Privacy Policy
Engage Serviços de Informática Ltda – Engage reserves the right to change this Personal Data Privacy Policy (“Engage Policy”) at any time, without prior notice.
Engage’s principle is the preservation and protection of your privacy and Personal Data. Engage is committed to ensuring the privacy of Personal Data collected for the exercise of its business activity and the business activity of its clients, as well as complying with the General Data Protection Law – LGPD (Law 13.709/18) and applicable regulations on the processing of Personal Data.
It is also essential to read the Terms and Conditions of Use of the Engage Platform, https://engage.bz/termos-gerais/, as it explains issues related to its use.
Any questions about applicable legislation and processes involving the handling of Personal Data by Engage, including Sensitive Personal Data, should be directed to the “Data Protection Officer” at lgpd@engage.bz, whose function is to supervise Data Protection.
1. Definitions
The following terms and expressions shall have the meanings defined below:
“National Data Protection Authority” or “ANPD” means the public administration body responsible for ensuring, implementing and monitoring compliance with the LGPD throughout the national territory.
“Engage Collaborators” means all Engage collaborators, including: partners, employees, directors, interns, apprentices and any other person who has a direct link with the company.
“Consent” means a freely given, informed and unequivocal expression of agreement by which the data subject consents to the processing of their Personal Data for a specific purpose.
“Data Controller” means a natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of Personal Data.
“Anonymized Data” means data relating to the data subject that does not allow their identification through the use of reasonable and available technical means at the time of processing.
“Personal Data” means information relating to a natural person that allows for their identification in any way.
“Sensitive Personal Data,” for the purposes of this Engage Policy, means Personal Data concerning racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
“Data Protection Officer” means a person appointed by the Data Controller and the Data Processor to act as a communication channel with Data Subjects and the National Data Protection Authority (ANPD).
“Engage” means ENGAGE SERVIÇOS DE INFORMÁTICA LTDA – CNPJ: 22.557.336/0001-92.
“LGPD” means General Data Protection Law (Law 13.709/18).
“Data Processor” means a natural or legal person, of public or private law, who processes Personal Data on behalf of the Controller.
“Engage Data Retention Principles” means the document that sets out the general rules for data storage and disposal adopted by Engage.
“Data Protection Impact Assessment Report” or “DPIA” means documentation from the Data Controller that contains a description of the Personal Data processing activities that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards and risk mitigation mechanisms.
“Data Subject” means the natural person to whom the Personal Data being processed refers.
“Data Processing” or “Processing” means any operation performed on Personal Data, such as: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction of Personal Data.
“Users” refers to both the “Contracting User” and the “Collaborating User”.
“Collaborating User” refers to the employees of Engage’s clients who will have access to the platform to carry out training and other functionalities, according to what is agreed between the “Contracting User” and Engage.
“Contracting User” means the user (client) who contracts one of Engage’s plans and will have access to the platform and all its functionalities, including the creation of training courses, which will be carried out by “Collaborating Users”.
2. Objective
2.1. The objective of this Privacy Policy is to define the main rules and principles for the processing and handling of Personal Data in the execution of Engage’s activities, in order to guarantee an adequate level of security, through protection actions, in alignment with the LGPD (Brazilian General Data Protection Law) and other regulations that establish rules on the subject.
2.2. This Engage Privacy Policy encompasses all types and categories of Personal Data processed by Engage, including Sensitive Personal Data, collected from contracting users.
3. Purposes and Legal Basis for the Processing of Personal Data
3.1. All Engage’s data processing (including, but not limited to: collection, storage, use, distribution and disposal) will be carried out exclusively for the following purposes: (i) prospecting, negotiation and making personalized and direct contact with Contracting Users; (ii) contractual obligations to Users (including access by Collaborating Users to services contracted, via the Engage platform, by Contracting Users); (iii) contractual obligations to the service provider or supplier; (iv) product improvement; (v) marketing and sending marketing messages to maintain Users; (vi) compliance with legal and regulatory requirements; (vii) tax and fiscal requirements; (viii) regular exercise of rights.
3.2. The collection of Personal Data will be limited to the data strictly necessary for the fulfillment of the purposes indicated above.
3.3. For prospecting and negotiation purposes with Potential Users, the following Personal Data will be collected and used: name, email, telephone number, and function/position.
