PRIVACY POLICY

Amended March 19, 2021.

1. INTRODUCTION

This Policy is intended to demonstrate the commitment of

CAIO – INDUSCAR INDÚSTRIA E COMÉRCIO DE CARROCERIAS LTDA. (“We”, “Us”),
having its principal place of business at Rod. Marechal Rondom, w/o No., km 252.2; Zona Industrial, in the city of Botucatu/SP, CEP/Postal Code: 18.607-810
CNPJ/Corporate Taxpayer ID No.: 02.907.841/0001-02

to your privacy and the protection of your Data, in a clear and transparent manner, in accordance with the applicable laws, particularly Law No. 13.709/2018 (“General Personal Data Protection Law”).

This Policy outlines the primary rules on processing your Data, particularly Personal Data, when You use the features existing on our institutional website, available at the link www.caio.com.br (“Website”).

As a condition for accessing and using the features provided by our Website, You must declare that You have read this Policy thoroughly and carefully, fully acknowledging the terms provided for herein, thus giving your free and express consent to such terms, including the collection of Data referred to hereunder, as well as their processing for the purposes specified below.

We strive, at all times, to provide You with the services and features as efficiently as possible, keeping ourselves up to date to that end on a regular basis. Accordingly, this Policy may be amended at any time, and You are responsible for verifying it whenever possible through this email address.

2. ABOUT DATA WE COLLECT

2.1. How We collect Data

Data, including Personal Data, may be collected when You submit it or when You interact with our Website and services, which includes:

Registration data

What do we collect?

  • Full name
  • Email
  • Contact phones (home or mobile)

What do we collect for?

  1. To identify and authenticate You;
  2. To comply with the obligations arising from the use of our services and features, including to comply with legal and regulatory provisions;
  3. To improve your experience with us, managing your queries and requests;
  4. To allow You to contact us, including our press office and ombudsman;
  5. To ensure the portability of registration Data to another Controller operating in the same field as us, if requested by You, complying with the obligation of article 18 of the General Personal Data Protection Law;
  6. To protect You with regard to preventing fraud and related risks, in addition to complying with legal and regulatory obligations;

Professional data

What do we collect?

  • Company You belong to
  • Communication channel of which You are a representative

What do we collect for?

  1. To enable identifying the company You belong to, so that we can be more assertive when clarifying your doubts and answering your requests made through our Contact Us channels and Press Room available at our Website;
  2. To identify the communication channel of which You are a representative in order to promote contact with our press office;

Digital identification data

What do we collect?

  • Source IP Address and Logical Port
  • Device (operating system version)
  • Time and date records of every action You take
  • Screens You accessed
  • Session ID
  • Cookies

What do we collect for?

  1. To identify and authenticate You; and
  2. To comply with legal record keeping obligations provided for by the Brazilian Civil Rights Framework for the Internet (“Marco Civil da Internet”) - Law No. 12.965/2014.

2.2. Required data

The provision of our services and features available at the Website directly depends on certain Data referred to in the table above. If You choose not to provide some of this Data, We may be unable to provide part of our services and features at our Website.

2.3. Data update & veracity

You are solely responsible for the accuracy, veracity or lack thereof in relation to the Data You provide or for its outdatedness. Please be aware that it is your responsibility to ensure accuracy or keep the data up to date.

2.3.1. Likewise, We are not required to process any of your Data if there are reasons to believe that such processing may constitute a violation of applicable law, or if You are using our Website for any illegal, unlawful or unethical purposes.

2.4. Database

The database created through the collection of Data is our property and under our responsibility, and its use, access and sharing, when necessary, shall be made within the limits and business purposes outlined in this Policy.

2.5. Technologies used

We use the following technology(ies):

  1. Cookies, used to improve the functionality of our Website, in accordance with the information available in the Cookie Policy. At any time, You may block the use of Cookies through your Web browser settings, in which case some features of our Website may be limited;
  2. Google Analytics, for non-identifiable browsing logs for analysis;
  3. Google Tag Manager, for dynamic navigation tag management; and
  4. Global Website Tag, for logging events while browsing.

2.5.1 All technologies used will comply, at all times, with applicable law and the provisions of this Policy.

2.6. We do not use any type of solely automated decision that impacts You.

3. HOW WE SHARE DATA AND INFORMATION

3.1. Assumptions of Data Sharing

Data collected and activities logged can be shared, observing at all times that the minimum amount of information necessary is sent to achieve such purposes:

  1. With competent judicial, administrative or governmental authorities, whenever there is a legal order, requirement, requisition or court ruling;
  2. Automatically, in the event of corporate changes, such as consolidations, acquisitions and mergers;
  3. With partner companies and service providers necessary for the provision of our services and features, whereas such organizations are at all times required to comply with the security and data protection guidelines, as per item 4.5 of this Policy.

4. HOW WE PROTECT YOUR DATA AND HOW YOU CAN PROTECT IT TOO

4.1. Measures We take

We use our best efforts to maintain the privacy and security of information by adopting technical, physical and administrative security measures:

  1. Technical measures, such as transmission of Personal Data through a secure website, data storage in electronic media maintaining high security standards, use of a system, the access of which is controlled;
  2. Physical measures, such as restricted access to authorized persons maintained in facilities which include use of market security tools; and
  3. Administrative measures, including the adoption of Security Policies and Standards, training/awareness of employees, non-disclosure agreements.

4.2. Care You must take

It is very important that You protect your Data from unauthorized access to your device. It is also very important that You know that We will never send emails requesting confirmation of data or with attachments that can be run (extensions: .exe, .com, among others) or even links to any downloads. Our contacts are intended to bring information about your queries and requests, as well as other information that You may have requested at our Website.

