1. ABOUT US

This Privacy Policy applies to Falconi Group companies, as listed below:

2. OBJECTIVE

Falconi Group is highly committed to compliance issues and could not be different when it comes to the treatment of personal data. The privacy of our stakeholders, employees, clients, and society as a whole is one of the main topics of internal discussions since the publication of LGPD, and this Privacy Policy aims to consolidate all this work and clarify the main points regarding the treatment of personal data by Falconi Group.

Therefore, the objective of this Policy is to present the most important information about the operations of personal data processing carried out by Falconi Group, so that we fulfill our duty of transparency and clarify any doubts that may exist regarding this topic.

The data subject has the right to know information about the type of processing to which their data is subjected, its duration, the purposes for which it is intended, in which cases it is shared, or even if any type of automated decision is made about it, provided, of course, that the right of Falconi Group not to disclose any information that constitutes a trade or industrial secret is respected.

3. TERMS AND DEFINITIONS

To enable a better understanding of terms that may not be so clear, we present a brief glossary about the concepts and definitions of some commonplace words in the General Data Protection Law, as well as other complementary ones to better understand the subject:

a) Personal Data: Any information related to an identified or identifiable natural person. In other words, any information, regardless of format (physical or electronic), that may allow the identification of a natural person, or that, when a person is identified, can be associated with them, revealing characteristics about them.

b) Sensitive Personal Data: Any personal data that concerns racial or ethnic origin, religious belief, political opinion, union membership or membership of a religious, philosophical, or political organization, health, or sexual life data, genetic or biometric data when linked to a natural person.

d) Data Subject: The natural person to whom the personal data that are the subject of processing refer. In other words, you who read this Policy and have data processed by Falconi Group are a data subject.

e) Controller: The natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data. The controller holds the decision-making power over the processed data, including the indication of their necessity, purposes, legal bases assigned, retention period, and disposal method. In some situations, Falconi Group will be the controller of the personal data it processes.

f) Processor: The natural or legal person, public or private, who processes personal data on behalf of the controller. The processor only processes the data according to the controller’s determinations, as long as they do not violate LGPD or other laws. Therefore, it is their responsibility to strictly follow the processing scopes defined by the controller and provide security for the processed data. In some situations, Falconi Group will be the processor of the personal data it processes.

j) Processing: Basically, any operation performed with personal data is a hypothesis of processing. LGPD specifies some of them (although it is not an exhaustive list), such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

4. HOW AND WHY WE COLLECT PERSONAL DATA

The Falconi Group companies focus on providing management consulting services using the total quality management concept and developing management and performance monitoring software, with a focus on serving other companies (B2B business model). Therefore, the processing of personal data is not the core business of any of the Falconi Group companies. Therefore, your personal data may be collected from the following sources:

a) Through sharing by the company, the data subject works for: in most cases, your personal data will be provided to us by the company you work for, so that we can perform the contracted service well. In this case, the Falconi Group companies are personal data processors and adopt measures to require compliance with privacy and data protection rules by data controllers. In addition, we always determine that only personal data strictly necessary for the specific purpose intended, which will be the subject of the contracted service, is shared, and preferably provided to us in anonymized format.

b) By providing data by the data subject himself/herself: the data may be provided directly by the data subject to the Falconi Group in two distinct situations, namely, through express and unequivocal consent previously collected for specific purposes or to perform a contract or preliminary procedures to a contract of which the data subject is part and at his/her request. Examples that fit into such situations are, in the first case, related to consent, when filling out the contact form on the Falconi Group websites, indicating that the data subject consents to the use of the data for commercial contact purposes, and in the case of contract execution or preliminary procedure, the submission of a resume for participation in selection processes;

c) Collection of cookies through interaction with websites: through your access and interaction with the websites of any of the Falconi Group companies, it is possible that we collect personal data such as your internet protocol (IP) number, the browser used, and how the interaction takes place with the sites so that the experience can be personalized, as well as to improve marketing strategies through the collection of cookies;

d) By providing by parents or legal guardians: all data of incapable persons (total or relative), as well as children and adolescents, which are eventually collected, will only be processed by the Falconi Group after obtaining the consent of their parents or legal guardians, authorizing the processing;

e) Data manifestly made public by the data subject: we can also collect personal data manifestly made public by the data subject, subject to the rights of the data subject and the principles concerning privacy and data protection.

If this information is not sufficient and you still have any doubts or curiosity about any detail of the processing of your personal data, please contact our DPO at the email indicated at the end of this Policy, always remembering that we reserve the right not to disclose any information that may violate our trade or industrial secrets.