3.4. For the purposes of contractual obligations with Contracting Users, especially: proposal for contract renewal; provision of support services to Contracting Users; making the platform available to Users; platform onboarding; gamification of the platform; creation of registration for Collaborating Users for the provision of the service; monitoring of activities so that the platform can fulfill its purpose – as provided for in the Terms and Conditions of Use and on our website; sending reminders and notifications to Collaborating Users about new game stages, results and new functionalities; the following Personal Data may be collected and used: name, CPF/MF (Brazilian tax identification number), RG (Brazilian identity card number), address, telephone number, email, function/position, professional information, signature, date of birth, financial data, login, IP address.
3.5. For contractual obligations with service providers and suppliers, the following Personal Data will be collected and used: name, address, telephone number, email, CPF, and financial data.
3.6. For product improvement purposes, the following Personal Data will be collected and used: name, telephone number, email, CPF, login, IP address.
3.7. For marketing purposes, the following Personal Data will be collected: name, email, telephone number, function/position.
3.8. For tax and fiscal purposes, the following Personal Data will be collected: name, CPF/MF, email, signature, and bank details.
3.9. For the purposes of exercising rights in a regular manner, the following Sensitive Personal Data will be collected: photo for creating an avatar on the gamified platform.
3.10. When using Engage’s services, it is the responsibility of the Contracting User (Data Controller) to register Collaborating Users, including the following data: name; email and CPF (Brazilian tax identification number). Only the Contracting User has direct control over the insertion and management of Collaborating User data on the Engage platform.
3.11. Except as provided in item 3.10, after collection, Personal Data, including Sensitive Personal Data, will be processed by Engage and contracted companies for the fulfillment of the specific purposes mentioned above, and will also be stored by Engage for the period necessary to fulfill the purpose and comply with legal obligations, as provided in item 4 of this Policy.
3.12. The following are legitimate grounds for the Processing of Personal Data by Engage:
(a) Compliance with a legal or regulatory obligation by Engage;
(b) Performance of a contract or preliminary procedures related to a contract to which the Data Subject is a party, at the request of the Data Subject;
(c) Regular exercise of Engage’s rights in judicial, administrative or arbitration proceedings;
(d) Legitimate interests of Engage or third parties, except where the fundamental rights and freedoms of the Data Subject prevail and require the protection of Personal Data.
3.13. The following are legitimate grounds for the Processing of Sensitive Personal Data by Engage:
(a) Specific, explicit and unequivocal consent by the Data Subject, or their legal representative, when applicable, for the specific purposes, collected through the ‘Consent Form’;
(b) Compliance with a legal or regulatory obligation by Engage; and
(d) The regular exercise of Engage’s rights, including in contracts and in judicial, administrative and arbitration proceedings.
4. Storage, Handling and Disposal of Personal Data
4.1. As a general rule, the storage of Personal Data, including Sensitive Personal Data processed by Engage, when acting as a Data Processor, shall follow the following timeframes:
Contracts with Suppliers and Service Providers: 10 years
Commercial Contracts: 10 years
Accounting Documents: 5 years
Marketing Documents: time necessary for the fulfillment of the purpose or exercise of the opt-out by the Data Subject
4.2. After the fulfillment of the timeframes described above, Personal Data, including Sensitive Personal Data, must be disposed of within the scope and technical limits of the activities, with retention authorized for the following purposes: (i) compliance with a legal or regulatory obligation by Engage; (ii) execution of a contract or preliminary procedures related to a contract to which the Data Subject is a party; (iii) transfer to a third party, provided that the requirements for the processing of Personal Data set forth in the General Data Protection Law are respected; (v) when necessary to meet the legitimate interests of the Controller or third parties; and (iv) exclusive use by Engage, access by third parties being prohibited, and provided that the data is anonymized.
4.3. Personal Data entered and managed on the Engage Platform by Contracting Users may be stored for up to 30 days after the termination of use of the platform and as directed by the Contracting User (Data Controller). The data of the Collaborating User is the responsibility of the Contracting User.
5. Storage and Sharing of Personal Data
5.1. Engage internally limits access to processed Personal Data only to the individuals necessary for fulfilling the purpose. Engage guarantees that, if authorized sharing with third parties occurs, such third parties are bound by the conditions of Personal Data Protection established in the LGPD (Brazilian General Data Protection Law).
5.2. In cases where the processing of Personal Data is carried out by a sub-operator on behalf of Engage, Engage will choose a subcontractor that has sufficient technical and organizational security conditions to ensure that the processing of Personal Data is carried out in accordance with this Policy. Engage must require the subcontractors’ agreement to this Policy.
5.3. Engage employees will sign an independent contractual clause or confidentiality agreement regarding Personal Data relating to employees, users, suppliers, contacts, and other third parties to which they have access due to their work.
