Privacy Policy

Welcome to Indigo Hive!

At Indigo Hive, your privacy is our top priority. We created this policy to let you know what data we collect, why we collect it, how we use it, and what rights you have. Read it with peace of mind — we are here to make sure you have full control over your information.

1. Introduction

INDIGO HIVE INFORMATION TECHNOLOGY CONSULTING LTDA, a limited liability company, registered under CNPJ No. 38.217.648/0001-97, headquartered at Rua Haddock Lobo, No. 578, 4th floor, suite 41, Cerqueira César, CEP 01414-900, São Paulo/SP, hereinafter referred to as "INDIGO HIVE", reaffirms its commitment to the protection of personal data and the preservation of privacy in all its activities and operations.

This Information Privacy Management Policy ("Privacy Policy") reflects our commitment to ethics, transparency, and security in the processing of personal data, in compliance with the General Data Protection Law – LGPD (Law No. 13,709/2018), the Brazilian Internet Civil Rights Framework (Law No. 12,965/2014), and the organization's Information Security Policy (PSI).

In accordance with the principles of the LGPD, INDIGO HIVE may act, depending on the nature of the relationship established and the activities carried out, as:

• Controller, when it defines the purposes and means of processing personal data, including in the context of the provision of services, technological solutions, consulting, platforms, and internal processes related to the management of the organization;

• Joint Controller, when it shares, with other processing agents, decisions related to the purposes and means of processing personal data, assuming joint responsibilities arising from such activity;

• Operator, when it processes personal data on behalf of third parties, in accordance with documented instructions and within the limits defined contractually, with the controller being responsible for defining the purposes of the processing and the applicable legal bases.

Regardless of the role assumed, INDIGO HIVE ensures that personal data will be processed responsibly, securely, and in compliance with applicable legislation, adopting appropriate technical, administrative, and organizational measures to protect the rights and freedoms of data subjects.

2. Objective

This Privacy Policy establishes the guidelines for the safe and responsible processing of personal data, in accordance with applicable laws. The Privacy Policy aims to guarantee the protection of the rights of data subjects, ensure compliance with legal and regulatory obligations, and promote transparency in the use and management of personal data, regardless of its format — whether electronic, paper, audiovisual, or any other medium.

3. Scope

This policy applies to all personal data processed, covering customers, suppliers, service providers, business partners, employees, and any natural person whose information is processed. It covers all activities involving the collection, use, storage, sharing, and disposal of personal data, whether carried out manually or automatically, in any environment or platform.

4. Terms and Definitions

For the purposes of this policy, the following definitions apply:

1. Processing Agents: The Controller and the Operator, responsible for the processing of personal data.

2. Anonymization: Use of reasonable technical means available at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual.

3. National Data Protection Authority – ANPD: A body of the direct federal public administration of Brazil, linked to the Office of the President, responsible for ensuring, implementing, and monitoring compliance with Law No. 13,709/2018 (General Data Protection Law – LGPD).

4. Database: A structured set of personal data, established in one or more locations, in electronic or physical form.

5. Legal Basis: The legal grounds that authorize the processing of personal data, as provided for by the LGPD.

6. Blocking: Temporary suspension of any processing operation, by retaining the personal data or the database.

7. ID Code (IMEI): A unique numeric identifier for mobile devices, used to identify and authenticate devices such as smartphones and tablets. The IMEI (International Mobile Equipment Identity) is considered personal data, as it can be linked to a specific individual.

8. Consent: Free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose.

9. Controller: A natural or legal person, under public or private law, responsible for decisions regarding the processing of personal data.

10. Joint Controller: Processing agents that, jointly, determine the purposes and means of processing personal data, sharing responsibilities, obligations, and duties related to data protection and to the rights of data subjects.

11. Cookies: Files stored on the user's device while browsing the internet, collected by the browser, which record preferences and personalize access to the services of portals, websites, applications, and other tools.

12. Anonymized Data: Data relating to a data subject that cannot be identified, considering the use of reasonable technical means available at the time of processing.

13. Personal Data: Information relating to an identified or identifiable natural person.

14. Personal Data of Children and Adolescents: Personal data of children (up to 12 years old) or adolescents (between 12 and 18 years old). The LGPD requires consent from parents or guardians for the processing of this data.

15. Sensitive Personal Data: Personal data about racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical, or political organization, data concerning health or sexual life, and genetic or biometric data, when linked to a natural person.

16. Data Mapping: The process of identifying, inventorying, and documenting where and how personal data is collected, stored, used, and shared within an organization.

17. Deletion: Removal of data or a set of data stored in a database, regardless of the procedure used.

18. Data Protection Officer (DPO): A person appointed by the controller and operator to act as a communication channel between the controller, the data subjects, and the ANPD.

19. IP Address: A numerical sequence that identifies a network device on the internet, considered personal data when linked to a specific individual.

20. Geolocation: Data indicating the geographic location of a device or individual, obtained through technologies such as GPS, mobile networks, or Wi-Fi.

21. Corporate Governance: The system through which companies and other organizations are directed, monitored, and encouraged, covering the relationships between shareholders, the board of directors, management, oversight and control bodies, and other interested parties.

22. Security Incident: An adverse event, confirmed or suspected, that compromises the confidentiality, integrity, or availability of personal data.

23. LGPD (General Data Protection Law): Law No. 13,709/2018, which regulates the processing of personal data in Brazil, protecting the fundamental rights of privacy and freedom of individuals.

