At XAVIER GAGLIARDI INGLEZ VERONA SCHAFFER (“XGIVS”), privacy and security are of utmost priority. Therefore, our commitment to transparency while processing users’ personal data is absolute.

This Privacy Policy establishes how collection, use, and transfer of client information or other users who access our website is performed (https://xgivs.com.br/ e https://xgivs.com.br/home- eng/, “Site”).

By using our services, the user agrees that we both collect and use their personal information in the ways described in this Policy, under 1988’s Federal Constitution Laws (art. 5o, LXXIX; and art. 22o, XXX – included in the Constitutional Amendment no 115/2022), Data Protection Regulation (Federal Law no 13.709/2018), consumerism provisions of Federal Law no 8.078/1990, and other applicable regulations of the Brazilian Legal System.

XGIVS legal representative will act in the role of Personal Data Controller and is bound to the provisions of this Privacy Policy.

General Information and Definitions

In order to bring greater understanding to this policy, please find below some general information as well as a brief explanation containing the definition of the main terms addressed:

User/Data Subjects: are considered to be individuals who will use or visit the website who are over the age of eighteen (18) or emancipated, and fully capable of performing civil life acts; or those who are absolutely or relatively incapable, duly represented or assisted.

Personal Data: Personal Data corresponds to information provided and/or collected by XGIVS, by any means and in any format, even public that (i) identifies an individual or that, when used in combination with other information handled by XGIVS, identifies an individual or (ii) by means of which an individual’s identification or contact information can be derived. Business phone numbers, business cell phone numbers, business addresses, and business email addresses are not included in the personal data category.

Sensitive Personal Data: is data that, due to its relevance and issues involving more sensitive/delicate personal details or information, is treated with greater care by the General Data Protection Law (GDPL).

Purpose: is the objective that XGIVS aims to achieve from each given personal information processing act.

Necessity: will be the reason why it is strictly necessary to collect personal data as a means of achieving the purpose, avoiding excessive collection.

Legal basis: is the name given to the legal grounds that authorizes personal data processing for a specific purpose by XGIVS.

Consent: is the express and unequivocal authorization given by the personal data holder for XGIVS to process such data for the previously described purpose in which the legal basis for the act requires express holder’s consent.

By accessing and/or using the XGIVS website, the User declares that he or she is eighteen (18) years of age or older, in addition to having full and express capacity to accept the terms of both this Privacy Policy and Consent Term for all legal rights.

XGIVS is based in an environment with physical access control, and the electronic database is essentially in the cloud, with access control, security software, and other measures that ensure restricted access only to authorized persons.

Processing and Sharing of Personal Information

XGIVS will not make collected Personal Data available either from its own or third party email lists without express User consent.

XGIVS may disclose Personal Data collected to third parties in the following situations and to the extent required and authorized by Law:

a) With its partners, whenever necessary and/or appropriate to the provision of related services;

b) With companies and individuals hired to perform certain activities and services on behalf of XGIVS;

c) With suppliers and partners to provide the services as required by XGIVS, such as Information Technology, accounting, safekeeping and archive of documents and others;

d) For administrative purposes such as research, planning, service development, security and risk management;

e) Whenever necessary due to legal obligation, determined by the competent authority, or in compliance with a legal decision.

In the event of the sharing of Personal Data with third parties, all persons mentioned in the above clauses must use the shared Personal Data in a consistent manner and in accordance with collection purposes (or purposes the User has previously agreed to), terms in this Privacy Policy, other website or privacy forms, and all applicable data privacy and protection regulations.

Processing of Personal Data

XGIVS shall process User’s personal data:

a) In order to send estimates, proposals, and contracts, we process as little personal data as possible. In case the User does not accept the proposal, we will keep the data stored in a secure environment with the sole purpose of facilitating contact and eventual response, should there be a new request from the data holder;

b) For customer assistance, using only necessary or indispensable personal data for the provision of the contracted services such as name, nationality, marital status and profession, email, telephone, Identification Card, and Individual Taxpayer Registration number, professional license registration number, name of parents, address, in addition to other data made public by the holder, or available in databases of both public agencies or entities. We commit ourselves to abiding by all GDPL principles, in consonance with Law n°12.527 of November 18, 2011 (Access to Information Law) and the Freedom of Information Act, established in article 220, §1° of the Federal Constitution as well as in article 5, in items IV, IX, and XIV;

c) Should the User wish to contact XGIVS, we shall collect the User’s name, Email, and Phone Number;

In addition to this data, even if indirectly, we inform the User of any eventual data processing:

a) By means of third party cookies and plugins sent to your browser;

b) Whenever strictly necessary for appropriate website operation, or to obtain default browser reports for continuous content improvement;

c) To comply with the legal obligation imposed by the Marco Civil of the Internet (art. 15), also known as the Brazilian Internet Bill of Rights, whenever the date, time, and IP address of website visitors are collected.

