Privacy Policy

1. OBJECTIVE

Recognizing the importance of personal data privacy in our organization, in compliance with the General Personal Data Protection Law - LGPD, and emphasizing transparency and the principle of accountability, demonstrate how CARBON collects, stores and processes personal data.

2. FIELD OF APPLICATION

Applicable to all CARBON employees, partners and customers, it describes the practices adopted with regard to data collected in printed or digital forms through the website, members, service providers and/or applications for fixed and mobile devices, operated and controlled by CARBON. By providing your personal data to CARBON, you are aware of the terms and conditions of this Privacy Policy.

3. GENERAL CONTENT

3.1 DEFINITION

The purpose of this Privacy Policy is to demonstrate our commitment to transparency, privacy and the protection of personal data collected, establishing the rules on the collection, recording, storage, use, sharing and deletion of personal data collected, in accordance with Law No. 13,709/2018, the General Personal Data Protection Law - LGPD, and ensuring its faithful compliance.

We hope that this Policy shall help you understand our commitments regarding your privacy.

3.2 TERMINOLOGY

The following definitions of the terms used in this document are taken from article 5 of the General Data Protection Law (LGPD):

PROCESSING AGENTS: the controller and the operator.

CONTROLLER: natural or legal person governed by public or private law, responsible for decisions regarding the processing of personal data.

OPERATOR: a natural or legal person, governed by public or private law, who processes personal data on behalf of the controller;

PERSONAL DATA: any and all information relating to an identified or identifiable natural person. E.g.: Name; Social name; Date of birth; Last Name; CPF; Identity card; National driving license (CNH); Age; Nationality; E-mail; Place of birth; Home address; Business address; Marital status; Gender; Home telephone numbers; Business telephone numbers; Mobile telephone numbers;

SENSITIVE PERSONAL DATA: personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical or political organization, data relating to health or sex life, genetic or biometric data, when linked to a natural person.

DATA SUBJECT: natural person to whom the personal data being processed refers.

PROCESSING: any operation carried out with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

PERSONAL DATA PROCESSOR (DPO): person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD).

Among the main responsibilities of the person in charge of processing personal data is to ensure compliance with the provisions of the General Data Protection Law, to receive requests, complaints and communications from data subjects, to provide the necessary clarifications, to adopt measures of interest to data subjects and to communicate with the ANPD.

3.3 REFERENCE DOCUMENTS

- General Data Protection Law (Law 13.709/18), which in Art. 1 provides for the processing of personal data, including digital data, by natural persons or legal entities governed by public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of natural persons.

- LOB6-POL0001:00 Information Security Policy

- LOB6-POL0004:00 Information Handling and Disposal Policy

3.4 ROLES AND RESPONSIBILITIES

CARBON is considered to be the CONTROLLER of the personal data of its employees, as it has control over the processing of personal data, i.e. it determines the purposes of the processing to which the personal data is subject and is responsible for the safekeeping and disposal of the data under the terms of this policy and in compliance with the General Data Protection Act.

CARBON, in its capacity as a service provider and, in cases where it has no control over personal data processing activities, shall act as the OPERATOR of the personal data of the clients of the CONTROLLER company, always observing the provisions of the LGPD.

As a service provider and, in cases where it does not have interference in relation to personal data processing activities, CARBON will act as OPERATOR of the said CONTROLLER company client’s personal data, always observing the provisions of the LGPD.

In addition, data collected by CARBON as CONTROLLER may be processed and stored on internal servers or by the Google Drive server.

When CARBON is in the capacity of OPERATOR, the data subjects' data shall be processed and stored in the CONTROLLER's systems that act in accordance with the security policies and mechanisms, specific contractual clauses relating to privacy and protection of personal data.

