PRIVACY POLICY

This policy applies to the processing of Personal Data (any information that identifies or could identify a natural person) collected by Oxxy2 Limited, directly or indirectly, from all individuals, including but not limited to current, future or potential job candidates, employees, professionals, clients, suppliers, business partners, shareholders, subcontractors, or any third parties.

Personal Data includes any information that identifies or could identify a natural person, such as names, identification numbers, identification codes, addresses, among others.

This document sets forth the rules, principles, and values that should guide the attitudes, behaviours, and decision-making of all Employees, members of the Board of Directors, the Executive Board, as well as those in managerial roles, employees and interns, clients, suppliers, business partners, shareholders, subcontractors, or any third parties, in compliance with Personal Data protection laws, including but not limited to Law No. 13,709/2018 (General Data Protection Law – LGPD) and Law No. 13,853/2019, as well as the best practices adopted in international standards, such as the General Data Protection Regulation (GDPR) in force in the European Union.

DATA PROCESSING
Any and all operations with data performed by a natural person or by a public or private legal entity, such as data collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

PURPOSE
Personal Data should only be used for the legitimate and specific purposes for which it was collected and properly disclosed to the data subjects. Any processing incompatible with the specific purpose is prohibited, as well as processing for discriminatory, illegal or abusive purposes.

Examples of purposes for processing Personal Data by Oxxy2 include recruitment management, human resources management, accounting and financial management, treasury and tax management, risk management, provision of IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, occupational health and safety management, information security management, client/partner relationship management, sales and marketing management, supply management, internal and external communication, event management, compliance with anti-corruption obligations or any other legal requirements, data analysis operations, corporate legal management, implementation of compliance processes, among others.

DATA MINIMISATION
Only the minimum Personal Data necessary to fulfil the specific purpose defined by law should be collected.

ACCURACY
Personal Data will be maintained accurately by Oxxy2 and updated as necessary to meet the purpose of its processing.

MINIMUM RETENTION
Where possible, Personal Data should be deleted from Oxxy2’s database after fulfilling the specific purpose.

SECURITY
Oxxy2 implements appropriate technical and administrative measures to protect Personal Data against accidental or unlawful alteration or loss, as well as from unauthorised use, disclosure, or access.

Employees will receive access passwords for various work tools, such as email, intranet, payroll systems, systems with information on job titles, salaries, and benefits, among others, according to their role.

All passwords are personal and non-transferable. Access passwords are granted to the individual in a demonstration of trust and must not be transferred or provided to others to access Personal Data or any other confidential information.

The following actions are strictly prohibited:

Copying Personal Data to personal devices, sending or forwarding Personal Data or emails containing Personal Data to any person not expressly authorised by Oxxy2 to receive such data.
Disclosing or publishing any Personal Data of Employees or Third Parties through Computing and Communication Resources.
Searching for, viewing, or saving on computing resources, such as computers, phones, emails, video conferencing, or any type of document containing Personal Data, voicemail, text messages or emails containing Personal Data without a legitimate purpose in line with their role.
Providing or using personal passwords belonging to third parties or other Employees.

DISCLOSURE
In the normal course of business, Oxxy2 may share Personal Data with authorised Employees and Third Parties to maximise the quality and efficiency of its services and business operations.

Oxxy2 may also be required to disclose Personal Data to Government Authorities, courts, and governmental agencies as required by law, regulation, or legal process, or to defend the interests, rights, or property of Oxxy2 or related third parties.

Oxxy2 will not share Personal Data with other individuals or entities unless the relevant data subject has requested or given prior approval for such sharing.

ANONYMISATION
Oxxy2 is committed to preserving the privacy, intimacy, and image of data subjects. As such, Personal Data should be converted into Anonymised Data whenever possible.

CONSENT
Consent, one of the legal bases for processing Personal Data, should be obtained by the free, informed, and unequivocal expression of the data subject, who must agree to the Processing for a specific and determined purpose.

Oxxy2 will not process data in a manner different from what was disclosed, and if the initial purposes are changed, new consent must be obtained from the data subject.

DATA OF CHILDREN AND ADOLESCENTS
The Processing of Personal Data related to children and adolescents will be carried out by Oxxy2 solely for the provision of services or benefits directly to a child or adolescent, provided that prior, specific, and highlighted consent is obtained from at least one parent or legal guardian, in accordance with applicable legislation.

