
Privacy Notice

1. Purpose

This Privacy Notice (“Notice” or “Privacy Notice”) aims to establish rules and guidelines regarding the processing of personal data collected by RSA CONSULTORIA E TREINAMENTO EIRELI (“Company”), in accordance with applicable regulations. By agreeing with this Privacy Notice, the data subject consents to the terms described herein and to the processing of personal data for the purposes defined in this document.

2. Scope

This Notice applies to all activities involving the processing of personal data and covers all Company portals, applications, and forms.

3. Definitions and terminology

For the understanding of this Notice, the following definitions shall apply:

  • Data Processing Agents: the controller and the processor.

  • Anonymization: the use of reasonable and available technical means at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual.

  • ANPD / National Data Protection Agency: public authority responsible for ensuring, implementing, and supervising compliance with the Brazilian LGPD.

  • Database: structured set of data established at one or several locations, in electronic or physical format.

  • Blocking: temporary suspension of any processing operation by retaining the personal data or the database.

  • Employees: individuals hired to integrate the Company’s workforce.

  • Consent: free, informed, and unambiguous expression by which the data subject agrees to the processing of personal data for a specific purpose.

  • Controller: natural or legal person, public or private, responsible for decisions regarding the processing of personal data.

  • Cookies: files containing small data sets shared between a technological device and a web server to improve navigation and user experience.

  • Anonymized Data: data related to a data subject who can no longer be identified, considering anonymization at the time of processing.

  • Personal Data: information related to an identified or identifiable natural person.

  • Sensitive Personal Data: personal data revealing racial or ethnic origin, religious beliefs, political opinions, union membership or membership in organizations of a religious, philosophical or political nature, data concerning health or sexual life, genetic or biometric data, when related to a natural person.

  • Deletion: removal of data or data sets stored in a database, regardless of procedure used.

  • DPO / Data Protection Officer: individual appointed by the controller or processor to act as a communication channel between the controller, data subjects, and the data protection authority.

  • Purpose: the reason why the personal data of a data subject is processed.

  • LGPD: Brazilian General Data Protection Law (Law No. 13.709/2018).

  • Processor: natural or legal person, public or private, who processes personal data on behalf of the controller.

  • Research Institution: public or private non-profit entity established in Brazil, legally constituted, whose institutional mission or corporate purpose includes academic, scientific, technological, historical or statistical research.

  • RIPD / Data Protection Impact Assessment: documentation prepared by the controller describing processing operations that may generate risks to civil liberties and fundamental rights, as well as mitigation measures.

  • Website: virtual address composed of a set of electronic pages.

  • Data Subject / User: natural person to whom the personal data subject to processing refers.

  • International Data Transfer: transfer of personal data to a foreign country or an international organization of which Brazil is a member.

  • Processing: any operation performed with personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, modification, communication, transfer, dissemination, or extraction.

  • Data Sharing: distribution, international transfer, interconnection, or any shared processing of personal data between public entities or between private entities, under authorization for one or more processing purposes.

4. Purposes of personal data processing

The processing of personal data by the Company is primarily based on the need to execute a contract (Article 7, V of the LGPD), that is, to fulfill the service of providing access to the DPO NOTE software upon subscription.

In addition to the primary legal basis above, personal data may also be processed for the following purposes:

  • Provision of Company services;

  • Relationship management and provision of information related to products and services contracted by Company customers;

  • Registration and account creation to access Company platforms;

  • Customer support and service;

  • Fulfillment of legal, regulatory, or administrative obligations;

  • Exercise of regular rights in judicial, administrative, or arbitration proceedings;

  • Response to complaints and proceedings before public authorities;

  • Storage of information for defense in judicial, administrative, or arbitration proceedings;

  • Company’s legitimate interest, within the limits of data subjects’ expectations and without prejudice to fundamental rights and freedoms;

  • When the data subject provides prior consent.

The database formed through the collection and storage of personal data is owned by the Company. Data use, access, and sharing, when necessary, will be carried out within the limits and purposes of Company activities, and may be shared with suppliers, service providers, and authorities, in accordance with this Privacy Notice and applicable regulations.

No document, information, or personal data will be disclosed or shared under any circumstances, unless expressly authorized by the user, required to fulfill contracted services, or by court order or legal requirement.

It may be necessary to transmit users’ personal data to another Company entity, partner, or external service provider. The Company requires service providers to process such data strictly in accordance with this Privacy Notice and applicable regulations.

5. Categories of personal data subjects

The data subjects whose personal data is processed by the Company are categorized as Customers/Users.

6. Data collected

To provide services, the Company needs to collect certain information. Personal data may be collected directly from the data subject, from third parties, or automatically, depending on the service, product, or relationship type.

Forms of data collection:

  • Personal data provided directly by the data subject:
    All data entered or submitted when accessing our channels (portals or applications) or contracting products/services provided by the Company may be collected.

  • Personal data provided by third parties:
    The Company may receive personal data from partners, service providers, public sources, or data publicly shared by the data subject online.

  • Automatically collected personal data:
    The Company may collect information automatically using technologies such as cookies, in order to improve user experience and navigation based on preferences and behavior.

Data collection principles:

  • Only data essential for service provision will be collected;

  • If necessary, the Company will request authorization or notify the data subject before collecting new data, along with a justification;

  • Personal data will only be used for the purposes informed to the data subject.

Processing of personal data from children or adolescents, if applicable, will only occur with the specific and highlighted consent of a parent or legal guardian.

Personal data will be stored for the period necessary to fulfill the purposes for which it was collected or to comply with legal or regulatory obligations. Once the retention period ends or upon data subject request, the Company will securely delete the data.

7. Data sharing with third parties

Personal data may be accessed by third parties under the following conditions:

  • For commercial purposes: strictly necessary sharing to provide or enable service provision, ensure product and service security, support consumer service, and improve performance.

  • To provide services and products: sharing of data categories listed in item 6 with partners and service providers assisting the Company in providing services and support.

  • For strategic reasons: sharing with partners for data analysis, system security, legal compliance, auditing, accounting, or other professional services.

  • For legal or regulatory reasons: sharing with partners or authorities when necessary to comply with obligations or in judicial/administrative proceedings.

  • Corporate operations: sharing in case of mergers, acquisitions, or asset transfers.

  • With consent: when the data subject provides prior and explicit consent.

8. Data subject rights

In accordance with relevant data protection regulations, the Company ensures the following rights:

  • Confirmation of data processing;

  • Access to personal data;

  • Correction of incomplete, inaccurate, or outdated data;

  • Anonymization, blocking, or deletion of unnecessary or excessive data;

  • Portability to another service provider;

  • Deletion of personal data processed with consent (subject to legal exceptions);

  • Information about public or private entities with whom data is shared;

  • Information on the possibility of withholding consent and its consequences;

  • Withdrawal of consent;

  • Review of automated decisions.

Requests may be submitted through the privacy contact channel available on the website or directly to the DPO via email.

The data subject acknowledges that a request to delete information essential for management may lead to termination of the contractual relationship.

9. Security

Any personal data in Company possession will be stored according to strict industry-standard security measures, including but not limited to:

  • Protection against unauthorized access;

  • Restricted access to authorized personnel;

  • Confidentiality and handling procedures applicable to employees, suppliers, and partners;

  • Continuous updates to privacy governance programs and internal controls.

In the event of a security incident, the Company will take all reasonable measures to mitigate impacts and ensure transparency to data subjects.

10. Links to third-party websites

The Company may provide links to third-party websites. The Company is not responsible for privacy practices adopted by such websites. Each third party maintains its own privacy notice or relevant terms. Users are encouraged to read those policies.

11. Cookies

Cookies may be stored on the user’s device to facilitate navigation and personalization.

Types of cookies:

  • Essential cookies

  • Performance cookies

  • Functionality cookies

  • Advertising cookies

  • Social media cookies

Users may disable cookies in their browser settings at any time, but doing so may affect some website features.

12. Applicable law and general provisions

This Notice is drafted in accordance with applicable data protection laws, including but not limited to the Brazilian Constitution, Consumer Protection Code, Civil Code, Brazilian Internet Law (“Marco Civil da Internet”), its regulatory decree, and the LGPD.

This Notice is subject to the Terms of Use available on the website and will be governed by Brazilian law. The parties elect the Courts of Belo Horizonte, State of Minas Gerais, as the competent jurisdiction, to the exclusion of any other.

If any provision of this Privacy Notice is deemed invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Electronic communications (email, SMS, instant messaging applications, etc.) shall be considered valid and legally binding for notification purposes.

13. Contact us

If the data subject has questions, requests, or needs clarification, please contact the DPO at:
📧 fale@dponote.com.br

14. Updates to this Notice

This Privacy Notice may be amended at any time to improve security, update internal processes, or comply with legal or regulatory obligations. The Company encourages users to periodically review this Notice to stay informed about how their personal data is processed.
