Privacy and Data Protection Policy

General guidelines for personal data processing at CleverIS.

Official source of this version: CleverIS Privacy Policy (version 1.5). This page reproduces the institutional policy for public consultation.

1. Purpose

This policy establishes general guidelines for personal data protection at CLEVERIS. In its operations, the company collects, handles, and stores information related to identified and/or identifiable natural persons.

Its purpose is to ensure legal compliance, protect data subject rights, and provide transparency over internal personal data processing procedures.

Comply with applicable data protection laws and regulations and follow best practices.
Protect employees, clients, suppliers, and partners against personal data violation risks.
Be transparent about internal personal data processing procedures.
Promote awareness regarding personal data protection and privacy.

2. Scope

These guidelines apply to employees, partners, suppliers, service providers, and any party with a relationship with or access to CLEVERIS information.

3. Terms and Definitions

Term	Description
ANPD	Brazilian National Data Protection Authority.
Authenticity	Confirms the truthfulness or originality of the sender.
Confidentiality	Ensures information is accessible only to duly authorized persons.
Availability	Ensures information is available whenever needed.
PD	Personal data.
Integrity	Ensures information remains in its original state, protected against improper, intentional, or accidental changes.
Non-repudiation	Proves that an event did or did not occur, or that a message was sent by an individual.
IS	Information Security.

4. Data Protection Officer Contact

Questions and requests regarding this policy and the processing of personal data may be sent to the data protection officer, Vanieli Anduia, at vanieli.anduia@cleveris.com, or through the Data Subject Channel.

Requests are answered within up to 15 days.

5. Referenced Documents

This item does not apply to this policy.

6. Details

6.1 Personal Data Protection Principles

The principles guiding personal data processing in the corporate environment must comply with applicable legislation and this policy.

6.2 Lawfulness, Transparency, and Non-Discrimination

CLEVERIS processes personal data fairly, transparently, and in compliance with applicable laws and regulations, only when processing is supported by a valid legal basis.

Necessity for the performance of a contract to which the data subject is a party.
Compliance with legal or regulatory obligations applicable to the organization.
Legitimate interest for processing.
Regular exercise of rights in judicial, administrative, or arbitration proceedings.
When required, obtaining free, specific, informed, and unambiguous consent from the data subject.
Allowing consent withdrawal at any time with the same ease it was provided.

6.3 Purpose Limitation and Adequacy

Personal data processing must be compatible with the original purpose for which data was collected.

6.4 Data Minimization Principle

CLEVERIS may process personal data only to the extent strictly necessary for a specific purpose, ensuring adequacy, relevance, and limitation to what is required.

Internal and external data sharing must respect this principle.
Data may only be shared when supported by an appropriate legal basis.

6.5 Accuracy

Reasonable measures must be taken to ensure personal data is accurate and up to date for its intended purpose.

6.6 Retention and Storage Limitation

The organization must control processing activities, retention periods, and periodic review processes, and may not retain personal data longer than necessary.

6.7 Integrity and Confidentiality

CLEVERIS must apply appropriate technical and administrative measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Anonymization: data is irreversibly transformed so it no longer refers to an identified or identifiable person.
Pseudonymization: data no longer directly identifies a person, but re-identification remains possible with controlled additional information.

6.8 Accountability

CLEVERIS is responsible for demonstrating compliance with this policy through governance and accountability measures.

Ensure data subjects can exercise their rights.
Maintain records of processing activities, purposes, recipients, and retention periods.
Maintain records of incidents and personal data breaches.
Ensure third-party processors also comply with this policy and applicable law.
Ensure compliance with ANPD requests and requirements.

7. Security Standards

7.1 Importance of Personal Data Protection

CLEVERIS is committed to implementing information security standards and personal data protection practices to ensure the fundamental right to informational self-determination.

7.2 Ensuring Personal Data Security

Confidentiality, integrity, availability, authenticity, accountability, and non-repudiation are essential objectives of personal data security.

7.3 Duty of Confidentiality

All employees with access to personal data must maintain confidentiality in accordance with the Confidentiality and Secrecy Agreement upon joining and periodically when applicable.

7.4 Data Subject Rights

Receive information on how their personal data is processed and which data is held by the organization.
Correct or delete inaccurate, outdated, incomplete, or incorrect personal data.
Delete, block, and/or anonymize data in applicable circumstances (right to be forgotten).
Restrict data processing in legally applicable circumstances.
Object to processing when legally justified.
Withdraw consent at any time when consent is the legal basis.
Request data portability to another service provider, where applicable and upon explicit request.
Request review of decisions based solely on automated processing.
File complaints with the organization or ANPD in case of possible rights violations.

7.5 Data Breach Management

Incidents and potential data breaches must be reported and escalated immediately.
Data breaches must be formally recorded in a timely manner.
Breaches include loss, deletion, theft, or unauthorized access to personal data controlled or processed by CLEVERIS.

8. Data Protection Audits

CLEVERIS must ensure periodic reviews to confirm that privacy initiatives, systems, measures, processes, and safeguards are effectively implemented, maintained, and compliant with applicable law.

Privacy protection must be periodically assessed according to existing risks. If risks are significant, Internal Audit should include an independent specific review in its annual audit plan.