1. Institutional Commitment
The IGC Group recognizes the importance and relevance of the electronic records and Personal Data provided in the use of its websites, systems, and services, and, consequently, the protection of its privacy. In such sense, by means of this Policy, the IGC Group communicates to its clients, employees, partners, and any third parties with which it relates, its commitment to: (i) protect the security and privacy of the Personal Data; (ii) transparently communicate its Personal Data processing activities; (iii) adequately implement and execute mechanisms and processes for exercising the rights of the Personal Data subjects; (iv) observe and comply with the legislation, and good governance practices applicable to the processing of Personal Data. We emphasize that the promotion of privacy, transparency, and the ethical and safe treatment of Personal Data are fundamental values for the IGC Group, in such a way that we will endeavor our best efforts to adopt the best practices that enable its adequate and lawful processing.
2. Liability for the processing activities
The IGC Group informs that the agents processing the Personal Data received or collected may either be the IGC Group, or any member connected to it, and, in such regard, clarifies that the IGC Group will act as a controlling agent or joint controller, establishing the purposes for the processing of the Personal Data, and being primarily liable for such activities, being incumbent upon the member to act as the operator of the Personal Data, if necessary.
3. Method of Personal Data Collection
The IGC Group processes the Personal Data necessary to fulfill its business purpose, in accordance with the obligations imposed on it by law. This way, the types and the volume of Personal Data that are processed vary according to the purposes of use, the activities carried out, as well as the interaction with the IGC, always observing an analysis guided by the principles of purpose, necessity, and adequacy. In this sense, the IGC Group may collect Personal Data in different ways, and such data may be provided directly by the subject, automatically through the use of our services, or by third parties as a result of their relationship with the IGC Group. Furthermore, we clarify that the IGC Group may have access to Personal Data of third parties related to its clients for the purpose of providing advisory services for which it may be contracted. In such sense, the IGC Group clarifies that all those who may provide or allow access to Personal Data of other people to the IGC Group (including through access to documents sent to potential interested parties and their respective advisors within the scope of a transaction that is being advised by the IGC Group), shall assure the IGC Group that: (i) they comply with the provisions and legal obligations imposed upon them by applicable regulations and legislation of Personal Data privacy, (ii) IGC will be authorized to process and share such Personal Data with third parties for the applicable purposes, and (iii) they will be liable for any award of damages that may be incurred by the IGC Group due to the provision of Personal Data in violation of applicable law. In order to present our processing activities with transparency, we present the main data we use and what are their respective purposes below. (i) Biographical attributes data of the individual, such as civil or corporate name, date of birth, parents’ names, place of birth, nationality, gender, address, e-mail addresses, telephone numbers; (ii) Registration data profession, occupation, marital status, classification as a Politically Exposed Person, identifying information before the registration of public bodies, such as enrollment number with the Individual Taxpayer’s Register (CPF), Social Identification number (NIS), registration number in the Social Integration Program (PIS), enrollment number in the Public Service Employee Savings (PASEP), Voter's Registration Card number, Brazilian Driver's License (CNH), Identity Card number (RG), or Foreigner's Identity Card (RNE), among others; (iii) Financial and transactional data information regarding financial statements and transactions related to the subject matter of the advisory services provided, bank account and card number, billing address, transaction records, and information of third parties' data regarding our clients and partners; (iv) Automatically collected data, characteristics of the access device, browser, IP (with date and time), location, IP source, information on clicks, pages accessed, the next page accessed after leaving the page from the IGC Group websites, or any search term entered on, or in reference to our websites, among others. For such collection, IGC will use standard technologies, such as cookies, pixel tags, among others, which are used with the purpose of improving the user's browsing experience, according to their habits, and preferences. In order to enable the provision of services for which the IGC Group is contracted, and due to the technological development, it is important to clarify that biometric attributes may be collected, with the user's consent. That is, information with measurable biological and behavioral characteristics of the individual. This information may be collected for automated recognition and fraud prevention. Also, when you access our websites, and social networks, your electronic device will automatically provide some information on how you can interact with our tools. Such information is provided by your browser, or device, through the use of cookies and other related resources, and is used by the IGC Group to help us identify preferences, and improve your experience on our official websites, and social networks. It is also important to remember that the IGC Group does not collect, or individually identify, such information for the purposes of analysis, and does not collect data after you log in to our systems and/or applications. The IGC Group only analyzes such data statistically, never individually, and always with the purpose of better understanding the interests and needs of the users of its channels. In order to prevent the indiscriminate use of data from the website, and official social networks of the IGC Group by internet users, or market analysts in general, visitors to our websites can install security features, such as an add on, or even disable, by means of your internet browser settings, the automatic collection of information through certain technologies, such as cookies and caches. However, it is worth knowing that once these technologies are disabled, some features offered by the website and/or social networks may no longer work correctly. The Personal Data collection activities by the IGC Group occur by means of digital or physical forms, as well as by telephone calls, or by directly accessing our websites and/or social networks, communication channels, tools, “software” (computer programs) or applications. We also clarify that we may collect Personal Data during the campaigns, events, and surveys that we carry out, or during the provision of our services. Regardless of the means used to obtain the Personal Data, its processing will only take place to fulfill the purposes mentioned in this Privacy Policy, especially for the provision of advisory services, in accordance with the applicable law and regulations.