24. Free Access: The guarantee to data subjects of easy and free consultation regarding the form and duration of the processing, as well as regarding the entirety of their personal data.

25. Internet Civil Rights Framework: Law No. 12,965/2014, which establishes principles, guarantees, rights, and duties for the use of the internet in Brazil, regulating aspects such as privacy, security, and freedom of expression on the network.

26. Operator: A natural or legal person, under public or private law, who processes personal data on behalf of the controller.

27. Privacy by Default: A principle ensuring that the default settings of systems and services guarantee maximum data protection, allowing minimal processing of personal information, unless the data subject chooses to change them.

28. Privacy by Design: An approach that integrates data protection and privacy from the beginning of the development of processes, products, and services, ensuring that privacy is a fundamental component at all stages.

29. Data Protection Impact Report: A document prepared by the controller that contains a description of the personal data processing operations that may generate risks to civil liberties and fundamental rights, as well as risk mitigation measures.

30. Data Subject: The natural person to whom the personal data being processed refers, such as employees, shareholders, suppliers, and customers.

31. Processing: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

32. International Data Transfer: Sending personal data to a foreign country or international organization.

33. Shared Use of Data: Communication or interconnection of personal data between public and private entities.

34. Personal Data Breach: A security incident resulting in damage to the confidentiality, integrity, or availability of personal data.

5. Roles and Responsibilities

This section establishes the roles assumed by the organization in the processing of personal data, as defined in applicable legislation, as well as the responsibilities assigned internally to ensure compliance with the Privacy Policy and with legal and contractual obligations.

Responsibilities are organized into two main groups:

• Legal Responsibilities, arising from the roles the organization may assume as Controller, Joint Controller, and/or Operator, under the terms of the LGPD and according to the nature of the activities carried out;

• Organizational Responsibilities, which detail the cross-cutting and specific obligations assigned to different areas, agents, or internal functions of the organization.

5.1. Legal Responsibilities

5.1.1. Acting as Controller

When the organization acts as Controller — that is, is responsible for making decisions about the processing of personal data — it must fulfill the following obligations:

1. Define the purposes and means of processing personal data;

2. Appoint the Data Protection Officer (DPO) and ensure they have the autonomy, resources, and appropriate conditions to exercise their legal duties, including the preparation of Data Protection Impact Reports (DPIR), when applicable;

3. Maintain up-to-date records of the processing operations carried out, as provided for in legislation;

4. Conduct risk assessments and adopt safeguards proportionate to the processing operations;

5. Implement and oversee appropriate technical and organizational information security measures, focused on the prevention, detection, and response to incidents;

6. Notify the National Data Protection Authority (ANPD), whenever necessary, of the occurrence of security incidents that may pose risk or relevant harm to data subjects, with due description of the extent, nature, and measures adopted;

7. Prevent discriminatory, unlawful, or abusive practices in the processing of personal data;

8. Include personal data protection clauses in contracts entered into with third parties;

9. Ensure that the rights of personal data subjects are met in a clear, accessible, free, and timely manner, within legal deadlines;

10. Ensure the transparency of processing activities by providing clear and up-to-date information about the operations carried out.

5.1.2. Acting as Joint Controller

When the organization acts as Joint Controller, sharing with one or more other agents the responsibility for decisions regarding the processing of personal data, it must observe the following obligations:

1. Fulfill all obligations applicable to the Controller role, as applicable to the context of joint responsibility;

2. Formalize, through a contract or equivalent instrument, the definition of the purposes and means of processing, the specific responsibilities of each Controller, the security measures adopted, and the procedures for meeting data subjects' rights;

3. Ensure transparency to data subjects, clearly informing who the Controllers involved are, their respective duties, and the channels available for contact and the exercise of rights;

4. Coordinate joint governance and information security actions, including the implementation of policies, audits, protective measures, and incident responses in an integrated manner;

5. Establish cooperation mechanisms between the Controllers to ensure efficient and timely handling of data subjects' requests;

6. Notify the ANPD and the data subjects of security incidents involving joint processing, promoting collaboration between the parties to mitigate risks and comply with legal obligations;

7. Prevent unlawful practices, inconsistencies, or divergences in joint processing, ensuring continuous alignment with legal, contractual, and regulatory requirements.

5.1.3. Acting as Operator

When the organization acts as Operator — that is, processes personal data on behalf of and under the instructions of a Controller — it must fulfill the following obligations:

1. Process personal data exclusively in accordance with the Controller's documented instructions, refraining from carrying out any operation outside the authorized scope;

2. Adopt appropriate technical and organizational measures to ensure the security of personal data against unauthorized access, leaks, losses, alterations, or any form of inadequate or unlawful processing;

3. Maintain records of the processing activities carried out on behalf of the Controller, as required contractually or by applicable legislation;

4. Promptly inform the Controller of any security incident involving personal data, providing the information necessary to respond to and contain the event;

5. Comply with the ANPD's guidelines and determinations when directly applicable to its activities;

6. Ensure that contracts with sub-operators or third parties involved in the processing chain comply with the legal and contractual requirements established by the Controller;

7. Inform the Controller, in a reasoned manner, whenever it understands that an instruction received may violate applicable legal or regulatory provisions, suggesting alternatives for correction;

8. Provide the Controller with sufficient information to demonstrate compliance with the legal and contractual obligations related to data protection;

