Font size:

1.           INTRODUCTION

This Policy aims to demonstrate the commitment of

CCR S.A.

Avenida Chedid Jafet, 222, Bloco B, 5º andar, Bairro Vila Olímpia, in the city and state of São Paulo

Corporate Taxpayer’s ID (CNPJ): 02.846.056/0001-97

with the privacy and protection of your Data, in addition to establishing the rules on the Treatment of your Personal Data, within the scope of the services and functionalities of www.ccr.com.br ("www.ccr.com.br"), in accordance with the laws in force, with transparency and clarity with You and the market in general.

As a condition for the access and use of the exclusive functionalities at www.ccr.com.br, You declare that You have read this Policy fully and carefully, being fully aware, thus granting Your free and express agreement with the terms stipulated herein, including the collection of the Data mentioned herein, as well as its use for the purposes specified below. If You do not agree with the provisions of this Policy, You may terminate Your access or use of www.ccr.com.br.

SPECIFIC NOTE FOR CHILDREN AND ADOLESCENTS UNDER 16 YEARS

Please do not register at www.ccr.com.br if you are under 16 years old.

SPECIFIC NOTE FOR LEGAL REPRESENTATIVES

Although we prohibit registration of children and adolescents under the age of 16, parents must supervise the online activities of their underage children.

All activities of adolescents over 16 and under 18 years of age must be assisted by their parents or legal representatives.

2.           ABOUT THE DATA WE COLLECT

2.1.           How we collect Data. Data, including Personal Data, may be collected when You submit it or when You interact with the www.ccr.com.br and services, that includes:

What do we collect?

Why do we collect for?

Registration data

Name

(i)                  Identifying You.

(ii)                To comply with the obligations arising from the use of our services.

(iii)              To expand our relationship, inform you about news, features, content, news and other events that we consider relevant to you.

(iv)              To enhance your experience with us and promote our products and services.

(v)                To comply with our legal and regulatory obligations.

E-mail

Company

Message

Digital Identification Data

IP Address and Logical Source Port

(i)                  Identifying You.

(ii)                To comply with legal obligations of record maintenance established by the Civil Landmark of the Internet - Law 12,965/2014.

(iii)              To comply with our legal and regulatory obligations.

Device (operating system version)

Geolocation

Registers of date, time and each action that You perform

Which screens have you accessed

Session ID

Cookies

2.2.         Required data. Most of our services depend directly on some Data informed in the chart above, mainly Registration Data. If you choose not to provide some of this Data, we may be unable to provide all or part of our services to You.

2.3.           Data Update and Accuracy. You are solely responsible for the accuracy, reliability or lack of it in relation to the Data you provide or for its out-date. Be aware that it is your responsibility to ensure accuracy or keep them updated.

2.3.1.                   Likewise, We are not be under any obligation to process or handle any of your Data if there is reason to believe that such processing or handling may attribute to CCR S.A. any violation of any applicable law or if you are using www.ccr.com.br for any unlawful, illicit, or unethical purpose.

2.4.           Data base. The database constituted through the collection of Data is our property and is under our responsibility, and its use, access and sharing, when necessary, will be done within the limits and purposes of the business described in this Policy.

2.5.           Technologies used. We use the following technology(s):

(i)                  Functionality Cookies, it is up to you to configure your Internet browser if you want to block them. In this case, some features we offer may be limited.

2.5.1.                   All technologies used will always respect the current legislation and the terms of this Policy.

2.6.           We do not use any type of solely automated decision that impacts You.

3.           HOW WE SHARE DATA AND INFORMATION

3.1.           Data sharing assumptions. Data collected and recorded activities may be shared:

(i)                  Along with appropriate judicial, administrative or governmental authorities, whenever there is a legal determination, request, requisition or judicial order;

(ii)                When necessary to the commercial activities and services provided by Us through the www.ccr.com.br;

(iii)              Automatically, in case of corporate transactions, such as mergers, acquisitions and incorporations.

3.2.           Data Anonymization. For the purposes of market intelligence research, disclosure of data to the press and advertising, the data provided by You will be shared anonymously, that is, in a way that does not allow its identification.

4.           HOW WE PROTECT YOUR DATA AND YOU CAN ALSO PROTECT THEM

4.1.           Measures that you should take. It is very important that you protect your Data from unauthorized access to your computer, account, or password, and make sure to always click "exit" when you exit from a shared computer. It is also very important that you know that we will never send electronic messages requesting data confirmation or with attachments that can be executed (extensions: exe, .com, among others) or even links for eventual downloads.

4.2.           Access to Personal Data, proportionality and relevance. Internally, the Personal Data collected are only accessed by properly authorized professionals, respecting the principles of proportionality, necessity and relevance to the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under this Policy.

4.3.           External links. When you use www.ccr.com.br, you may be conducted, via link to other portals or platforms, which may collect your information and have their own Data Processing Policy.

4.3.1.                   You are responsible for reading the Privacy and Data Processing Policies of such platforms or portals outside our environment and it is your responsibility to accept or reject it. We are not responsible for the privacy and data processing policies of third parties and the content of any websites content or services linked to environments other than ours.

4.3.2.     Third-Party Services. We have business partners that can eventually offer services through features or websites that can be accessed from www.ccr.com.br. The Data You provide to these partners will be the responsibility of these partners, thus being subject to their own data collection and use practices.

4.4.           Third party processing under our guidelines. In case third party companies perform the Treatment on our behalf of any Personal Data we collect, they will respect the conditions here stipulated and the information security rules, mandatorily.

