1. INTRODUCTION

Before hiring and/or using any of our services or browsing our website www.fenixconsultoria.com (“Site”), you should read this Privacy and Data Protection Policy (“Privacy Policy”).

If you are a Client of Fênix Sistemas e Consultoria (“Fênix”), this Privacy Policy will be incorporated into the contract that governs your relationship with Fênix, in order to guarantee the security of the data you provide to us as Holder or Controller.

In the event that you are only a User of our Website, you should read this Privacy Policy whenever you browse it and prior to sending data through the forms provided for this purpose in our Website. This Privacy Policy also applies to data that may be collected through the Website.

This Privacy Policy includes the guidelines and performance principles of Fênix for the treatment of the personal data that you provide us, as well informs you about how it collects and process your personal data.

Fênix may change the terms established in this Privacy Policy, both partially and totally, in order for this document to be updated at any time and in accordance with the General Data Protection Law (Law nº 13.709/18) (“LGPD”) and any requirements established in national and international regulations.

If you are a Fenix Client and changes are made to the terms of this Privacy Policy, we will inform you so that you are aware of any terms that may affect you.

This policy will be valid until it is modified, amended and replaced by another policy. In this case, the new policy will be published in our Website.

2. DEFINITIONS

• Anonymization: use of technical means available at the time of Treatment, which make it impossible to associate, directly or indirectly, data to an individual or to identify him/her;
• National Authority for the Protection of Personal Data (ANPD): is the federal public administration authority in Brazil, with duties related to the protection of Personal Data, privacy, and supervision of compliance and application of the General Data Protection Law (LGPD) throughout the national territory;
• Blocking: temporary suspension of any processing operation, by keeping the Personal Data or Database;
• Client: an individual or legal entity to which Fênix provides services;
• Consent: free, informed and unequivocal statement by which the Holder agrees with the Processing of his Personal Data for a specific purpose;
• Controller: a natural or legal person, governed by public or private law, who is responsible for decisions concerning the Processing of Personal Data;
• Personal Data: Information related to an identified or identifiable natural person;
• Sensitive Personal Data: Personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person;
• Deletion: exclusion of data or a set of data stored in a Database, regardless of the procedure used;
• Legitimate Interest: legal basis that authorizes the processing of Personal Data when the use of such data is necessary to fulfill legitimate interests;
• General Data Protection Law (LGPD): Law No. 13,709 of August 14, 2018, which provides for the treatment of Personal Data, including in digital media, by natural person or legal entity of public or private law, in order to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person;
• Operator: a natural or legal person, governed by public or private law, who carries out the Processing of Personal Data on behalf of the Controller;
• Holder: the person to whom the Personal Data that are the object of the Processing refers to;
• Processing: all operations carried out with Personal Data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction;
• Shared Use of Data: communication, dissemination, interconnection of Personal Data or shared Treatment of Personal Databases by public agencies and entities in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more allowed Treatment modalities by these public entities, or between private entities;
• User: a person who browses the Site.

3. FÊNIX AND ITS COMMITMENT TO PRIVACY

Fênix is a company committed with ethics, honesty and transparency. For this reason, Fênix is deeply committed to the protection of personal data, the security and the privacy of Users/Clients, always in line with the LGPD and other applicable standards.

Fênix has adopted and will continue to adopt all necessary technical and organizational measures to prevent the loss, misappropriation, change, unauthorized access and theft of the personal data provided, taking into account the state of technology, the data nature and the risks to which they are exposed.

Fênix will only obtain personal data when it is adequate, pertinent and not excessive in relation to the specific, explicit and legitimate purpose for which it was obtained. In other words, Fênix will only collect data that are strictly necessary for each of the purposes pursued.

You, as the Holder and/or Controller of the personal data that you provide us with, must comply with this Privacy Policy.

Fênix commitment to privacy is reflected in the following guidelines:

Fênix respects the privacy of the Users and Clients as well as their choices at any time, for this reason, it incorporates respect for privacy in each of its actions.

Fênix will never send commercial communications unless you have expressly consented it. You can change your mind about your preferences at any time, and Fênix will respect and guarantee this option.

Fênix will not at any time offer and sell the data you provide us with.

