Global Privacy Policy

1. OBJECTIVE

SoftExpert Software S.A. (“SoftExpert” or “organization”) was founded on February 1, 1995, and is currently a leading company in the information technology sector, with the main objective of offering its clients software and services aimed at continuous improvement and optimization of their business processes, transforming operational excellence into a true competitive advantage.

SoftExpert's business is the commercialization of products and services for legal entities. However, in the performance of its functions, the organization may carry out activities characterized as processing personal data. During the execution of these operations, SoftExpert is committed to observing the basic security and privacy requirements defined by the General Data Protection Law (“LGPD”).

The privacy and security of personal data collected by SoftExpert are of enormous importance. For this reason, SoftExpert seeks, through this document, to demonstrate its commitment to the protection and privacy of personal data, covering topics such as data subjects' rights, data usage methods and types, legal bases legitimizing the processing, and means of contact for exercising rights and communication with SoftExpert.

2. SCOPE

This document is applicable to all data subjects whose personal data is processed by SoftExpert, including employees, clients, suppliers, business partners, and any other involved parties, in accordance with applicable data protection legislation.

3. REFERENCES

The following are the standards that this document adopts:

• a) LGPD - General Data Protection Law.
• b) NBR ISO27001 - Information security management systems - Requirements.

4. TERMS

For the purposes of this document, the following terms and definitions are adopted:

4.1 Data Subject

Natural person to whom the personal data being processed refers.

4.2 Controller

The natural or legal person, public or private, to whom the decisions regarding the processing of personal data belong. In other words, it is the entity responsible for decision-making related to the activity to be performed with personal data.

4.3 Processor

The natural or legal person, public or private, who processes personal data on behalf of the controller and in accordance with the purpose determined by them.

4.4 Personal Data

Any information or combination of information that can uniquely identify a data subject without ambiguity.

4.5 Sensitive Personal Data

Personal data related to racial or ethnic origin, religious beliefs, political opinions, union membership or membership in religious, philosophical, or political organizations, data concerning health or sex life, genetic or biometric data.

4.6 Data Protection Officer/DPO

The person responsible for acting as a communication channel between the Controller, data subjects, and the National Data Protection Authority, when the matter involves personal data.

4.7 Processing

Any activity that uses personal data in its execution, including but not limited to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, and evaluation.

5. About This Policy

This Policy aims to:

1. Ensure that individuals from whom SoftExpert collects information understand what personal data SoftExpert processes, the reasons for processing it, and whether their information is shared or not.
2. Explain how SoftExpert uses the mentioned personal data.
3. Explain that SoftExpert collects and processes data and how SoftExpert will protect this data.

SoftExpert hopes that this policy helps in understanding its commitment to the privacy of its clients and third parties from whom SoftExpert collects information.

6. Rights and preferences of individuals: SoftExpert provides users with options and control

As provided in applicable law and unless limited by it, the rights granted to individuals are as follows:

1. Right to confirmation and access: The data subject has the right to verify if a certain organization processes their personal data. If so, they also have the right to access their own information.
2. Right to correct incomplete, inaccurate, or outdated data: This is the right to request that SoftExpert corrects or updates personal data whenever it is incorrect or incomplete.
3. Right to information deletion, where possible: The data subject has the right to request the deletion of their data, provided there is no legal basis justifying the retention of their information in the database.
4. Right to object: (i) Right to object, at any time, to the processing of their personal data for reasons related to their particular situation; (ii) Right to object to their personal data being processed for direct marketing purposes.
5. Right to data portability: Consists of the right to request a copy of their personal data in electronic format and the right to transfer such personal data for use in third-party services.
6. Right to revoke consent, where the legal basis is consent: Consists of the right to request the revocation of any consent previously provided, authorizing the processing of their personal data.
7. Right to obtain information on the possibility of not providing consent and on the consequences of refusal: Depending on the specific case, the legal basis may be consent. Thus, if this occurs, the data subject has the right to obtain clear information about what will be done with their personal data and what might happen if they do not authorize the processing.