5. WHY DO WE PROCESS PERSONAL DATA

All personal data processing operations carried out by the Falconi Group are supported by the legal bases listed in Articles 7 and/or 11 of the LGPD, reaffirming the lawfulness of all our operations.

In this sense, when any of the companies within the Falconi Group is acting as a data controller, we can process your data according to one of the hypotheses listed below:

a) By collecting your express and unequivocal consent, on occasion, the data subject will be informed in advance about the purpose and other information of the processing, except for data made manifestly public by the data subject;

b) To comply with a legal or regulatory obligation by the Falconi Group, i.e., in cases where some normative act establishes the obligation of processing, such as tax and/or labor legislation;

c) When necessary for the performance of a contract or preliminary procedures related to a contract in which you are a party and at your request;

d) For the regular exercise of rights in a judicial, administrative, or arbitral process;

e) When we verify that it is necessary to meet our legitimate interests or those of third parties, which may be for the support and promotion of our activities or for the provision of services that benefit the data subject, except in cases where the fundamental rights and freedoms of the data subject require the protection of their personal data.

In situations where any of the companies within the Falconi Group are acting as data processors, decisions on the purpose and manner in which personal data should be processed will be defined by the data controller. The vast majority of these situations will occur when the data subject works for a Client company of the Falconi Group and it is necessary to share data for the provision of the contracted service.

However, we have already clarified in advance that, as privacy and protection of your personal data are the number one priority in all companies of the Falconi Group, we formally communicate to all personal data controllers for whom we act as processors that we reserve the right to expressly disregard any and all guidance provided by controllers that are manifestly illegal and/or contrary to any provision of the LGPD.

6. HOW WE SHARE PERSONAL DATA WITH PARTNERS

Falconi Group does not have any economic activity that involves sharing personal data with third-party companies as part of its core business. For this reason, your data may only be shared with third parties when it is:

a) absolutely necessary for us to provide a service to you or the company you represent;

b) important to add security to the processed data and ensure their confidentiality, integrity, and availability. For example, when your data is stored in cloud hosting external to Falconi Group‘s servers;

c) relevant to the performance of administrative functions in our company, such as measuring the performance of our employees, conducting customer satisfaction and organizational climate surveys, developing our products and services, and providing customer service. When applicable, data anonymization is used in statistical form;

d) required by court order, legal obligation, or competent administrative authority.

In the above cases where sharing is Falconi Group‘s choice, we inform you that we have documented all contracts with our partners that are rigorously drafted regarding the protection of your personal data. All partners are aligned with our requirements. Moreover, our information security criteria are high and continuously updated to avoid any lag that may cause damage to you or your personal data. It is worth noting that we also demand such high levels of security from all our partners.

It is important to highlight that Falconi Group never sells personal data it collects to third parties.

7. TERMINATION OF THE PROCESSING AND RETENTION OF PERSONAL DATA

The processed data is stored for as long as necessary or allowed depending on the treatment, according to the legal basis that justifies it. Therefore, it is certain to inform you that your data will be deleted, as a rule:

a) upon verification that the purpose has been achieved or that the data is no longer necessary or relevant to achieve the specific purpose sought;

b) after the end of the informed treatment period;

c) upon request for deletion by the data subject, if the treatment modality allows for such a request;

d) by order of the National Data Protection Authority (ANPD), in case of a violation of the LGPD provisions.

Additionally, we declare that some of our physical and electronic documents are sent to a company specialized in document storage, where they are archived according to our Retention and Disposal Policy until they are definitively eliminated or completely anonymized.

However, in some cases, personal data may be retained even after the end of treatment:

i) to comply with a legal or regulatory obligation by Falconi Group;

ii) to ensure legal certainty in the relationship established with the data subject or third parties;

iii) to transfer to a third party, provided that the LGPD data processing requirements are respected.

It is worth noting that we have activities to improve our services and products through the analysis of graphical indicators that may have been originally generated from personal data. In these cases, we guarantee the complete anonymization of this information, completely dissociating it from any identified or identifiable natural person, and its use is exclusive to Falconi Group companies, with access by third parties being prohibited.

8. HOW WE KEEP YOUR DATA SAFE

In addition to valuing your privacy, the Falconi Group also cares about the security of the information that passes through here.

At the Falconi Group, the employees responsible for the information assets that support personal data are signatories to a “Non-Disclosure, Confidentiality and Responsibility Agreement” and have extensive knowledge of our Information Security Policy, as well as our Code of Conduct and Ethics.

