.
Once the purpose for which the personal data was initially processed has ended, it may be removed from our database, observing cases in which there is a need for storage due to a legal or regulatory provision, in addition to other provisions provided for in the execution of the contract, provided they are legitimate.
Furthermore, for certain types of processing, personal data will be stored for the following minimum periods:
- System records and audit logs: maintained for at least three years for security and traceability purposes;
- Registration data and access to solutions: kept for at least one year after account deactivation, to allow for possible verifications or reactivations;
- Employee data: kept for at least five years, or for the time necessary to comply with applicable legal and labor obligations.
V. Legal bases for the processing of personal data
A legal basis for processing personal data is simply a ground provided by law that justifies the processing. Therefore, each personal data processing operation must have a corresponding legal basis.
In general, the legal bases that authorize processing by ICOLABORA are:
- Consent of the holder (Art. 7, item I);
- Compliance with legal or regulatory obligation (Art. 7, item II);
- Execution of contract or preliminary procedure (Art. 7, item V);
- Regular exercise of rights (Art. 7, item VI);
- Legitimate interest (Art. 7, item IX).
Furthermore, other legal bases not expressly provided for in this policy may eventually be used depending on the processing of personal data, always observing the need and legitimate purpose.
VI. Regarding the rights of data subjects
VI.1. Rights of data subjects
According to the General Data Protection Law, holders of personal data have the following rights:
- Confirmation of the existence of treatment;
- Access to data;
- Correction of incomplete, inaccurate or outdated data;
- Anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance with the provisions of the law;
- Portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;
- Deletion of personal data processed with the consent of the holder, except in cases provided for by law;
- Information on public and private entities with which the controller shared data;
- Information about the possibility of not providing consent and the consequences of refusal;
- Revocation of consent.
It is important to highlight that under the LGPD there is no right to delete data processed based on legal grounds other than consent, unless the data is unnecessary, excessive or processed in non-compliance with the provisions of the law.
VI.2. How the holder can exercise their rights
Data subjects may exercise their rights by contacting the email address provided at the end of this document or by writing to our Data Protection Officer. The necessary information can be found in the "How to contact us" section of this Privacy Policy.
To ensure that the user wishing to exercise their rights is, in fact, the owner of the personal data subject to the request, we may request additional information that may be necessary to assist in your correct identification, in order to safeguard our rights and the rights of third parties.
After analysis, ICOLABORA will contact you within a reasonable timeframe to determine whether the request is admissible. It is important to note that if the company is a data processor, the request will be duly forwarded to the responsible data controller so that the controller can fulfill the rights of the requesting data subject.
VII. Security measures in the processing of personal data
In order to protect personal data, we employ technical and organizational measures capable of preventing unauthorized access, destruction, loss, misplacement or even improper alteration.
These measures take into account the nature of the data, the context and purpose of the processing, the risks that a possible violation would generate for the rights and freedoms of the data subject, in addition to the standards currently used in the market by companies similar to ours.
Among the security measures adopted, we highlight the following:
- Password and internet access encryption;
- Segregation of responsibilities, especially in production servers and databases;
- Storage on reliable and certified servers with physical monitoring;
- Recording of audit logs and security incidents;
- 2FA (two-factor authentication) password validation;
- Training and capacity building in security and privacy measures with periodic refresher courses.
In the event of any security incident that could pose a significant risk or harm to data subjects, ICOLABORA will diligently implement security measures aimed at containing and mitigating damage, and reviewing and improving its information security systems and policies. Furthermore, it will adhere to the provisions of our Incident Communication Policy, which aims to provide transparency to affected data subjects, clients, and partners, in addition to complying with obligations to the National Data Protection Agency (ANPD).
VIII. Automated decisions and Artificial Intelligence tools.
Where applicable, our solutions may utilize automated processes and artificial intelligence (AI) tools to enhance the efficiency and security of operations. These technologies are employed for the following purposes:
- To automatically analyze the performance and productivity of processes, seeking to optimize workflows;
- To anticipate potential operational events, such as delays, bottlenecks, or failures in automated processes;
- To classify and prioritize tasks based on technical and historical criteria;
- To generate automated recommendations, alerts, and insights to support decision-making;
- To identify usage and behavior patterns in systems, aiming at continuous improvement and information security;
- To automate communications and customer service, including the use of chatbots and virtual assistants based on natural language.
In certain situations, automated data processing may influence decisions that have legal or relevant effects on the data subject. In these cases, we guarantee the exercise of the rights provided for in Article 20 of the General Data Protection Law (LGPD), including:
- To request clear information about the criteria and procedures used in automated processes;
- To request human review of any decision that produces significant legal effects or impacts;
- To object to automated processing based on legitimate interest, where applicable.
We emphasize that no automated decision is made without human supervision when it may have a significant impact on the data subject, except in cases where such processing is necessary for the performance of a contract, for compliance with a legal or regulatory obligation, or when there is specific consent from the data subject.
IX. Communication to a control authority
Without prejudice to any other administrative or judicial remedy, holders of personal data who feel harmed in any way as a result of a possible security incident involving their data may file a complaint with the ANPD (National Data Protection Authority).
We reaffirm our commitment to keeping our privacy and security policies always up-to-date.
X. Changes to this policy
This Privacy Policy was updated and revised in: November 2025.
We reserve the right to modify these provisions at any time, especially to adapt them to any changes in our platform and services, whether by providing new features or removing or modifying existing ones.
This policy will be available in its updated version on the website https://portal.icolabora.com.br/politica-de-privacidade/
XI. How to contact us
To clarify any doubts about this Privacy Policy or to exercise the rights of data subjects, please contact our Data Protection Officer through the channel mentioned below:
E-mail: dpo@icolabora.com
Person in charge: André Porto Faruoli de Brito
Address: Avenida Doutor Chucri Zaidan 1550, Conj. 2515 – Vila São Francisco – São Paulo/SP – CEP: 04.711-130