Privacy Police

Introduction

This Privacy Policy expresses our commitment to process your personal data in a responsible and ethical way, also in line with our principles , values and, particularly, in compliance with Federal Law no. 12.965 of April 23, 2014 (Marco Civil da Internet), Federal Law no. 13.709 August 14, 2018 (Personal Data Protection Law) and EU Regulation no. 2016/679 of April 27, 2016 (European General Data Protection Regulation - GDPR).

This Privacy Policy contains information on how we process our customers' personal data, as whole or partial, whether automated or not. Its purpose is to clarify for interested parties the types of data that are collected, the reasons for collection, the purpose, how and where we store it, with whom we share it and how the user can update, manage or delete this information. It also sets out your rights in relation to your personal data and who you can contact for further information or clarification on this subject.

Scope

All administrators and employees of Dengine Informática ltda, hereinafter referred to as Dengine - SCORB Product, as well as third parties, service providers and/or suppliers who have access to this company's customer information.

Initial Arrangements

This Policy aims to demonstrate Dengine - SCORB Product's commitment to:

• Ensure the privacy and protection of personal data collected from customers, employees and partners of Dengine - SCORB Product, as a result of the performance of its activities.

• Adopt guidelines that ensure comprehensive compliance with standards and good practices relating to privacy and the protection of personal data.

• Promote transparency about the way in which Dengine - SCORB Product processes personal data; and

• Adopt protective measures in relation to the risk of a security incident involving personal data.

Definitions about your privacy

Dengine - Product SCORB establishes all legal requirements to protect your privacy. Our Privacy Policy is a legal statement that explains how we may collect your information, how we may share your information and how you can limit our sharing of your information. You will see some terms in our Privacy Policy that have some very specific meanings, as described below under Definitions.

Definitions

• Personal Data: information relating to an identified or identifiable natural person; data about a natural person, a living individual who can be identified from this data (or from this and other information we hold or may hold).

• Sensitive Personal Data: personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical or political organization, data relating to health or sexual record, genetic or biometric data, when linked to a natural person.

• Usage Data: automatically collected data generated within the usage of the Service or by the Service infrastructure itself (for example, the duration of a visit to the page).

• Cookies are small pieces of data stored on the user's device (e.g., data from websites or links already visited).

• Data Controller: natural or legal person, governed by public or private law, who is responsible for decisions relating to the processing of personal data. Data Operator: a natural or legal person, governed by public or private law, who processes personal data on behalf of the controller.

• Operador dos Dados: pessoa natural ou jurídica, de direito público ou privado, que realiza o tratamento de dados pessoais em nome do controlador.

• Processing Agents: the group of which the controller and the operator are part. For the purposes of this Privacy Policy, we are part of the Data Processing Agents, as we fulfil both the roles of Controller and Operator, since we collect, process, use, share and store your personal data.

• Data Subject: Data Target or Data Subject is any living individual who is the subject of Personal Data

• User: The user is the individual using our service.

Personal information gathered and purpose

Personal information about you or your company is gathered and processed for the delivery of services and other business-related activities, as detailed below:

Personal information arisen from the delivery of services:

personal data may be gathered while providing services to our customer to fulfil any contract. Although we provide our products and services primarily to companies, Dengine - Product SCORB may gather any information it reasonably deems necessary to prepare, enter into and fulfil contractual agreements. The way we use personal data in relation to our services may also vary. For example, our SCORB product may use personal data about a customer's employees to help with Headcount budget control. When your personal data is provided to us by our client, we take steps to ensure that the client has complied with privacy and data protection laws and regulations.

• Applicable legal or regulatory requirements.

• Requests and communications from competent authorities.

• Registration of customer users and other administrative purposes.

• Support service. When we receive support-related contact, we gather your contact information, the description of the problem and possible resolutions. We record the information that is provided to handle the support enquiry for administrative purposes, to promote our relationship with you, for staff training and for quality assurance purposes.

• Financial accounting, invoicing and risk analysis.

• Customer relationship purposes, which may involve: (i) sending content about our products and services; (ii) contacting customers through their representatives to receive feedback on the services provided; and (iii) contact for other market or research purposes.

• To improve your business operations, systems and processes. For example, we may use information to carry out, maintain, audit and optimize our operations, protect our assets and employees for the development or improvement of a product.

• Services we receive from our professional advisers, such as lawyers, accountants and financial advisers.

• For the purposes of due diligence checks relating to services.

• Protection of our rights and those of our clients.

• Selection processes for acquiring new talent. Candidates are referred to the Consent and Privacy Notice for more information;

• For the performance of your employees' employment contract and compliance with labor obligations. When an employee leaves Dengine - Product SCORB, we continue to process information relating to them for any remaining business, contractual, employee, legal and tax purposes, provided this is done solely by Dengine.

