1. Introduction and Legal Basis
Economatica Software de Apoio a Investidores Ltda. (“Economatica”) is a company specialized in data and technology solutions for financial analysis, which handles information ethically and securely, in compliance with the Brazilian General Data Protection Law (Law No. 13.709/2018 - LGPD).
This Privacy Policy and Data Governance (“Policy”) aims to clearly explain how Economatica collects, uses, shares, stores, and protects personal data under its responsibility, and to guide employees, service providers, and partners regarding privacy and information security best practices.
Due to its B2B nature, Economatica processes minimal personal data, generally limited to professional contact information (name, corporate email, phone number, job title, and company) of representatives of clients, suppliers, partners, and service providers. It may also process employee and candidate data, as required by legal or contractual obligations.
Economatica primarily acts as a Data Controller, being responsible for decisions related to processing, and may also act as a Data Processor when processing is carried out under contractual instructions from institutional clients.
Processing activities are carried out based on the following predominant legal bases:
- Contract performance: to enable service delivery, technical support, commercial relationship management, and billing;
- Compliance with a legal or regulatory obligation: especially before public and tax authorities;
- Legitimate interest: for information security, service improvement, institutional relationship management, and B2B communications.
Economatica adopts technical and organizational controls compatible with its size and operational complexity, aiming to ensure the confidentiality, integrity, and availability of the data it processes. This Policy was prepared based on applicable Brazilian law and relevant best practices, with the main references being:
- Law No. 13.709/2018 (LGPD) and amendments introduced by Law No. 13.853/2019;
- Law No. 12.965/2014 (Marco Civil da Internet - Brazilian Internet Civil Rights Framework);
- Brazilian Federal Constitution of 1988 (privacy, private life, and secrecy of communications);
- Regulations and guidance issued by the ANPD and other regulators applicable to Economatica’s activities.
2. Key Concepts and Acronyms
- ANPD - Agência Nacional de Proteção de Dados (Brazilian National Data Protection Authority), the regulator responsible for enforcing the LGPD.
- Anonymization - Process that prevents identification of the data subject, considering reasonable technical means.
- Controller - Legal entity responsible for decisions regarding personal data processing.
- Personal Data - Information relating to an identified or identifiable natural person (e.g., name, corporate email, phone number).
- Sensitive Data - Information about racial origin, religious belief, political opinion, health, sex life, or biometric/genetic data.
- DPIA (Data Protection Impact Assessment) - Impact assessment report prepared when processing may pose significant risks.
- DPO - Person appointed by Economatica as the communication channel between data subjects, the company, and the ANPD.
- Security Incident - Unauthorized access to, use of, or disclosure of personal data.
- LIA (Legitimate Interest Assessment) - Assessment that demonstrates the balance between the company’s legitimate interest and the data subject’s rights.
- LGPD - Brazilian General Data Protection Law (Law No. 13.709/2018).
- Processor - Legal entity that processes personal data on behalf of the Controller.
- RoPA (Record of Processing Activities) - Record of processing activities documenting internal processes.
- Data Subject - Natural person to whom the processed personal data relates.
- Processing - Any operation performed on personal data (collection, storage, use, sharing, deletion, etc.).
3. Scope and Target Audience
This Policy applies to all Economatica employees, directors, service providers, consultants, and partners in Brazil and other countries where the company operates or serves clients. Everyone is subject to the guidelines and procedures defined herein regarding the processing, protection, and privacy of personal data accessed or processed in their professional activities.
The target audience of this Policy includes clients, suppliers, service providers, business partners, and company employees. Economatica is the Controller of the personal data processed in its operations and contracts, ensuring processing grounded on lawfulness, necessity, and transparency.
4. Governance and Responsibilities
Economatica maintains a data governance structure compatible with its size and operational complexity, ensuring that personal data processing activities are conducted ethically, securely, and in compliance with the LGPD and other applicable rules.
Privacy governance is the responsibility of Executive Management, the Data Protection Officer (DPO), the Ethics Committee, and Area Managers, with the support of all employees.
4.1. Executive Management
Executive Management is responsible for ensuring that Economatica has adequate resources, policies, and controls to comply with the LGPD and other rules related to data protection and information security.
Executive Management responsibilities:
- Approve this Policy and other data governance documents;
- Ensure personal data processing complies with the company’s legal and ethical principles;
- Provide institutional support and necessary resources to the DPO;
- Deliberate on relevant security incidents and related corrective measures;
- Promote a data protection and privacy culture at all organizational levels.
4.2. Ethics Committee / Privacy and Data Protection Committee (“Committee”)
The Ethics Committee is a consultative, multidisciplinary body responsible for supporting Management and the DPO in decisions related to privacy and data governance.
Committee responsibilities:
- Support implementation and monitoring of the privacy and data protection program;
- Review high or critical risk situations related to personal data processing;
- Monitor and review, when necessary, DPIAs and LIAs;
- Support the DPO in incident response and communication with the ANPD;
- Promote communication, training, and awareness actions on ethics, privacy, and compliance best practices.
4.3. Data Protection Officer (DPO)
The Data Protection Officer (DPO) is the professional appointed by Economatica to act as the communication channel between the company, data subjects, and the ANPD.
DPO responsibilities:
- Oversee and coordinate Economatica’s privacy and data protection program;
- Implement and review controls, processes, and policies for personal data processing;
- Ensure adequate legal grounds for collection and processing;
- Receive, log, and respond to data subject requests within LGPD timeframes;
- Support RoPA updates and the execution of DPIAs and LIAs, when applicable;
- Support Management and the Committee in incidents and ANPD communications;
- Promote internal trainings and campaigns;
- Stay up to date on legislation, regulations, and best practices.
4.4. Information Security Area
The Information Security Area is responsible for implementing and maintaining technological and operational safeguards for personal data processed by Economatica.
Information Security responsibilities:
- Develop and review security policies, controls, and procedures;
- Monitor and mitigate confidentiality, integrity, and availability risks;
- Support the DPO in incident investigation and management;
- Ensure controlled and auditable access;
- Promote best practices and guide employees on secure use.
4.5. Area Managers
Each Area Manager (Products, Technology, Sales, Support, Specialists, and other areas) is responsible for ensuring compliance with this Policy and privacy and security guidelines within their scope.
Area Manager responsibilities:
- Ensure ethical processing in compliance with the LGPD and this Policy;
- Keep RoPA and retention periods up to date;
- Inform the DPO of new processes involving personal data before they start;
- Support the preparation of DPIAs/LIAs when applicable;
- Immediately report incidents or data subject requests.
4.6. Employees
All Economatica employees and service providers have a duty to protect personal data under their responsibility and to act in accordance with the principles of this Policy and applicable law.
Employee responsibilities:
- Process personal data only for legitimate and authorized purposes;
- Maintain confidentiality of accessed information;
- Follow guidance from the DPO and Area Managers;
- Immediately report incidents, misuse, or suspected breaches;
- Participate in trainings and awareness campaigns.
5. Personal and Business Data Processed
5.1. Categories of Data Collected
Economatica processes personal and business data exclusively for legitimate purposes related to service delivery, commercial relationships, legal obligations, and information security.
Personal data collection is limited and occurs mainly in B2B contexts, involving professional contact data of representatives of clients, suppliers, and partners. In addition, technical platform usage data and business data required to execute contracts may be processed.
| Data Category | Examples of Collected Data |
| --- | --- |
| Professional Personal Data | Name, job title, role, corporate email, business phone number, represented company, and communications with Economatica. |
| Technical and Usage Data | IP address, access logs, access date and time, session identifiers, browsing data, and platform/system usage records. |
| Business Data (Legal Entity) | Corporate name, CNPJ, address, registration and tax information, billing data, corporate bank details, and contractual information. |
| Employee and Candidate Data | Registration and professional data for recruitment, people management, payroll, and benefits, as required by legal/contractual obligations. |
Cookies and telemetry: Economatica may use cookies, SDKs, and telemetry tools to record technical events (e.g., performance, errors, authentication, security) and improve the user experience across platforms. Use is limited to strictly necessary, security, and service improvement purposes.
Minors: Economatica’s platforms and services are not intended for children. The company does not intentionally collect data from children and adolescents.
5.2. Purposes and Legal Bases for Processing
The processed data is used for legitimate purposes related to business activities. Processing operations are grounded on LGPD legal bases, predominantly:
- Contract performance (art. 7, V, LGPD): service delivery, technical support, billing, collections, and commercial relationship management;
- Compliance with a legal or regulatory obligation (art. 7, II, LGPD): tax, labor, social security, and regulatory requirements;
- Legitimate interest (art. 7, IX, LGPD): information security, database maintenance, service improvement, and B2B communications;
- Consent (art. 7, I, LGPD): when processing does not fit the bases above or involves optional communications.
Examples of processing purposes:
- Management and execution of service contracts;
- Registration and servicing of clients, suppliers, and partners;
- Technical support, maintenance, and platform monitoring;
- Compliance with tax, accounting, and regulatory obligations;
- Access control, logs, and security records;
- Institutional communications and relationship management with corporate clients;
- Selection and administration of employees and service providers.