Your data will be secure and protected. Fênix will always guarantee its confidentiality. Therefore, Fênix only accepts high standards of quality and trust in its relationships.

We will never use your data for purposes other than those for which they were collected.

4. LIABILITIES

As the Holder or Personal Data Controller, you are responsible for ensuring that the data you provide are accurate, complete and up to date. Therefore, you will be solely responsible in the event that the Personal Data you provided us is false, inaccurate, incomplete and/or out of date and, furthermore, is provided in accordance with the applicable legislation, that is, you will be responsible for the Personal Data relating to third parties, of which you have not obtained express Consent or have not informed them of your processing.

In the specific event that, during the contractual relationship, the Client provides Fênix with the personal data of employees or third parties, the Client, as the Data Controller, must have previously informed them of the processing of their personal data, the purpose of the same, must have obtained the express consent of the Holders, by means of a written document, with which the Client declares to agree and comply.

You undertake to notify Fênix if the Personal Data you have provided are modified.

Any loss or damage caused to Fênix due to the communication of erroneous, inaccurate, incomplete information or information from third parties that have not provided their express Consent and/or are provided in non-compliance with the applicable legislation, either in the contractual relationship or in the forms available on the Site , will be the sole responsibility of the Client and/or User, who will also be responsible for any sanctions applied by the National Authority for the Protection of Personal Data to Fênix.

In the event that FÊNIX acts as Data Processor for the processing of personal data for which the Client is the Data Controller, both parties undertake to collaborate to guarantee the protection of such data and the effective exercise of the rights of their Holders.

The Client undertakes not to provide FÊNIX at any time with special categories of personal data, nor with any information or personal data that are not necessary or relevant for the execution of the contractual relationship.

5. WHICH PERSONAL DATA ARE COLLECTED BY FÊNIX?

If you are a Fênix Client, we may collect the following Personal Data for the execution of services: first and last name, telephone number, e-mail, official identity document and professional data, depending on the type of service provided by Fênix.

If you are only a User of our Site, the following Personal Data may be collected: first and last name, e-mail, professional data and telephone number.

The Personal Data collected by Fênix are only those strictly necessary for the intended purpose or for the provision of the service.

Fênix never collects Sensitive Personal Data.

6. WHO CAN ACCESS PERSONAL DATA?

Companies of the Fênix Group: Companies of the Fênix Group: Depending on the services contracted, data can be processed by other companies of the Fênix Group, with legal basis in Legitimate Interest, for the provision of the service and for administrative and/or legal purposes.

Trusted suppliers: We also sign contracts with trusted suppliers, from whom we demand compliance with current Data Protection regulations, for the provision of certain services and to carry out a variety of commercial operations on behalf of Fênix. We only provide them with information that is strictly necessary to perform the services and require them to comply with all applicable regulations. In the event that the Client does not authorize the provision of a service by a trusted provider, we may choose between contracting with another provider or not to provide the service.

Authorities: Depending on the services that the Client may contract, we can communicate their data to certain authorities to comply with the service of tax compliance or management of registrations at the National Insurance, among others. Fênix will always inform the Client in advance who may have access to the Personal Data provided, according to the services contracted.

7. HOLDERS’ RIGHTS AND HOW TO EXERCISE THEM

The Holder has the following rights in relation to their Personal Data processed by Fênix:

1. To confirm the existence of the Treatment;
2. Request access to Personal Data;
3. Request the correction of Personal Data that are incomplete, inaccurate or outdated;
4. Request the Anonymization, Blocking or Deletion of unnecessary, excessive data or data that is proven to be processed in non-compliance with the LGPD;
5. Request data portability from another service or product provider, in accordance with the regulations of the National Authority for the Protection of Personal Data, and in compliance with commercial and industrial secrets;
6. Request the Deletion of Personal Data processed with your Consent, except in cases where Fênix is authorized to retain such data, under the terms of the LGPD;
7. Request information about public and private entities that Fênix has shared data with;
8. Request information about the possibility of not providing Consent and the consequences of such refusal;
9. Revoke Consent when Treatment is performed based on Consent, in which case the Treatment performed by Fênix under the cover of the previously expressed Consent will be ratified as long as there is no request for Elimination.

