PRIVACY POLICY

Effective from June 1, 2021
Fleye was born with the mission of developing enchanting digital solutions that propel dreams and businesses towards infinity. We translate user information and data into powerful resources. Personal data is the raw material that supports our work ecosystem. We value privacy and data protection, and transparently demonstrate how we handle personal data through this Privacy Policy, focusing on respecting the rights of data subjects, good faith, and the principles laid out in applicable legislation. To facilitate understanding of this Policy, we assume the position of processor when we handle data on behalf of clients for the purpose of providing service. However, we may also refer to ourselves as the controller of your personal data when processed solely for our purposes.

For questions about this Policy, contact our Data Protection Officer at: lgpd@fleye.com.br.

TECHNICAL TERMS USED IN THIS COMPANY

For the purposes of this Privacy Policy, the expressions adopted here should be interpreted as follows:

Data Subject: A natural person to whom personal data being processed pertains, in this case, employees and interns.
Personal Data: Information of a natural person identified or identifiable from data used for the formation of the behavioral profile of a specific natural person, if identified.
Sensitive Personal Data: Data about racial or ethnic origin, religious beliefs, political opinions, union membership, or membership in religious, philosophical, or political organizations, health or sexual life data, genetic or biometric data, when linked to a natural person.
Data Protection Officer: Appointed by the controller and processor to communicate with data subjects and the National Data Protection Authority.
Processor: A natural or legal person, public or private, that processes data on behalf of the controller.
Controller: A natural or legal person, public or private, responsible for the decisions regarding the purpose and means of data processing.
Platform: MacOS used as management software with multiple functionalities.
Privacy: The right to personal information privacy and personal life, the right to respect for private life, the right to be protected from interference in personal matters.
Processing: Any operation involving the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
Pseudonymization: Processing in which the data loses the possibility of direct or indirect association with an individual, which can be reversed through the use of additional information kept separately by the controller in a controlled and secure environment.
Consent: A free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose.
Elimination: Deletion of data or a set of data stored in a database.
Shared Use of Data: Communication, dissemination, international transfer, interconnection of personal data, or shared processing of personal databases in any relationship by public and/or private entities.
National Authority: The entity responsible for ensuring, implementing, and overseeing compliance with the Law.

DATA PRIVACY AND PROTECTION CULTURE
Fleye believes that transparency with data subjects is necessary so that they have full knowledge of the processing of their data and can manage it in order to exercise their rights, where applicable. We respect fundamental privacy rights as well as the protection of personality attributes in which personal data is embedded. As an educational method of this culture, we promote disclosure, training, and capacity building of the involved collaborators, enabling them to follow the best practices established by Fleye. Our privacy culture includes respect for privacy, informational self-determination, freedom of expression, information, communication, and opinion; the inviolability of intimacy, honor, and image; economic and technological development and innovation; free enterprise, fair competition, and consumer protection; and human rights, the free development of personality, dignity, and the exercise of citizenship by natural persons. Fleye values 360° privacy where it observes, guides, and certifies that employees, collaborators, freelancers, interns, or third parties also comply with data protection legislation.
After access has been authorized, the use of any data or information is exclusively intended for the service performed at Fleye. If you believe you are seeing information beyond your profile, immediately contact Information Security: lgpd@fleye.com.br.

ROLES AND RESPONSIBILITIES
Data Subject:
A natural person to whom the data refers. They are the owner of the collected data, which the LGPD seeks to protect.

Data Subject Rights:
Data subjects have the following rights: confirm the existence of processed data and know what and how it is being processed; request the alteration of already collected data; request that certain collected information not be used for a certain purpose; request the cancellation, revocation, and deletion of their processed data; request the revocation of consent to process; object to the processing of certain data; and request clarification about processed data. Requests from data subjects must be sent to the email address: lgpd@fleye.com.br, which will be answered, after the authenticity has been verified, directly to the data subject or duly appointed representative within 15 (fifteen) business days, always respecting the company's confidential information. The data subject can request the revocation of consent during the course of the survey, and in this case, they must refund any received payments in case of remunerated participation.
Contact the Data Protection Officer at lgpd@fleye.com.br to clarify any doubts, make comments, or suggestions related to the processing of personal data.

Processing Agents:
The controller is responsible for processing and for decisions regarding the processing of personal data; it is the one that determines the objectives/purposes, technical and organizational measures, and the means of processing. The processor is the one who processes personal data on behalf of the controller and following the instructions provided by them. They will be jointly responsible with the controller if they cause harm to others due to the exercise of personal data processing activities. The sub-processor is a third party linked to the processor and authorized to process personal data.

Data Protection Officer:
A person appointed by Fleye to act as a communication channel between the company, data subjects, and the National Data Protection Authority (ANPD), in the role of Data Protection Officer.
The activities of the Data Protection Officer consist of:
• Accepting complaints and communications from data subjects, providing clarifications, and taking action;
• Receiving communications from the national authority and taking action;
• Guiding employees and contractors of the entity regarding data protection practices;
• Mapping significant threats to the environment and the risk of information exposure; and
• Performing other duties determined by Fleye or established in complementary regulations.
Fleye appoints Daniel Rieger Beckert, email lgpd@fleye.com.br, to hold the position of Data Protection Officer.

HOW WE COLLECT YOUR PERSONAL DATA
Below we list the data we collect and the reasons for their collection. If you have witnessed anything beyond what is stated in this Policy, please notify us through the channel lgpd@fleye.com.br so that we can take appropriate action.

Customer Data:
Customer data (data of their representatives and agents) is necessary to maintain communication between the customer and Fleye, as well as for compliance with legal obligations, contract execution, or the regular exercise of rights. This data will be archived as long as it is essential, and the customer can request access or updates by emailing lgpd@fleye.com.br. Customer data will be deleted when they are no longer necessary, retaining only what is imperative for legal obligations, dispute resolution, security maintenance, fraud prevention, or abuse avoidance, and ensuring contract fulfillment. All documents and information related to Fleye's customers are confidential and accessible exclusively to our employees and agents under current legislation. If you have witnessed anything beyond what is stated in this Privacy Policy, please notify us via email sent to lgpd@fleye.com.br.

Third Party/Employee Data:
Third parties/employees (service providers for conducting research) are chosen carefully because we care about our reputation in the market and adhere to good privacy and data protection practices. Just like customer data is collected, the same happens with our partners. This data is necessary for communication maintenance, compliance with legal obligations, contract execution, or the regular exercise of rights. This data will be archived as long as it is essential, and the third party can request access or updates by emailing lgpd@fleye.com.br. The data will be deleted when they are no longer necessary, retaining only what is imperative for legal obligations, dispute resolution, security maintenance, fraud prevention, or abuse avoidance, and ensuring contract fulfillment.

Research Participant Data:
Fleye collects personal and sensitive data from subjects who are part of the target audience of the research it conducts, with the collaboration of the participants to execute its activity. The personal and sensitive data of the participant are processed to ensure privacy and data protection, observing the purpose of creating the study, the interests of the clients and Fleye, and the principles laid out in current legislation. Examples of data that make up the information collection are: name, address, contact, behavioral and consumption profile, race or ethnicity, image and voice captured in photos and videos, and possible transcription of these, as well as all necessary information for the creation of the research, respecting the principle of limiting the collection only to essential data. The personal identification data (full name, address, ID, CPF) will not be shared with Fleye's clients, except if there is a normative or contractual provision to the contrary. After the research is conducted, the subject's data will undergo processes of anonymization or fragmentation to mitigate the risk of identifying the participant, retaining only what is necessary for the purposes stated in this Privacy Policy, observing what is agreed in the contract. Third parties and service providers are not authorized to disclose or market research participant data. In case of non-compliance, they will be held responsible for such infringements. If you are aware of such a situation, please notify us through the channel lgpd@fleye.com.br so that we can take appropriate action.

DATA PROCESSING ACTIONS
Access Policies:
Fleye adopts the Principle of Least Privilege methodology as its access policy to provide greater protection for the data of all users who circulate through the company. This means that access is gradually granted, and employees only have access to essential data for specific purposes. We believe that transparency with data subjects is important so that they have control over which of their data has been collected and how it will be processed, in accordance with the rights referred to in current legislation.

Collection: Data is received by Fleye in three ways:
• Google Form: a common survey form, and it is the responsibility of the Fleye team to configure the form and send it for response from the data subject. The response is stored with viewing and editing permissions only for individuals necessary for project completion, and when appropriate to keep it, anonymization is carried out at the appropriate time.

• Typeform: a common survey form, and it is the responsibility of the Fleye team to configure the form and send it for response from the data subject. The response is stored with viewing and editing permissions only for individuals necessary for project completion, and when appropriate to keep it, anonymization is carried out at the appropriate time.

• Customer-provided list: the customer sends a contact list so that Fleye can perform the contracted activity.

