1. General information

This Privacy Policy contains information about how we treat, in whole or in part, automated or not, the personal data of users of customer service or communication channels of CITROLEO GROUP.

The objective is to clarify the interested parties about the types of data that are collected, the reasons for collecting them and how the user will be able to update, manage or delete this information.

This Privacy Policy was prepared in accordance with the General Data Protection Law (Federal Law n. 13.709, of August 14, 2018).

By using our Services, the user accepts and agrees with all the terms and conditions set out in force on the date.

We warn you that these terms and conditions of use may be modified at any time by CITROLEO GROUP, due to changes in legislation or services, as a result of the use of new technological tools or, even, whenever, at the sole discretion of CITROLEO GROUP, such changes may be necessary.

The use of the online Services made available by CITROLEO GROUP by any user will imply express acceptance of these Terms and Conditions of Use.

2. User rights

CITROLEO GROUP undertakes to comply with the rules provided for in the General Data Protection Law, in compliance with the following principles:

• The user’s personal data will be processed in a lawful, fair and transparent manner (lawfulness, loyalty and transparency);
• The user’s personal data will only be collected for specific, explicit and legitimate purposes, and may not be further processed in a way that is incompatible with these purposes (purpose limitation);
• The user’s personal data will be collected in an adequate, relevant and limited way to the needs of the purpose for which they are processed (data minimization);
• The user’s personal data will be accurate and updated whenever necessary, so that inaccurate data will be erased or rectified when possible (accuracy);
• The user’s personal data will be kept in a way that allows the identification of the data subjects only for the period necessary for the purposes for which they are processed (retention limitation);
• The user’s personal data will be treated securely, protected from unauthorized or unlawful processing and against accidental loss, destruction or damage, adopting the appropriate technical or organizational measures (integrity and confidentiality).
• The user has the following rights, granted by the General Data Protection Law:
• Right of confirmation and access: it is the user’s right to obtain confirmation that the personal data concerning him or her are or are not the object of processing and, if this is the case, the right to access his personal data;
• Right of rectification: it is the user’s right to obtain, without undue delay, the rectification of inaccurate personal data concerning him;
• Right to data deletion (right to oblivion): it is the user’s right to have their data deleted from the site’s systems or database;
• Right to limit the processing of data: it is the user’s right to limit the processing of their personal data, and may obtain it when they dispute the accuracy of the data, when the processing is unlawful, when CITROLEO GROUP no longer needs the data to the proposed purposes and when you have opposed the processing of data and in case of unnecessary data processing;
• Right of opposition: it is the user’s right, at any time, to object, for reasons related to his particular situation, to the processing of personal data concerning him, and may also object to the use of his personal data to define marketing profile (profiling);
• Right of data portability: it is the user’s right to receive the personal data concerning him/her that he/she has provided to the system or on the website, in a structured format, commonly used and automatically read, and the right to transmit this data to another application;
• Right not to be subjected to automated decisions: it is the user’s right not to be subject to any decision taken solely on the basis of automated processing, including the definition of profiles (profiling), which produce effects in their legal sphere or that affect them significantly in a similar way.

The user may exercise their rights by means of written communication sent by email with the subject “LGPD- “, specifying:

• Full name or company name, CPF number (Individual Taxpayer Registration, Federal Revenue Service of Brazil) or CNPJ (National Legal Entity Register, Federal Revenue Service of Brazil) and e-mail address of the user and, if applicable, case, from your representative;
• Right you want to exercise with the system;
• Order date and user signature;
• Any document that can demonstrate or justify the exercise of your right.

The request must be sent to the e-mail: lgpd@citroleogroup.com, or by post, to the following address:

CITROLEO GROUP
Highway SP 197, Km 18
Torrinha/SP – Brazil
CEP: 17360-000

All requests will be received, analyzed and, if necessary, forwarded to the controller responsible for the processed data (usually a CITROLEO GROUP business partner) who must respond without due delay or within the deadline established by the national supervisory authority.

3. Duty not to provide third party data

During the use of our service channels, in order to safeguard and protect the rights of third parties, the user must provide only their personal data, not those of third parties.

4. Information collected

The collection of user data will be in accordance with the provisions of this Privacy Policy and will depend on the user’s consent, which is dispensable only in the cases provided for in art. 11, item II, of the General Data Protection Law.

4.1. Types of data collected

The information we collect includes, but is not limited to:

• Full Name;
• Email address;
• City;
• State;
• Telephone numbers;
• Curriculum data: Work Experience, School and Academic Education;
• Preferences and behaviors related to our services;
• Device operating system and browser information;
• IP address;
• Services accessed and interactions performed.

4.1.1. Sensitive data

Sensitive data from users will not be collected, thus understood as those defined in arts. 11 et seq. of the General Data Protection Law. Thus, among others, the following data will not be collected:

• Data that reveals the user’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership;
• Genetic data;
• Biometric data to uniquely identify a person;
• Data relating to the user’s health;
• Data relating to the user’s sexual life or sexual orientation;
• Data relating to criminal convictions or offenses or related security measures.

 4.1.2. Data collection not expressly provided

Occasionally, other types of data not expressly provided for in this Privacy Policy may be collected, provided they are provided with the user’s consent, or even if the collection is permitted or imposed by law.

4.2. Legal basis for the processing of personal data

By using CITROLEO GROUP’s services, the user is consenting to this Privacy Policy.

The user has the right to withdraw his consent at any time, without compromising the lawfulness of the processing of his personal data before the withdrawal.

Withdrawal of consent can be done by emailing lgpd@citroleogroup.com .

The consent of the relatively or absolutely incapable, especially of children under 16 (sixteen) years old, can only be done, respectively, if properly assisted or represented.

The processing of personal data without the user’s consent will only be carried out for reasons of legitimate interest or for the cases provided for by law, that is, among others, the following:

• For compliance with a legal or regulatory obligation by the controller;
• For studies carried out by a research body, guaranteed, whenever possible, the anonymization of personal data;
• When necessary for the execution of a contract or preliminary procedures related to a contract to which the user is a party, at the request of the data subject;
• For the regular exercise of rights in judicial, administrative or arbitration proceedings, the latter pursuant to Law No. 9,307, of September 23, 1996 (Arbitration Law);
• For the protection of the life or physical safety of the data subject or third party;
• For the protection of health, in a procedure carried out by health professionals or health entities;
• When necessary to meet the legitimate interests of the controller or third party, except where fundamental rights and freedoms of the data subject that require the protection of personal data prevail;
• For credit protection, including the provisions of relevant legislation.

4.3. Purposes of processing personal data

Under the General Data Protection Law, CITROLEO GROUP processes your personal data for specific purposes and in accordance with the legal bases provided for in the respective Law, such as:

• Properly identify and authenticate users
• Properly respond to user requests and queries;
• Keep the registration updated for contact purposes by phone, email, SMS, direct mail or other means of communication;
• Hiring and recruiting new employees;
• Execution of employment contract;
• For the proper fulfillment of legal and regulatory obligations, for the regular exercise of rights and for the protection and recovery of credit, as well as whenever necessary for the execution of contracts signed with its customers or to meet the legitimate interests of CITROLEO GROUP, of its customers or third parties.
• Facilitate, streamline and fulfill the commitments established with our business partners who have contracts already established with the holder.
• Share and transfer the collected data to business partners, provided that for the specific purpose of enriching your database and preventing the occurrence of fraud and associated risks.
• Customize the content offered to the user, as well as subsidize the system or website to improve the quality and functioning of its services.
• For any other purpose, for which the holder’s consent must be collected, the treatment will be subject to the holder’s free, informed and unambiguous expression.

The processing of personal data for purposes not provided for in this Privacy Policy will only occur upon prior notice to the user, and, in any case, the rights and obligations set forth herein will remain applicable.

4.4. Storage of personal data

Data are stored in a secure and controlled environment and may be stored on our own servers or those of a third party hired for this purpose, whether they are located in Brazil or abroad, in accordance with the criteria of applicable legislation, and may also be stored by means of Cloud Computing technology and/or other technologies that may appear in the future, always aiming at the improvement of our services.

4.5. Period of retention of personal data

The user’s personal data will be kept for a period not exceeding that required to fulfill the purposes for which they are processed,

The data retention period is defined according to the following criteria:

• Data will be stored by our systems for the duration of the contract with the customer and after cancellation, the data will be deleted.
• The data collected on the website through the contact form will be used to establish a business relationship with the person or company who made the contact. The data will be deleted after the return to the person responsible for the contact has been negotiated.
• The personal data of users can only be saved after the end of their treatment in the following cases:
• For compliance with a legal or regulatory obligation by the controller;
• For study by a research body, guaranteed, whenever possible, the anonymization of personal data;
• For transfer to a third party, provided that the data processing requirements set out in the legislation are respected;
• For the exclusive use of the controller, its access by a third party is prohibited, and provided that the data is anonymized.

