Privacy Policy

1. Introduction

1.1. Greenplac, a company belonging to the Colpar Brasil group, understands that the processing of personal data must be protected based on the fundamental rights of freedom and privacy, as provided for in Law No. 13.709/18 – General Personal Data Protection Law (“LGPD”).

 

2. Objective

2.1. This Privacy and Personal Data Protection Policy (“Policy”) sets out the guidelines applicable to the privacy and protection of the personal data of customers, employees, third parties, service providers, suppliers, and partners to which Greenplac has access due to the performance of its activities, establishing the applicable rules for the collection, registration, storage, use, sharing, and elimination of data, in accordance with good practices, regulations, and current legislation.

 

3. Scope

3.1. This policy applies to all employees, regardless of position or function performed, as well as third parties, service providers, and suppliers who have access to information from Greenplac's customers or employees.

3.2. All Greenplac units must define their guidelines based on the provisions of this policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

 

4. Concepts

  • Customers: Natural person who has acquired products or services from Greenplac or has registered on Greenplac's website and e-commerce pages, to whom the personal data being processed refers.
  • Personal data: Any information related to an identified or identifiable natural person, such as: name, surname, date of birth, personal documents (CPF, RG, CNH, Work Permit, passport, voter ID, among others), residential or business address, telephone, email, cookies, and IP address.
  • Sensitive personal data: Any personal data about racial or ethnic origin, religious belief, political opinion, trade union membership or membership of a religious, philosophical or political organization, data related to health or sexual life, genetic or biometric data, when linked to a natural person.
  • Data Protection Officer – DPO: The person appointed by Greenplac to act as a communication channel between the personal data subjects and the National Data Protection Authority (“ANPD”).
  • Information: Data, processed or not, that can be used for the production and transmission of knowledge, contained in any medium, support or format.
  • Personal Data Protection: Guarantee to data subjects the rights of access, correction, control, and confidentiality of information.
  • Controlled Companies: These are companies in which Greenplac, directly or indirectly, holds shareholder or partner rights that permanently assure it preponderance in corporate resolutions and the power to elect the majority of administrators.
  • Stakeholders/Interested Publics: These are all relevant publics with interests pertinent to Greenplac, or individuals or entities that assume some type of risk, direct or indirect, in relation to the company. Among others, these include: shareholders, investors, employees, society, customers, suppliers, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of digital platforms, and non-governmental organizations.
  • Third Parties: Natural or legal person, public or private law, who provides services to Greenplac, on its premises or remotely, and in the exercise of their activities may have access to information related to Greenplac's business or its customers.
  • Data subject: Natural person to whom the personal data being processed refers.
  • Anonymization: Use of reasonable and available technical means at the time of processing, through which data loses the possibility of direct or indirect association with an individual.
  • Anonymized data: Data related to a data subject that cannot be identified, considering the use of reasonable technical means available at the time of its processing.
  • Pseudonymization: Processing by which data loses the possibility of direct or indirect association with an individual, except through the use of additional information kept separately by the controller in a controlled and secure environment.
  • Database: Structured set of personal data, established in one or several locations, in electronic or physical support.
  • Consent: Free, informed, and unequivocal manifestation by which the data subject agrees to the processing of their personal data for a specific purpose.
  • Deletion: Exclusion of data or a set of data stored in a database, regardless of the procedure used.
  • International data transfer: Transfer of personal data to a foreign country or international organization of which the country is a member.
  • Shared use of data: Communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in the fulfillment of their legal competencies, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing permitted by these public entities, or between private entities.
  • ANPD: National Data Protection Authority, a public administration body responsible for ensuring, implementing, and supervising compliance with this Law throughout the national territory.

 

5. Guidelines

5.1. Initial provisions

5.1.1. This Policy aims to demonstrate Greenplac's commitment to:

5.1.1.1. Ensuring the privacy and protection of personal data collected from customers, employees, third parties, service providers, suppliers, and partners, due to the performance of its activities;

5.1.1.2. Adopting guidelines that ensure comprehensive compliance with good practices, regulations, and laws related to personal data protection;

5.1.1.3. Promoting transparency about how Greenplac processes personal data; and

5.1.1.4. Adopting protection measures against the risk of security incidents involving personal data.

 

5.2. Information subject to the Policy

5.2.1. This Policy is applicable to:

5.2.1.1. All information provided or collected in the context of the sale of products or provision of services by Greenplac to its customers; and

5.2.1.2. All information of employees, third parties, service providers, suppliers, and partners collected in the context of a contractual or legal obligation.

 

5.3. Personal data collected

5.3.1. The personal data collected may vary according to the relationship maintained with Greenplac and are classified into the following groups:

5.3.1.1. Information provided by the data subject: These are those entered or forwarded by the data subject or their legal representative, resulting from contact, registration, contract, or issuance of an invoice with Greenplac, which may include, but are not limited to, the following data: full name, CPF, date of birth, marital status, nationality, place of birth, parentage, beneficiaries, profession, data of the company of which they are a partner, owner, legal representative, or proxy, full address, banking details, email address, telephone number, and biometric data;

5.3.1.2. Information collected from the use of e-commerce services: These are those related to the use of Greenplac's e-commerce, such as website registration, electronic payment methods, captured by Greenplac and transmitted and/or shared with third parties in the context and extent necessary for processing orders and settling electronic payment transactions or for transmitting information related to non-financial transactions, the subject of the products purchased or services rendered;

5.3.1.3. Information collected from the use of websites and applications: These correspond to accesses and navigation on Greenplac's websites, pages, and applications, containing information about device identification and connection (date, time, and IP). Geolocation may also be collected for fraud prevention and security;

5.3.1.4. Information collected from interactions on social media and platforms: These are those collected from interactions made through Greenplac's social media and/or networks;

5.3.1.5. Financial information: This refers to financial or credit status, such as income, assets, negative credit history, positive credit register data, and data from the Central Bank's Credit Information System, in accordance with applicable legislation; and

5.3.1.6. Greenplac will only process data of minors under 18 years of age in accordance with Article 14 of Law 13.709/2018 and relevant legislation.

 

5.4. Method and purpose of collection

5.4.1. Information will be collected by ethical and legal means and stored in a secure and controlled environment for the period required by law or current regulation. Greenplac undertakes to take all reasonable measures to maintain absolute secrecy and strict confidentiality of all information, personal data, or specifications to which it has access or which it may come to know about commercial transactions, sales of its products or services to its customers, as well as individuals directly related to customers, to which it may have access due to the employment, contractual or partnership relationship, being forbidden to assign and/or allow third parties access to such information, except for the hypotheses described in this Policy and determined by law.

5.4.2. Greenplac uses all collected information, via physical or digital registration completed by the user on its website, page, or application, collected directly from customers or automatically, for the following purposes: (i) request for service and/or product quotes; (ii) sale of products or contracting of service provision; (iii) expanding offers for commercialization and dissemination of products and services of interest to customers, employees, and partners, sending email marketing or advertising campaigns; (iv) personalizing and improving offered products and services; and (v) preventing fraud, among other cases that may be outside the conventional.

5.4.3. In some cases, Greenplac may also process personal data when necessary for compliance with a legal or regulatory obligation or the regular exercise of rights in judicial, administrative, or arbitration proceedings.

5.4.4. Greenplac may also process personal data based on its legitimate interest, always within the scope of its expectation, and never to the detriment of the data subject's interests, fundamental rights, and freedoms.

5.4.5. Greenplac may process sensitive personal data for fraud prevention or for research purposes, in which case the anonymization of sensitive personal data will be ensured whenever possible, and also with due consent, given specifically and prominently.

5.4.6. The collected information may also be used for advertising purposes, such as sending communications and news that are of interest to current, potential customers and third parties. In these cases, the objective will be to better serve the target audience by offering products suited to their needs and profile.

5.4.7. The collected information may also be used for profile analysis, identification, management, and treatment of potential risks in the offering and contracting of products and/or services and in other risk management activities, also aiming at the security of customers and users.

5.4.8. Greenplac may also collect and process data for:

5.4.8.1. Analyzing activities related to credit protection, such as credit risk assessment and management, financial and asset status assessment, collection, credit assignment, activities related to information and consultation with credit protection entities and positive credit registration, among others;

5.4.8.2. Complying with legal, regulatory, and self-regulatory obligations, such as: internal audit and compliance activities, prevention of money laundering and terrorist financing, reports to the Federal Revenue, fraud prevention measures, provision of information to the Central Bank of Brazil and other competent bodies, in Brazil and abroad, communication of suspicious operations to COAF (Council for Financial Activities Control), among other activities;

5.4.8.3. The regular exercise of rights, including in judicial or arbitration proceedings to which Greenplac is a party;

5.4.8.4. Execution of internal and managerial processes for decision-making on Greenplac's operations, businesses, services, products, activities, and initiatives;

5.4.8.5. Processing purchases, returns and exchanges of products, deliveries, invoice issuance, among others;

5.4.8.6. Passing on information or sharing data in cases of credit assignment for debt collection;

5.4.8.7. Other legitimate processing situations, such as supporting and promoting activities or providing services that benefit customers; and

5.4.8.8. Promoting events, carrying out sponsorships and other activities and initiatives.

 

5.5. Relationship with third parties

5.5.1. Third-party access to information collected by Greenplac occurs exclusively for the purposes informed in this Policy and within the necessary limits for performing activities related to its business operations, and may occur, including, but not limited to, with:

5.5.1.1. Payment scheme institutions and members of such schemes;

5.5.1.2. Electronic funds transfer networks;

5.5.1.3. Clearing and settlement banks;

5.5.1.4. Service providers who perform commercial and/or information processing operations for Greenplac;

5.5.1.5. Marketing partners;

5.5.1.6. Independent auditors;

5.5.1.7. Collection agencies, credit protection services and similar; and

5.5.1.8. Competent regulatory bodies.

5.5.2. The use of information collected by Greenplac, in any of the hypotheses provided for in item 5.1 above, is made exclusively to meet the purposes informed in this Policy, in the performance of Greenplac's activities or in offering the customer specific content based on the use of secure and aggregated information about its area of operation, whenever possible in encrypted form and, when applicable, anonymized or pseudonymized.

5.5.3. Greenplac may share aggregated information, publicly and/or with its partners, provided that such information is not personally identifiable. For example, it may publicly share information to demonstrate trends in the general use of its services and/or market trends and indices.

5.5.4. Whenever it becomes necessary to use information collected by Greenplac for purposes other than those defined in this Policy or those expressly authorized by the data subject, Greenplac will directly inform the data subject about this new purpose and, when necessary, collect new authorization.

5.5.5. Additionally, some of the transfers indicated above may occur outside Brazilian territory.

5.5.6. The recipient countries of personal data are: the United States and member countries of the European Union, in which case Greenplac undertakes to do so only for countries that provide a degree of protection for your personal data considered adequate to that provided for in the applicable legislation; or through the adoption of guarantees and safeguards such as specific clauses, standard clauses, global corporate rules, among others; as well as through the prior collection of your specific consent or compliance with other hypotheses authorized by law.

5.5.7. Greenplac also requires all third parties contracted by it to maintain the confidentiality of the information shared with them or to which they have access by virtue of their activity, as well as to use such information exclusively for the purposes expressly permitted. However, Greenplac will not be responsible for the improper use of such information, whether by third parties or by its employees, due to the non-compliance with this Policy and the contractual obligations assumed through specific instruments.

5.5.8. Greenplac also requires all third parties contracted by it to comply with all obligations contained in this Policy, and third parties will be subject to the same obligations as Greenplac, for the data processing activities performed, towards the data subjects.

 

5.6. Data security and confidentiality

5.6.1. Aiming at the security of collected and/or provided data, Greenplac has physical, logical, technical, and administrative security processes compatible with the sensitivity of the collected information.

5.6.2. Greenplac implements new procedures and continuous technological improvements to protect all collected personal data.

5.6.3. Greenplac uses the latest methods and equipment available on the market to encrypt and anonymize personal data, when necessary. Encryption allows us to protect data before it is transmitted over the internet. Encryption techniques make this information unreadable and prevent others from viewing it before it reaches our technological environment.

5.6.4. Greenplac only authorizes specific individuals to access the location where personal information is stored, provided that this access is essential for the development of the intended activity.

5.6.5. Greenplac guarantees that employees, third parties, or partners who process personal data must commit to maintaining absolute confidentiality of the accessed information, as well as adopting the best practices for handling this information, as determined in internal policies and norms.

5.6.6. In addition to technical efforts, Greenplac also adopts institutional measures aimed at protecting personal data, maintaining a privacy governance program applied to its activities and structure.

5.6.7. Access to collected information is restricted to employees and authorized individuals. Those who misuse this information will be subject to applicable administrative, disciplinary, and legal sanctions.

5.6.8. Notwithstanding the security measures adopted, Greenplac is not responsible for damages resulting from the violation of information confidentiality due to any fact or situation for which it is not liable.

5.6.9. In processing the collected information, Greenplac uses structured systems to meet security and transparency requirements, good practice and governance standards, and the general principles established in Law No. 13.709/18 – LGPD.

5.6.10. All technologies used will always respect current legislation and the terms of this Policy.

 

5.7. Data Subject Rights

5.7.1. In compliance with applicable regulations regarding the processing of personal data, Greenplac respects and guarantees data subjects the possibility to submit requests based on the following rights:

5.7.1.1. Confirmation of processing existence;

5.7.1.2. Access to data;

5.7.1.3. Correction of incomplete, inaccurate, or outdated data;

5.7.1.4. Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;

5.7.1.5. Deletion of data processed with the data subject's consent;

5.7.1.6. Obtaining information about public or private entities with whom Greenplac shared their data;

5.7.1.7. Information about the possibility for the data subject not to provide consent, as well as being informed about the consequences in case of refusal; and

5.7.1.8. Revocation of consent.

5.7.2. Part of the rights outlined above may be exercised directly by the data subject or their legal representative, through the management of registration information available in the logged-in area of the website, while another part will depend on submitting a request to our Data Protection and Privacy Department, for subsequent evaluation and adoption of necessary measures. The channel for receiving requests of this nature is the email of the Data Protection Officer – DPO: dpo@asperbras.com.

 

5.7.3. Any request for the exclusion of information essential for managing registration with Greenplac will imply the termination of its contractual relationship, with the consequent cancellation of the services then provided, and the data may be kept in Greenplac's database, for compliance with legal or regulatory requirements.

 

5.8. Cooperation with Regulatory Authorities

5.8.1. In cases where the disclosure of personal data of customers, employees, or partners is necessary, whether due to compliance with the law, a court order, or a competent body overseeing the activities developed by Greenplac and/or third parties, such information shall be revealed only under the strict terms and within the limits required for its disclosure, and the data subjects of the disclosed information, as far as possible, will be notified of such disclosure, so that they may take appropriate protective or corrective measures.

 

5.9. Changes

5.9.1. This Policy may be modified at any time, according to the purpose or need for adaptation and compliance with legal provisions, regulations, or whenever Greenplac deems necessary. Changes will be published through the website: www.greenplac.com.br. Continued use of services, purchase of products, or provision of services to Greenplac, as the case may be, after publication of changes will be considered acceptance by the customer and third parties of the new terms and conditions.

 

6. Consequence Management

Internally, non-compliance with the guidelines of this Policy leads to the application of accountability measures for the agents who fail to comply, according to the respective severity of the non-compliance and in accordance with internal regulations.

Employees, suppliers, or other stakeholders (interested parties) who observe any deviations from the guidelines of this Policy may report the fact to the Communication Channel at the email below, optionally identifying themselves:

When an incident reported to the Communication Channel involves personal data and/or sensitive personal data, the area responsible for the Communication Channel must promptly inform the Data Protection Officer – DPO of the complaint.

 

7. Responsibilities

7.1. All employees or professionals who perform their activities on behalf of or for the economic benefit of Greenplac must read, understand, and ensure compliance with this regulation, especially:

7.1.1. Administrators, employees, and third parties: Observe and ensure compliance with this Policy and, when necessary, contact the Data Protection Officer – DPO for consultation on situations involving conflict with this Policy or upon the occurrence of situations described herein.

7.1.2. Integrity and Privacy Committee and Data Protection and Privacy Department: (i) Keep this Policy updated to ensure that any regulatory/legal changes to the guidelines and general rules established herein are observed; (ii) Clarify doubts regarding this Policy and its application; (iii) Accept complaints and communications from data subjects, provide clarifications, and take action; (iv) Receive communications from the National Data Protection Authority ("ANPD") and take action; (v) Guide Greenplac's employees and third parties regarding the practices to be taken in relation to personal data protection; and (vi) Adopt initiatives for sharing information about incidents containing personal data with the ANPD and with data subjects, when necessary.

7.1.3. Legal Department: Clarify doubts regarding relevant legislation and regulation.

 

8. Omitted Cases

8.1. In case of doubts, users of this standard should promptly contact Greenplac's Data Protection and Privacy Department for clarification, and external users may contact the Data Protection Officer – DPO via email: dpo@asperbras.com.

 

9. Revisions

9.1. This regulation may be reviewed annually or at any time deemed necessary by Greenplac's Administration.

 

10. Reference Documents

  • Law 13.709/18 – General Data Protection Law;
  • Law 13.853/19 – Provisions on LGPD and Creation of the ANPD.

 

11. General Provisions and Policy Management

This Policy will come into force from the date of its approval by the Administration of Colpar Brasil, Greenplac's controlling holding company, and will revoke any contrary documents.