Privacy Policy

1. Introduction

1.1. Greenplac, a company belonging to the Colpar Brasil group, understands that the processing of personal data must be protected based on the fundamental rights of freedom and privacy, as provided for in Law No. 13.709/18 – General Personal Data Protection Law (“LGPD”).

 

2. Objective

2.1. The purpose of this Privacy and Personal Data Protection Policy (“Policy”) is to provide guidance on the guidelines applicable to the privacy and protection of personal data of customers, employees, third parties, service providers, suppliers and partners to which Greenplac has access due to the performance of its activities, establishing the applicable rules on the collection, registration, storage, use, sharing and elimination of data, in accordance with good practices, regulations and current legislation.

 

3. Scope

3.1. This policy applies to all employees, regardless of the position or function held, as well as third parties, service providers and suppliers who have access to customer or Greenplac employee information.

3.2. All Greenplac units and branches must define their directions based on the guidelines provided in this policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

 

4. Concepts

  • Customers: Natural person who has acquired Greenplac products or services, or who has registered on the Greenplac website and e-commerce pages, to whom the personal data being processed refers.
  • Personal data: Any information related to an identified or identifiable natural person, such as: first name, last name, date of birth, personal documents (CPF, RG, CNH, Work Card, passport, voter registration card, among others), residential or business address, telephone, email, cookies and IP address).
  • Sensitive personal data: Any personal data concerning racial or ethnic origin, religious conviction, political opinion, trade union membership or membership of a religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
  • Data Protection Officer – DPO: This is the Data Protection Officer, a person designated by Greenplac to act as a communication channel between the personal data subjects and the National Data Protection Authority (“ANPD”).
  • Information: Data, processed or not, that can be used for the production and transmission of knowledge, contained in any medium, support or format.
  • Personal Data Protection: Guarantee to data subjects the rights of access, correction, control and confidentiality of information.
  • Controlled Companies: These are companies in which Greenplac, directly or indirectly, holds partner or shareholder rights that permanently ensure its preponderance in corporate decisions and the power to elect the majority of administrators.
  • Stakeholders/Publics of Interest: These are all relevant publics with interests pertinent to Greenplac, or individuals or entities that assume some type of direct or indirect risk, due to the company. Among others, the following stand out: shareholders, investors, employees, society, customers, suppliers, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of digital platforms and non-governmental organizations.
  • Third Parties: Natural or legal person, of public or private law, who provides services to Greenplac, on its premises or remotely, and in the exercise of their activities may have access to information related to Greenplac's business or its customers.
  • Data Subject: Natural person to whom the personal data being processed refers.
  • Anonymization: Use of reasonable and available technical means at the time of processing, through which data loses the possibility of association, direct or indirect, to an individual.
  • Anonymized data: Data relating to a subject that cannot be identified, considering the use of reasonable technical means available at the time of its processing.
  • Pseudonymization: Processing through which data loses the possibility of association, direct or indirect, to an individual, except through the use of additional information kept separately by the controller in a controlled and secure environment.
  • Database: Structured set of personal data, established in one or more locations, in electronic or physical support.
  • Consent: Free, informed and unequivocal manifestation by which the subject agrees to the processing of their personal data for a determined purpose.
  • Deletion: Exclusion of data or a set of data stored in a database, regardless of the procedure employed.
  • International data transfer: Transfer of personal data to a foreign country or international organization of which the country is a member.
  • Shared use of data: Communication, dissemination, international transfer, interconnection of personal data or shared processing of personal data databases by public bodies and entities in the performance of their legal competencies, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing permitted by these public entities, or between private entities.
  • ANPD: National Data Protection Authority, a public administration body responsible for ensuring, implementing and overseeing compliance with this Law throughout the national territory.

 

5. Guidelines

5.1. Initial provisions

5.1.1. This Policy aims to demonstrate Greenplac's commitment to:

5.1.1.1. Ensure the privacy and protection of personal data collected from customers, employees, third parties, service providers, suppliers and partners, due to the performance of its activities;

5.1.1.2. Adopt guidelines that ensure comprehensive compliance with good practices, regulations and laws related to personal data protection;

5.1.1.3. Promote transparency regarding how Greenplac processes personal data; and

5.1.1.4. Adopt protection measures in relation to the risk of security incidents involving personal data.

 

5.2. Information subject to the Policy

5.2.1.  This Policy covers:

5.2.1.1. All information provided or collected in the context of the sale of products or provision of services by Greenplac to its customers; and

5.2.1.2. All information of employees, third parties, service providers, suppliers and partners collected in the context of a contractual or legal obligation.