SENSITIVE DATA
Sensitive Data will only be processed with the specific and highlighted consent of the data subject for specific purposes.

Unless necessary for compliance with legal or regulatory obligations; regular exercise of rights, including in administrative, judicial or arbitration contexts; or ensuring protection against fraud and safeguarding the data subject’s security, Oxxy2 will not process any type of Sensitive Data.

RIGHTS OF DATA SUBJECTS
Oxxy2 is committed to ensuring the protection of Personal Data in accordance with applicable laws. Below are the rights of Personal Data subjects:

Confirmation of the existence of data processing: Upon request, Oxxy2 will confirm the existence of Personal Data processing as per applicable law.
Access to Personal Data: You may request access to your Personal Data collected and stored by Oxxy2.
Correction of incomplete, inaccurate, or outdated data: You may modify and edit your Personal Data at any time by sending an email.
Information on data sharing: You may access information on the potential sharing of your Personal Data under this Policy.
Withdrawal of consent: You may withdraw consent given to Oxxy2 for the processing of your Personal Data at any time through an express statement. It is important to note that the withdrawal request will not imply deletion of previously processed Personal Data or that retained by Oxxy2 based on other legal grounds.
Right to file a complaint with the appropriate officer: If the data subject has a privacy-related complaint against Oxxy2, they should contact Oxxy2’s Data Protection Officer.

INTERNATIONAL DATA TRANSFER
Oxxy2 may share your Personal Data internationally with third parties and business partners to enable the provision of services to Users, in accordance with applicable law, for the specific purpose of providing services to Oxxy2. In all cases of international data transfer, Oxxy2 is committed to taking all necessary measures to ensure the security and protection of your Personal Data.

DATA PROTECTION OFFICER
Oxxy2 will appoint an Employee or a Third Party as the Data Protection Officer, who will have the duties defined in Law No. 13,709/2018 and in this Policy.

PROCEDURES IN CASE OF DATA BREACH
Any Data Breach or potential breach must be urgently and immediately reported to the Data Protection Officer via email at hello@oxxy2.com, who will be responsible for the initial analysis and immediate adoption of preventive and corrective measures necessary to preserve data and information security.

The Data Protection Officer will prepare an incident report detailing the facts and protective and corrective measures taken on an emergency basis. Based on this report, an internal investigation procedure will be initiated to identify potential security rule violations, as well as assess the effectiveness of the emergency measures taken and any actions to be taken with internal and external bodies.

Third parties that may store or process Personal Data on behalf of Oxxy2 must, in the event of a Data Breach or potential Data Breach, promptly notify Oxxy2, identifying the Personal Data that has been or may have been compromised and following Oxxy2’s instructions regarding the procedures to be taken.

In cases of Data Breach involving Personal Data, the Data Protection Officer must assess the need to notify the Data Breach to the competent Government Authorities, especially if the breach could cause harm or risk to the rights and freedoms of individuals.

The Data Protection Officer will be responsible for keeping a record of any Data Breaches, including their effects and the actions taken by Oxxy2 in response to them. This record must always be available for verification by Government Authorities as required by law.

NON-COMPLIANCE
Violation of any provisions described in this Policy may result in disciplinary actions as described in Oxxy2’s other standards and policies, as well as sanctions in accordance with current legislation. In applying any disciplinary actions and/or sanctions, Oxxy2 will consider the severity of the violation, the damage and/or harm caused, and the degree of fault or bad faith of the responsible Employee or Third Party.

VALIDITY
This Policy is effective from the date of its publication and will remain valid until it is revoked or new provisions are added.

APPLICATION AND AMENDMENTS
This Privacy Policy applies to all our services. This Personal Data Protection Policy may be updated. We therefore recommend visiting this page periodically to stay informed about any changes.

QUESTIONS AND COMPLAINTS
This Policy should be read and interpreted in conjunction with the Oxxy2 Code of Ethics and Conduct and should be used as a consultation mechanism in case of doubts about internal, commercial, and contact conduct with competitors, partners, third parties, and government authorities.

In case of questions, doubts, or requests, please contact Oxxy2’s DPO