4. Purposes of the Personal Data processing:
In general, the IGC Group processes Personal Data to enable the performance of its business, particularly, to provide the advisory services for which it is contracted. The processing of Personal Data will only be carried out when the law allows for it, that is, when it is necessary to, for example: (i) comply with contractual obligations, and perform services for which the IGC Group was contracted; (ii) comply with legal and regulatory obligations; (iii) exercise rights in administrative or arbitration, in or out of court proceedings, or even to determine, and remedy claims and/or complaints; (iv) protect its legitimate interests (for example, carrying out our business efficiently and conscientiously); (v) enable inspection actions by administrative bodies and authorities, including all activity of access, obtainment, and verification of data and information, by means of procedures and techniques applied by the Inspection Agent for the purpose of gathering evidence to determine compliance with obligations, and compliance by the inspected party; (vi) identify and prevent situations of non-compliance with its internal policies and regulations; (vii) promote the security of its facilities and systems; (viii) allow for the analysis and protection of credit, and of reputational risks. In such regard, the Personal Data may be used by the IGC Group for the purposes below, among others: (i) management and execution of commercial, financial, and other agreements of any kind; (ii) administrative management of suppliers and contractors, (iii) management of the team and of the labor relations, and recruitment of new employees; (iv) actions of communication, marketing, and prospecting for new clients; (v) maintenance of accounting records, and execution of internal audits; (vi) records of calls, visits, and messages; (vii) activities of intelligence and analytics, in which case, the data will be grouped in order to provide a macro analysis of a given scenario, and, therefore, will not seek to identify or make the subjects of the Personal Data identifiable, but only to better understand how they access our platforms, in order to improve the provision of services and customize products more targeted to the interests of the users, according to the mechanisms described in Section 3 above; and (viii) other purposes, such as preservation of the operations and documents history in order to meet regulatory, administrative, and auditing requirements, as well as the protection and exercise of its rights. In addition, the IGC Group may process Personal Data to maintain contact with you, by means of: (i) sending institutional communications and statements of transactions; (ii) organizing events, including management of those enrolled, reminders, and thank-you notes; and (iii) carrying out satisfaction surveys and providing feedback regarding our services and initiatives.
5. Sharing of Personal Data
The IGC Group does not sell Personal Data, but such data may be shared with third-party employees, representatives, and companies that are affiliated or partners of the IGC Group based in Brazil or abroad, with the purpose of fulfilling the purposes described in this Policy. It is worth mentioning that during the data-sharing process, the IGC Group will implement the best governance and information security practices to ensure the protection of your privacy. In such regard, the IGC Group may share Personal Data with: (i) Outsourced Companies: In the course of providing the services for which we are contracted, we may rely on outsourced companies to assist us, and, for such purpose, we will eventually share Personal Data with them in order to provide the services for which we are contracted. Such third parties may include, among others, correspondents, agents, consultants, specialists in the legal and accounting areas, and software providers, such as, for example, data hosting services for storing our database, and management services that allow us to manage and automate our activities. We emphasize that such third parties are only authorized to use the Personal Data shared for the specific purposes of performing the services for which they were contracted, and are required to process them with the security standards established by themselves, or by our internal policies; (ii) Banks, finance and card operating companies, and payment methods: We may share Personal Data with payment processors, fraud prevention agents, tax identification number agencies, companies that are part of payment arrangements, and banks so that we may process the payments for the goods and services you contracted; (iii) Analytics: We may share Personal Data with partners who provide intelligence and analytics services in order for us to better develop our activities. In such regard, the information shared is only that necessary for the analysis to be carried out and, whenever possible, we will anonymize the Personal Data that could identify the subject; (iv) Marketing Companies: We may share Personal Data with marketing companies for the sending of communications. All Personal Data shared have an adequate legal basis that justifies this type of processing, which may be your consent or a legitimate interest of IGC. In any case, during such process, we will always consider your privacy, and, where applicable, your right to object to the processing of such data; and (v) Regulatory and inspection bodies: We may, finally, when requested, whenever there is a legal obligation, or even in the regular exercise of our rights, share Personal Data with regulatory and inspection bodies such as Ministries, State, and Municipal Secretariats, Boards, and Development Agencies, including presenting documents in lawsuits and administrative proceedings, if necessary, or in order to comply with a court order, or request from a competent authority. Additionally, in the context of providing advisory services to a client, the IGC Group clarifies that it may share Personal Data (including those of third parties, as applicable) with potential companies interested in the transactions for which the IGC Group has been contracted to provide advisory, and their respective advisors, and representatives. If the IGC Group decides to sell or acquire companies, subsidiaries, products, assets, or even participate in corporate reorganizations, and considering that in such transactions, information regarding customers, employees and/or partners is generally one of the transferable assets of the business, your Personal Data may be transferred to interested third parties, as well as their respective advisors, including abroad.