As the CONTROLLER, CARBON shall be responsible for the personal data processing activities of the following processes, in accordance with the legal bases of articles 7, V, 11, I and II, a, LGPD:

• Registration in the client's system;
• Selection of candidates;
• Hiring process;
• Registration of employees in the internal system;
• Receipt of documents from the employee;
• Unsuccessful candidates, not selected;
• Segregation of access to the server;
• Equipment;
• Corporate telephone;
• Physical files;
• Sale of cloud services;
• Commercial proposal;
• Employee registration in accounting (Medical part);
• Employee registration in accounting (Contractual part);- Hiring a Legal Entity;
• Sporadic service providers (cooperative);
• Registration of employees for access to the building;
• Registration of employees for access to the head office;
• Health plan;
• Food or meal vouchers;
• Childcare assistance;
• Transport vouchers;
• Payroll;
• Medical certificates;
• Termination of employment;
• NDA subscription;
• Sharing data with clients;
•Payroll - Companies.

As OPERATOR, CARBON shall be responsible on behalf of the CONTROLLER for the personal data processing activities of the following processes, based on the execution of the contract, in accordance with art. 7, V, LGPD:

• Infrastructure administration/support;
• Software as a service (SaaS) support
• IT infrastructure projects;
• SaaS development or implementation projects (including Analytics);
• IT infrastructure monitoring;
• Cloud Broker.

4. GUIDELINES

4.1 PURPOSES FOR THE USE OF DATA SUBJECTS' PERSONAL DATA

In accordance with the LGPD, data subjects' data may only be processed if it meets the legal purposes set out in the LGPD. Therefore, we shall only process your personal data: When you interact with CARBON's solutions and platforms, we use various technologies to process the personal data collected. The legal grounds on which we rely and which legally allow us to process personal data may be contract performance, compliance with legal obligations and legitimate interest.

If the user decides to provide their personal information on the CARBON website in order to take advantage of the Online Services or any other services, this information shall be processed for the specific purposes previously defined or as described in the service agreement.

The user reserves the right to inform CARBON at any time, including when providing personal information, through the communication channels available for the registration of such information, of their lack of interest in receiving such advertisements, including by e-mail (opt-out), in which case CARBON shall discontinue such services as soon as possible. If you wish to unsubscribe, please contact our Data Controller at the address indicated in section 4.10 of this document.

4.2 PROCESSING OF PERSONAL DATA

CARBON, under the terms of the legislation, may collect, receive, classify, use, access, transmit, store, archive, eliminate, share with third parties, always in strict compliance with the Law, your personal data and registration information, when necessary for the fulfillment of the agreements made between the parties and, also, in other cases based on legitimate purposes, such as support and promotion of CARBON activities or for the provision of services that benefit others involved in the process.

4.3 PERSONAL DATA COLLECTED

For our suppliers' employees and contractors, we collect basic identification information such as name, title, position, professional history, experience, and contact details.

In addition, for employees and contractors working on CARBON premises, we shall generally collect the following:

• Detailed identification information (name, job title, e-mail address, office location, telephone number, date and place of birth, image, ID card, CPF and other national identification numbers as required);
• Electronic identification data (e.g. login information, access right, badge number, IP address, online identifiers/cookies, logs and connection time, sound or image recording such as CCTV or voice recordings);
• Personal and physical characteristics (e.g. gender, date of birth and marital status);
• Special categories of personal data and background and criminal offense information, as part of the background checks/personnel verification we carry out to satisfy regulatory and/or prudential requirements, for which you have given your explicit consent and can therefore revoke it at any time, provided you duly request it from the Data Controller, as part of the "Onboarding" process.

4.4 TECHNICAL AND ORGANIzATIONAL MEASURES

Access to personal information collected, stored or otherwise processed by CARBON is restricted to professionals authorized to make direct use of this information and necessary for the provision of its services, with limited use for other tasks. Any organization or individual hired to provide support services is also required to comply with the Privacy Policy adopted by CARBON.

CARBON is committed to providing quality and secure services. Therefore, in all processes, all plausible technical measures of the current state of technology are adopted in order to guarantee the security of personal data and to prevent its alteration, loss, processing and unauthorized access, whether from human action or from natural, physical or electronic actions.

4.5 TRANSFERS TO THIRD PARTIES

CARBON shares infrastructure, systems and technology with partner companies to provide an innovative, relevant, consistent and secure experience across all CARBON products and services. In addition, we process information about you at the partner companies for this purpose, as permitted by applicable law and in accordance with this policy.

Please note that new online services made available by CARBON shall automatically be subject to the Privacy Policy in force at the time of their use.

We shall share your personal data when we believe in good faith that it is necessary for compliance with a legal obligation under applicable law or to respond to a valid legal process, such as a search warrant, court order or subpoena.

We shall also share your personal data if we believe, in good faith, that it is necessary for our legitimate interest, or that of a third party, relating to national security, law enforcement, litigation, criminal investigation, protecting the safety of any person, or preventing death or imminent bodily harm, provided that we consider that such interest does not outweigh your interests or fundamental rights and freedoms that require the protection of your personal data.

4.6 DATA INTERNATIONALIZATION

Personal data processed as a result of the use of the Services shall be processed by CARBON in accordance with current applicable legislation. CARBON is headquartered in Brazil but may process personal data in other countries by contracting partner companies, which in turn shall be subject to the obligations of this Privacy Policy.

The international transfer of data shall only take place if it is proven that the receiving country complies with the data protection requirements of the LGPD, as well as if such an event occurs on behalf of its partners and clients. All personal data processing activities are in accordance with personal data protection legislation, observing compliance with the principles and rights of the data subject legally provided for in the LGPD. This protection is achieved through security and confidentiality policies and mechanisms, as well as specific contractual clauses for international transfers.

4.7 OWNERS' RIGHTS

In compliance with the applicable regulations, when in force, regarding the processing of personal data, in particular the General Data Protection Law (Law no. 13.709/2018), CARBON respects and guarantees you the possibility of submitting requests based on the rights provided for in article 18 of the LGPD, such as access, deletion, portability, etc.

4.7.1 RIGHT TO WITHDRAW CONSENT:

You may withdraw your Consent when your Personal Data shall not be used for [DESCRIBE DATA PROCESSING AGAIN], there is no legitimate interest in its processing, it is not necessary for compliance with a legal, contractual or regulatory duty of [COMPANY'S CORE NAME/RESPONSIBLE PROFESSIONAL] and/or its [CUSTOMERS/PARTNERS ] or it does not fall within any other legal hypothesis that authorizes the processing of Personal Data [ON THE DEFINED LEGAL BASIS].

Consent may be withdrawn free of charge by sending a [WRITTEN/SENT] request to [INSERT LOCATIONS/ADDRESSES FOR SENDING REQUESTS]. At this point, we shall delete all the data that you have provided directly to us on the [WEBSITE/APPLICATIVE] and that depend on Consent for their processing in the form of the law in force at the time of your request for cancellation.

4.7.2 CORRECTION OF PERSONAL DATA:

You shall have free access to your data at any time. If they are not correct or do not correspond to the truth, you may request that they be updated, rectified, modified, canceled or that additional information be recorded, free of charge, by sending a [WRITTEN/SENT] request to [INSERT LOCATIONS/ADDRESSES FOR SENDING REQUESTS]. At this point, we shall delete any data that you have provided directly to us on the [WEBSITE/APPLICATIVE] and that require Consent for processing in accordance with the law in force at the time of your request for updating/correction.

Personal Data may be kept in an internal file, unavailable to third parties, if it is necessary to comply with legal, regulatory, judicial or administrative obligations. Under no circumstances shall it be disclosed, shared or passed on to any client or partner.

4.7.3 RESPONSIBILITY FOR LOGIN AND PASSWORD:

You may access the [SITE/APPLICATIVE] by means of a "logon-account" and an exclusive and individual password for your personal use, which is non-transferable and known only to you.