5.3. Governance Requirements and Principles in Data Processing
Economatica observes LGPD principles and adopts practices proportional to its size and the nature of its activities:
- Purpose: only for legitimate, specific, and previously informed purposes.
- Adequacy: compatible with informed purposes and the collection context.
- Necessity: only strictly necessary data is collected and processed.
- Transparency: data subjects are informed about processing and their rights.
- Security: technical and administrative measures to protect against unauthorized access, loss, or alteration.
- Prevention: practices to prevent incidents and minimize risks.
- Accountability: employees and managers ensure compliance with policies and applicable law.
In addition, it is desirable that:
- Each area keeps its Record of Processing Activities (RoPA) up to date;
- DPIAs and LIAs are prepared whenever there is high risk to data subjects or when processing is based on legitimate interest;
- Processing is documented and periodically reviewed by the DPO and Executive Management.
Economatica makes reasonable efforts to keep data accurate and up to date. Whenever outdated data is identified, the data subject or the corporate client should notify the DPO or the relationship area so that it can be corrected.
Any new product, feature, or material process change involving personal data must be previously assessed by the DPO (and the area manager), with RoPA updates and, when applicable, an LIA/DPIA.
5.4. Data Processing by Third Parties (Economatica as Processor)
When acting as a Data Processor, performing processing on behalf of institutional clients or partners, Economatica will strictly follow the Controller’s instructions, pursuant to applicable contracts and the LGPD.
In such cases:
- Processing is limited to the purposes defined by the Controller;
- The same security and confidentiality measures adopted internally are observed;
- Use of the data for any purpose of Economatica's own is prohibited;
- Security incidents are immediately communicated to the Controller and the DPO.
6. Sharing, International Transfer, and Data Subject Rights
6.1. Data Sharing
Economatica may share personal and business data with third parties only when there is a legal basis and a legitimate purpose, ensuring processing under the same security and confidentiality standards adopted internally.
Sharing may occur:
- With technical providers and partners (operations, hosting, support, infrastructure, and maintenance);
- With government and regulatory authorities when required by law (e.g., CVM, BACEN, Receita Federal, and ANPD);
- With legal, accounting, or external consultants (regular exercise of rights, audits, and legal obligations);
- In specific commercial or corporate transactions, with appropriate contractual safeguards;
- With institutional clients when Economatica acts as a Processor, following the Controller’s instructions.
Economatica does not sell personal data and uses contractual clauses and due diligence to ensure that third parties observe ethical and legal standards.
Sub-processors: When contracted third parties engage sub-processors, they must comply with the same security, confidentiality, retention, and disposal obligations set forth in this Policy and the contract, and Economatica remains responsible for oversight.
6.2. International Data Transfer
Economatica may perform international data transfers, especially when using cloud storage services or tools from foreign providers (e.g., hosting and security).
Such transfers will occur only when:
- The destination country provides a level of protection compatible with the LGPD; or
- There are specific contractual clauses, additional safeguards, or the data subject’s consent, as required by law.
Economatica requires international suppliers and partners to implement contractual safeguards ensuring adequate protection of transferred data.
6.3. Data Subject Rights
We respect and ensure data subjects can exercise the rights provided by the LGPD. Data subjects may, at any time and upon request to the DPO, exercise the following rights:
| Right | Description |
| --- | --- |
| Confirmation and Access | Request confirmation of processing and obtain access to the personal data processed. |
| Correction | Request correction of incomplete, inaccurate, or outdated data. |
| Anonymization, Blocking, or Deletion | Request anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data. |
| Portability | Request data portability to another provider, as regulated by the ANPD. |
| Deletion | Request deletion of data processed based on consent, except where legal retention is required. |
| Information on Sharing | Obtain information about public and private entities with which data has been shared. |
| Withdrawal of Consent | Withdraw previously granted consent, upon express request. |
| Objection | Object to processing based on other legal bases when there is non-compliance with the LGPD. |
Channel and response timeframe: Requests must be sent to the Data Protection Officer (DPO) via email: incidente@economatica.com.br. Economatica will promptly acknowledge receipt and respond within 15 (fifteen) calendar days, and may request additional information to verify identity.
7. Information Security and Data Incidents
7.1. Information Security
Economatica adopts technical and administrative measures proportionate to its size and complexity to protect personal and business data against unauthorized access, loss, alteration, or improper disclosure.
Main practices and controls:
- Secure infrastructure, with dedicated servers and certified cloud providers (ISO 27001, SOC 2);
- Encryption in transit (SSL/TLS) and, when applicable, at rest;
- Individualized access control, user authentication, and logs;
- Daily automated backups in redundant environments;
- Continuous monitoring of integrity and availability;
- Periodic security updates and patches;
- Permission management and periodic access reviews;
- Internal training on security, phishing, and digital best practices.