4.6. Recipients and transfer of personal data

In certain circumstances, CITROLEO GROUP may share or transfer personal data, to the extent necessary or appropriate, to government agencies, business partners and other third parties in order to comply with applicable law or with a court order or subpoena, or even if CITROLEO GROUP believes in good faith that such action is necessary to:

• Comply with legislation that requires such disclosure;
• Investigate, deter or take action relating to suspected or actual illegal activities or to cooperate with public bodies or to protect national security;
• Execution of your contracts;
• Investigate and defend against any claims or allegations of third parties;
• Protect the security or integrity of services (for example, sharing with companies that are experiencing similar threats);
• Exercise or protect the rights, property and safety of CITROLEO GROUP and its related companies;
• Protect the rights and personal safety of its employees, users or the public;
• In case of sale, purchase, merger, reorganization, liquidation or dissolution of CITROLEO GROUP.

CITROLEO GROUP will inform the respective users of any legal demands that result in the disclosure of personal information, under the terms of the foregoing, unless such notification is prohibited by law or prohibited by court order, or if the request is an emergency. CITROLEO GROUP may contest these demands if it deems that the requests are excessive, vague or made by incompetent authorities.

5. Roles and responsibilities

5.1. The data controller (Controller)

The Controller, responsible for the processing of the user’s personal data, is the natural or legal person, public authority, agency or other body that, individually or together with others, determines the purposes and means of processing personal data.

According to the General Data Protection Law, CITROLEO GROUP is considered “Controller” of the data it collects.

5.2. From the Data Protection Officer (Data Protection Officer)

The Data Protection Officer is the professional in charge of informing, advising and controlling the person responsible for processing the data and the subcontracted data processor, as well as the workers who process the data, regarding the obligations under the Personal Data Protection Act and other data protection provisions present in national and international legislation, in cooperation with the competent supervisory authority.

The Data Protection Officer of CITROLEO GROUP is Mr. Juliano Della Coletta, who can be contacted by email lgpd@citroleogroup.com or at the address:

CITROLEO GROUP
Highway SP 197, Km 18
Torrinha/SP – Brazil
CEP: 17360-000

6. Security in the processing of the user’s personal data

CITROLEO GROUP undertakes to apply controls to protect personal data from unauthorized access and from situations of destruction, loss, alteration, communication or disclosure of such data.

To guarantee safety, solutions will be adopted that take into account: the appropriate techniques; application costs; the nature, scope, context and purposes of the processing; and the risks to the user’s rights and freedoms.

The ways we do this include:

• Use of encryption when collecting or transferring information. Our systems use SSL (Secure Socket Layer) certificates that guarantee that personal data are transmitted in a secure and confidential way, so that the transmission of data between the server and the user takes place in a fully encrypted or encrypted way.
• Implementation of Information Security Policies, Training and Awareness of all employees regarding the Security and Privacy of information and personal data.
• Defining our data security safeguards to ensure the continued security, integrity, availability and resiliency of processing systems and services.
• Limitation of physical access to our facilities.
• Limiting access to information we collect.
• Verification and monitoring that our business partners have appropriate technical and organizational security measures in place to keep your personal information secure.
• Destruction or anonymization of personal information, when required by law or formal request by the Controller. Destruction is irreversible and will be done using DiskWipe mechanism of the structured or unstructured data.

CITROLEO GROUP disclaims liability for the sole fault of a third party, such as in the case of a hacker or cracker attack, or the sole fault of the user, as in the case where he himself transfers his data to third parties.

However, CITROLEO GROUP also undertakes to notify the user within an adequate period of time if there is any type of violation of the security of their personal data that could cause them a high risk to their personal rights and freedoms.

A breach of personal data is a breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, stored or subject to any other type of processing.

Finally, CITROLEO GROUP undertakes to treat the user’s personal data with confidentiality, within legal limits.

If outsourced companies carry out the processing of any data collected by our services, they must comply with the conditions stipulated herein and our Information Security standards, obligatorily.

7. Navigation data (cookies)

Cookies are small text files sent by the application to the user’s computer and stored on it, with information related to the application’s navigation.

Through cookies, small amounts of information are stored by the user’s browser so that our server can read them later. Data can be stored, for example, about the device used by the user, as well as their location and access time to the application.

Cookies do not allow any file or information to be extracted from the user’s hard drive, and it is not possible, through them, to access personal information that did not come from the user or the way he uses the application’s resources .

It is important to point out that not every cookie contains information that allows the user to be identified, and certain types of cookies can be used simply for the application to load correctly or for its functionalities to work as expected.

The information that may be stored in cookies that make it possible to identify a user is considered personal data. Thus, all rules provided for in this Privacy Policy also apply to them.

7.1 Management of cookies and browser settings

The user may object to the registration of cookies by the application, simply by disabling this option in their own browser, device.

Disabling cookies, however, can affect the availability of some tools and system features, compromising their correct and expected functioning. Another possible consequence is the removal of user preferences that were eventually saved, damaging your experience.

Below, there are some links to the help and support pages of the most used browsers, which can be accessed by the user interested in obtaining more information about the management of cookies in his browser:

• Internet Explorer: //support.microsoft.com/pt-br/help/17442/windows-internet-explorer-deletemanage-cookies
• Safari: //support.apple.com/pt-br/guide/safari/sfri11471/mac
• Google Chrome: //support.google.com/chrome/answer/95647?hl=pt-BR&hlrm=pt
• Mozila Firefox: //support.mozilla.org/pt-BR/kb/ative-e-desative-os-cookies-que-os-sites-usam
• Opera: //www.opera.com/help/tutorials/security/privacy/

7.2 Essential Cookies

These cookies are strictly necessary for the website to function and provide consistent and relevant content that cannot be disabled on our systems. They are generally set only in response to actions you take that amount to a request for services, such as setting your privacy preferences, filling out forms, keeping your items in your cart, or displaying content in your preferred language. You can set your browser to block or alert you to these cookies, but some parts of the website will not work. We use the following cookies:

• Google Analytics

7.3 Analytical Cookies

These cookies allow us to account for visits and traffic sources so that we can measure and improve the performance of our website. They help us know which pages are the most or least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our website and we will not be able to monitor your performance. We use the following cookies:

• Hotjar

It is saved until expiration date: 1 year.

7.4 Marketing Cookies

These cookies may be set through our website by our advertising partners. They can be used by these companies to create a profile of your interests and show you relevant advertisements on other websites. They do not store directly personal information, but are based on the unique identification of your browser and internet device. If you block these cookies, you will get less targeted advertising. We use the following cookies:

• Bing Ads
• Facebook
• Google Ads
• Linkedin

8. Complaint to a supervisory authority

Without prejudice to any other means of administrative or judicial recourse, all data subjects are entitled to file a complaint with a supervisory authority. The complaint may be made to the National Data Protection Authority (ANPD), from the user’s country of habitual residence, from his place of work or from the place where the alleged infringement was committed.

9. Of changes

It is recommended that this document receive annual reviews. However, the editor reserves the right to modify, at any time, these rules, especially to adapt them to the evolution of the systems or the website, either by making new functionalities available, or by suppressing or modifying existing ones.

The user will be explicitly notified on our website if this policy changes.

By using the service after any changes, the user demonstrates their agreement with the new standards. If you disagree with any of the changes, you must present your reservation to the customer service, if you wish.

10. Applicable law and jurisdiction

For the settlement of disputes arising from this instrument, Brazilian law will be fully applied.

Any disputes must be filed in the jurisdiction of the district where the headquarters of CITROLEO GROUP is located.

11. Reference documents

• LGPD: General Data Protection Law (Federal Law No. 13.709, of August 14, 2018).
• ISO 27001 Standard (Requirements for an Information Security Management System)
• ISO 27002 Standard (Code of practices and controls for implementing an Information Security Management System)

12. Validity and Control

This document is valid from the date of its publication.

The owner of the document is the Manager Responsible for Information Security, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria should be considered:

• Occurrence of incidents in the processing and processing of personal data;
• Non-compliance with laws and regulations, contractual obligations and other internal documents of the organization;
• Ineffectiveness of ISMS maintenance and implementation;

 

Last update: October/2021.