Privacy Policy

ENSO Consulting respects the privacy of holders whose personal data is under its control, always being guided by good faith and the ethical use of this data. As a way to achieve these objectives, this Policy presents you with the guidelines and responsibilities for implementing and maintaining the company's good governance practices in privacy and personal data protection.

We kindly ask that you read this Policy carefully so that you understand our Personal Data processing practices.

This Policy applies to individuals, such as customers, suppliers or interested parties, who interact with the services provided by ENSO Consulting. It shows how you can access and update your Personal Data and exercise your rights relating to it.

For more information about the processing of personal data carried out within the scope of ENSO Consulting's activities, please contact the Personal Data Protection Officer - DPO through the channel provided at the end of this document.

1. FOR WHAT PURPOSES DO WE COLLECT PERSONAL DATA

ENSO Consulting processes the Holders' personal data for the following purposes and always in accordance with the legal bases established by Law No. 13,709/18, the General Data Protection Law (“LGPD”):

• For guidance and responses to interested parties;

• For recruitment processes, candidate selection and CV database maintenance;

• For internal and external training;

• For the registration of customers and suppliers;

• Participation in administrative and judicial proceedings and possible preparatory or mitigating measures;

• Formalization and registration of corporate acts.

2. DATA WE COLLECT AND HOW WE COLLECT IT

The collection of personal data varies according to the Holder's interaction with ENSO Consulting. Below are the main categories of personal data that may be subject to processing, related to some examples of the Owner's interaction:

• Personal information of interested parties: This includes any information you provide to us through the electronic contact form on our website. The main data collected are: Full name, email address, company name, landline and cell phone.

• Personal information of our employees and their beneficiaries: Includes the necessary information, in line with legislation, to operate the personnel department and people management processes. The main data collected are: Full name, email address, company name, landline and cell phone, social security data, ID, CNH, affiliation, education, professional experience, dependents, race, sex, social security documents, medical certificates and health conditions are usually necessary in relation to employees and, possibly, providers, in the management of the area of human resources and occupational health. The sensitive data of employees and their beneficiaries, when necessary, will be treated in accordance with the guidelines of the General Personal Data Protection Law-LGPD.

• Personal information from customers or suppliers: Includes information necessary for the execution of service supply contracts or the acquisition of goods or services. The main data collected via email are: Full name of partner or administrators, financial information, email address, company name, landline and cell phone.

• Personal information from children or adolescents: ENSO CONSULTING does not collect personal data from children or adolescents, but if necessary, due to marketing campaigns or internal actions, the appropriate terms of express consent from a parent or responsible and complied with the guidelines of the General Personal Data Protection Law-LGPD for the topic.

No sensitive data will be collected from our interested parties, understanding those defined in arts. 11 et seq. of the Personal Data Protection Law-LGPD. Thus, there will be no collection of data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.

Occasionally, other types of data not expressly provided for in this Privacy Policy may be collected, provided that they are provided with the user's consent, or that collection is permitted based on another legal basis provided for by law.

3. HOW LONG YOUR PERSONAL DATA IS STORED

Personal data collected by ENSO Consulting is maintained in accordance with the principles of purpose, necessity and adequacy. ENSO Consulting will keep personal data:

• For the time required by law;

• Until the end of the processing of personal data;

• For the time necessary to preserve ENSO Consulting's legitimate interests.

The processing of personal data will be terminated in the following cases:

• When the purpose for which the Holder's personal data was collected is achieved and/or the personal data collected is no longer necessary or relevant to achieving such purpose;

• When the Owner has the right to request the termination of processing and the deletion of their personal data and does so;

• When there is a legal determination in this regard. In these cases of termination of processing of personal data, except in the cases established by applicable legislation or this Privacy Policy, personal data will be deleted.

Once the storage periods for personal data have expired, they are removed from our databases or anonymized, except in cases where there is the possibility or need for storage due to legal or regulatory provisions.

4. SHARING OF PERSONAL DATA WITH THIRD PARTIES

ENSO Consulting may share personal data of the Holders with regulatory bodies, public agents, third parties or business partners that are relevant for the purposes of enabling the services provided by ENSO Consulting or maximizing the quality and efficiency of its services and commercial operations. The collected data may be shared with the following third parties, based on the purposes described below:

• Operators of health plans and/or other benefits;

• Request from competent authority, in order to respond to or defend oneself in investigations, legal measures, legal proceedings or to investigate, prevent or take measures regarding illegal activities, suspected fraud or situations involving potential threats to the physical safety of any person or if otherwise required by law;

• Cloud database platforms that help ENSO Consulting in carrying out its services. For these cases, a careful analysis is previously carried out by ENSO Consulting on the third party's data governance and information security practices.