5.4. Engage stores the collected Personal Data on a cloud server called AWS. To access the Privacy Policy of this server, simply access the following link: https://aws.amazon.com/pt/archive/
5.5. In addition, Engage may share Personal Data with Engage Partners, which currently are:
(a) GitHub: Version control system for the application’s source code (https://github.com)
(b) Freshdesk: Incident logging system (helpdesk) (https://engagebz.freshdesk.com)
(c) Ionic: Service for providing live updates of the Engage Application (https://dashboard.ionicframework.com/)
(d) Cloudflare CDN (Content Delivery Network) service: System for static files such as web pages, images and other content files.
(e) Office 365, Office Suite and Microsoft Teams (https://office365.com)
6. Geographic Scope
6.1. This Engage Privacy Policy applies to the collection and other forms of processing of Personal Data occurring in Brazil.
7. Engage Privacy Principles
7.1. The processing of data under Engage’s responsibility shall be carried out in accordance with applicable laws and regulations, as well as this Engage Privacy Policy, observing the following principles:
(a) Personal Data, including Sensitive Personal Data, must be obtained fairly, lawfully and transparently. Whenever necessary, the express consent of the Data Subject must be collected clearly and unequivocally, through a ‘Consent Form’;
(b) The Data Subject has the right to information about their processed Personal Data, except if its provision is impossible or requires disproportionate effort on the part of Engage;
(c) The collection of Personal Data must be carried out only for specific, explicit and legitimate purposes, and the processing of data for other purposes is prohibited. The sharing of data with third parties will be for the purposes previously specified or otherwise permitted or required by applicable laws, and will not be processed subsequently in a manner incompatible with these purposes;
(d) Engage will implement appropriate technical and organizational controls and procedures to ensure the security of Personal Data, including Sensitive Personal Data, and to prevent unauthorized access or disclosure, which could result in eventual alteration, accidental or unlawful destruction, loss of data and all other unlawful forms of processing of Personal Data. Considering legal obligations and best practices, technical measures must be adopted to ensure a level of security appropriate to the risks represented by the processing and nature of the Personal Data to be protected;
(e) The retention of Personal Data, including Sensitive Personal Data, must be for a period no longer than is indispensable for the specific purposes for which it was obtained, except when a different period is required by applicable law or regulation or when a different period is stated in the specific consent obtained. The retention of this data must be limited to the time necessary to achieve the purposes for which the processing is intended. Once these objectives have been achieved, the data must be deleted or, at least, devoid of any element that allows the identification of its Holders;
(f) If a Data Protection Impact Assessment (DPIA) is necessary, it must be prepared incorporating the principles of Article 6 of the LGPD (purpose; adequacy; necessity; free access; data quality; transparency; security; prevention; non-discrimination; accountability and reporting);
(g) Procedures must be implemented to ensure responses to requests from Data Subjects, guaranteeing the proper exercise of the right of access, rectification, and refusal of data processing, except when the LGPD otherwise authorizes it;
(h) For greater information security, the review and management of access permissions to the network and internal systems by employees must be implemented;
7.2. In the processing of Personal Data, no Engage Employee and/or Personal Data Operator is permitted to:
(a) Retain papers, letters, emails, or any other document or Personal Data without Engage’s authorization;
(b) Intercept telecommunications or use devices for listening, transmitting, recording, or reproducing sound or images, or any other communication signal without legal authorization to violate privacy and Personal Data;
(c) Seize, use, or modify without authorization the Personal Data of Engage Employees, their family members, or third parties that are physically or digitally registered in any form of public or private record;
(d) Access or remain on computer data or programs in violation of security measures and without authorization; and,
(e) Disclose, reveal, or transfer Personal Data without the Data Subject’s authorization or an appropriate legal basis.
7.3. The definitive deletion of Personal Data may occur:
(a) Autonomously by the employee user;
(b) By the Contracting User upon request of the employee user;
(c) Automatically, after the employee user is deactivated;
(d) After the termination of the contract between Engage and the Contracting User, Engage will be responsible for backing up the database with the termination date and storing this backup for a period of 30 days for possible use by the Contracting User.
(e) Backups generated by Engage are deleted 10 days after they are generated, therefore all backups will be deleted 10 days after the contract ends.
8. Rights of Personal Data Subjects
8.1. The Data Subject must receive information about the processing of their Personal Data, whenever possible (depending on the operation, contract or service), at the time of collection. The minimum information for any situation is:
(a) Name of the Controller;
(b) Type of Personal Data collected;
(c) Purpose of the Processing;
(d) Whether the Personal Data will be sent for processing by third parties;
(e) Their right to access, rectify and update their Personal Data and how to exercise it; and,
(f) Their right to withdraw consent and delete Personal Data and how to exercise it.
8.2. Engage will respect the rights of the Data Subject as required by law. In particular, Engage will facilitate the rights of Data Subjects related to: (i) access to information; (ii) confirmation of the existence of processing and access to data; (iii) correction of incomplete, inaccurate or outdated data; (iv) anonymization, blocking or deletion of unnecessary, excessive or unlawfully processed data; (v) objection to processing; (vii) objection to automated decision-making and profiling; (viii) restriction of processing; (iv) data portability; (x) deletion of data, as applicable in each case;
8.3. The information provided in this item may be made available in Impact Reports, in the terms of use of its website, or in contracts signed with collaborators, suppliers, and users.
8.4. Engage undertakes to support the Contracting User in the demands of Data Subjects in which it participates in the respective processing of Personal Data.
8.5. As provided for in the General Data Protection Law, you may, whenever you wish, request which of your data we hold.
8.6. You may also correct, change, or update any data, and you have the right to request that your data be deleted at any time, provided that you do not use or no longer wish to use the Platform. Remember that, if there is any legal or regulatory requirement, Engage is obliged to keep your data for the period required by law.
9. Actions for Implementing the Personal Data Privacy Policy
9.1. Engage will conduct a training program to guide its employees on the necessary precautions and processes for handling Personal Data, in accordance with this Engage Policy. The importance of data protection will be reinforced in Engage’s daily operations, not only through the training program but also by sharing practical examples through awareness sessions.
9.2. The training will be based, at a minimum, on this Engage Policy and the LGPD (Brazilian General Data Protection Law).
9.3. Engage has a Data Protection Officer, responsible for collaborating on the privacy strategy for Personal Data processed by the company, as well as monitoring its effectiveness. The Data Protection Officer is also designated to respond to and assist Data Subjects and the ANPD (Brazilian National Data Protection Authority), and their contact information is available on all Engage communication channels.
Data Protection Officer (DPO) Engage: Ricardo Carvalho
Contact via email: lgpd@engage.bz
10. Communication Log
10.1. Engage will maintain an internal process, centralized in the Data Protection Officer, for receiving communications/complaints regarding the processing of Personal Data. Therefore, any and all communications/complaints should be sent to the Data Protection Officer, Ricardo Carvalho, via email: lgpd@engage.bz
10.2. Complaints/requests will be evaluated and answered within the deadlines and in the manner established in the LGPD (Brazilian General Data Protection Law) and by the regulations issued by the ANPD (National Data Protection Authority).
11. Mutual Assistance and Cooperation with the National Data Protection Authority
11.1. Engage, as the Controller, will cooperate with the ANPD on matters related to the privacy of Personal Data under its processing, within the limits of the LGPD, maintaining its right to a fair hearing.
11.2. If the ANPD requests information or issues any order, any Employee who receives the information/order must immediately inform the Data Protection Officer. The Data Protection Officer must prepare the response to the Authority, with the support of Engage Employees, Operators/Service Providers who may be involved, administrators and managers.
11.3. The Data Protection Officer will be the direct and primary contact between Engage and the ANPD (Brazilian National Data Protection Authority).
12. Effective Date and Term
12.1. This Engage Privacy Policy will come into effect on November 11, 2021, for an indefinite period.
13. General Provisions
13.1. In the event of a compromise of Personal Data processed by Engage, any Employee or third party who becomes aware of it must immediately notify the Data Protection Officer. After assessing the risks, the Data Protection Officer will be responsible for communicating this to the ANPD and the Data Subjects, if applicable. If notification to the ANPD is necessary, it must include: (a) a description of the type and category of Personal Data affected; (b) which Data Subjects were involved; (c) the measures used to protect the data, respecting the limits of commercial and industrial secrets; as well as (d) in the event of a delay in responding to the incident, the reason.
13.2. It is the responsibility of every Engage Employee to comply with the Engage Policy. Failure to comply with these privacy rules and principles may result in disciplinary action, in accordance with applicable human resources procedures and local laws.
13.3. The Data Protection Officer must ensure regular reviews and updates of the Engage Policy, for example, as a consequence of changes in the corporate structure and the regulatory environment. Thus, the definition and updating of the technical and organizational measures to be implemented in the processing of Data, in accordance with legal provisions, must be drafted with the assistance of the Data Protection Officer and will only come into effect upon their review and approval.