9. Support the Controller in responding to requests from personal data subjects, in accordance with contractual guidelines and within legal deadlines;

10. Prevent discriminatory, unlawful, or abusive practices in the processing carried out under its responsibility.

5.1.4. Data Protection Officer (DPO)

Under article 41 of Law No. 13,709/2018 (LGPD) and Resolution CD/ANPD No. 18/2024, the Data Protection Officer (DPO) is legally responsible for:

• a) Acting as a communication channel between the organization (controller), the data subjects, and the National Data Protection Authority (ANPD);

• b) Receiving complaints and communications from data subjects, providing the relevant clarifications, and taking the appropriate measures;

• c) Receiving communications from the ANPD and taking the measures necessary for their proper handling, including forwarding them to the competent areas of the organization and formally indicating representatives of the controller, when applicable;

• d) Guiding employees and contractors on the recommended practices for the adequate and secure processing of personal data;

• e) Performing other duties as determined by the controller or established in supplementary ANPD regulations.

In addition, the DPO is responsible for:

• a) Ensuring the adequate and timely handling of data subjects' requests to exercise their rights;

• b) Providing technical, legal, and organizational support to the organization's internal areas on matters related to privacy and data protection;

• c) Keeping the CSGI and other governance bodies informed about risks, indicators, plans, and relevant events related to data protection;

• d) Following and supporting the preparation, updating, and implementation of the following instruments:

  • i. Records of personal data processing operations;

  • ii. Data Protection Impact Reports (DPIR);

  • iii. Internal privacy policies, standards, and procedures;

  • iv. Mechanisms for supervising and mitigating risks related to data processing;

  • v. Technical and administrative information security measures;

  • vi. Contractual clauses and legal instruments with third parties involving personal data;

  • vii. Governance rules and good practices set out in article 50 of the LGPD;

  • viii. International data transfer processes;

  • ix. Products and services based on privacy by default and by design.

• e) Coordinating or supporting internal and external audits related to privacy and information security;

• f) Monitoring and recording the handling of privacy and security incidents, acting as the organization's focal point;

• g) Assessing risks associated with data processing and proposing corrective or preventive measures;

• h) Promoting awareness, training, and organizational culture initiatives in privacy and data protection;

• i) Staying permanently up to date on legislation, regulations, and national and international good practices in data protection;

• j) Declaring any conflict of interest and ensuring their functional independence in the exercise of their duties.

5.1.5. Data Subjects

1. Provide correct, complete, and up-to-date personal data, promptly reporting any change that may affect its processing;

2. Be aware of their rights under the LGPD and exercise them consciously, through the official channels made available by the organization;

3. Comply with the policies, terms, and guidelines applicable to privacy and data protection.

5.2. Organizational Responsibilities

5.2.1. General Responsibilities

Applies to all areas, units, leaders, and professionals of the organization, regardless of their hierarchical level or function. Part of these responsibilities may also be extended contractually to third parties that process personal data on behalf of the organization.

1. Know, respect, and apply the internal policies on privacy, data protection, and information security;

2. Process personal data ethically and responsibly, observing the legal principles of purpose, necessity, adequacy, security, and good faith;

3. Safeguard the confidentiality, integrity, and availability of the personal data accessed or processed in the course of their activities;

4. Refrain from any form of improper, unnecessary, excessive, or unauthorized use of personal data;

5. Immediately report to the Data Protection Officer (DPO) or the competent area any incident, suspected breach, or misuse of personal data;

6. Cooperate with the Data Protection Officer (DPO), audit officers, and information security teams whenever requested;

7. Participate in training and awareness initiatives on data protection, information security, and privacy, as defined by the organization;

8. Collaborate, whenever required, with the handling of data subjects' rights and with audit or compliance review activities.

5.3. Specific Responsibilities

Responsibilities assigned to different areas and agents:

1. Internal Audit:

   • a) Carry out periodic audits of data processing processes.

   • b) Identify risks and failures in compliance with the LGPD and propose corrective actions.

   • c) Verify the effectiveness of security controls.

   • d) Support the Data Protection Officer (DPO) in preparing compliance reports.

2. Employees:

   • a) Process personal data in accordance with the company's policies and procedures.

   • b) Ensure the confidentiality and security of data in the performance of their duties.

   • c) Immediately report any security incident or suspected data breach to the Data Protection Officer (DPO) or the security team.

   • d) Participate in training and development on data protection and information security.

3. Data Governance Committee (CSGI):

   • a) Define and monitor data protection and privacy strategies.

   • b) Review and approve data protection impact reports.

   • c) Monitor the effectiveness of data protection practices and suggest continuous improvements.

   • d) Coordinate efforts between different areas of the company to ensure an integrated approach to privacy and data protection.

4. Data Protection Officer (DPO):

   • a) Under the second paragraph of article 41 of the LGPD, the activities of the DPO consist of:

     • i. Accepting complaints and communications from data subjects, providing clarifications, and taking the necessary measures.

     • ii. Receiving communications from the ANPD and taking the relevant measures.

     • iii. Guiding employees and contractors on the recommended practices for protecting personal data.

     • iv. Performing other duties determined by the controller or established in supplementary standards.

   • b) In addition, the DPO is responsible for:

     • i. Supporting, advising, monitoring, and supervising those responsible for processing personal data, internally or externally, on behalf of the organization.

     • ii. Following the maintenance and annual review of the organization's privacy and data protection standards and policies, ensuring the generation of the history and evidence necessary for the certification and auditing of the processes.

     • iii. Ensuring the performance and monitoring of internal biannual and external annual audits for privacy and personal data protection management.

     • iv. Overseeing compliance with the organization's privacy standards and policies.

     • v. Staying up to date on the applicable regulatory landscape and interacting with the Information Security team on data protection and incident monitoring.

     • vi. Keeping senior management informed about the internal aspects of privacy and personal data management.

     • vii. Monitoring and following up on the handling of privacy and personal data incidents.

     • viii. Following, monitoring, and proposing corrective measures for processes associated with data subjects' rights.

     • ix. Reviewing, monitoring, and approving personal data processing records.

     • x. Driving the privacy culture in the organization through awareness, interaction with departments, and the promotion of specific activities.

     • xi. Participating in area meetings when required and providing legal support on data protection matters whenever requested.

     • xii. Following compliance with the contractual requirements related to data processing and ensuring that third parties involved in the processes also follow data protection standards.

     • xiii. Determining, monitoring, and reviewing internal and external factors relevant to the organization's context that affect its ability to achieve the intended results of its privacy and data protection management program.

5. Information Technology Team (TSI):

   • a) Ensure the compliance of systems and applications with privacy and data protection policies, ensuring that they follow the requirements established by the LGPD and by the company's internal policies.

   • b) Implement appropriate technical and organizational measures to ensure the integrity, confidentiality, and availability of the personal data processed by INDIGO HIVE.

   • c) Establish and maintain security standards for the protection of personal data, ensuring that data is duly protected against unauthorized access, breaches, and other threats.

   • d) Respond promptly to security incidents related to the processing of personal data and adopt the necessary corrective measures.

   • e) Collaborate with the Data Protection Officer (DPO) to ensure that security measures are aligned with data protection standards and market best practices.

6. Partners, Third Parties, and Suppliers:

   • a) Process personal data in accordance with the definitions and instructions provided, without using them for divergent purposes.

   • b) Comply with the obligations established in the contract, which include responsibilities and penalties, to ensure the protection of data subjects' rights.

   • c) Ensure that the processing of personal data complies with our policies and with security and governance best practices.

   • d) Undergo periodic assessments and monitoring to verify compliance with our policies and security standards.

   • e) Take responsibility for any personal data breach originating in their operating environments.

7. Data Subjects:

   • a) The data subject is responsible for ensuring that the personal data provided to INDIGO HIVE is correct and up to date, avoiding the provision of false or insufficient information that could compromise the proper processing of the data.

   • b) The data subject must promptly report any change in their personal data to ensure that the information held by INDIGO HIVE is accurate and up to date.

   • c) Data subjects must be aware of their rights and obligations under the LGPD and ensure that their interactions with INDIGO HIVE comply with legal requirements.

   • d) The data subject must observe and respect the policies established by INDIGO HIVE to ensure the protection and security of their personal data.

6. Guidelines

The following guidelines aim to detail the principles and practices that guide the processing of personal data. They aim to ensure compliance with applicable legislation, ensuring that the collection, use, storage, and disposal of data are carried out responsibly, protecting the privacy of data subjects and fulfilling the established legal obligations.

How We Process Your Data

Personal data is processed responsibly and in accordance with current legislation. In this section, we present the principles that guide the processing, the purposes for which the data is used, the legal bases that support these operations, and how the data is collected and managed throughout its life cycle.

Our Principles

We are deeply committed to protecting the privacy and security of the personal information under our responsibility. All activities involving the use of personal data strictly follow the principles established by the LGPD and the foundations of Privacy by Design. Our priority is to ensure that information is processed in an ethical, transparent, and responsible manner, reinforcing our commitment to the integrity and trust of data subjects.

1. LGPD Principles:

   • a. Purpose: Data is used exclusively for legitimate, specific, and explicit purposes, previously informed to the data subject.

   • b. Adequacy: The use of data is compatible with the purposes stated, taking into account the context and needs of the process.

   • c. Necessity: We limit the use of data to what is essential to fulfill the established purposes, avoiding the collection and use of unnecessary information.

   • d. Free Access: We guarantee data subjects the right to easily access their information, offering free and facilitated consultation.

   • e. Quality of Information: We keep personal data correct, clear, and up to date, ensuring its accuracy and relevance.

   • f. Transparency: We provide clear and accessible information about how data is used and the agents involved.

   • g. Security: We adopt technical and administrative measures to protect personal information against unauthorized access and security incidents.

   • h. Prevention: We implement preventive measures to avoid any harm resulting from the use of information.

   • i. Non-Discrimination: Personal information is never used for discriminatory, unlawful, or abusive purposes.

   • j. Accountability and Demonstration of Compliance: We demonstrate compliance with legislation and ensure the effectiveness of the measures adopted to protect personal information.

2. Privacy by Design Principles:

   • a. Proactivity and Prevention: Our approach involves identifying and preventing privacy risks from the beginning of projects, not just when problems arise.

   • b. Privacy as the Default (Privacy by Default): We ensure that privacy protection measures are automatically applied in all projects.

   • c. Full Functionality: We seek a balance between the protection of personal information and the efficiency of processes, ensuring that privacy does not compromise the functionality of operations.

   • d. End-to-End Security: Personal information is protected throughout its entire life cycle, from collection to disposal or anonymization.