• Where there are legitimate interests of Dengine - Product SCORB in offering and delivering our services to you or our customer, as well as for the effective and lawful operation of our business, provided that such interests are not overridden by your interests, fundamental rights and freedoms.

• Compliance with applicable legal and regulatory obligations that may require us to collect, store and share your personal data in order to comply with legal and regulatory provisions, such as

• Keeping records for tax purposes or providing information to a public body or law enforcement agency; (ii) complying with labor and social security obligations; (iii) complying with obligations to combat corruption, money laundering, fraud and irregular conduct.

Likewise, your sensitive personal data will be processed in the following cases:

• By providing your specific and detached consent for the processing of your data.

• When necessary for compliance with applicable legal or regulatory obligations that may require the collection, storage and sharing of your personal data in order to comply with legal and regulatory provisions, such as (i) keeping records for tax purposes or providing information to a public body or law enforcement agency; (ii) complying with labor and social security obligations; (iii) complying with obligations to combat corruption, money laundering, fraud and irregular conduct.

Further information on how we use cookies and other tracking technologies, as well as how you can control them, can be found in the Cookies.

We realize the importance of providing exceptional protection for the privacy and personal data of children and teenagers. Our services and website are not designed for or intentionally targeted at children and adolescents. It is not part of our policy to intentionally collect or store information about this type of public, however, in situations where it may be necessary to collect and use this type of personal data, such as in the provision of services that involve analyzing the personal data of underage dependents, the treatment will take place in the best interests of the child and/or adolescent, under the terms of current legislation.

User Rights

Users have the following rights under the General Data Protection Act:

• Right of confirmation and access: the user's right to obtain confirmation from the company that personal data concerning them is or is not being processed and, if this is the case, the right to access their personal data.

• Right to rectification: the user's right to obtain, without undue delay, the rectification of inaccurate personal data concerning them.

• Right to erasure of data (right to be forgotten): this is the user's right to have their data erased from the organization's records.

• Right to restriction of data processing: this is the user's right to restrict the processing of their personal data, which they can obtain when they dispute the accuracy of the data, when the processing is unlawful, when the organization no longer needs the data for the purposes proposed and when they have objected to the processing of the data and in the event of unnecessary data processing;

• Right to object: this is the user's right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them, and to object to the use of their personal data for profiling purposes.

• Right to data portability: this is the user's right to receive the personal data concerning them that they have provided, in a structured, commonly used and machine-readable format, and the right to transmit this data to another company;

• Right not to be subject to automated decisions: the user's right not to be subject to any decision taken solely because of automated processing, including profiling, which produces effects in their legal sphere or significantly affects them in a similar way.

Users can exercise their rights by sending a written communication by e-mail with the subject "LGDP", specifying:

• Full name or company name, CPF (Individual Taxpayer Registry) or CNPJ (Corporate Taxpayer Registry) number and e-mail address of the user and, if applicable, their representative.

• The right you wish to exercise with the company.

• The date of the request and the user's signature.

• Any document that can demonstrate or justify the exercise of your right.

• The request should be sent to the following e-mail address: [email protected]. The user will be informed if their data is rectified or deleted.

When you submit a request asserting your rights as a data subject, you provide SCORB with personal information, including your name and contact details, which will be used to respond to your request. In some circumstances, in order to verify your identity and ensure that personal information has been disclosed to the correct individual, SCORB may also request a copy of your photo ID, which is deleted immediately after verification of identity. Upon your request, your personal information is processed for the purpose of handling and fulfilling your request, in accordance with SCORB's legal obligations and commitments.

Data Disclosure

Dengine - Product SCORB may share your personal information internally or externally with suppliers or consultants for legitimate SCORB business purposes, to technology companies responsible for storing and ensuring the security of the processing of your data and only if it is strictly necessary in connection with one or more of the purposes described in section 5. We may also need to disclose your personal data if required to do so by law, regulator or during legal proceedings. We may share non-personal, de-identified and aggregated information with third parties for various purposes, including data analysis, research, contributions, eminence content and promotional purposes. Some of our clients may be located in countries outside Brazil or outside the European Union, whose laws may not offer the same level of data protection. In such cases, we will ensure that we take all possible steps to protect your personal data in accordance with our legal obligations. We also provide further details on the transfers described above and the appropriate safeguards used by SCORB with respect to such transfers, by e-mail: [email protected].

