Privacy and Data Protection Policy
This Policy describes how SUMAQ Comunicação Financeira S.A. processes personal data in the context of the use of our website and in the context of providing services, including projects to implement and integrate solutions, such as the Workiva platform. Here you will find information about what data may be collected, for what purposes, with whom it may be shared, how long it may be retained, and what your rights are as a data subject.
SUMAQ adopts governance, information security, and privacy practices to ensure that processing takes place in a transparent manner, limited to what is necessary, and aligned with applicable legislation.
1. Scope of this Policy
This Policy applies:
- To access and navigation on websites under the SUMAQ domain.
- To relationships with leads, clients, partners, and suppliers, including in digital channels and events.
- To the execution of contracts and projects, including deployment, support, integration, automation, and technical activities.
- To communication with authorized users in environments and solutions used in projects.
2. Roles and responsibilities (Controller and Processor)
Depending on the context, SUMAQ may act as:
- Controller of personal data: when it decides the purposes and means of processing (e.g., data collected on the website, commercial contacts, relationship management, customer service, and institutional communication).
- Processor of personal data: when it processes data on behalf of the client, in accordance with contractual instructions and for the execution of services (e.g., implementation projects, loading and integrating data into client platforms).
3. Categories of personal data processed
SUMAQ may process, as applicable:
- Identification and contact data: name, email, phone, company, job title.
- Navigation data: IP address, date and time of access, pages visited, device and browser identifiers.
- Relationship and service data: history of interactions, requests, support records, and communications.
- Project data: information needed to deploy and operate the contracted services. This may include, on a limited basis, corporate personal data of authorized users (e.g., corporate email and access identifiers), as well as the client's operational and financial data.
SUMAQ does not intentionally process card data (e.g., number, CVV, expiration) and does not request this type of information through its channels. If you identify any improper submission, we recommend not sharing it and notifying us immediately.
4. Purposes and legal bases for processing
Personal data may be processed for the purposes below, as applicable, using the legal bases provided for in the legislation:
- Performance of a contract: delivery of services, deployment, integrations, support, and contractual obligations.
- Legitimate interest: communication with clients and prospects, process improvement, fraud prevention, and security.
- Consent: when necessary for specific promotional communications and non-essential cookies.
- Compliance with a legal or regulatory obligation: when applicable, especially in regulatory contexts.
In projects, processing is limited to the purposes defined in the contract and the client's instructions. If an additional purpose is necessary, an analysis of compatibility and adequacy is carried out, observing purpose, necessity, and minimization.
5. Public, internal, and confidential information
In the context of the services provided, there may be different classifications of information:
- Public information: data and documents that are already public or that will be disclosed at the end of a process (e.g., regulatory reports and publications).
- Internal and confidential information: operational, preliminary, unpublished, or restricted data used for the execution, validation, and approval of projects.
SUMAQ maintains controls to ensure that internal and confidential information is accessed only by authorized persons, based on their need to use it and their responsibilities in the project.
6. Data sharing and third parties
SUMAQ does not sell personal data. Sharing may occur only when necessary and in a proportionate manner, for example:
- With infrastructure providers and technical services (e.g., hosting, corporate email, support tools), when applicable.
- With platforms used by the client in the project (e.g., Workiva), in accordance with the contractual scope and the client's instructions.
- With competent authorities, where required by a legal or regulatory obligation.
When suppliers/sub-processors are involved, SUMAQ maintains assessment processes and appropriate contractual clauses to define responsibilities, confidentiality, and security and privacy requirements.
7. International data transfer
When there is an international transfer of personal data, it will be carried out in a controlled manner and aligned with legal requirements, including appropriate contractual and security measures, and limited to the minimum necessary for the purpose of the processing.
8. Cookies and tracking technologies
The website may use cookies and similar technologies for essential functionality, security, and experience improvement. Non-essential cookies may depend on consent, when applicable.
You can manage cookies in your browser settings. Disabling essential cookies may impact the operation of the website.
9. Information security
SUMAQ adopts technical and organizational security measures to protect personal data and business information against unauthorized access, loss, improper alteration, or disclosure, including access controls, traceability, segregation of duties, and good operational practices.
10. Retention and disposal
Personal data is retained only for as long as necessary to fulfill the purposes of this Policy, contractual and legal obligations, and to safeguard rights in any claims. After this period, the data is deleted or anonymized, when applicable.
11. Data subject rights and service channel
You may request, as applicable, confirmation of the existence of processing, access, correction, update, anonymization, deletion, portability, information about sharing, and revocation of consent.
To exercise your rights or to clarify questions, use the following channel: Email: lgpd@sumaq.com.br
12. Data Protection Officer (DPO) and contact
The Data Protection Officer (DPO) of SUMAQ is: André Ourives. Contact channel: lgpd@sumaq.com.br
The DPO acts as a point of contact for data subjects and authorities, supporting privacy governance, guiding good practices, and cooperating, when applicable, in impact assessments and demands related to data protection.
13. Updates to this Policy
This Policy may be updated to reflect legal, technological, or operational changes. We recommend periodically reviewing this page. Relevant changes may be communicated through appropriate means.