   • e. Visibility and Transparency: We maintain full transparency regarding the activities involving data and the protection measures adopted, providing clear and accessible information to data subjects.

   • f. Respect for the Data Subject's Privacy: Our commitment is to ensure that personal information is processed responsibly and securely, respecting the interests and rights of data subjects.

Why We Process Your Data

We are a technology company that operates in several areas and, in order to provide our products and services efficiently and securely, we need to use personal data in several essential activities. We use this information responsibly and in compliance with applicable legislation, always with the aim of providing the best experience for our customers and stakeholders.

The main purposes include:

1. Formalizing and fulfilling contracts, ensuring the delivery of the agreed products and services.

2. Managing the relationship with customers and stakeholders, maintaining efficient communication, resolving complaints, queries, and requests, and offering the support necessary to ensure everyone's satisfaction.

3. Sending relevant communications, including service updates, maintenance, policy changes, and other important information.

4. Managing candidate and employee data, covering processes such as recruitment, payroll, benefits, and performance, in compliance with legal requirements.

5. Complying with legal and regulatory obligations, processing data to meet tax, accounting, and legal requirements.

6. Preventing fraud and unlawful activities, implementing identity verification and monitoring of suspicious transactions.

7. Ensuring information security, protecting our systems and networks against cyberattacks, fraud, and unauthorized access.

8. Monitoring access and surveillance at our facilities, ensuring security through access control and surveillance cameras.

9. Managing payments and billing, processing financial transactions, issuing invoices, and ensuring that financial obligations are met.

10. Responding to access and correction requests, ensuring that data subjects can review, correct, or delete their data as permitted by law.

11. Conducting satisfaction surveys, collecting feedback to improve our services and ensure they meet expectations and regulatory requirements.

12. Developing new products and services, using anonymized or pseudonymized data to better understand our customers' needs.

13. Responding to demands from the ombudsman, ensuring compliance with legal requirements in sensitive or formal cases.

14. Exercising the right of defense in judicial or administrative disputes, using data as necessary to protect our legal interests.

Our Legal Bases

For each personal data processing activity carried out, an appropriate legal basis is assigned, as established by the LGPD. Below, we present the legal bases that support these operations, applied in accordance with the purposes described above:

Legal BasisApplication (Purpose)LGPDPerformance of a ContractUse of data for the formalization and fulfillment of contracts, agreements, and pre-contractual obligations.Art. 7, VCompliance with a Legal or Regulatory ObligationNecessary to meet applicable tax, labor, legal, regulatory, and other obligations.Art. 7, IILegitimate InterestApplicable to the recruitment and selection of candidates, improvements to products and services, security, and fraud prevention, provided the rights of the data subject are respected.Art. 7, IXConsentNecessary for sending newsletters and marketing communications, or for recruitment and selection, with the explicit authorization of the data subject.Art. 7, IRegular Exercise of RightsNecessary for defense in judicial, administrative, or arbitration proceedings.Art. 7, VIProtection of Life or Physical SafetyNecessary to protect the life or physical integrity of the data subject or of third parties in emergency situations.Art. 7, VIIProtection of HealthUse of employee data to meet occupational health and safety obligations.Art. 7, II and Art. 11, II, "f"Scientific ResearchConducting scientific research or studies with anonymized or pseudonymized data.Art. 7, IVCredit ProtectionApplicable to actions related to collection and default, in accordance with the Positive Credit Reporting Law.Art. 7, X

How We Obtain Your Consent

If consent is the legal basis for the processing of your personal data, it will be obtained freely and in an informed, specific, and unequivocal manner. If there is any change in the purpose, form, or duration of the processing, or in any aspect that differs from what was initially agreed, we will inform you, and you may revoke your consent at any time. We respect all your rights as a data subject and guarantee the possibility of exercising them, as described in the topic "Your Rights and How to Exercise Them." Contact instructions are available in "How to Contact Us."

In situations where we act as an operator, we process personal data under the instructions of the company with which you have a contract — the controller. All decisions regarding consent (such as review, update, or revocation) are the responsibility of that company. Therefore, any request regarding consent must be directed directly to it, as it is responsible for managing these requests.

How We Collect and Receive Your Data

We collect your personal data directly from you in an ethical and responsible manner, requesting only the information strictly necessary to fulfill specific purposes. Following the principle of data minimization, we ensure that the volume and type of information collected is adequate and limited to what is essential for the execution of services, compliance with legal obligations, or to meet legitimate interests, always respecting your rights.

1. The types of data we collect directly may include:

   • a. Identification Data: Name, surname, CPF, RG (ID), date of birth, age, marital status, place of birth, nationality, parentage.

   • b. Contact Data: Email, address, telephone numbers.

   • c. Financial Data: Used for payment processing.

   • d. Login Data: Username and password (for authentication in systems or platforms).

   • e. Technical Data: Records of IP address, device type, operating system used, and geolocation (latitude and longitude, for security and fraud prevention purposes).

   • f. Navigation Data: Pages visited, time spent, usage statistics, and interaction with our websites and platforms, as well as cookies (including third-party cookies for analytics and marketing).

   • g. Interaction Data: Recordings of interactions with our customer support, such as phone calls or chat history, where applicable.

2. In addition, we may receive your data from authorized third parties or from public sources, always in compliance with applicable legislation. Such data may include:

   • a. Registration Information: Provided by partners or service providers.

