Information Security and Cybersecurity Policy

By reading this Privacy Policy, the Client is informed about how BREE EFICIENCIA ENERGETICA S.A. collects, processes, and protects the personal data that you may provide on the BREE Website and those accessible through said domain (“Website”), as well as through any other method or channel provided by it. Personal data means all the information about an identified individual or that allows one to directly or indirectly determine their identity.

The Client must carefully read this Privacy Policy, which has been written in a clear and simple manner to make it easier for you to understand it so that you can freely and voluntarily determine whether or not you want to provide your personal data to BREE. This policy may be updated at any time upon notice on the Website and/or by email, for which reason, it is advisable that you periodically review the Website and/or your email inbox.

1. Who is responsible for processing your data?

It is the person responsible for processing your personal data at the company listed below, followed by its primary communication channel and an email for contact and any questions or needs relatively to data protection:

BREE

Primary communication channel/Privacy Center:
https://bree.inpakta.tech/bree

Email:
dpo@inpakta.com.br

BREE will request, before processing the personal data of its clients, express acceptance of this Privacy Policy, whenever applicable, and for any other situation requiring their prior authorization.

2. What do we process your personal data for?

The Client is informed that BREE will process the personal data that they provide by filling out contact forms and sending résumés on the Website, for the purposes indicated below, to the extent that there are legal grounds for each processing operation, as explained below:

(a) Ensuring a contact with the Client;

(b) Managing the Client’s relationship with BREE and accessing the various resources available on the Website;

(c) Preventing frauds; applying information security measures to ensure the adequacy of the Client’s access and use;

(d) Conducting statistical and market studies, including an analysis of the user’s behavior when browsing and creating Client profiles through integration and joint processing of the information obtained from cookies or similar technologies;

(e) Informing the user by any means, including by sending sales communications to the email address provided by the Client. You can oppose at any time to the processing of your personal data for marketing purposes by exercising your right in that regard;

(f) Making sure that résumés are registered in a database for BREE’s hiring purposes, for a maximum of 2 years, according to the consent to and use of the indicated form.

3. What are the legal grounds for the processing of your personal data?

3.1. The legal grounds for data processing for the purposes in (a), (b), and (c) are the performance of the services agreement.

3.2. The legal grounds for data processing for the purposes in (d), (e), and (f) are the Client’s consent and the Company’s rightful interest whenever applicable, it being possible for the Client to opt out of that processing, at any time, without prejudice to performance of the agreement.

3.3. The rights to data access, data removal, portability, or non-use of data for sales communication purposes can be directly exercised by the Client by managing the Information in their account and/or canceling the subscription in the communication channels and with the Privacy Center provided in item 1. of this Privacy Policy, whereas any other right will depend upon a review and establishment of other provisions by BREE.

3.4. As to exercising the right to portability of your data, this will not lead to a transfer of data or other information in addition to registration information.

4. What are the Client’s obligations as to data recording?

4.1. The data requested are usually required for the operation, but they can also relate to product and/or service offers on the website or advertisements directed at the Client’s profile. The Client knows and accepts that their failure to complete certain personal data may prevent BREE from providing all the benefits associated with such data.
In the process of registering and filling out the contact form, the Client will be informed about the non-mandatory nature of the collection of some of their data by BREE.

5. How long will we keep your data?

5.1. The data will be kept for as long as necessary to achieve the goals for which they were collected, unless the Client requests their removal, opposes, or revokes their consent.

5.2. Data are generally kept for the following periods:

• Documentation associated with the Client’s agreement: five (5) years from the end of their status as a BREE client;

• Documentation associated with performance of fiscal and tax obligations: five (5) years from the end of the tax year;

• Data concerning application records for performance of obligations under the applicable laws, which in Brazil are in the Civil Rights Framework for the Internet (Law 12965): six (6) months from collection of the application record data;

6. Which personal data will be processed?

6.1. BREE will process the following types of data for clients:

• Identification information: Name, last name, résumé, and data concerning professional work, when applicable and provided upon the data subject’s consent for certain purposes;

• Contact information: contact information, including email, address, and telephone;

• Data relating to use of the Website: search, research, and use of the services by clients, Website benefits and access, information on clicks, pages accessed, and the pages accessed right after departure from the Website.

• Client logging information: access to the device resources, browser, IP number (with date and time), IP source;

7. What recipients will we share your data to?

7.1. Business partners available for reference on the Website: for use of the benefits from BREE, including, but not limited to, partner companies. The sharing in commercial cases will be only performed according to an executed agreement and around the agreed-upon service.

• Suppliers and service providers that support or help maintain BREE, such as through the use of infrastructure services or third-party tools that help with BREE’s ongoing improvement.

• Government authorities, for compliance with the laws in force, applicable regulations, government requests, or court orders or notifications, and for protecting the rights, property, or security of Clients.

• In case of corporate restructuring, it will be possible to share the Client’s information if the disclosure is done as part of a purchase, transfer, or sale of services or assets (e.g., if the assets are purchased by another party, the client’s information may be transferred).

8. What are the requests that can be placed about personal data?

8.1. The Client may, upon request to BREE, at any time:

• Revoke their consent granted;

• Obtain confirmation about whether the personal data relating to the Client are being processed by BREE;

• Access their personal data;

• Correct imprecise or incomplete data;

• Request a removal of their data when, among other reasons, the data are no longer necessary for the purposes for which they were collected;

• Request portability of the data provided by the Client, as well as the registration data provided;

• Get in touch with BREE’s DPO at the indicated email or by calling the Privacy Center made available;

• Request a limitation of and opposition to data processing, in addition to not being subject to decisions based only on the automated processing of their data, according to the regulations applicable to personal data protection.

• File a complaint regarding the protection of their personal data with the competent control authority when the concerned party finds that BREE has violated the rights that are acknowledged by the applicable data protection regulations.

9. How are your personal data protected?

9.1. BREE processes the data subject’s data at all times in an absolutely confidential manner and keeps a secrecy duty to them, according to the provisions of the applicable regulation, and has the necessary technical and organizational measures in place for the security of your data and to avoid their change, loss, or unauthorized processing or access, taking into consideration the state of the technology, the nature of the data stored, and the risks to which they are exposed.

10. What is your responsibility for the data that you provide us?

10.1. The Client warrants that the data provided to BREE are true, precise, complete, and up to date. For these purposes, the Client is liable for the truth of the data that they communicate and will keep them conveniently up to date, so that their data will match their current situation.

10.2. The Client will be liable for false, excessive, or inaccurate information that they provide on the Website and for any direct or indirect damage that it causes to BREE or third parties.

10.3. In case you provide third-party data, you represent that you have their consent, if required, and undertake to transfer to the concerned party owning these data the information contained in this Policy, discharging BREE from any responsibility in that regard. However, BREE may conduct the necessary verifications to check that fact by taking the appropriate due diligence actions, according to the data protection regulations.

10.4. BREE will ensure an adequate use of personal data of minors, assuring its respect for the laws applicable to them, through reasonably appropriate measures. However, BREE will not be liable for the personal data provided by minors who have not yet reached the legal minimum age under current regulations to consent to the processing of their personal data on their own, without the prior consent of their parents, guardians, or legal representatives.

11. Automatically collected information and cookies

11.1. BREE may also collect some information automatically, including electronic network activity. Selected third parties are allowed to add cookies through the Website to provide the program with the best information on Website use or Client location or advertising that is relevant to the Client. These third parties may collect information on the Client’s online activities on different websites based on their access to the Website.

11.2. BREE may receive information about the Client from third parties to conduct security checks, make more adequate offers for the Client’s profile, and foster third-party engagement for its services.

12. Privacy Policy Validity

12.1. The Program will remain valid for an indefinite term and may be changed by BREE upon prior notice to Clients ninety (90) days in advance.

13. Partner Network

13.1. BREE reserves the right to, at any time and regardless of the Client’s prior consent, add, delete, or change the participation of Partners with regard to data processing by digital means and its infrastructure. Relatively to its services, supplies, customer service, and sales, any amendments to the agreements with each Client are conditioned upon them.

14. Official time of the country

14.1. The time considered will be the official time, including for promotions and digital campaigns of both BREE and its Partners in the country, except as otherwise expressly provided in the regulations of the promotion or campaign.

15. Applicable law

15.1. BREE may also collect some information automatically, including electronic network activity. Selected third parties are allowed to add cookies through the Website to provide the program with the best information on Website use or Client location or advertising that is relevant to the Client.

15.2. These third parties may collect information on the Client’s online activities on different websites based on their access to the Website. BREE may receive information about the Client from third parties to conduct security checks, make more adequate offers for the Client’s profile, and foster third-party engagement for its services.

16. Validity of these Terms and Conditions

16.1. This Terms and Conditions document is in force and subject to changes without prior notice.