6. International transfer of Personal Data
The IGC Group has its principal place of business in Brazil, and data processing operations are subject to Brazilian legislation. Therefore, when accessing or using the services we make available, the user located abroad consents to the transfer of their Personal Data to Brazil, and to other countries, within the limits of the legality of the Brazilian legal system. Although primarily carrying out our processing activities in the Brazilian territory, the IGC Group may, by means of operators, carry out the international transfer of Personal Data through its partners and/or suppliers. Notwithstanding, the IGC Group clarifies that when your Personal Data are transferred outside Brazil, appropriate measures will be implemented to seek the protection of the data shared in accordance with the requirements of the applicable law. However, when using our products or services, or providing Personal Data to the IGC Group, you are aware of and agree to the processing and international transfer of such data.
7. Rights of the Personal Data subject
Subject to the terms of the applicable law, the Personal Data subject may request to the IGC Group, at any time: (i) access and confirmation of the existence of the processing of their Personal Data, enabling the subject to be aware of whether their Personal Data are processed or not, and with whom they were shared; (ii) correction of the incomplete, inaccurate, or outdated Personal Data; (iii) anonymization, blocking, or exclusion of unnecessary or excessive Personal Data, as well as opposition to the processing provided in breach of the provisions of the applicable law; (iv) portability of Personal Data to a new supplier or service provider; (v) revocation of consent for the processing of Personal Data, in accordance with the terms of the applicable law; and (vi) information regarding the possibility of not providing consent to the processing of your Personal Data and its consequences.
8. Retention of the Personal Data
The IGC Group will keep your Personal Data stored only for as long as it is necessary to fulfill the purposes for which it was collected, including to comply with the legal, regulatory, fiscal, contractual, accountability obligations, to safeguard, or otherwise regularly exercise our rights. To determine the appropriate retention period, we consider the amount, nature, sensitivity of the Personal Data, and the potential risk of damage arising from its unauthorized use, as well as the purpose of the processing, and whether we can achieve such purposes by others means, as well as applicable legal requirements.
9. Security of the Personal Data processed
The IGC Group adopts security measures to protect your Personal Data and prevent it from being accidentally lost, used, changed, or disclosed in an unauthorized manner. The Personal Data is stored in a secure operating environment that is not accessible to the public, and we seek to limit access to such data to those who need to know it, being certain that anyone who has access to the Personal Data will be subject to obligations of confidentiality. Our Policy follows good market practices to protect the Personal Data sent to us, however, although we endeavor the best efforts to preserve your privacy and protect your Personal Data, we cannot guarantee complete security of data transmission, always being susceptible to the occurrence of information security incidents. In the remote event of incidents of this nature, the IGC Group will implement the measures it deems suitable to remedy the consequences of the event, always seeking the due transparency to the data subject. Furthermore, we request that in addition to implementing good security practices in relation to your account and your data, if you identify or become aware of something that compromises the security of your data, please contact us.
10. Updating rules and Policy changes
We regularly review our Privacy Policy, always seeking compliance with laws, regulations and new technologies, reflecting possible changes in our operations and business practices. Therefore, the IGC Group may change this Privacy Policy from time to time, due to our commitment to continuous improvement. Whenever any relevant condition of this Privacy Policy is changed, the new version will be published on our website, therefore, we recommend that it be periodically consulted on the IGC Group website. By continuing to use our services after a change in the Privacy Policy, said changes will be valid, effective and binding, and you will be agreeing to the new conditions. However, you can always express your disagreement through our service channels indicated below, if applicable. In the event that changes to this Privacy Policy result in changes in Personal Data processing practices that depend on your consent, we will request your consent to the new terms of the Privacy Policy in relation to the data processing and purposes indicated.
11. Contact us
The IGC Group appointed a Person in Charge of Personal Data Protection (DPO) to provide clarifications regarding the protection of the Personal Data collected, receive complaints, implement the necessary measures in relation to the protection of the privacy of Personal Data or even receive communications from the Brazilian Data Protection Authority (ANPD), as well as other assignments provided for by law or established by such Authority. The DPO will be available with the following contacts: Person in Charge of Personal Data Protection (DPO): Priscila Sartori Pacheco e Silva Mailing Address: Av. Brigadeiro Faria Lima, 2277, 6o andar, Jardim Paulistano, São Paulo, State of São Paulo, CEP (Zip Code) 01452-000 Email: priscila.pacheco@igcp.com.br