Font size:

1. INTRODUCTION
 
This Policy aims to demonstrate the commitment of 
 

CCR S.A.

Avenida Chedid Jafet, 222, Bloco B, 5º andar, Bairro Vila Olímpia, in the city and state of São Paulo

Corporate Taxpayer’s ID (CNPJ): 02.846.056/0001-97


with the privacy and protection of your Data, in addition to establishing the rules on the Treatment of your Personal Data, within the scope of the services and functionalities of https://en.grupoccr.com.br/ ("https://en.grupoccr.com.br/"), in accordance with the laws in force, with transparency and clarity with You and the market in general.
 
As a condition for the access and use of the exclusive functionalities at https://en.grupoccr.com.br/, You declare that You have read this Policy fully and carefully, being fully aware, thus granting Your free and express agreement with the terms stipulated herein, including the collection of the Data mentioned herein, as well as its use for the purposes specified below. If You do not agree with the provisions of this Policy, You may terminate Your access or use of https://en.grupoccr.com.br/. 
 
 

SPECIFIC NOTE FOR CHILDREN AND ADOLESCENTS UNDER 16 YEARS

Please do not register at https://en.grupoccr.com.br/ if you are under 16 years old.

SPECIFIC NOTE FOR LEGAL REPRESENTATIVES

Although we prohibit registration of children and adolescents under the age of 16, parents must supervise the online activities of their underage children.

All activities of adolescents over 16 and under 18 years of age must be assisted by their parents or legal representatives.

 
 
2. ABOUT THE DATA WE COLLECT
 
2.1. How we collect Data. Data, including Personal Data, may be collected when You submit it or when You interact with the https://en.grupoccr.com.br/ and services, that includes:
 

What do we collect?

Why do we collect for?

Registration data

Name

(i)                  Identifying You.

(ii)                To comply with the obligations arising from the use of our services.

(iii)              To expand our relationship, inform you about news, features, content, news and other events that we consider relevant to you.

(iv)              To enhance your experience with us and promote our products and services.

(v)                To comply with our legal and regulatory obligations.

E-mail

Company

Message

Digital Identification Data

IP Address and Logical Source Port

(i)                  Identifying You.

(ii)                To comply with legal obligations of record maintenance established by the Civil Landmark of the Internet - Law 12,965/2014.

(iii)              To comply with our legal and regulatory obligations.

Device (operating system version)

Geolocation

Registers of date, time and each action that You perform

Which screens have you accessed

Session ID

Cookies

 
2.2. Required data. Most of our services depend directly on some Data informed in the chart above, mainly Registration Data. If you choose not to provide some of this Data, we may be unable to provide all or part of our services to You.
 
2.3. Data Update and Accuracy. You are solely responsible for the accuracy, reliability or lack of it in relation to the Data you provide or for its out-date. Be aware that it is your responsibility to ensure accuracy or keep them updated.
 
                2.3.1. Likewise, We are not be under any obligation to process or handle any of your Data if there is reason
                          to believe that such processing or handling may attribute to CCR S.A. any violation of any applicable
                          law or if you are using https://en.grupoccr.com.br/ for any unlawful, illicit, or unethical purpose.
 
2.4. Data base. The database constituted through the collection of Data is our property and is under our responsibility, and its use, access and sharing, when necessary, will be done within the limits and purposes of the business described in this Policy. 
 
2.5. Technologies used. We use the following technology(s): 
 
(i) Functionality Cookies, it is up to you to configure your Internet browser if you want to block them. In this case, some features we offer may be limited.
 
                2.5.1. All technologies used will always respect the current legislation and the terms of this Policy.
 
2.6. We do not use any type of solely automated decision that impacts You.
 
 
3. HOW WE SHARE DATA AND INFORMATION
 
3.1. We do not share your personal data with third parties, with the following exceptions:
 
(i) We may share your personal data when we have gained your consent to do so; 
(ii) We may share your personal data with affiliates within Grupo CCR;
(iii) We may share your personal data with Group CCR’s service providers and business partners that process personal data on the Company’s behalf;
(iv) We may share your personal data with Group CCR’s service providers and business partners to fight toll evasion and other unlawful conduct that may cause serious damage, taking into consideration Grupo CCR’s interest and the protection of third parties; 
(v) We may share your personal data with government bodies in compliance with legal and contractual obligations, including within the scope of concession, permission, and authorization contracts; 
(vi) We may share your personal data with police authorities as required by law or when it is reasonably necessary, so as to protect the rights, properties and/or ensure the safety of users, third parties and/or Grupo CCR; and 
(vii) We may share your personal data with competent legal, administrative and government authorities whenever there is a legal determination, request or court order; 
(viii) We may share your personal data when it is required to perform commercial activities and to provide our services through our website https://en.grupoccr.com.br/; 
(ix) We may share your personal data automatically in case of corporate changes, such as consolidation, acquisition and merger. 
 
3.2. Data Anonymization. For the purposes of market intelligence research, disclosure of data to the press, and advertising, the data provided by You will be shared anonymously, that is, in a way that does not allow its identification.
 
 
4. HOW WE PROTECT YOUR DATA AND YOU CAN ALSO PROTECT THEM
 
4.1. Measures that you should take. It is very important that you protect your Data from unauthorized access to your computer, account, or password, and make sure to always click "exit" when you exit from a shared computer. It is also very important that you know that we will never send electronic messages requesting data confirmation or with attachments that can be executed (extensions: exe, .com, among others) or even links for eventual downloads.
 
4.2. Access to Personal Data, proportionality and relevance. Internally, the Personal Data collected are only accessed by properly authorized professionals, respecting the principles of proportionality, necessity and relevance to the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under this Policy.
 
4.3. External links. When you use https://en.grupoccr.com.br/, you may be conducted, via link to other portals or platforms, which may collect your information and have their own Data Processing Policy.
 
                4.3.1. You are responsible for reading the Privacy and Data Processing Policies of such platforms or portals
                          outside our environment and it is your responsibility to accept or reject it. We are not responsible for
                          the privacy and data processing policies of third parties and the content of any websites content or
                          services linked to environments other than ours.
 
                4.3.2. Third-Party Services. We have business partners that can eventually offer services through features
                          or websites that can be accessed from https://en.grupoccr.com.br/. The Data You provide to these
                          partners will be the responsibility of these partners, thus being subject to their own data collection
                          and use practices.
 
4.4. Third party processing under our guidelines. In case third party companies perform the Treatment on our behalf of any Personal Data we collect, they will respect the conditions here stipulated and the information security rules, mandatorily.
 
4.5. Data processing agents’ legal responsibilities. As controllers of your personal data, we are responsible for:
 
(i) recording data processing activities;
(ii) adopting technical and administrative security measures;
(iii) ensuring information security;
(iv) respecting holders’ rights;
(v) cooperating with the National Data Protection Authority; and
(vi) ensuring compliance with the principles and legal bases of the Brazilian General Data Protection Law (LGPD).
 
4.6. E-mail communication. To optimize and improve our communication, when we send an email to You we can receive a notification when they are opened, provided this possibility is available. It is important that you be aware because e-mails are sent only by the domain: @grupoccr.com.br.
 
 
5. HOW WE STORE YOUR PERSONAL DATA AND ACTIVITY REGISTERS
 
5.1. Collected personal data and recorded activities are stored in a secure and controlled environment within our local servers.
 
5.2. We keep your personal data for the period necessary to comply with the purposes set out in this Privacy Policy, including to comply with legal and contractual obligations within the scope of concession, permission and authorization contracts. For specific information on the data retention periods, you may email our Data Protection Officer at encarregado.dadospessoais@grupoccr.com.br.
 
5.3. The Data collected will be stored in our servers located in Brazil, as well as in an environment of use of resources or servers in the cloud (cloud computing), which may require a transfer and/or processing of this Data outside Brazil.
 
 
6. WHICH ARE YOUR RIGHTS AND HOW TO EXERCISE THEIR RIGHTS
 
6.1. Your Basic Rights. According to the LGPD, you are entitled to:
 
(i) request the confirmation of whether your personal data will be processed;
(ii) request the access to your personal data;
(iii) request the correction of incomplete, inaccurate or out-of-date personal data;
(iv) request the anonymization, blocking or deletion of unnecessary or excess data, as well as data that is not processed in compliance with the LGPD, if applicable;
(v) request the portability of your personal data to another provider, subject to the regulation of the National Data Protection Authority (ANPD);
(vi) request the erasure or anonymization of personal data processed on the basis of your consent, except where the law authorizes the retention of such data on another basis;
(vii) obtain information about the public and private entities with which we have shared your personal data;
(viii) to request information about the possibility of not consenting to the processing of your personal data and the consequences of this action; and
(ix) to withdraw your consent.
 