Whenever personal data is indirectly processed, XGIVS shall not be able to directly identify the User/personal data holder from this information.

User Rights

As holder of your personal data (namely, your name, email, IP address, geolocation, default browser, etc.), the User has the right to self-determination over them. The Marco Civil of the Internet (Brazilian Internet Bill of Rights) and the other laws regulating the matter already guarantee that you have clear information about collection, use, storage, and protection of personal data on the internet (article 7o, VIII). The GDPL extends these rights to ensure that the User can:

a) Confirm the existence of the processing;

b) Access data;

c) Correct incomplete, inaccurate or outdated data;

d) Anonymize, block or delete, either unnecessary, excessive data, or those processed in nonconformity with the General Data Protection Law;

e) Right to data portability to another service or product provider, by express request, in accordance with the regulations of the National Authority, respecting business confidentiality;

f) Delete personal data processed upon data subject consent, except in the event of compliance cases under legal or regulatory obligation by the controller, and study by a research entity, ensuring the anonymization of personal data whenever possible;

g) Transfer to a third party, as long as the data processing requirements set forth in the General Data Protection Law are respected, or for the exclusive use of the controller, with no access by a third party, and as long as the data are anonymized;

h) Be informed about the public and privates entities with which the controller has shared data use;

i) Be informed about the possibility of refusing consent and the consequences of such refusal;

j) Revoke consent, through a no cost and facilitated procedure, ratifying all the processing performed under protection of the previously granted consent;

Storage Term

XGIVS retains all the data provided, including Personal Data, as long as the User’s registration is active, and as needed to provide its services. The data mentioned in this Privacy Policy shall be kept and stored until a request for deletion is made or according to the statute of limitations, legal or regulatory obligations, or a legitimate interest of either the firm or the data subject.

XGIVS may keep your Personal Data, even after receiving your exclusion request or beyond the aforementioned time limits, should the compliance with legal obligations, dispute resolution, data security, fraud and misuse prevention, and contract specifications be necessary.

International Transfer of Personal Data

Some of the third parties with whom we share your data may be located or have facilities located in foreign countries. Nevertheless, under such conditions, your personal data shall be subject to the General Data Protection Law and other Brazilian data protection legislation.

In this regard, XGIVS is committed to adopting cyber and data security standards at all times, using its best efforts to both ensure and comply with legislative requirements.

By agreeing to this Privacy Policy, you consent to such sharing which shall occur in accordance with the purpose described herein.

Responsibility

XGIVS is held liable for the agents acting in the data processing, in accordance with articles 42 to 45 of the General Data Protection Law.

We undertake the responsibility to keep this Privacy Policy up to date, under its provisions and ensuring compliance.

We also undertake the commitment to seek both technical and organizational conditions that are certainly capable of protecting the entire data processing.

Should the National Data Protection Authority demand the implementation of measures in regard to the data processing performed by XGIVS, we undertake to abide by such demands, under reasonable and adequate time conditions.

Disclaimer

Although we adopt high security standards in order to avoid incidents, no website is entirely risk-free. In this regard, XGIVS is not responsible for:

a) Any consequences stemming from negligence, imprudence or user malpractice with respect to his or her individual data. We undertake the responsibility solely for the security of the data processing and the fulfillment of the purposes specified herein. We emphasize that the User is responsible for data access confidentiality.

b) Malicious actions by third parties such as hacking attacks, unless proven that XGIVS is at fault or has acted deliberately. We emphasize that in case of security incidents that may generate relevant risk or damage to you or any of our users/clients, we shall notify those affected and the National Data Protection Authority of the occurrence as well as take the necessary measures.

c) Inaccuracy of the information entered by the User/client in the records required to use the services of (trade name); any consequences arising from false information or bad faith are entirely of the responsibility of the user/client.

How to Contact XGIVS

To clear any doubt about XGIVS Privacy Policy, the processing of your personal data, or to exercise your rights as a personal data subject, the data subject or legal representative may contact XGIVS at contato@xgivs.com.br.

Inquiries from the holder of personal data shall be answered in a timely manner. However, to complete the request, further confirmatory information may be required, and the request may be eventually denied due to legal or regulatory data maintenance authorization.

Data Protection Officer

XGIVS provides the following means for you to contact us to exercise your rights as a holder: contato@xgivs.com.br.

Confidentiality and Professional Privacy

XGIVS undertakes confidentiality and information and privacy of its users and clients, focusing on appropriate technical, legal, and administrative measures to ensure such.

Changes to Privacy Policy

Any modification of the Privacy Policy shall be readily visible on the XGIVS website, which reserves the rights to make changes to its privacy policy at any time. The updated version shall be made available at www.xgivs.com.br.

This Privacy Policy shall be governed, interpreted, and executed in accordance with the Laws in Brazil, and the Courts of the District of São Paulo shall be elected to settle any disputes arising herein.

Effective Date

This Privacy Policy shall take effect as of June 1st, 2023.