   • b. Data from Public Sources: For identity verification or other legitimate purposes.

In situations where we act as an Operator, we process your personal data in accordance with the instructions and purposes defined by the company with which you have entered into a contract — the Controller. In such cases, we have no control over the types of data provided, receiving only the information necessary to fulfill the purposes established by that company.

Sensitive Data

We are committed to ensuring that Sensitive Personal Data is processed with the highest possible security and in a manner restricted to the minimum necessary. In some situations, such as protecting our facilities or authenticating to confirm a person's identity, the use of sensitive data, such as biometric or medical data, is essential to meet operational and legal purposes.

1. Biometric Data: Information such as facial and fingerprint data, used to control access to facilities or for authentication in systems, when it is necessary to confirm identity.

Whenever the processing of Sensitive Personal Data is necessary, you will be informed of the purpose and, where applicable, your consent will be obtained clearly, specifically, and in accordance with current legislation.

Children's and Adolescents' Data

Although we do not offer products or services directly to children and adolescents, the processing of personal data from this group may occur in some specific situations:

In the case of young apprentices and interns, in addition to complying with legal obligations, formal consent from the parents or guardians is required, as provided for in the Apprenticeship Law (Law No. 10,097/2000).

In other contexts, the processing of data from children and adolescents will be carried out upon the specific and prominent consent of at least one of the parents or the legal guardian, in accordance with the requirements of the LGPD.

Who We Share Your Data With

In order to offer our products and services efficiently, it may be necessary, in some situations, to share personal data with trusted business partners who help us ensure the quality and agility of our operations.

We may share your personal data with:

1. Service Providers: We share your personal data with providers contracted to facilitate, promote, and optimize our activities. These providers are contractually prohibited from using the data for any purposes not previously established by us. Our contracts clearly specify their responsibilities and penalties, ensuring the protection of your rights.

2. Authorities and regulatory bodies: When required by law, regulation, or court order, your data may be shared with government authorities and regulatory bodies, always respecting privacy and data protection requirements.

3. Companies of the same economic group: For internal administrative purposes, auditing, or process optimization, your data may be shared between companies of the same economic group, always with guarantees of security and confidentiality.

4. Mergers, acquisitions, or corporate reorganizations: In the event of a merger, acquisition, or sale of assets, your data may be shared with the entities involved, in compliance with privacy and data protection requirements.

5. External law firms: Your data may be shared with law firms to act in extrajudicial, judicial, administrative, or arbitration proceedings, when necessary to safeguard our rights, prevent fraud, or comply with legal obligations.

6. Business partners: In specific circumstances, we may share your data with business partners for the execution of contracts or to offer complementary products and services. This sharing will always be based on the purposes previously informed and, when necessary, with the consent of the data subject.

To ensure the protection of your data, all third parties with whom we share information undergo rigorous assessments and continuous monitoring, ensuring compliance with our policies and with security and governance best practices. In addition, these third parties are held liable for any personal data breach that occurs within their environments.

Where We Store Your Data

We store the personal data we collect or receive from third parties securely, using a combination of data centers, cloud services, and our own servers or those of partners. All storage environments follow rigorous security standards and comply with data protection legislation.

We use the following forms of storage:

1. Own servers, located on the company's premises or at partners (data centers), with exclusive administration by our team.

2. Cloud services, administered by us, with infrastructure maintained by partners that follow the same security standards established in our policies. These servers may be located in other countries, and we contractually guarantee that our partners keep the data in countries that offer adequate levels of protection as required by legislation, or that they adopt appropriate security measures, regardless of location.

3. Partner servers, administered by these partners and monitored by us, with security and data protection controls guaranteed by contracts.

How Long We Keep Your Data

The personal data we collect or receive is retained for as long as necessary to fulfill the purposes described in this policy and to meet legal, contractual, and regulatory requirements. The retention period varies according to the nature of the information and the purpose of the processing. We carry out periodic reviews of our policy to ensure that data is not retained for longer than necessary.

After the end of its necessity, data is securely and irreversibly deleted or anonymized. Retention follows the following principles:

1. Compliance with Legal or Regulatory Obligations: Data may be retained for as long as necessary to meet tax, labor, accounting obligations or for litigation and investigation purposes.

2. Contractual Obligations: Data is retained for as long as necessary for the fulfillment of contractual obligations, including warranties and limitation periods related to the contract.

3. Legitimate Interest: In situations justified by legitimate interest, data is kept until the purpose is achieved, provided this does not infringe the rights of the data subject.

4. Deletion Request by the Data Subject: Should the data subject request the deletion of the data, we will proceed with the secure disposal, provided there is no other legal basis that justifies the retention.

5. Controller Instructions: In cases where we act as an operator on behalf of another organization (controller), we follow the retention period defined by the controller, complying with the specific instructions for the deletion or anonymization of data at the end of the established purpose.

Use of Cookies

To provide an enhanced experience with our services and products, we use cookies. But what are cookies? Cookies are small files saved on the user's device during navigation, stored in their browser, which assist in personalizing access and remembering preferences.

For details on how they work, see our Cookie Policy.

We use cookies to collect, process, store, and/or share navigation information (with partner companies) for the following purposes:

1. Make navigation more agile and efficient;

2. Improve your experience and interaction with our services, products, websites, applications, and communications;

3. Offer content and offers that are more relevant and aligned with your interests;

4. Increase the effectiveness and continuity of our communication with you;

5. Respond to queries and requests;

6. Conduct marketing and relationship research to improve our products and services, as well as to obtain general statistical data.