                6.1.1. In case you request the deletion of your Personal Data, it may occur that the Data need to be kept for
                          a period longer than the request for deletion, according to article 16 of the General Data Protection
                          Regulation, in order to (i) fulfill a legal or regulatory obligation, (ii) study by a research organization,
                          and (iii) transfer to a third party (respecting the data process). In all cases by anonymizing the
                          Personal Data, as long as possible.
 
                6.1.2. Once the maintenance period and the legal requirement have expired, the Personal Data will be
                          deleted using safe disposal methods or used anonymously for statistical purposes.
 
 
7. INFORMATION ON THIS POLICY
 
7.1. Amendment of the content and updating. You hereby agree that we have the right to change the content of this Policy at any time, for any purpose or need, as appropriate and in accordance with the law or any rule that has equivalent legal force, and it is your responsibility to check it whenever you access https://en.grupoccr.com.br/ or use our services.
 
                7.1.1. If there are updates to this document that require further collection of consent, You will be notified
                          through the contact channels You inform.
 
7.2. Non-applicability. Should any part of this Policy be deemed inapplicable by a Data Authority or court, the remaining conditions will remain in full force and effect.
 
7.3. Electronic Communication. You understand that any communication made by e-mail (to the addresses informed in your registration), SMS, instant communication applications or any other digital form, are also valid, effective and sufficient for the disclosure of any matter that refers to the services we provide, your Data, as well as the conditions of its provision or any other subject addressed therein, being the exception only that this Policy provides as such.
 
(i) Communication Channels. In case of any doubt regarding the provisions of this Privacy and Data Processing Policy, you may contact through the Communication Channel E-mail: encarregado.dadospessoais@grupoccr.com.br. 
 
7.4. Applicable law and jurisdiction. This Policy will be interpreted according to the Brazilian legislation, in the Portuguese language, being elected the forum of its domicile to settle any controversy that involves this document, except for specific reservation of personal, territorial or functional competence by the applicable legislation.
 
                7.4.1. If You do not reside in Brazil, and because of the services offered by Us only in the national
                          territory, you submit yourself to the Brazilian legislation, agreeing, therefore, that in case
                          of litigation to be resolved, the lawsuit should be proposed in the Courts of São Paulo - SP.
 
 
8. GLOSSARY
 
8.1. For the purposes of this Policy, the following definitions and descriptions should be considered for your best understanding:
 
(i) Data: Any information inserted, processed or transmitted through the https://en.grupoccr.com.br/.
(ii) Personal Information: Data related to an identified or identifiable individual.
(iii) Anonymization: Use of reasonable and available technical means at the time of the Treatment, by which a data loses the possibility of association, directly or indirectly, to an individual.
(iv) In charge (Data Protection Officer -DPO): Person designated by Us to act as a communication channel between the controller, the data owners and the National Data Protection Authority (ANPD).
(v) Cloud Computing: Or cloud computing, is service virtualization technology built from the interconnection of more than one server via a common information network (e.g. the Internet), aiming to reduce costs and increase the availability of sustained services.
(vi) https://en.grupoccr.com.br/: Assigns the electronic address https://en.grupoccr.com.br/ and its subdomains.
(vii) Cookies: Some small files sent by https://en.grupoccr.com.br/, saved on your devices, which store the preferences and few other information, in order to customize your navigation according to your profile.
(viii) IP: Abbreviation for Internet Protocol; It is an alphanumeric combination that identifies users' devices on the Internet;
(ix) Logs: Activities registers of any users who use https://en.grupoccr.com.br/.
(x) Decisions only automated: These are decisions that affect a user that have been programmed to operate automatically, without the need for a human operation, based on automated processing of personal data.
(xi) Treatment: Every activity executed with Personal Data, such as the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
 
Update: November 23, 2021