Fleye uses Google Workspace as a tool to ensure data security within its network. Thus, the data that is necessary for the project's execution is meticulously mapped and tracked by the platform itself, guaranteeing efficiency from inception to the end of its cycle. Fleye applies access controls and the Principle of Least Privilege, emphasizing that employees cannot access confidential information without explicit authorization from the data subject.

• Recording of Interviews: Fleye records interviews to improve the quality of research, obtaining consent to do so through appropriate documentation and confirming consent with participants during interviews.

Storage of Information: All information, files, and data collected during the research process are stored in Fleye's drive within the specific project folder, so no file is kept locally or on removable media.

Sharing: Data sharing with third parties/employees is done through Google Workspace drive and Notion. Only the necessary files for the purpose described in this Privacy Policy are shared, and access is revoked after the activity is completed. Fleye provides access to Google Workspace to all its employees to facilitate communication and file storage, emphasizing the Principle of Least Privilege. After access is authorized, the use of any data or information is exclusively for the services performed at Fleye.

Client Reports: Reports are delivered through Google Workspace via a shared folder with Fleye's client, retaining only the files being transferred at that moment. Access permissions to the folder are revoked after the client receives the files, and their files are deleted, unless otherwise stipulated in the contract.

Anonymization: The personal data of the participants, which make up the deliverables for the client, are processed and anonymized using currently available technologies, removing the link between the data subject and the collected data, so that identification is no longer possible, except when the participant is an expert in a certain field, that is, a professional who is widely recognized in their field of activity. Therefore, unless stipulated in terms or contracts, identifying data and opinions will be anonymized so that they can no longer identify the data subject, such as CPF, ID, phone number, specific address details (building number, apartment), workplace details, etc.

Data Disposal and Deletion: After the project is completed, the collected/generated personal data will be disposed of. If there is an agreement providing for the maintenance of any type of personal data, this data is handed over to the client by Fleye's project manager with appropriate formalization. Fleye will ensure that all external file sharing has been removed by the project manager.

INTERNATIONAL DATA TRANSFERS

Fleye enters into contracts that authorize and establish rules for the international transfer of the data of third parties, collaborators, research participants, or clients. The transfer only takes place by ensuring that the destination location, transfer methods, and processing agent observe the same level of guarantee provided in the applicable data protection legislation. Fleye's data is stored on Google Drive, and there may be international transfer of personal data when the server is completely unavailable in the storage location, to ensure the integrity of stored data.

SECURITY INCIDENT

Fleye is always vigilant to fully comply with the LGPD and any data protection laws. In the event of a security incident, the following steps will be taken:

• Adoption of internal measures already communicated to all employees;
• Communication of the incident to the data controllers; and
• If there is a risk of relevant harm, communication will be made to the ANPD and the data subject, informing them of the plan to restore the security of their data.

We also rely on you to report any possible incidents you are aware of, informing us as soon as possible through contact: lgpd@fleye.com.br.

POLICY REVIEW AND UPDATES

In order to provide greater security and convenience to interested parties, Fleye will update this Policy whenever there is a change in its process or to comply with applicable legislation. Rest assured, you will be notified! Before protecting third-party data, ALL of us are data subjects and want our privacy to be respected too, so when it is envisioned and consented to, it is for reciprocal, legitimate, and transparent benefit. If you have any questions regarding this Policy, please let us know via email. It will be our pleasure to clarify.

DATA PROTECTION IN INTERNAL DEPARTMENTS

• Finance Department:
Data maintenance by the finance department only occurs when there is a paid contractual relationship. When a specific term is signed, information is collected to make the payment. Thus, the data of customers, employees, third parties, and research participants are necessary for contractual execution, as well as compliance with current legislation regarding issuing invoices, statements, and the like. The data will be kept as long as a valid and effective contract exists, and the data subject, customer, employee, or third party can request access or updates to their data by emailing lgpd@fleye.com.br. The data will be deleted when they are no longer necessary or when the contractual relationship ceases, retaining only what is strictly necessary for legal obligations, dispute resolution, security maintenance, fraud prevention, or abuse avoidance, and ensuring contract fulfillment.

• Contracts:
Fleye's contracts are reviewed and negotiated continuously and periodically to ensure the best agreement and transparency in the relationships it maintains with third parties, collaborators, clients, and research participants, always in accordance with current legislation and observing, especially, the LGPD. The relationship maintained with research participants is transparent and straightforward, establishing a consent, confidentiality, and image rights transfer agreement, as well as confirming the signing of the agreement during the interview.

Name: Daniel Beckert
Position: Data Protection Officer
Email: lgpd@fleye.com.br
© Fleye 2023