You can, at any time, set your browser to warn you about the use of cookies or to disable them, if you prefer. Disabling non-essential cookies may limit your experience and affect some functionality.

To disable them, consult the specific settings of each browser:

Internet Explorer / Firefox / Google Chrome / Safari / Microsoft Edge

Use of Third-Party Links and Platforms

Our websites and platforms may contain links to third-party websites or services. The presence of these links does not represent an endorsement or sponsorship of these platforms, which are subject to their own terms of use and privacy policies, over which we have no control or responsibility. We recommend that you read the terms and privacy policies of these websites before providing any personal data.

Should you choose to contact us through third-party platforms (such as LinkedIn, Instagram, Telegram, or WhatsApp), the processing of your data will also follow the terms and privacy policies of these platforms, and is the sole responsibility of these companies. We assume no responsibility for the use of the information shared on these external platforms.

Use of Automated Decisions

In certain situations, INDIGO HIVE may employ automated technologies to process personal data in order to make decisions more quickly and efficiently. This may include, among others, customer profiling, process optimization, personalized recommendations, or security verification.

Automated decisions based on these technologies will be conducted in a transparent manner, allowing data subjects to understand the criteria used. When these decisions affect the rights or interests of the data subject, the data subject will have the right to request a review of these decisions by a natural person, as provided for in article 20 of the General Data Protection Law (LGPD).

To exercise this right, the data subject can contact us through the service channels indicated in this policy.

International Transfers

We use cloud services and technologies to store data, which may be located both in Brazil and in other countries. When data is stored outside Brazil, this constitutes an "International Data Transfer," in accordance with national legislation.

We guarantee that, regardless of where your personal data is stored, it will be subject to the same rigorous protection and security measures applied in Brazil. Transfers of personal data to other countries will only occur to destinations that offer a level of protection compatible with that provided for in the LGPD, or to companies that commit, through contracts, to adopt the same security and compliance standards.

All international transfers will follow the ANPD's guidelines, in compliance with applicable regulations, ensuring that legal and regulatory requirements are respected and that your data is protected.

Data Protection Impact Report (DPIR)

At INDIGO HIVE, we have adopted the Data Protection Impact Report (DPIR) as an essential tool for assessing and managing the risks associated with the processing of personal data. The DPIR ensures that our practices comply with data protection legislation and allows for the identification of possible impacts on the rights and freedoms of data subjects, in accordance with the principles of the General Data Protection Law (LGPD).

The DPIR is prepared whenever a project, system, or process involves a high potential risk to privacy, especially in cases such as:

1. Implementation of New Technologies: Risk assessment when new tools, platforms, or systems are incorporated into the processing of personal data.

2. Processing of Sensitive Data: Identification of risks and security measures when the processing includes sensitive personal data, such as biometrics, health data, or financial information.

3. Continuous Monitoring and Automated Decisions: Impact analysis in situations involving the constant monitoring of data subjects or the use of automated processes that may significantly affect the rights of individuals.

4. International Data Transfers: Assessment of the protections applied when transferring personal data to other countries, ensuring compliance with the requirements of the LGPD.

Each DPIR includes a detailed description of the processing operations, the risks identified, the security measures applied, and the corrective actions recommended to mitigate those risks. The report is documented and reviewed regularly, with the support of our security team and the Data Protection Officer (DPO), ensuring that INDIGO HIVE remains compliant with the best practices in privacy and data protection.

How We Keep Your Data Safe

At INDIGO HIVE, we prioritize the protection of and respect for the security and privacy of our customers' personal data. We act as data controllers and operators, guided by our Information Security Policy and our commitment to privacy. These guidelines ensure solid and transparent practices to protect information, in accordance with the principles of confidentiality, integrity, availability, and privacy.

Our main practices include:

1. Information Security and Privacy Policy: Our policy defines rigorous practices to ensure the protection of personal data in all processes, following the highest security standards and legal requirements.

2. Data Encryption and Privacy: We use advanced encryption to protect data, both at rest and in transit, reinforcing security against unauthorized access.

3. Access Controls and Training: We adopt role-based access controls and conduct continuous security and privacy training to ensure that only qualified professionals access sensitive information.

4. Constant Monitoring and Audits: We carry out uninterrupted monitoring and regular audits to verify compliance with our policies, promptly correcting any vulnerabilities.

5. Privacy Protection with Anonymization and Pseudonymization: Whenever applicable, we employ anonymization and pseudonymization techniques to preserve data privacy and reduce the impact of possible security incidents.

6. Incident Response and Privacy Protection Plans: We maintain a security incident response plan, which includes actions to protect data privacy and mitigate any impacts.

7. Third-Party Agreements: We establish rigorous privacy and confidentiality contracts with third parties that may have access to data, requiring that their processes meet the same protection and privacy standards adopted by INDIGO HIVE.

Security Incident Notification

We adopt rigorous measures to protect our customers' personal data, acting both as data controller and data operator, with the aim of preventing security incidents. However, in the event of an incident that compromises the confidentiality, integrity, or availability of personal data, we have a Personal Data Breach Incident Management Plan to manage and mitigate the impacts, following the guidelines of the General Data Protection Law (LGPD).

In the event of a security incident, we commit to following the steps defined in our plan:

1. Incident Identification and Assessment: As soon as it is identified, the incident will be analyzed by the security team to determine its severity, possible causes, and impact on the personal data and systems involved.

