1 INTRODUCTION

Protecting the security and privacy of your personal data is a priority for GreyLogix. This Privacy Policy describes how we collect, use, store, share, protect, and process your personal data, in compliance with ISO 27001 standards (Annex A.5), ISO/IEC 27701, ISO/IEC 29100, ISO/IEC 27018, and applicable legislation, such as the General Data Protection Law (LGPD – Law No. 13.709/2018), the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679), the Brazilian Civil Code, and the Brazilian Internet Framework (Law No. 12.965/2014). Our goal is to ensure transparency and security in the processing of your data, respecting your rights as a data subject.

This policy applies to all individuals who interact with us, including visitors to our websites, customers, business partners, suppliers, and job applicants (“Data Subjects” or “you”), in the context of our business activities.

2 Purposes of Personal Data Processing

The personal data we collect varies according to the context of your interaction with us, the services or products used, your location, and applicable legislation. Below, we detail the main purposes and categories of data processed.

a) Use of Websites, Applications, and Online Services

Categories of Personal Data Processed:

• Contact information: full name, business address, phone, mobile, and business email;
• Organizational information: position and company name;
• Data provided in forms, support requests, surveys, comments, or forums;
• Interaction data: device identifier, operating system, accessed sites, date and time of visits.

Processing Purposes:

• Provide, administer, and improve our online services, including account creation and management, updates, technical support, and development of new functionalities;
• Bill service usage;
• Verify user identity;
• Respond to requests or instructions;
• Conduct customer satisfaction surveys, as permitted by legislation;
• Comply with terms of use, prevent fraud, protect systems against illegal activities, and establish or defend legal claims.

Legal Basis:

• Contract performance (Art. 6(1)(b) GDPR; Art. 7, V, LGPD);
• Legitimate interests (Art. 6(1)(f) GDPR; Art. 7, IX, LGPD), provided they do not override the data subject’s rights and freedoms;
• Consent, when applicable (Art. 6(1)(a) GDPR; Art. 7, I, LGPD);
• Compliance with legal obligations (Art. 6(1)(c) GDPR; Art. 7, II, LGPD).

When online services are provided by your organization, we act as data processors, processing information under the organization’s direction, according to data processing agreements.

b) Use of Marketplaces

Categories of Personal Data Processed:

• Contact information: full name, business address, phone, mobile, and business email;
• Organizational information: position and company name;
• Payment data: credit/debit card information, security codes, and billing data;
• Data provided in forms, support, surveys, or forums;
• Compliance data: date of birth, nationality, identification numbers, information about litigation or legal proceedings;
• Interaction data: device identifier, operating system, accessed sites, date and time of visits.

Processing Purposes:

• Manage communications about products, services, and projects, including responses to inquiries;
• Execute transactions, process payments, perform accounting, auditing, deliveries, and support;
• Send marketing communications and conduct satisfaction surveys, when permitted;
• Protect the security of products, services, and systems, preventing fraud or malicious activities;
• Comply with legal obligations, such as export control, compliance screening, and record maintenance;
• Resolve disputes and enforce contractual agreements.

Legal Basis:

• Contract performance (Art. 6(1)(b) GDPR; Art. 7, V, LGPD);
• Compliance with legal obligations (Art. 6(1)(c) GDPR; Art. 7, II, LGPD);
• Legitimate interests (Art. 6(1)(f) GDPR; Art. 7, IX, LGPD);
• Consent, when applicable (Art. 6(1)(a) GDPR; Art. 7, I, LGPD).

c) Business Relationship

Categories of Personal Data Processed:

• Contact information: full name, address, phone, mobile, and business email;
• Organizational information: position and company name;
• Contractual data: order information, payments, project milestones;
• Public source data: social media information, integrity databases, or credit agencies;
• Compliance data: date of birth, nationality, identification numbers, information about litigation or legal proceedings.

Processing Purposes:

• Communicate about products, services, and projects;
• Manage contractual relationships, including transactions, payments, deliveries, and support;
• Create business profiles to personalize communications and offers;
• Conduct market analysis, sweepstakes, or events;
• Send marketing communications and satisfaction surveys, when permitted;
• Protect the security of products and systems;
• Comply with legal obligations and resolve disputes.

Legal Basis:

• Contract performance (Art. 6(1)(b) GDPR; Art. 7, V, LGPD);
• Compliance with legal obligations (Art. 6(1)(c) GDPR; Art. 7, II, LGPD);
• Legitimate interests (Art. 6(1)(f) GDPR; Art. 7, IX, LGPD);
• Consent, when applicable (Art. 6(1)(a) GDPR; Art. 7, I, LGPD).

d) Direct Marketing and Satisfaction Surveys

When permitted by legislation, we may use your contact information to send marketing communications (such as newsletters or event invitations) and conduct satisfaction surveys. You may object to this processing at any time, using the opt-out mechanism provided or by contacting us.

Legal Basis:

• Consent (Art. 6(1)(a) GDPR; Art. 7, I, LGPD);
• Legitimate interests (Art. 6(1)(f) GDPR; Art. 7, IX, LGPD), provided they do not override the data subject’s rights.

e) Job Applications

Personal data provided in selection processes are processed according to our Recruitment Portal Privacy Policy, in compliance with LGPD and GDPR.

3 Automatic Data Collection

We use cookies and similar technologies to automatically collect data, such as browser type, operating system, domain name, number of visits, access time, and pages visited. This data is used to improve user experience and the quality of our services, as detailed in our Cookie Policy.

Legal Basis:

• Consent, when applicable (Art. 6(1)(a) GDPR; Art. 7, I, LGPD);
• Legitimate interests (Art. 6(1)(f) GDPR; Art. 7, IX, LGPD).

4 Personal Data Sharing

We may share your personal data in the following situations, always seeking to protect your privacy:

• Suppliers: Partners who assist us in activities such as storage, website hosting, and event organization, subject to contracts that ensure data protection (ISO/IEC 27701, ISO/IEC 27018).
• Public Authorities: When required by law or to comply with regulatory obligations (Art. 7, II, LGPD; Art. 6(1)(c) GDPR).
• Rights Protection: To comply with contractual obligations, protect our rights, or resolve disputes (Art. 7, IX, LGPD; Art. 6(1)(f) GDPR).
• Affiliates: Transfers within the business group for legitimate business purposes, always with adequate protections.
• International Transfers: Data may be transferred to countries with adequate protections, subject to agreements that ensure the same level of protection (ISO/IEC 29100).
• Online Offers: Data published in forums or chats may be globally accessible to other registered users.

5 Data Subject Rights

According to LGPD (Art. 18), GDPR (Art. 15-22), and the Brazilian Internet Framework, you have the following rights:

To exercise these rights, contact our Data Protection Officer (DPO) at: dpo@greylogix.com. For your security, we may request additional information to verify your identity. In some cases, we may deny requests if there are legal or contractual obligations that prevent compliance, but we will always respond within a reasonable timeframe, according to legislation.

6 Data Retention Period

We store personal data only for the time necessary to fulfill the described purposes, except when there are legal, regulatory, or contractual obligations that justify retention (Art. 16, LGPD; ISO/IEC 27701). For example, access data (IP, date, and time) are retained for at least 6 months, according to the Brazilian Internet Framework (Art. 15).

7 Data Security

We adopt technical and organizational measures to protect your data against loss, alteration, unauthorized access, or disclosure, according to ISO 27001 (Annex A.5) and ISO/IEC 27018. Despite this, no system is completely secure. We recommend practices such as protecting your passwords and immediately notifying us of any security incident.

8 International Data Transfers

When we transfer personal data outside Brazil or the European Economic Area, we ensure compliance with LGPD (Art. 33-36) and GDPR (Art. 44-50). This includes:

• Use of Binding Corporate Rules (BCR) for transfers within the Group;
• Standard contractual clauses for external recipients;
• Other safeguards required by legislation.

For more information, contact: dpo@greylogix.com.

9 Contact

For questions, suggestions, or exercise of rights, contact our Data Protection Officer:

Data Protection Officer (DPO): Rafael Gonçalves

Email: dpo@greylogix.com

Note: This channel is exclusively for privacy matters. For commercial matters, access our contact page.

10 Policy Updates

We may update this Policy to reflect improvements in our services or changes in legislation. We recommend visiting this page periodically. Relevant changes will be communicated directly to data subjects.

11 Additional Information for the European Economic Area

• Data Controller: Greylogix identified as the website or marketplace operator is the data controller, according to Art. 47 GDPR.
• Legal Basis: In addition to the mentioned bases, processing may be necessary for legitimate interests, assessed through a balancing test.
• Data Protection Authority: You may contact the competent authority in your country.

12 Information for US Residents

• Do Not Track: Our services do not currently respond to “Do Not Track” signals. Consult your browser’s documentation for more information.
• Children: We do not intentionally collect data from minors under 13 without parental consent, as required by law.
• State Rights: Residents of certain states may have additional rights. Consult our privacy page for details.

13 Links to Other Sites

Our sites may contain links to third-party sites. We are not responsible for the privacy practices or content of these sites.

This Privacy Policy reflects our commitment to protecting your data, in compliance with the cited standards and laws. For more information, contact our DPO.