The rights expressed above may be exercised upon express request to Fênix, by sending an (i) e-mail to atendimento@fenixconsultoria.com, indicating in the subject “Exercise of rights”; or (ii) by post to 1 Embaixador Abelardo Bueno Ave., Block 01, suites 521/522, CEP (zip code) 22775-022, Jacarepaguá, Rio de Janeiro, RJ, Brazil, in both cases accompanied by a copy of your official identity document proving your identity.

8. INTERNATIONAL DATA TRANSFERS

Fênix does not carry out international personal data transfers at any time. In the event that, in order to provide a contracted service, Fênix will previously request the Customer’s Consent.

We emphasize that all of our subsidiaries and suppliers are obliged to comply with Brazilian Data Protection regulations, wherever they are located.

9. HOW LONG DO WE STORE YOUR PERSONAL DATA?

Fênix will only keep your personal data for the necessary time to comply with the purposes for which they were collected or to comply with legal obligations.

Fênix, at the Client’s choice, will delete or return the personal data to the Client at the end of the service, except in cases where it is obliged to keep them due to legal, contractual and/or regulatory obligations.

The personal data obtained by giving your consent, will be maintained until you inform us that you wish us to delete your data, according to the procedure indicated in item 7 above.

The personal data obtained in recruiting processes will be kept until the candidate unilaterally decides that we should delete them, according to the procedure indicated in item 7 above, or after 1 (one) year from the recruiting process.

Fênix will securely and permanently delete personal data after the end of the purpose for which it was granted or the period during which it must comply with a legal obligation.

10. SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

In order to guarantee the security and confidentiality of your personal data, Fênix adopts the highest levels of security, using all the technical and personal measures at its availability to prevent the loss, misuse, change, unauthorized access and theft of the personal data provided.

The personal data that FÊNIX may collect, derived from the contractual relationship with the Client or through the different communications that maintain with the Client/User will be treated with absolute confidentiality.

The technical and organizational measures implemented by FÊNIX to guarantee the security of your data are detailed below. All measures are implemented in the Group’s subsidiaries.

Organizational controls: Fênix has implemented a Data Protection and Privacy Policy, as well as a Data Protection and Privacy Manual, which are available to all organization employees and are periodically reviewed to adjust to the standards in force when necessary. In addition, employees also receive regular training on data protection and data security.

All Fênix employees and suppliers sign confidentiality agreements, and compliance with the rules on personal data protection.

Physical data access controls: With regard to measures to control physical access to Personal Data, Fênix keeps the data in a place of restricted access and with the proper security measures. In this way, access by unauthorized persons is avoided.

In addition, Fênix has measures to ensure the safe disposal of documents or files containing personal data.

System access controls: Regarding control of access to the systems, Fênix has a system of user authentication and password for access to them. At the same time, for better control, we have a list of people/users who have access to data processing systems for authentication purposes, identifying each one of the accesses.

All data processing systems are password protected to prevent unauthorized access to personal data.

All employees receive training on how to protect their IT equipment, ensuring that the information contained in it is always protected. The IT equipment is programmed so that, after detecting inactivity on the IT equipment in a short period of time, it is blocked to prevent unauthorized access to the system. The account is also blocked after several unsuccessful sequential login attempts.

Security systems: As for the security systems used to ensure data security, Fênix has established a control system to ensure that only authorized equipment is used in the provision of the service. Remote access is via VPN, with connection auditing available.

Fênix also has technical security measures such as antimalware, automatic backups, antivírus.

Business Continuity: At Fênix, backup copies are created. These copies are stored in protected environments. Fênix also has the ability to restore data from these backups.

11. INCIDENT MANAGEMENT

Fênix has established a procedure for the management of incidents, so that if a violation or breach of security occur, it can be communicated to the National Data Protection Authority (ANPD) and/or the Data Subject within 72 hours.

12. CONTACT

If you have any questions regarding the protection of personal data, please write to us at atendimento@fenixconsultoria.com or by post to our Legal Department located at our Branch: 1 Embaixador Abelardo Bueno Ave., Block 01, suites 521/522, CEP(zip code) 22775-022, Jacarepaguá, Rio de Janeiro, RJ, Brazil.