It should also be clarified that the data subject may exercise their rights through written communication, specifying the right they wish to exercise, as well as requesting clarifications on any questions about processing. For this, they should send an email to privacy@softexpert.com. SoftExpert will respond to requests within the legal timeframe of 15 days, reserving the right to extend this period, provided it is justified.

7. How SoftExpert collects personal data

SoftExpert collects personal data in the following ways:

1. By filling out forms on the SoftExpert website: SoftExpert receives and stores all information provided through contact forms on its website, either for contracting SoftExpert products and services or showing interest in promotional and marketing materials.
2. Third parties: SoftExpert receives certain information from third parties, including, but not limited to, partners it works with.
3. Customer employees’ data: SoftExpert receives and stores personal data of Customer employees designated to centralize the opening of service tickets for SoftExpert support services.
4. Contract signatories' data: SoftExpert receives personal data of legal representatives and witnesses designated as signatories of Contracts and Amendments signed with clients, service providers, and suppliers.
5. Cookies: SoftExpert collects data to improve users’ browsing experience while using the organization’s website.
6. Events: SoftExpert collects data through events it participates in or organizes for clients, partners, or the general community, and such data is collected to maintain contact with participants when there is an interest in keeping in touch.
7. Recruitment platform and employee data: During the recruitment process for job vacancies, SoftExpert uses third-party software to host information and carry out candidate prospecting, interviews, and hiring. Once this process is complete, the candidate will be asked to submit the documentation and information required for registration.

Whenever possible, SoftExpert uses anonymized and aggregated information for purposes that include testing its IT systems, investigation, data analysis, creating marketing and promotional models, improving its software and services, and developing new features and functionalities.

8. Personal data processed by SoftExpert

In carrying out SoftExpert's commercial activities, it may process personal data relating to individuals who interact, have interacted, or will interact with the organization, directly or indirectly, as well as personal data specifically related to clients, business partners, service providers, employees, and associates. Such personal data may be expanded depending on the specific case; however, SoftExpert primarily processes:

1. Contact and Identification Data: Information that can minimally identify a data subject, such as name, email, phone number, job position, and the company they work for. This data may also be used for service provision by SoftExpert to clients.
2. Professional data: In addition to the previous data, data on the data subject’s professional context, such as history and experiences, may be processed.
3. Cookies: Cookies are information related to how the SoftExpert website is used, such as the content and links accessed, and the time spent viewing information. The data subject can find more information in SoftExpert's Cookie Policy.

SoftExpert may, in certain situations, process personal data of children or adolescents, always linking this processing to the legal basis that makes it legitimate, as per LGPD.

Occasionally, SoftExpert may process sensitive personal data. In cases where SoftExpert is the controller, it will respect the provisions of article 11 of the LGPD, which requires obtaining the data subject's consent or, if there is no consent, when processing is essential for compliance with legal or regulatory obligations, the regular exercise of rights, including in contracts and legal, administrative, and arbitration processes, protection of life or physical integrity of the data subject or third parties, health protection, exclusively in procedures performed by health professionals, health services, or health authority; or ensuring fraud prevention and data subject security in identification and authentication processes for electronic system registration, safeguarding the rights mentioned in article 9 of the LGPD and except where fundamental rights and freedoms of the data subject prevail that require personal data protection. The types of personal data processed vary according to the purposes and activities performed.

In cases where SoftExpert acts as a processor, personal data processing will be limited to the execution of the service itself, with the controller being responsible for correctly associating the legal basis or even obtaining appropriate consent, as applicable.

However, SoftExpert limits its processing to the minimum necessary personal data for each process.

9. SoftExpert's role as Data Controller and/or Data Processor

Depending on the formalized legal relationship, SoftExpert may occupy the position of Controller or Processor of data, according to the concepts indicated in this document and in accordance with LGPD.

Thus, when it is up to SoftExpert to determine the purposes, means, and decision-making regarding data processing, the organization will be considered a Controller, as is the case with its employees' personal data, for example.

When SoftExpert performs data processing on behalf of a Controller, it will be considered a Processor, such as when SoftExpert provides cloud environment management services to the client. Additionally, service providers, consultants, and partners may also act as Data Processors when they perform data processing operations for SoftExpert clients.