We also have an internal Privacy and Data Protection Policy, whose purpose is to raise awareness and clarify our employees on how personal data should be treated here at the Falconi Group, always based on the law, good faith, and best information security practices, so that your data is always safe with us.

Regarding information storage, all personal data processed by the Falconi Group may be located in three different environments, depending on the type and sensitivity of the information, which are:

a) a Data Processing Center with access control through biometrics;

b) an outsourced data center aligned with the best security practices provided by the security standard for hosting systems owned by the Falconi Group; or

c) in highly secure clouds, with trusted providers and widely certified in the international frameworks of the highest standard of rigor.

In addition, our suppliers also adopt several measures to prevent privacy violations, but if they happen, effective procedures are followed for detecting, responding, and correcting the incident as quickly as possible, in line with the strict Falconi Group security standard.

With these and other measures, the Falconi Group aims to mitigate the risks of security incidents that may affect the data it handles, and even in the unlikely event of such an incident, we are committed to identifying, detecting, protecting, and responding to incidents with maximum efficiency, informing, whenever necessary, their occurrence, if it may represent a risk to your privacy.

However, even though we use the best security measures available in the market and are constantly evolving and continuously improving in this regard, it is important to clarify that it is not possible to guarantee the total inviolability of the data we handle (and this applies to companies in the Falconi Group and any other company). In any case, even if this happens, we have a remediation plan so that the potential damage is as minimal as possible or, preferably, non-existent.

9. WHAT ARE THE RIGHTS OF THE DATA SUBJECT

The Brazilian General Data Protection Law (LGPD) sets out in its articles 9, 18, and 20 the rights of the data subject, which can be exercised before the Falconi Group by making a direct request to our Data Protection Officer (DPO) at the email address indicated at the end of this Policy.

According to Article 9 of the LGPD, as a data subject, you have the right to easily access the following information about the processing of your data:

i) the purpose of the processing of your data;

ii) its form and duration, provided that our trade secrets and industrial secrets are respected, that is, if a request is likely to violate our trade secrets and industrial secrets, we reserve the right not to comply, as permitted by the LGPD;

iii) the identification and contact information of the data controller;

iv) information about any sharing of the processed data;

v) the responsibilities of the processing agents involved; and

vi) all your rights listed in Article 18 of the LGPD, which are as follows:

a) Confirmation of the existence of processing by any of the companies in the Falconi Group;

b) Access to the personal data processed by the companies in the Falconi Group, once the existence of the processing has been confirmed;

c) Correction or updating of data processed by the Falconi Group;

d) Anonymization, blocking, or elimination of data processed unnecessarily, excessively, or in non-compliance with the LGPD, previously evaluated by our Data Protection Officer (DPO) and our Privacy team;

e) Portability of your data to another provider of goods or services, preserving the industrial and commercial secrets of the Falconi Group;

f) Revocation of consent and elimination of data;

g) Information about sharing your personal data with public or private entities, subject to trade secrets and industrial secrets;

h) Possibility of not providing consent and consequences of not providing consent.

In addition to the rights listed above, the data subject may also request a review of automated decisions made solely based on automated processing of personal data that affect their interests, including decisions intended to define their personal, professional, consumer, and credit profile, or aspects of their personality. For this purpose, “automated decisions” are those made through a process that automates data filtering through pre-established criteria, usually by using algorithms.

If, for any reason, the Falconi Group cannot take immediate action to comply with the data subject’s requests, we will send a response as soon as possible, explaining the reason, which may be one of the following:

1. The Falconi Group is not a data processor for your data, in which case we will indicate, if we have knowledge, the correct data processor; or

2. There is some factual or legal reason that prevents the immediate adoption of the requested measure, which, if possible, will be informed in the response.

Finally, to enable us to comply with requests and ensure the security of your data, we may request some information to verify your identity and confirm the authenticity of the request.

10. HOW TO EXERCISE YOUR RIGHTS

If your question has not been resolved or if you want to discuss any topic related to privacy and/or personal data protection, you can contact our Data Protection Officer (DPO), Caio Amorim, at any time through the link below or by email at [email protected].

Open your request

In addition, you can manage your consents through our Preference Center , without the need to open a request. If your contact intends to report any suspicious, illegal, or unethical conduct and/or attitude that violates our Code of Conduct, our Compliance Policy, our Anti-Corruption and Relationship with the Public Power Policy, or any current legislation, you can use the Whistleblowing Channel contained at https://compliance.falconi.com/ (which can be used completely anonymously and without any type of retaliation against the whistleblower, under any circumstance).

11. PRIVACY POLICY UPDATE

This Privacy Polícy is in its first version. This document is subject to further modification for update purposes and may be changed without Policy.