 

5.3. Personal data collected

5.3.1. The personal data collected may vary according to the relationship maintained with Greenplac and are classified into the following groups:

5.3.1.1. Information provided by the data subject: This is information entered or submitted by the data subject or their legal representative, resulting from contact, registration, contract or invoice issuance with Greenplac, which may include, but is not limited to, the following data: full name, CPF, date of birth, marital status, nationality, place of birth, filiation, beneficiaries, profession, data of the company of which they are a partner, owner, legal representative or proxy, full address, banking details, email address, telephone number and biometric data;

5.3.1.2. Information collected from the use of e-commerce services: This is information related to the use of Greenplac's e-commerce, such as website registration, electronic payment methods, captured by Greenplac and transmitted and/or shared with third parties in the context and limit necessary for the processing of orders and settlement of electronic payment transactions or for the transmission of information relating to non-financial transactions, the object of the products purchased or services rendered;

5.3.1.3. Information collected from the use of websites and applications: This refers to access and navigation to Greenplac's websites, pages and applications, containing information about device identification and connection (date, time and IP). Geolocation may also be collected, for fraud prevention and security;

5.3.1.4. Information collected from interactions on social media and platforms: This is information collected from interactions made through Greenplac's social media and/or networks;

5.3.1.5. Financial information: This is information about the financial or credit situation, such as income, assets, negative credit status, positive credit registration data and data from the Central Bank's Credit Information System, in accordance with applicable law; and

5.3.1.6. Greenplac will only process data of minors under 18 years of age under the terms of article 14 of Law 13.709/2018 and relevant legislation.

 

5.4. Method and purpose of collection

5.4.1. Information will be collected through ethical and legal means and stored in a secure and controlled environment, for the period required by law or current regulation. Greenplac undertakes to take all appropriate measures to maintain absolute secrecy and strict confidentiality of all information, personal data or specifications to which it has access or that it may come to know or become aware of regarding commercial transactions, sales of its products or services to its customers, as well as individuals directly related to customers, to which it may have access due to the employment relationship, contractual relationship or partnership, being prohibited from assigning and/or allowing third parties access to such information, except for the hypotheses described in this Policy and determined by law.

5.4.2. Greenplac uses all collected information, via physical or digital registration completed by the user on its website, page or application, collected directly from customers or automatically, for the following purposes: (i) request for service and/or product quotation; (ii) sale of products or contracting of service provision; (iii) expand offers for commercialization and dissemination of products and services of interest to customers, employees and partners, sending email marketing or advertising campaigns; (iv) personalize and improve offered products and services; and (v) prevent fraud, among other cases that may deviate from the conventional.

5.4.3. Greenplac, in some cases, may also process personal data when necessary for the fulfillment of a legal or regulatory obligation or the regular exercise of rights in a judicial, administrative or arbitration proceeding.

5.4.4. Greenplac may also process personal data based on its legitimate interest, always within the limits of its expectation, and never to the detriment of the data subject's interests, fundamental rights and freedoms.

5.4.5. Greenplac may process sensitive personal data for fraud prevention or for research purposes and in this case, whenever possible, the anonymization of sensitive personal data will be guaranteed. And also, with due consent, specifically and prominently.

5.4.6. The collected information may also be used for advertising purposes, such as sending communications and news that may be of interest to current and potential customers and third parties. In these cases, the objective will be to better serve the target audience by offering products suited to their needs and profile.

5.4.7. The collected information may also be used for profile analysis, identification, management and treatment of potential risks in the offer and contracting of products and/or services and in other risk management activities, also aiming at the security of customers and users.

5.4.8. Greenplac may also collect and process data for:

 

4.8.1. Analyze activities related to credit protection, such as credit risk assessment and management, financial and asset situation assessment, collection, credit assignment, activities related to information and consultation with credit protection entities and positive registration, among others;

 

4.8.2. Comply with legal, regulatory and self-regulatory obligations, such as: internal audit activities and compliance, prevention of money laundering and terrorist financing, reports to the Federal Revenue Service, fraud prevention measures, provision of information to the Central Bank of Brazil and other competent bodies, in Brazil and abroad, communication of suspicious operations to COAF (Council for Financial Activities Control), among other activities;

4.8.3. The regular exercise of rights, including in judicial or arbitration proceedings to which Greenplac is a party;

4.8.4. Execution of internal and managerial processes for decision-making on operations, businesses, services, products, activities and initiatives carried out by Greenplac;