Regardless of the role played by SoftExpert during the execution of its activities, SoftExpert declares through this document that it has good data governance practices, taking into account the nature, scope, purpose, probability, and severity of risks and benefits arising from data processing.

10. Legal basis for Personal Data Processing

LGPD establishes, in its article 7, the grounds that legitimize personal data processing, i.e., it lists situations that authorize the execution of activities considered data processing. The Law establishes that each process involving data processing must be based on at least one legal basis that authorizes the operation.

SoftExpert may process personal data based on the following situations:

1. When the data subject authorizes and consents to the processing of their data.
2. To comply with a legal or regulatory obligation imposed by law or by a competent entity.
3. For the regular exercise of rights in judicial, administrative, or arbitration processes.
4. To protect the life or physical integrity of the data subject or third parties.
5. To serve SoftExpert’s or third parties' legitimate interests, except in cases where the data subject's fundamental rights and freedoms prevail, requiring personal data protection.
6. For credit protection, including as provided in applicable legislation.

Additionally, SoftExpert invests, adopts, and exerts significant efforts to implement technical and organizational measures to protect personal data from unauthorized and improper access. These measures and solutions take into account the nature, context, risks, purposes, and costs involved in their application.

11. International Data Transfers

SoftExpert processes personal information within national territory and in countries with similar and equivalent legislation. In this regard, when SoftExpert performs cross-border data processing, it safeguards data subjects' rights and adopts technical and organizational measures capable of protecting data subjects' personal data.

Additionally, SoftExpert may share personal data to assist in fraud investigations and prevention, where requests from corresponding authorities are compatible with legal, regulatory, or applicable legal process requirements.

12. Data Retention and Disposal

SoftExpert may retain personal data collected for as long as necessary to provide the services it makes available to its clients and for legitimate and essential commercial purposes, such as to maintain the performance of its software, make business decisions regarding features and offerings based on data, meet legal obligations, and resolve disputes.

Once the intended purpose is met, such information may be discarded unless another legal basis justifies the retention of this information.

13. Personal Data Security

SoftExpert is committed to adopting the necessary technical and organizational measures to protect personal data it processes, ensuring it is safeguarded against unauthorized access, destruction, loss, alteration, improper communication, or unauthorized disclosure. Although we strive to maintain a high level of security, it is important to emphasize that no system is completely immune to risks.

To ensure adequate protection, SoftExpert uses solutions that follow the best technical practices available in the market, considering implementation costs, the nature and context of data processing, specific purposes, and risks associated with data subjects' rights and freedoms.

SoftExpert also holds ISO 27001:2022 certification, attesting to the existence of an Information Security Management System (ISMS). This system includes policies, procedures, and processes that guide the protection of information confidentiality, integrity, and availability. As part of this commitment, internal and external audits are periodically conducted by certification bodies, ensuring continuous improvement and compliance with high-security standards.

In addition, SoftExpert commits to promptly notify data subjects in the event of a security incident that could pose risks or cause significant harm to their rights and freedoms, adopting all necessary corrective measures.

It is worth noting that, under the General Data Protection Law (LGPD), SoftExpert cannot be held responsible for events exclusively caused by third parties or by the data subject.

Finally, SoftExpert ensures that personal data under its management is processed based on the principles of confidentiality, integrity, and availability, in accordance with legal requirements and information security standards.

14. Data Protection Officer (DPO)

The figure of the Data Protection Officer, also known as the DPO, is the person appointed by the Controller to act as a communication channel between the Controller, data subjects, and the ANPD.

The Data Protection Officer/DPO appointed by SoftExpert is Tatiane Arnhold, who can be contacted via email at privacy@softexpert.com.

15. Privacy Notice Changes

This Privacy Notice was last updated on 10/05/2024. SoftExpert reserves the right to change this document at any time, at its sole discretion or regulatory update. The provisions of this document will take effect immediately after its publication on the SoftExpert website.

16. How to contact us

If you have any questions about this document or how personal data is handled by the organization, you can contact us through the following means:

1. Controller/Processor: SoftExpert Software S.A.
2. Phone: +55 (47) 2101-9900
3. Data Protection Officer (DPO): Tatiane Arnhold
4. Email: privacy@softexpert.com