PRIVACY AND DATA PROTECTION

AND INFORMATION SECURITY POLICY

The present Policy applies to individuals who interact with services provided by FATO RELEVANTE AGENCY (“FR”). This Policy explains how your personal data is collected, used, shared and stored by FR.

This Policy covers our online and offline data collection activities, covering Personal Data we collect through our various channels, including third-party websites, applications and social networks. Please note that we may aggregate Personal Data from different sources (websites, offline events). To do this, we cross-check Personal Data that was originally collected by different means.

If you do not provide the necessary Personal Data (we will indicate where applicable, for example, by clarifying such information in our registration forms), we may not be able to provide you with our services.

This Policy may be changed from time to time as informed at the end of this document.

1. PERSONAL DATA

Personal Data is all and any information that allows for your identification, such as your name, CPF (Taxpayer Registration Number), email, and phone number, among others.

Sensitive Personal Data is personal data relating to racial or ethnic origin, religious conviction, political opinion, labor union membership or membership in religious, philosophical, or political organizations. Also relates to data regarding health or sexual life, genetic or biometric data.

Personal Data Processing means any operation, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, or control of information. Also modification, communication, transfer, dissemination or mining of personal data.

2. SOURCES OF PERSONAL DATA

In order to build and maintain our relationship of partnership and trust with our clients, it is important that you are aware of how we process your Personal Data, and especially of how and where we collect your Data.

FR Website. A client focused website managed by FR, including sites that we operate under our own domains/URLs and commercial web pages that we maintain on third-party social networks, such as Facebook and LinkedIn.

Email, text messages and other electronic messages. Interactions we have with you, such as electronic communications sent by FR via email, for example.

Registration forms. Printed or digital or similar forms by which we request your Personal Data, for example forms shared on digital platforms such as Google Drive.

Interactions with ads. Interactions with our ads (for example, if you interact with one or more of our posts on a third-party website, we may receive information about such interaction).

Data from other sources. Third-party social media (such as Facebook, LinkedIn, and Google), market research (if return is not anonymized), public sources and data received when acquiring or merging with other companies.

3. COLLECTED PERSONAL DATA

We collect the following types of data about you, as follows:

– FR uses all information collected through registration forms completed by users on this website or automatically for the purpose for which you provided the information;

– Personal contact information: basically full name and email address, in addition to complementary information when you become an FR client and/or supplier.

FR does not collect and does not process personal data defined as sensitive by the General Data Protection Law (GDPR), understood as such data related to: racial or ethnic origin, religious conviction, political opinion, labor union membership or memberships in religious, philosophical, or political organizations, data regarding health or sexual life, genetic or biometric data. Whenever we find it necessary to process your Sensitive Personal Data, we will inform you of the intended purpose and rely on your prior and express consent, where this is a legal requirement.

Children’s Personal Data: FR does not collect and does not process children's personal data. Where the collection of children's personal data is absolutely necessary, consent must be obtained from the person responsible, and such data will be used only once only and will not be stored by FR.

4. USE OF PERSONAL DATA

FR processes your Personal Data, mainly to enable our business relationships feasible and to fulfill some contractual and legal obligations, abiding by the stated purposes and the authorization previously granted when there is a legal requirement to collect such data.

In addition, the information collected may, with your prior consent, be used for advertising purposes, such as sending communications and news that are of interest to you.

FR may use your Personal Data to provide information about its services (e.g. marketing communications). This can be done by means such as email, to the extent permitted by the applicable law.

Such use of your Personal Data is not mandatory, which means that you may request the deletion of your Personal Data from our database at any time, and we will then discontinue the processing of your data for such purposes.

Customization of your preferences (offline and online). FR uses your Personal Data to:

(I) Analyze your preferences and habits;

(II) Anticipate your needs, based on our analysis of your profile;

(III) Improve and customize your experience on our website and applications;

(IV) Ensure that the content of our website and applications is optimized for you and your computer or device;

(V) Send targeted advertising and content, and

(VI) Allow you to participate in interactive functions, when you decide to do so.