4.3. Access to Personal Data, proportionality and relevance.

Internally, the Personal Data collected is accessed only by duly authorized professionals, observing the principles of proportionality, necessity and relevance for our business purposes, in addition to the commitment to confidentiality and preservation of your privacy provided for in this Policy.

4.4. External links

When You use our Website, You may be led via a link to other websites or platforms, including our social media channels and job vacancy websites, which may collect your information and have their own Data Processing Policy.

4.4.1. You are responsible for reading the Privacy and Data Processing Policies of such websites or platforms outside the environment of our Website, and it is your responsibility to accept or reject it. We are not responsible for the Privacy and Data Processing Policies of third parties, nor for the content of any websites, content of services connected to environments other than ours.

4.4.2. Partner services. We have business partners which, from time to time, may provide services through features or websites that can be accessed from our Website. The Data provided by You to these partners will be their responsibility and will be subject to their own data collection and use practices accordingly.

4.5. Processing by third parties under our directive

If outsourced companies carry out the Processing on our behalf of any Personal Data We collect, they shall mandatorily comply with the conditions provided for hereunder and the information security rules.

4.6. Communication by email

Please note: We only send emails through the domain @caio.com.br.

5. HOW WE STORE YOUR PERSONAL DATA AND ACTIVITY LOG

5.1. The Personal Data collected and activity logs are stored in a secure and controlled environment for a minimum period subject to the table below:

STORAGE PERIOD | LEGAL GROUNDS
As long as the relationship lasts and there is no request for deletion or revocation of consent | Art. 9, item II of the General Personal Data Protection Law
5 years after the relationship is terminated | Arts. 12 and 34 of the Consumer Protection Code
3 years after the relationship is terminated | Art. 206, paragraph 3, item V of the Civil Code
6 months for Digital Identification Data | Art. 15 of the Brazilian Civil Rights Framework for the Internet (“Marco Civil da Internet”)

5.2. Longer storage periods. For purposes of auditing, security, fraud control and preservation of rights, We may keep the registration history of your Data for a longer period in the event that the law or any regulation so provides or for the preservation of rights.

5.3 The Data collected may be stored on servers located outside Brazil, as well as in a cloud-based environment of use of resources or servers (cloud computing), which may require an international transfer and/or processing of Data.

6. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM

6.1. Your basic rights

You may request confirmation of the processing of Personal Data, in addition to the display or rectification of your Personal Data, through the Service Channels, pursuant to item “7.4”.

6.2. Limitation, opposition and deletion of Data

Through the Service Channels, You may also request:

  1. Limiting the use of your Personal Data;
  2. Expressing your opposition and/or withdrawing your consent to the use of your Personal Data; or
  3. Requesting the deletion of your Personal Data that has been collected by Us.

6.2.1. If You request the deletion of your Personal Data, the Data may need to be kept for a period longer than the request for deletion, pursuant to article 16 of the General Personal Data Protection Law, to (i) comply with a legal or regulatory obligation, (ii) study by a research body, and (iii) transfer to a third-party (observing the data processing requirements provided for in the same Law). In all cases through the anonymization of Personal Data, where applicable.

6.2.2. Once the storage period elapses and the legal requirement ceases, the Personal Data will be deleted using secure disposal methods or used anonymously for statistical purposes.

7. ABOUT THIS POLICY

7.1. Change of content and update

You acknowledge our right to change the content of this Policy at any time, according to the purpose or need, such as for the adequacy and legal compliance of a provision of law or regulation having equivalent legal force, and You are responsible for verifying it whenever You access our Website or use our services and features.

7.1.1. In the event of updates to this document requiring your consent to be given again, You will be notified through the contact channels You provide.

7.2. Severability

If any provision of this Policy is held to be unenforceable by the Data Authority or court, the remaining provisions will remain in full force and effect.

7.3. Electronic communication

You acknowledge that any communications carried out by email (to the addresses provided in your registration), text messages, instant messaging applications or any other digital form, are also valid, effective and sufficient for the disclosure of any matter relating to the features that We provide at our Website, your Data, as well as any other subject discussed, except for what this Policy does not provide as communication.

7.4. Service Channels

If You have any doubts regarding the provisions under this Privacy and Data Processing Policy, You may also contact our Officer directly through the service channels indicated below:

  1. Email: dpo@essencialprivacidade.com.br

7.5. Applicable law and jurisdiction

This Policy shall be interpreted in accordance with Brazilian law, in the Portuguese language, whereas the jurisdiction of the Judicial District of Botucatu, State of São Paulo, will be elected to settle any controversies arising from this document, except for specific reservations of personal, territorial or functional jurisdiction under the applicable law.

8. GLOSSARY

8.1 For the purposes of this Policy, the following definitions and descriptions should be considered for better understanding:

  1. Anonymization: Use of reasonable technical means available at the time of Processing, whereby data loses the possibility of association, directly or indirectly, with an individual.
  2. Cloud Computing: Service virtualization technology built from the interconnection of more than one server through a common information network (e.g., the Internet), with the objective of reducing costs and increasing the availability of supported services.
  3. Cookies: Small files sent by our Website, saved on your devices, which store preferences and other minimal information, in order to customize your browsing according to your profile.
  4. Data: Any information entered, processed or transmitted through our Website.
  5. Personal Data: Data relating to an identified or identifiable individual.
  6. Exclusively automated decisions: Decisions affecting a user that have been programmed to work automatically, without the need for human operation, based on automated processing of Personal Data.
  7. Officer (Data Protection Officer - DPO): Person appointed by Us to act as the point of contact between Us, the Personal Data subjects and the Brazilian Data Protection Authority (ANPD).
  8. Session ID: User session identification when accessing our Website.
  9. IP: Stands for Internet Protocol. It is an alphanumeric set that identifies users’ devices on the Web.
  10. Processing: Any operation performed with Personal Data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction.