Privacy Policy

---

Effective date: 03/01/2023 

Your personal data and your privacy are safe with us.

This policy is intended to clarify to Data Holders (clients, partners, suppliers, users, employees, or people who relate to ATC Compliance Group about our actions for protection and respect for the processing of personal data collected, why they are collected and for what purposes). purposes they are used. 

ATC Compliance Group is formed to the companies in Brazil and Portugal, herein referred to as ATC Compliance Group: 

• Compliance.Com Soluções Empresariais Ltda., CNPJ 22.154.499/0001-24, headquartered at Rua Copaíba, Lote 10, Edifício Rosely Gonçalves, Sala 1709 - Águas Claras, Brasília DF, 71.931-720, Brazil; 

• ATC Compliance - Audit, Training and Consulting, VAT 309.404.754, headquartered at Praceta Gil Eanes, 2, Santo António dos Cavaleiros, Loures/Portugal, 2660-444, Portugal. 

Legal basis 

Brazil: Law 13.709, known as the General Law on Personal Data Protection ("LGPD"), came into force on 18 September 2020. 

Portugal: The General Data Protection Regulation number 679/2016 ("GDPR"), entered into force on 25 May 2018. 

For the purposes of this policy, the legal bases of Brazil and Portugal related to Data Protection will be considered as "GDPR". The purpose of these regulations is to regulate the processing of personal data of customers and users by public or private companies. 

The GDPR sets out rules on the collection, storage, processing and sharing of personal data, imposing more protection and penalties for non-compliance. 

These regulations also establish that data processing must include any operation carried out with personal data, such as: the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer. 

ATC Compliance Group complies with the following Principles for the processing of personal data: 

Principle of purpose - We obey a determined purpose, being forbidden the subsequent use of the data in a way incompatible with the nature of the business that originated the collection of the data; 

Principle of adequacy - The collection of data ensures compatibility and coherence between the processing and the purposes informed to the data subject to carry out the business; 

Principle of necessity - The data collected is limited to the purpose, pertinence and proportionality to the business, assured the public rights of subsequent Act or by legal determination. Data that is excessive for the correct provision of services or the supply of products is avoided in the ATC Compliance Group. 

Principle of free access and transparency - All use, sharing, communication or duration of use of the data provided shall be informed, free of charge and in a quick and easy way to the holder of the data, apart from commercial and industrialsecrets; 

Principle of data quality - Keeping personal data complete, clear, up-to-date and monitored by the ATC Compliance Group, with a view to maintaining the business and anonymizing or deleting the data (deletion or erasure) at the end of the business relationship; 

Principle of security and prevention - Personal data is protected from damage or unauthorized processing, leakage or breach of confidentiality. ATC Compliance Group adopts protective measures capable of preventing non-compliance with data protection; 

Principle of non-discrimination - The personal data treated in the ATC Compliance Group will not be used in a discriminatory, illicit or abusive way, especially when treating sensitive data. Free trade union association, sexual orientation or health status, for example, will not be subject to non-compliance with this principle, also in accordance with the Brazilian and Portuguese Federal Constitutions; 

Principle of accountability and responsibility - ATC Compliance Group, as Data Processing Agent, is responsible for any damage or non-compliance with the Data Protection regulations to which it gives cause, by virtue of the GDPR, guidelines of the ANPD - Autoridade Nacional de Proteção de Dados in Brazil, CNPD - Concelho Nacional de Dados in Portugal, by the Brazilian and Portuguese Federal Constitutions  and by the best market practices. 

The information that can be reported and communicated to Data Subjects is related to: 

a. purpose on treatment; 

b. which personal data is processed within the ATC Compliance Group; 

c. form and duration of the use of the data; 

d. identification and contact details of the ATC Compliance Group (DPO - Data ProtectionOfficer); 

e. sharing or portability of data, if any; 

f. responsibility of Data Controllers and; 

g. all the rights ensured in the GDPR; 

h. other guidance from the Data Protection Authorities. 

About privacy and Data Protection 

We maintain appropriate administrative, internal controls, digital and physical technical measures to protect personal information from accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse and any other unlawful forms of processing of personal information in our possession. 

Our measures include implementing appropriate access controls, data safekeeping and storage, to secure our environments and ensure that your personal data is encrypted, pseudo-anonymized or anonymized and deleted completely where possible. These measures will be reviewed annually. 

We restrict access to personal information to employees who need to know that data to provide products or services to you. 

So that we can guarantee the secrecy and protection of your personal data, it is important that you also take the following precautions: 

• Only use the official communication channels provided by the ATC Compliance Group; 

• Pay attention to the origin of messages. Do not access content received through links via email, SMS, WhatsApp and others from sources other than official ATC Compliance Group sources; 

• Keep your computer, mobile device, browser and antivirus software up to date; 

• Update your personal data, whenever there is any change, through the channels available in the ATC Compliance Group; 

• Adopt all security measures suggested or directed by the ATC Compliance Group. 

What personal data do we collect? 

• All personal qualification data necessary and appropriate to the business model aimed at offering goods products or services from ATC Compliance Group. 

• In some cases, you provide us with your data yourself and in others it is obtained directly by us, always in compliance and respect of the GDPR regulations. 

• For the purposes of this Privacy and Data Protection Policy, personal information or data is all information relating to an identified or identifiable individual. 

• When you use ATC Compliance Group services through the website, we may collect certain information by automated means, such as: cookies, IP and MAC address, device ID, location data, network information, information about activities you have performed, dates and amounts of activities, and other trackers. 

• We use this information to improve our products and services based on an understanding of factors such as how many users’ accesses or use our services, what content and features our visitors are most interested in, performance and performance of our channels. 

You provide us with your data when: 

• Get in touch with our service channels (Call Center, ATC Compliance Group website, ATC Compliance Group WhatsApp, social media, contact option on ATC Compliance Group partner websites or in a face-to-face and consented manner); 

• Use or hire any of our products or services; 

• Or when the ATC Compliance Group contacts you. 

We collect your data when: 

• ATC Compliance Group requests permission to collect information necessary to provide you with convenience, ensure your safety and for the preparation of contracts; 

• You browse our website, use our WhatsApp or use our Social Networks; 

• We consult external sources, including public data, such as credit bureaus, notary offices, information disclosed under the Access to Information Act and other sources, for data validation purposes and to enrich our databases. 

For what purpose do we use your data? 

We use your personal data only for legitimate, lawful purposes related to our activity, always observing the current legislation and good market practices. Your data is used so that we can: 

• Get in touch with you; 

• To provide, improve and develop products and services to better serve you; 

• To offer you greater security and protection; 

• Send you marketing materials when authorized or requested by you; 

• Improve our data analysis; 

• Comply with your contract with ATC Compliance Group, as well as the legal obligations described therein. 

How do we use your data? 

We may use your personal information to:

• Execute your product contract; 

• To provide our services, offers, promotions and benefits; 

• Send communications about offers, benefits, sweepstakes and surveys; 

• Answer your questions about ATC Compliance Group products and services; 

• Send marketing communications about ATC Compliance Group products and services; 

• Protect and prevent fraud, unauthorized transactions, claims and other liabilities; 

• Perform data analysis (including anonymized data); 

• Comply with applicable legal requirements and standards as well as our policies; 

• Perform audits, internal controls, research and analysis to maintain, protect and improve our products and services. 

Sharing data with other parties 

We have relationships with several partner companies, such as data controllers or operators, sponsors or from complementary segments aiming at the provision of our services. 

When we share data with third parties, we only share those data that are necessary to carry out our contractually defined activities and in accordance with safeguards and good practice. 

If data is processed outside of the Brazilian territory or the European Union due to  business needs or legal requirements, we take all necessary measures to ensure that  the Laws are observed and complied with in the country of destination of this data. 

We may share personal information with our service providers who perform services on our behalf or with partner companies, however we only authorize the use or disclosure of the data to the extent necessary to provide specific services on our behalf or to comply with legal requirements. 

We require by contract that these service providers adequately protect the privacy and security of personal information processed by them on our behalf. 

The transfer of personal customer information occurs only for the purpose of conducting our business, providing customer service or as permitted or required by law, and shall occur only with partners or entities with whom a contractual business agreement exists or who have an explicit requirement to handle the information, with the assurance of agreement between Data Controller and Data Operator. 

We may also transfer and disclose your personal data to third parties: 

• To comply with a legal obligation; 

• At the request of government authorities in the context of any investigation;

 • For detection and protection against fraud or security vulnerabilities; 

• To respond to an emergency; 

• To protect the rights, property, warranties, safety of third parties or users and visitors to the ATC Compliance Group website. 

ATC Compliance Group will always notify you when any product, process or service offered by us requires sharing, communication or transfer of information and personal data with partner companies or third parties, or treatment outside Brazil or the European Union, to fully exercise mutual rights. 

What are your rights as a Data Subject 

The GDPR is legislation that regulates how companies and institutions handle your personal data. 

You have rights over your personal information and our intention is to ensure that we respect your interests and maintain an ethical, responsible and diligent relationship with you. 

As a data subject, your rights are: 

• Confirm and receive information about the existence or processing of your personal data in the ATC Compliance Group; 

• Access your data; 

• Correct data that is incomplete or incorrect. To correct your data please contact us; 

• Request the anonymization, blocking or deletion of unnecessary, excessive or non-compliant data; 

• Request data portability to another product or service provider; 

• Request the deletion of your personal data processed, if there is noimpediment such as a legal or regulatory obligation;

 • Withdraw consent for data processing; 

• Review the procedures used for automated decision making, if any;

 • File a complaint with the supervisory authority, consumer protection bodies or judicial bodies.

To exercise your rights, you can contact us at atc@atccompliance.com. To do so, it will  be necessary for us to identify you before providing any information. No personal information or data will be provided to a third party without the proper presentation oflegal representation. 

These rights may be limited in some circumstances by legal requirements. 

Where required by Law, we will obtain your prior consent at the time of data collectionfor  the processing of personal information for marketing purposes and voluntary participation in ATC Compliance Group initiatives. 

In addition, there may be occasions when your consent will be collected at the specifictime,  such as when entering a contract, and you should be notified of the consequence of  refusal, where applicable. 

If we have your consent to the processing of your personal information, you have the right to revoke that position at any time. 

For other assistance not related to the General Data Protection Law, please access our contact channels available at www.atccompliance.com . 

Data Protection Officer 

LUCIANO VASCONCELOS LEITE atc@atccompliance.com