4.8.5. Processing of purchases, returns and exchanges of products, deliveries, invoice issuance, among others;

4.8.6. Transfer of information or sharing of data in cases of credit assignment for debt collection;

4.8.7. Other situations of processing based on legitimate purposes, such as, for example, supporting and promoting activities or providing services that benefit customers; and

4.8.8. Promote events, carry out sponsorships and other activities and initiatives.

 

5.5. Relationship with third parties

5.5.1. Third-party access to information collected by Greenplac occurs exclusively for the purposes informed in this Policy and within the limit necessary for the performance of activities related to the course of its business, and may include, but is not limited to, access by:

5.5.1.1. Payment scheme institutions and members of such schemes;

5.5.1.2. Electronic funds transfer networks;

5.5.1.3. Clearing and settlement banks;

5.5.1.4. Service providers that perform commercial and/or information processing operations for Greenplac;

5.5.1.5. Marketing partners;

5.5.1.6. Independent auditors;

5.5.1.7. Collection agencies, credit protection services and similar; and

5.5.1.8. Competent regulatory bodies.

5.5.2. The use of information collected by Greenplac, in any of the hypotheses provided for in item 5.1 above, is made exclusively to fulfill the purposes informed in this Policy, in the performance of Greenplac's activities or in offering the client specific content based on the use of information securely and aggregated about its area of operation, whenever possible in an encrypted manner and, when applicable, anonymized or pseudonymized.

5.5.3. Greenplac may share aggregated information publicly and/or with its partners, provided that such information is not personally identifiable. For example, it may publicly share information to demonstrate trends in the general use of its services and/or market trends and indices.

5.5.4. Whenever it is necessary to use the information collected by Greenplac for purposes other than those defined in this Policy or those expressly authorized by the data subject, Greenplac will directly inform the data subject about this new purpose and, when necessary, will collect a new authorization.

5.5.5. Additionally, some of the transfers indicated above may occur outside Brazilian territory.

5.5.6. The recipient countries of personal data are: the United States and countries that are members of the European Union, in which case Greenplac undertakes to do so only to countries that provide a degree of protection for your personal data considered adequate to that provided for in the applicable legislation; or through the adoption of guarantees and safeguards such as specific clauses, standard clauses, global corporate rules, among others; as well as through the prior collection of your specific consent or the observance of other hypotheses authorized by law.

5.5.7. Greenplac also requires all third parties contracted by it to maintain the confidentiality of the information shared with them or to which they have access by virtue of the exercise of their activity, as well as to use such information exclusively for the expressly permitted purposes. However, Greenplac will not be responsible for the improper use of such information, whether by third parties or by its employees, due to non-compliance with this Policy and the contractual obligations assumed through specific instruments.

5.5.8. Greenplac also requires all third parties contracted by it to comply with all the obligations contained in this Policy, and third parties will be subject to the same obligations as Greenplac, for the data processing activities carried out, before the data subjects.

 

5.6. Data security and confidentiality

5.6.1. Aiming at the security of collected and/or provided data, Greenplac has physical, logical, technical and administrative security processes compatible with the sensitivity of the collected information.

5.6.2. Greenplac implements new procedures and continuous technological improvements to protect all collected personal data.

5.6.3. Greenplac uses the latest methods and equipment available on the market to encrypt and anonymize personal data, when necessary. Encryption allows us to protect data before it is transmitted over the internet. Encryption techniques make this information unreadable and prevent others from viewing it before it reaches our technological environment.

5.6.4. Greenplac only authorizes specific individuals to access the location where personal information is stored, provided that this access is essential for the development of the intended activity.

5.6.5. Greenplac guarantees that employees, third parties or partners who process personal data must commit to maintaining absolute confidentiality of the accessed information, as well as adopting the best practices for handling this information, as determined in internal policies and regulations.

5.6.6. In addition to technical efforts, Greenplac also adopts institutional measures aimed at protecting personal data, maintaining a privacy governance program applied to its activities and structure.

5.6.7. Access to collected information is restricted to employees and authorized individuals. Those who misuse this information will be subject to applicable administrative, disciplinary, and legal sanctions.

5.6.8. Notwithstanding the security measures adopted, Greenplac is not responsible for damages resulting from the violation of information confidentiality due to the occurrence of any fact or situation for which it is not responsible.

5.6.9. In processing collected information, Greenplac uses structured systems to meet security and transparency requirements, good practice and governance standards, and the general principles established in Law No. 13,709/18 – LGPD.

5.6.10. All technologies used will always comply with current legislation and the terms of this Policy.

 

5.7. Data Subject Rights

5.7.1. In compliance with applicable regulations regarding the processing of personal data, Greenplac respects and guarantees data subjects the possibility to submit requests based on the following rights:

5.7.1.1. Confirmation of processing;

5.7.1.2. Access to data;

5.7.1.3. Correction of incomplete, inaccurate, or outdated data;

5.7.1.4. Anonymization, blocking, or elimination of unnecessary, excessive, or unlawfully processed data;

5.7.1.5. Elimination of data processed with the data subject's consent;

5.7.1.6. Obtaining information about public or private entities with which Greenplac shares your data;

5.7.1.7. Information about the possibility of the data subject not providing consent, as well as being informed about the consequences in case of refusal; and

5.7.1.8. Revocation of consent.

5.7.2. Some of the rights listed above may be exercised directly by the data subject or their legal representative, through the management of registration information available in the logged-in area of the website, while others will depend on sending a request to our Data Protection and Privacy Department, for subsequent evaluation and adoption of necessary measures. The channel for receiving such requests is the email of the Data Protection Officer – DPO: dpo@asperbras.com.

5.7.3. Any request for the exclusion of essential information for managing registration with Greenplac will imply the termination of your contractual relationship, with the consequent cancellation of the services then provided. The data may be kept in Greenplac's database to comply with legal or regulatory requirements.

 

5.8. Cooperation with Regulatory Authorities

5.8.1. In cases where the disclosure of personal data of customers, employees, or partners is necessary, whether due to compliance with law, court order, or competent body overseeing activities developed by Greenplac and/or third parties, such information must be revealed only within the strict terms and limits required for its disclosure. The data subjects whose information is disclosed will be notified, whenever possible, about such disclosure, so that they can take appropriate protective or corrective measures.

 

5.9. Changes

5.9.1. This Policy may be modified at any time, according to the purpose or need for adaptation and compliance with legal provisions, regulations, or whenever Greenplac and Conexões deem it necessary. Changes will be disclosed through the website: www.greenplac.com.br. Continued use of services, purchase of products, or provision of services to Greenplac, as the case may be, after disclosure of changes will be considered acceptance by the customer and third parties of the new terms and conditions.

 

6. Consequence Management

Internally, non-compliance with the guidelines of this Policy entails the application of accountability measures to agents who fail to comply, according to the severity of the non-compliance and in accordance with internal regulations.

Employees, suppliers, or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Communication Channel at the email below, with or without identifying themselves:

When an incident reported to the Communication Channel involves personal data and/or sensitive personal data, the area responsible for the Communication Channel must promptly inform the Data Protection Officer – DPO of the complaint.

 

7. Responsibilities

7.1. All employees or professionals who carry out their activities on behalf of or for the economic benefit of Greenplac must read, understand, and ensure compliance with this regulation, especially:

7.1.1. Administrators, employees, and third parties: Observe and ensure compliance with this Policy and, when necessary, contact the Data Protection Officer – DPO for consultation on situations involving conflict with this Policy or upon the occurrence of situations described herein.

7.1.2. Integrity and Privacy Committee and Data Protection and Privacy Department: (i) Keep this Policy updated to ensure that any regulatory/legal changes to the guidelines and general rules established herein are observed; (ii) Clarify doubts regarding this Policy and its application; (iii) Accept complaints and communications from data subjects, provide clarifications, and take measures; (iv) Receive communications from the National Data Protection Authority (“ANPD”) and take measures; (v) Guide Greenplac employees and third parties on the practices to be taken in relation to personal data protection; and (vi) Adopt initiatives for sharing information about incidents containing personal data with the ANPD and with data subjects, when necessary.

7.1.3. Legal Department: Clarify doubts regarding relevant legislation and regulation.

 

8. Omitted Cases

8.1. In case of doubts, users of this standard should promptly contact Greenplac's Information Data Protection and Privacy Department for clarification, and external users may contact the Data Protection Officer – DPO via email: dpo@asperbras.com.

 

9. Revisions

9.1. This regulation may be reviewed annually or at any time deemed necessary by Greenplac's Administration.

 

10. Reference Documents

  • Law 13.709/18 – General Data Protection Law;
  • Law 13.853/19 – Provisions on LGPD and Creation of ANPD.

 

11. General Provisions and Policy Management

This Policy will come into force from the date of its approval by the Administration of Colpar Brasil, Greenplac's controlling holding company, and will revoke any contrary documents.