Legal reasons or merger/acquisition. If FR is acquired by or merged with another company, we will share your Personal Data with our legal successors.

We will also disclose your personal data to third parties (i) when required by the applicable law; (ii) in response to legal procedures; (iii) in response to a request from the competent legal authority; (iv) to protect our rights, privacy, security or property; or (v) to enforce the terms and conditions of any agreement or the terms and conditions of our website.

5. COOKIES AND OTHER TECHNOLOGIES

A cookie is a small file added to your device or computer by websites you visit. They are widely used to make websites work, or work more efficiently, and also to provide a customized access experience and provide information to website owners.

We may eventually use cookies to improve the use and functionality of FR websites and better understand how our visitors use our websites, as well as the tools and services offered on them. Cookies help us adapt the FR website to your personal needs, make it increasingly easier to use, receive customer satisfaction feedback and communicate with you from other internet websites.

What cookie categories may be used on FR websites:

Session Cookies. These are temporary cookies that are deleted when you close your browser. When you restart your browser and return to the website that created the cookie, that website treats you as a new visitor.

Necessary Cookies. These are cookies strictly necessary for the operation of the FR website. They allow you to browse the website and use our resources. You may not reject such treatment or disable such cookies.

Other similar technologies. The FR website may use other tracking technologies, including IP addresses and log files, which also help us adapt the website to your personal needs.

IP address. An IP Address is a number that computers on the network use to identify your computer each time you connect to the internet. We may register IP Addresses for the following purposes: (I) technical troubleshoot problems (problems that a product, process, or operating system may present); (II) maintenance of the website protection and security; (iii) to better understand how our website is used; and (iv) content better suited to your needs, depending on where you are.

Registry Files. FR (or a third party on our behalf) may collect information in the form of Registry Files that store website activities and collect statistics about user navigation habits. In general, such files are generated anonymously and help us collect (I) the user's browser type and system; (II) information about the user's session (such as its source URL, date, time, and which pages the user visited on our website and how long they remained on it); and, (iii) other browsing or click count data.

6. SHARING PERSONAL DATA

During our business relationship, FR will share your Personal Data with some entities or organizations.

Service providers: Companies we use to assist us in operationalizing our business. In such cases, only selected employees will be authorized to access your Personal Data on behalf of FR for the specific tasks that are requested from them, based on our instructions. Moreover, providers with which we share your Personal Data are obliged to keep the data confidential and secure.

Third-party companies that use Personal Data for their own marketing purposes: We do not license or sell your Personal Data to third parties for their own marketing purposes. Should this occur, we will ask for your consent, stressing the purpose for which it is intended. The identity of such companies shall be disclosed as soon as your consent is requested.

Third parties that use your Personal Data for legal reasons or due to a merger/acquisition: we will share your Personal Data with third parties for legal reasons or in the context of a merger or acquisition.

7. THIRD PARTIES THAT USE YOUR PERSONAL DATA FOR LEGAL REASONS OR DUE TO A MERGER/ACQUISITION: WE WILL SHARE YOUR PERSONAL DATA WITH THIRD PARTIES FOR LEGAL REASONS OR IN THE CONTEXT OF A MERGER OR ACQUISITION.

We will use your personal data for as long as is necessary to achieve the purposes for which it was collected or to comply with applicable legal obligations.

User information may be retained for compliance with legal or regulatory obligations, transfer to third parties – provided that data processing requirements are complied with – and exclusive use of FR, including for the exercise of our rights in court or administrative proceedings.

8. YOUR RIGHTS

As Data Subject and as our client, you have the following rights with regard to your Personal Data:

1. Access and review your Personal Data and request an electronic copy of the information we hold about you;

2. Correct or request correction of incomplete, inaccurate or outdated Personal Data;

3. Request anonymization, blocking or deletion of unnecessary and excessive Personal Data;

4. Request the portability of Personal Data to another supplier of similar products or services;

5. Request the deletion of Personal Data collected and used on the basis of your consent;

6. Obtain information about public or private entities with which we share your Personal Data;

7. When the processing activity needs your consent, you may deny consent. In such case, we will inform you about the consequences of not performing such activity;

8.When the processing activity requires your consent, you may at any time revoke it.

To exercise your rights, use the channels provided at the end of this Policy.

9. MAINTAINING THE SECURITY OF YOUR PERSONAL DATA

FR uses appropriate measures (described below) to keep your personal data confidential and secure. Note, however, that such protections do not apply to information that you have chosen to share in public areas, such as third-party social networks.

Persons who may access your personal data. Your Personal Data will be processed by our employees or authorized agents, provided that they need access to such information, depending on the specific purposes for which your Personal Data has been collected.

Measures in operating environments. We store your Personal Data in operating environments that use reasonable security measures to prevent unauthorized access. We follow reasonable protocols to protect Personal Data. The transmission of information over the Internet is unfortunately not completely secure and, although we endeavor our best efforts to protect your Personal Data, we cannot guarantee the security of data during transmission by our websites/applications.

Measures we expect you to take. Your role is critical to keeping your Personal Data safe. When you create an online account, please make sure you choose a password that is difficult for others to guess. You are responsible for keeping such password confidential in any use of your account. If you use a shared or public computer, never choose the option to remember your login ID, email address, or password and make sure you have exited your account (“log out”) each time you leave the computer. You should also use any privacy settings or controls that we provide on our website or application.

We have adopted strict policies and procedures that determine how personal data should be processed. Such standards are intended to ensure proper and lawful processing of your Personal Data.

Our security measures are continuously monitored and reviewed according to the latest technological advances and organizational resources.

To ensure information security, FR exercises its activities based on the following pillars:

• Confidentiality: Ensuring that information is only accessible to authorized persons;

• Integrity: Ensuring that information, whether stored or in transit, is not subject to any unauthorized modification, whether intentional or not;

• Availability: Ensuring that information is available whenever necessary.

FR considers as information assets all information generated or developed for the business that may exist in various forms, such as: digital files, equipment, external media, printed documents, systems, mobile devices, databases and conversations.

FR determines that, regardless whether shared or stored, information assets should be used only for their duly authorized purpose, subject to monitoring and auditing.

FR establishes that all Cielo's proprietary information assets are tied to a responsible person and that it is appropriately classified according to the criteria established in a specific standard and adequately protected from any risks and threats that might compromise the business

10. USE AND DISCLOSURE OF YOUR PERSONAL DATA

We do our utmost to give you choices about the Personal Data you provide to us. The following mechanisms give you the following control over your Personal Data:

Cookies/similar technologies. You can manage your consent through your browser settings. To decline some or all Cookies/similar technologies, or to alert you when they are being used.

Advertising and marketing. If you decide that you no longer wish to receive the communications we send to you relating to marketing, you may revoke your consent at any time by following the instructions provided in such communications. To unsubscribe from marketing communications sent by any means, you may, at any time, revoke your consent through the links available in our communications. Please note that even when you unsubscribe from our marketing communications, you will still receive our administrative communications, and other important non-marketing communications.

11. POLICY CHANGES

If FR changes the way it handles your Personal Data, we will update this Policy.

We reserve the right to make changes to our practices and this Policy at any time. Please access it frequently to check for any updates or changes.

12. CONTACT

For any queries or comments on this Policy and our privacy practices, or to make a complaint, please contact us by email at privacidade@agenciafr.com.br, or personally at Rua Alves Guimaraes, 309, Pinheiros, São Paulo, SP, Brazil, by attaching a copy of your ID Card/driver's license.

If the request is submitted by a person other than you without providing evidence that the request is legitimately made on your behalf, the request will be rejected. Please note that any identification information provided by FR will only be processed in accordance with the applicable laws.

We will receive and investigate any complaints about how we manage Personal Data, including claims about non-compliance with your rights under applicable privacy laws and regulations.