2. Containment and Mitigation Measures: Immediately after detection, we will implement actions to contain the incident and reduce risks to data subjects, including blocking access, correcting vulnerabilities, and continuously monitoring the affected systems.

3. Notification to Data Subjects: In cases where there is a relevant risk to the rights and freedoms of data subjects, we will notify the affected individuals promptly, providing clear information about the nature of the incident, the potentially compromised data, the measures adopted, and guidance to minimize the effects.

4. Notification to Competent Authorities: In compliance with the LGPD, we will notify the National Data Protection Authority (ANPD), whenever necessary, with details about the extent and nature of the incident, as well as the containment and corrective actions adopted.

5. Post-Incident Monitoring and Reporting: After the incident, we will carry out a detailed analysis to identify opportunities for improvement in our security controls, in order to prevent recurrences. We will document and store all reports about the incident, as provided for in our security and privacy policies.

Our Personal Data Breach Incident Management Plan is reviewed periodically to ensure that the measures are always aligned with best practices and in compliance with legal obligations.

Periodic Audits

We carry out regular audits to ensure that the processing of personal data complies with this policy and with the LGPD. These audits verify the correct application of the internal guidelines and identify improvements, when necessary.

Your Rights and How to Exercise Them

At INDIGO HIVE, we have a solid commitment to transparency and respect for your privacy rights. We know how important it is for you to have control over your personal data and to be able to decide how it is used. In compliance with the General Data Protection Law (Law No. 13,709/2018 – LGPD), we ensure a series of rights that can be exercised directly with us, as described below:

1. Confirmation and Access: Request confirmation of the existence of processing and obtain access to the personal data we hold about you (Art. 18, I and II).

2. Data Correction: Request the correction of information that is outdated, incorrect, or incomplete (Art. 18, III).

3. Blocking, Anonymization, or Deletion: Request the blocking, anonymization, or deletion of data considered unnecessary, excessive, or processed in non-compliance with the law (Art. 18, IV).

4. Opposition to Processing: Object to the processing of personal data, especially in the event of non-compliance with legal provisions (Art. 18, IX).

5. Revocation of Consent: Revoke the consent previously provided for the processing of personal data, interrupting the use of the data under this legal basis (Art. 18, IX).

6. Data Portability: Request the portability of personal data to another service or product provider, as regulated by the National Data Protection Authority (ANPD) (Art. 18, V).

7. Deletion of Data Processed Based on Consent: Request the deletion of personal data processed based on consent, except in situations where the retention of the data is permitted by other legal bases, such as:

   • a. Compliance with a legal or regulatory obligation (Art. 16, I);

   • b. Studies by research bodies, with due anonymization of the data, when applicable (Art. 16, II);

   • c. Transfer to third parties in an authorized manner, respecting legal requirements (Art. 16, III);

   • d. Exclusive use by the controller, with anonymization, access by third parties being prohibited (Art. 16, IV).

To exercise any of these rights, you can contact us through the service channels indicated in this policy. Our Data Protection Officer (DPO) is available to handle your requests, ensuring the transparency and compliance of our processes with the LGPD.

When We Act as an Operator

In situations where INDIGO HIVE acts as an operator of personal data on behalf of another organization (controller), the exercise of data subjects' rights must be directed to the responsible controller. In this role, INDIGO HIVE processes personal data in accordance with the instructions and purposes established by the controller, in compliance with the agreements and applicable legislation.

If we receive a request to exercise rights in cases where we act as an operator, we will forward the request to the competent controller and inform the data subject about this procedure. In this way, we ensure that all rights are met in accordance with the LGPD guidelines.

How to Contact Us

If you have any questions about this Privacy Policy, wish to make a request related to your rights as a personal data subject, or wish to file a complaint about the processing of your data, please contact our Data Protection Officer (DPO) or use the service channels available on our website:

• Primary DPO: Rômulo Mateus Castro Prates

• Alternate DPO: Lucas Silva de Sena

• Phone: +55 (11) 9 6419-8127

• Email: dpo@indigohive.com.br

Every effort will be made to respond to the data subject's requests in the shortest possible time. When the request involves additional inquiries or greater complexity, the response period may be up to thirty (30) days.

Please note: in order to ensure your identity and the legitimacy of your request, we may request that you provide some personal data and documents for the authentication process. This data will be stored in our databases to meet possible legal and regulatory demands, proving that your request was made and fulfilled. We will not use your data for any other purposes.

7. Applicable Law and Dispute Resolution

This Privacy Policy will be governed by and interpreted in accordance with the laws of the Federative Republic of Brazil, in particular the General Data Protection Law (Law No. 13,709/2018).

Any disputes or controversies related to the processing of personal data, as described in this Policy, must be resolved amicably, seeking consensual solutions between the parties. Should an agreement not be possible, the parties elect the jurisdiction of the District of Brasília/DF as the competent venue to settle any matters arising from this Policy, expressly waiving any other, however privileged it may be.

8. Validity and Review

1. This policy comes into effect on the date of its approval and publication by the Integrated Management System Committee (CSGI).

2. This policy will be reviewed every 1 year or as necessary, following the procedures established in the guidelines of this policy.

3. Any changes will be formally communicated to everyone involved, ensuring they are kept up to date on the new guidelines.

Revision 02. Date: 11/07/2025