Employees and service providers are directly responsible for protecting the information they access and must follow guidance from the DPO and the IT area regarding the secure use of systems, devices, and passwords.
7.2. Procedure in Case of Security Incidents
Economatica maintains an Incident Response Procedure with steps for cases of actual or suspected breaches involving personal data, business data, or systems.
In any situation (e.g., unauthorized access, loss, leakage, or accidental deletion), the employee or service provider must immediately notify the DPO through the official channel.
Steps of the internal protocol:
- Identification and containment: initial assessment, isolation of the source, and prevention of spread;
- Analysis and logging: root cause review, impact assessment, affected data categories, and corrective measures;
- Communication: notification to Management and, if applicable, to the ANPD and data subjects, depending on risk and legal requirements;
- Correction and mitigation: corrective actions and recurrence prevention;
- Documentation and learning: detailed record, lessons learned, and control improvements.
Failure to comply with security guidelines or omission in reporting incidents may result in disciplinary measures, depending on severity.
8. Data Retention and Disposal
8.1. Data Retention
This section defines internal guidelines for retention, storage, and secure disposal of personal and business data, in line with data governance and protection best practices adopted by Economatica.
Data must be kept only for as long as necessary for the purposes for which it was collected, or for the period required by legal, regulatory, or contractual obligations.
Retention may occur:
- For as long as the contractual relationship with clients, suppliers, or partners lasts;
- While platform access remains active;
- During statutory limitation periods for the defense of rights (art. 205 of the Brazilian Civil Code - up to 10 years);
- For legal and tax periods (e.g., accounting and tax documents - 5 years);
- In anonymized form, when full deletion is not technically possible or when there is a legitimate interest in statistical/historical data.
Personal data of employees and candidates follows labor, social security, and document retention legal deadlines established by law.
8.2. Retention Periods by Data Category
| Data Category | Retention Period | Legal Basis / Notes |
| --- | --- | --- |
| Client and supplier registration and contractual data | Contract term + 5 years | Legal/regulatory obligation (Civil Code, Receita Federal). |
| Tax, accounting, and payment data | 5 years after the close of the fiscal year | Law No. 9.430/96 and art. 173, CTN. |
| Platform access data (logs, IP, technical records) | 6 months | Marco Civil da Internet (Law No. 12.965/14, art. 15). |
| Professional contact data (corporate users) | Commercial relationship term + 2 years | Legitimate interest and relationship history. |
| Employee and former employee data | Up to 10 years after termination | Labor and social security limitation periods. |
| Job candidate data | Up to 1 year after the selection process | Legitimate interest (potential reopening of the position). |
| Anonymized data (statistical analyses and aggregated logs) | Indefinite, as long as it remains anonymized | Art. 12, §3, LGPD. |
8.3. Data Disposal and Deletion
Once the applicable retention period ends, data must be securely deleted or anonymized according to technical standards that prevent reconstruction or re-identification.
Guidelines:
- Deletion is conducted by the IT area under the DPO’s supervision;
- Systems, databases, and backups must be included in the process;
- When applicable, data will be anonymized while preserving statistical or aggregated information;
- Physical documents must be shredded and properly disposed of;
- Disposal operations must be recorded (date, responsible party, and data type deleted).
8.4. Data Shared with Third Parties
Third parties and processors that handle data on Economatica’s behalf must follow the same retention and disposal rules described in this Policy, formalized through specific contractual clauses.
Typical contractual safeguards:
- Deletion or return of data upon contract termination;
- Proof of secure disposal when requested;
- Confidentiality and prohibition of use for other purposes.
8.5. Periodic Review
The DPO, with support from Executive Management, will conduct an annual review of retention periods and disposal procedures to keep alignment with legal requirements and the company’s operational reality.
9. Final Provisions
9.1. Privacy and Incident Channel
For questions about personal data processing, data subject rights requests, or reporting security incidents, the official contact channel with the DPO is: incidente@economatica.com.br.
9.2. Amendments and Effectiveness
This Policy becomes effective on the date it is approved by Executive Management and may be updated at any time by publishing a new version. Economatica will keep the date of the latest update visible in the document and will communicate material changes when necessary.
9.3. Contractual Precedence
In case of conflict between this Policy and specific contractual terms signed with clients or partners, the contractual terms shall prevail, provided they are compatible with the LGPD and other applicable rules.
9.4. Compliance and Consequences
Non-compliance with this Policy may subject the offender to disciplinary measures and other applicable legal and contractual actions.
9.5. Periodic Review
This Policy will be reviewed at least annually (or whenever there is a relevant regulatory change), coordinated by the DPO and approved by Executive Management.