5. DATA TRANSFER TO OTHER COUNTRIES

Although ENSO Consulting's operation is exclusively national, some service providers, such as services that host information in the cloud, may involve the transfer of personal data to a foreign country. For these cases, ENSO Consulting will previously carry out a careful analysis of the third party's data governance and information security practices and their compliance with the General Personal Data Protection Law-LGPD.

6. RIGHTS OF PERSONAL DATA SUBJECTS

ENSO Consulting is committed to adopting effective measures to guarantee all rights of holders of personal data controlled by it, as specified by the General Personal Data Protection Law - LGPD and other Brazilian laws and regulations applicable to privacy and data protection. personal data. In particular, the legal rights of personal data holders are:

• Confirmation of the existence of processing of your personal data by ENSO Consulting and access to the data.

• Correction of incomplete, inaccurate or outdated personal data under the control of ENSO Consulting.

• Anonymization, blocking or deletion of personal data that is unnecessary, excessive or processed by ENSO Consulting in non-compliance with the provisions of the law, as well as opposition to the processing of personal data by ENSO Consulting in the same circumstances.

• Data portability to another provider of services similar to those of ENSO Consulting, upon express request and observing business secrets, as this right may be regulated by the public authorities.

• Information from public and private entities with which ENSO Consulting may share personal data.

• Information on the possibility of not providing consent to the processing of personal data by ENSO Consulting and on the consequences of refusing consent, as well as the rights to withdraw that consent at any time and to delete personal data processed based on it, which may this data will be kept by ENSO Consulting for exclusive use in other lawful purposes that do not depend on consent or through anonymization.

• Possibility of reviewing decisions that affect your interests and are taken by ENSO Consulting solely based on the processing of personal data in an automated manner.

To ensure that the user who intends to exercise their rights is, in fact, the holder of the personal data subject to the request, we may request documents or other information that can assist in their correct identification, in order to protect our rights and the rights of third parties. This will only be done, however, if absolutely necessary, and the applicant will receive all related information.

7. SECURITY MEASURES IN THE PROCESSING OF PERSONAL DATA

ENSO Consulting adopts technical and organizational information security measures compatible with the state of the art and the assessed level of risk to guarantee the confidentiality, integrity, availability and resilience of its computerized systems, databases, physical files and other information repositories, in order to avoid unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or dissemination of personal data. The risks and measures and protocols adopted will be recorded in policies and other regulatory documents that are mandatory for people under the responsibility of ENSO Consulting, and must be reviewed and updated with reasonable frequency and upon the occurrence of relevant events.

ENSO Consulting maintains a security incident response plan that ensures the rapid assessment, interruption, remediation and, when necessary, mitigation and repair of damage caused by incidents. Records of security incidents will be maintained, identifying the categories and holders of personal data potentially affected, to enable immediate communication of these incidents to the competent authorities and respective holders in accordance with the law, with the commitment to assist them in good faith in mitigation or repair of the damage actually suffered.

8. PROCEDURES IN THE EVENT OF PERSONAL DATA BREACH

Any breach of personal data or possibility of breach must be urgently and immediately reported to the Personal Data Protection Officer - DPO, who will be responsible for carrying out the initial analysis and adopting immediate prevention and correction measures necessary to preserve the security of data and information.

In the event of a security incident that may result in significant risk or damage to the Holders, ENSO Consulting will adopt the appropriate legal measures, including informing the Holder about the event.

Without prejudice to any other means of administrative or judicial recourse, holders of personal data who feel, in any way, aggrieved, may lodge a complaint with the National Data Protection Authority-ANPD.

9. CHANGES TO THIS POLICY

This version of this Privacy Policy was last updated on: 07/02/2022.

ENSO Consulting reserves the right to change this Privacy Policy at any time by publishing the updated version on our website. In case of material changes to this Privacy Policy, the Owner will receive a notice in this regard.

10. PERSONAL DATA HOLDER CUSTOMER SERVICE CHANNEL

To clarify any doubts about this Privacy Policy or the personal data we process, please contact our Personal Data Protection Officer, through the channel mentioned below:

e-mail: dpo@ensoconsulting.com.br

Tel: 55 (11) 4506-3253