You are responsible for safeguarding your login account and password and shall not pass them on to any third party under any circumstances.

4.7.4 SENDING MESSAGES BY ELECTRONIC MEANS AND ADVERTISING IN DIGITAL MEDIA:

Information about our services may be sent to you through any channels, including, but not limited to, electronic means such as e-mail, SMS, WhatsApp or via Social Networks.

You acknowledge and accept that your Registration and Personal Data may be used by us to maintain a commercial and institutional relationship with you. We may send you periodic communications relating to news on the Sites, information of specific interest to you, for marketing purposes, satisfaction surveys and campaigns with promotional offers for the solutions offered by the company and its partners.

To stop receiving our promotional campaigns and requests to participate in surveys by electronic means, such as e-mail or SMS, you should contact the Customer Service Center, whose telephone numbers and opening hours are available in item 5.15 of this document or at: https://carbon.cars/. Another option is to unsubscribe using the link available in our emails or on [SITE/APPLICATIVE].

4.7.5 ANTI-SPAM AND ANTI-PHISHING COMMITMENT:

We act in accordance with the best practices of the digital market. Marketing communications are only sent to those who request to receive messages or who have already contacted us.

We therefore recommend that if you receive an e-mail from us and suspect fraud, do not open the attached files or click on any links or buttons. You can also send a message to [EMAIL ADDRESS SET UP FOR THIS PURPOSE] so that we can take all possible measures to combat electronic crime.

Note: Only messages concerning fraud, complaints and information about possible irregularities occurring on our behalf shall be accepted. If you have any questions or would like information on other matters, please contact the service channels described in section 5.15 below.

4.7.6 DATA SECURITY:

We protect security during access to our Sites, in transactions and in the capture of information, through the process of data encryption, using the Secure Socket Layers (SSL) security protocol that proves the authenticity of our Sites, as well as ensuring the integrity and confidentiality of the data during its transmission.

4.7.7 COPYRIGHT:

All texts, images, sounds and/or applications displayed on our Sites are protected by copyright. You may not modify, reproduce, store, transmit, copy, distribute or use these resources in any other way for commercial purposes without our prior and formal consent, which shall never be presumed.

Attempts to hack into our Sites shall be considered as damage, theft or any other criminal offense that corresponds to the consequences of the hack.

4.7.8 STORAGE TIME AND DELETION OF PERSONAL DATA

Your personal data shall be processed and stored for as long as necessary for the purposes listed above and shall be deleted after a specified period or at the request of the data subject in the exercise of their rights, where applicable, with the exception of storage when CARBON is complying with a legal or regulatory obligation.

4.7.9 UPDATING INFORMATION

CARBON reserves the right to improve the functionality of the Services and to implement new technologies and products. Accordingly, the Terms of Use may be amended at any time to include the changes implemented, except in the event of a legal prohibition. By continuing to use our Services after the Terms of Use have been amended, you agree to the changes made and in force at the time of access.

4.7.10 REQUESTS AND COMPLAINTS

For more information and in case of any questions, concerns or requirements, please contact us at the following e-mail address: ouvidoria@carbon.cars

When you contact us, you may be asked to provide personal data to confirm your identity. Occasionally, other information may be requested to confirm your identity in order to better respond to your request or complaint, if there is any doubt about the veracity or legitimacy of the information provided.

5. CHANGES TO THIS DOCUMENT:

This document is subject to change at any time, always seeking to improve our services for your benefit. Any and all changes are aimed at adapting to possible modifications to our Sites, whether changes to new technologies or whenever necessary, as well as new legal, regulatory or contractual requirements. When this happens, we shall inform you of the change by sending an e-mail to the address provided by you and/or when you next access our Sites or applications.

If you do not agree with the changes included in the document, you have the right to request the cancellation of your registration at any time.

We require our clients to commit to using the contracted services in accordance with the law, the respective regulations, the principles of morality, good customs, and public order.

Localizer: AFO-POL 0001:00

Rating Public