Security in the processing of users' personal data

Dengine - Product SCORB undertakes to apply technical and organizational measures to protect personal data from unauthorized access and from situations of destruction, loss, alteration, communication or dissemination of such data. To guarantee security, solutions will be adopted that consider: the appropriate techniques; the costs of implementation; the nature, scope, context and purposes of the processing; and the risks to the rights and freedoms of the user. However, Dengine - Product SCORB disclaims liability for the sole fault of the user, such as when the user transfers their data to a third party. Dengine - Product SCORB also undertakes to notify the user within an appropriate period of time in the event of any breach of the security of their personal data that may cause a high risk to their personal rights and freedoms. A personal data breach is a breach of security that causes the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Finally, Dengine - Product SCORB undertakes to treat the user's personal data confidentially, within the limits of the law.

Personal data retention period

We will keep your personal data in our systems for the longer of the following periods:

• As long as it is necessary for the relevant activity or services. Any retention period required by law.

• The end of the period in which disputes or investigations in relation to the services may arise.

• Fim do período no qual os litígios ou investigações em relação aos serviços possam surgir;

• As long as your consent is valid, in the applicable cases.

• In accordance with current legislation.

The personal data of users who visit our site for commercial purposes will be kept for a maximum of one (1) year.

For our regular customers, we adopt the retention period for as long as the service contract is in force plus 30 days. If this contract is terminated, the personal data shared by the client will be manually deleted. The user’s personal data that visits our website for commercial ends will be kept for a maximum time of one (1) year.

Management of consequences

Employees, suppliers or other stakeholders/publics of interest who observe any deviations from the guidelines of this Policy may report the fact to our Data Officer (DPO), by e-mail: [email protected], and may or may not identify themselves. Internally, failure to comply with the guidelines of this Policy will result in the application of measures to hold agents accountable for non-compliance, depending on the seriousness of the breach.

Responsibilities

Managers, employees and third parties:

Observe and ensure compliance with this Policy and, when necessary, contact the Data Protection Officer (DPO) for advice on situations that conflict with this Policy or when situations described in it occur.

Data Protection Officer (DPO):

• Keeping this Policy up to date in order to ensure that any regulatory/legal changes to the guidelines and general rules established herein are observed.

• Clarify doubts regarding this Policy and its application.

• Accept complaints and communications from data subjects, provide clarification and adopt measures.

• Receive communications from the National Data Protection Authority ("ANPD") and take action.

• Provide guidance to Dengine - SCORB Product employees on the practices to be adopted in relation to the protection of personal data. and

• Adopt initiatives to share information about incidents containing personal data with the ANPD and data subjects, when necessary.

SCORB Data Protection Committee

SCORB's Data Protection Committee has a multidisciplinary organizational structure made up of committed, qualified professionals who know the organization's values, purpose and mission. Its aim is to transform the existing culture towards a new era of absolute respect for the personal data of directors, employees, service providers, clients and partners.

In addition to the ongoing training that it will have to implement, this Committee has various other responsibilities, such as:

• Monitoring the Privacy Programme's indicators and action plans.

• Discuss and make decisions on new personal data processing activities.

• Levelling up knowledge about privacy with stakeholders.

• Ensuring the commitment of employees and institutional partners to the Privacy Programme.

• Evaluate existing data processing and protection mechanisms and propose policies, strategies and targets for compliance.

• Formulating principles and guidelines for personal data management.

Legal Department:

• Clarify doubts regarding the relevant legislation and regulations.

Complementary documentation

• Article 5 of the Brazilian Federal Constitution of 1988.

• Dengine Code of Ethical Conduct - SCORB Product.

• Cookies Policy.

• Brazilian law number 13.709/2018.

• Internal rules and procedures that are constantly improved, approved by the competent authorities and made available to all employees.

Histórico de Revisões

Contact us

SCORB's Data Protection Officer (DPO) is Mrs. Evelyn M. C. Gama. The Data Protection Officer's contact and channel for objections, questions, complaints and comments about this Policy and our privacy practices is [email protected]. We will receive and investigate any complaints about the way we manage Personal Data (including complaints about failure to respect your rights under applicable privacy laws). This Policy takes effect on the date of its approval by the Board of Directors of Dengine - Product SCORB and revokes any documents to the contrary.

Updates

This Privacy and Data Protection Policy may be modified at any time, according to the purpose or need for adequacy and compliance with the provisions of the law or whenever Dengine - SCORB Product deems it necessary. Changes will be publicised by the website www.scorb.com.br. Continued use of Dengine - SCORB Product services or provision of services for Dengine - SCORB Product, as the case may be, after the changes have been publicized shall be deemed acceptance by the customer and third parties of the new terms and conditions. Therefore, we encourage you to periodically review this Policy to be informed of how we are protecting your information.