4.5.           E-mail communication. To optimize and improve our communication, when we send an email to You we can receive a notification when they are opened, provided this possibility is available. It is important that you be aware because e-mails are sent only by the domain: @grupoccr.com.br.

5.           HOW WE STORE YOUR PERSONAL DATA AND ACTIVITY REGISTERS

5.1.           The Personal Data collected and the activity records are stored in a safe and controlled environment for a minimum period that follows the table below:

STORAGE PERIOD

LEGAL BASIS

Registration data

5 years after the termination of the association

Article 12 and 34 of Brazilian Consumer Defense Code

Digital Identification Data

6 months

Article 15 of Civil Landmark of the Internet

Other data:

For the duration of the association and no request for deletion or revocation of consent

Article 9, Item II of the General Data Protection Regulation

5.2.   Higher storage times. For auditing, security, fraud control, credit protection and preservation of rights purposes, we may keep your Data registration history for a longer period of time in the event that the law or regulatory standard so establishes or for preservation of rights.

5.3.      The Data collected will be stored in our servers located in Brazil, as well as in an environment of use of resources or servers in the cloud (cloud computing), which may require a transfer and/or processing of this Data outside Brazil.

6.           WHICH ARE YOUR RIGHTS AND HOW TO EXERCISE THEIR RIGHTS

6.1.           Your Basic Rights. You may request our Personal Data Officer to confirm the existence of the processing of Personal Data, in addition to the exhibition or amendment of your Personal Data, through our Communication Channels.

6.2.           Data limitation, opposition and exclusion. Through the Communication Channels, You may also apply:

(i)                  The use restriction of your Personal Data;

(ii)                Express your opposition and/or revoke consent to the use of your Personal Data; or

(iii)              Request the exclusion of your Personal Data that has been collected by Us.

6.2.1.                   If You request the exclusion of your Personal Data or withdraw your consent for purposes fundamental to the regular operation of www.ccr.com.br and services, such environments and services may be unavailable to You.

6.2.2.                   In case you request the deletion of your Personal Data, it may occur that the Data need to be kept for a period longer than the request for deletion, according to article 16 of the General Data Protection Regulation, in order to (i) fulfill a legal or regulatory obligation, (ii) study by a research organization, and (iii) transfer to a third party (respecting the data process). In all cases by anonymizing the Personal Data, as long as possible.

6.2.3.                   Once the maintenance period and the legal requirement have expired, the Personal Data will be deleted using safe disposal methods or used anonymously for statistical purposes.

7.           INFORMATION ON THIS POLICY

7.1.           Amendment of the content and updating. You hereby agree that we have the right to change the content of this Policy at any time, for any purpose or need, as appropriate and in accordance with the law or any rule that has equivalent legal force, and it is your responsibility to check it whenever you access www.ccr.com.br or use our services.

7.1.1.                   If there are updates to this document that require further collection of consent, You will be notified through the contact channels You inform.

7.2.           Non-applicability. Should any part of this Policy be deemed inapplicable by a Data Authority or court, the remaining conditions will remain in full force and effect.

7.3.           Electronic Communication. You understand that any communication made by e-mail (to the addresses informed in your registration), SMS, instant communication applications or any other digital form, are also valid, effective and sufficient for the disclosure of any matter that refers to the services we provide, your Data, as well as the conditions of its provision or any other subject addressed therein, being the exception only that this Policy provides as such.

(i)                  Communication Channels. In case of any doubt regarding the provisions of this Privacy and Data Processing Policy, you may contact through the Communication Channel E-mail: encarregado.dadospessoais@grupoccr.com.br.

7.4.           Applicable law and jurisdiction. This Policy will be interpreted according to the Brazilian legislation, in the Portuguese language, being elected the forum of its domicile to settle any controversy that involves this document, except for specific reservation of personal, territorial or functional competence by the applicable legislation.

7.4.1.     If You do not reside in Brazil, and because of the services offered by Us only in the national territory, you submit yourself to the Brazilian legislation, agreeing, therefore, that in case of litigation to be resolved, the lawsuit should be proposed in the Courts of São Paulo - SP.

8.           GLOSSARY

8.1.           For the purposes of this Policy, the following definitions and descriptions should be considered for your best understanding:

(i)                  Data: Any information inserted, processed or transmitted through the www.ccr.com.br.

(ii)                Personal Information: Data related to an identified or identifiable individual.

(iii)              Anonymization: Use of reasonable and available technical means at the time of the Treatment, by which a data loses the possibility of association, directly or indirectly, to an individual.

(iv)              In charge (Data Protection Officer -DPO): Person designated by Us to act as a communication channel between the controller, the data owners and the National Data Protection Authority (ANPD).

(v)                Cloud Computing: Or cloud computing, is service virtualization technology built from the interconnection of more than one server via a common information network (e.g. the Internet), aiming to reduce costs and increase the availability of sustained services.

(vi)              www.ccr.com.br: Assigns the electronic address [•] and its subdomains.

(vii)            Cookies: Some small files sent by www.ccr.com.br, saved on your devices, which store the preferences and few other information, in order to customize your navigation according to your profile.

(viii)          IP: Abbreviation for Internet Protocol; It is an alphanumeric combination that identifies users' devices on the Internet;

(ix)              Logs: Activities registers of any users who use www.ccr.com.br.

(x)                Decisions only automated: These are decisions that affect a user that have been programmed to operate automatically, without the need for a human operation, based on automated processing of personal data.

(xi)              Treatment: Every activity executed with Personal Data, such as the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction.