A STRONG CLOUD CLOUD SERVICES (“STRONG CLOUD”) created this Privacy Notice in order to inform all procedures necessary to ensure the security and privacy of our clients' data, our employees, our business partners, and other interested parties that make up the company's operational ecosystem, while complying with the General Data Protection Law (Law 13.709/19 – LGPD).

By establishing this Privacy Notice, we describe the actions that STRONG CLOUD takes to ensure the security of your data and respect for your privacy; we also reinforce our commitment to ensure that you are in control of your personal data.

Important definitions

Controller: a natural or legal person, either public or private, who is responsible for decisions related to the handling of personal data; the purposes and means of this handling are determined by legislation, by the data handler, or by specific criteria. STRONG CLOUD SERVICES LTDA, registered under CNPJ 53.380.585/0001-89, is the data controller of the data voluntarily provided by its clients, suppliers, employees, and users of its web platform.

Operator: a natural or legal person, either public or private, who processes personal data on behalf of the controller.

Personal data is defined as: Information related to an identified or identifiable natural person (“data subject”); an identifiable singular person is one who can be identified, directly or indirectly, by information such as a name, identification number, location data, or specific factors such as physical, biological, genetic identity, mental, economic, cultural, or social characteristics;

Processing means: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, assessment or control of information, modification, communication, transfer, dissemination, or extraction;

Controller or Operator

In the situations where STRONG CLOUD collects data for its own purposes, for the regular performance of its activities, it acts as a Controller. In this role, the company provides systems, applications, or environments owned or provided by third parties and manages personal data that is necessary for conducting its business.

In situations where collection occurs due to services contracted and defined by its Clients, STRONG CLOUD acts as an Operator. As an Operator, STRONG CLOUD has its share of responsibility for data protection, as agreed with its respective Client, but it does not have the authority or decision-making power to process data that does not comply with the processes and flows agreed with the Client.

Controller or Operator

The collection of personal data must respect the following principles:

•   purpose: carrying out processing for legitimate, specific, explicit, and informed purposes to the data subject, without the possibility of subsequent processing incompatible with these purposes;

•   adequacy: compatibility of processing with the purposes informed to the data subject, according to the context of processing;

•   necessity: limitation of processing to the minimum necessary for achieving its purposes, with coverage of relevant, proportional, and non-excessive data in relation to the purposes of data processing;

•   free access: guaranteeing data subjects facilitated and free consultation about the form and duration of processing, as well as about the completeness of their personal data;

•   quality of data: guaranteeing data subjects accuracy, clarity, relevance, and timeliness of the data, according to the need and for fulfilling the purpose of their processing;

•   transparency: guaranteeing data subjects clear, precise, and easily accessible information about the processing and the respective processing agents, observing commercial and industrial secrets;

•   security: using technical and administrative measures capable of protecting personal data from unauthorized access and accidental or illegal situations of destruction, loss, alteration, communication, or dissemination;

•   prevention: adopting measures to prevent the occurrence of damage resulting from the processing of personal data;

•   non-discrimination: impossibility of performing processing for illicit or abusive discriminatory purposes;

•   accountability and accountability: demonstrating, by the agent, the adoption of effective measures capable of proving compliance with personal data protection standards and the effectiveness thereof.

Types of data collected and purposes

We may collect data necessary for entering into a commercial agreement or a partnership, for Contract Execution or preliminary procedures for contract execution, as well as to provide our products and services, including updates, security, and troubleshooting, as well as providing support. This also includes sharing data when necessary to provide the service or carry out the transactions you request. Exclusively for executives and employees of STRONG CLOUD, copies of documents for compliance with Legal or Regulatory Obligations may be requested from external entities.

For other purposes involving our Legitimate Interest, Judicial Request, Defense of Rights, and Credit Protection, we may process necessary data for performing our activities. This data may be processed without your consent. When we request Consent for collecting and processing data, the information collected and the intended processing will be communicated.

If there is a need to process information for other purposes, we will send a notification requesting your prior and express consent. If you declare disapproval, we will not process your data.

By determination of Federal Law 12.965/2014 (Marco Civil da Internet), access records of users of our website will be collected (date, time, and IP) and stored for a minimum period of 6 (six) months or 1 (one) year, depending on the type of access performed.

Directly, STRONG CLOUD may collect and process data of children and adolescents in Personnel Administration processes, with specific consent from at least one parent or legal guardian, with the commitment that the Personal Data of children and adolescents will always be processed according to their best interest.

Indirectly, the processing (storage) of data of children and adolescents may be carried out by our clients - Controllers. In this case, the responsibility for collection and any other treatments lies with them.

Collection and processing of personal data without consent
In addition to the above-mentioned hypotheses, we may occasionally process data for the Protection of Life, in cases where we need to share data of the employee(s) involved in an accident at work.

Purpose of data processing while we are the Controller
In each situation of consented data acquisition, the data subject will be informed:

•   Specific purpose of processing;

•   Form and duration of processing;

The controller in these cases is STRONG CLOUD.

Purpose of data processing while we are the Operator

In this role, for the execution of services available in our portfolio and in specific cases where we act as operational support, STRONG CLOUD does not perform data processing on its own initiative. All processing stems from definitions of collection and processing established by the respective Clients.

As an Operator, STRONG CLOUD cannot act directly on personal data of the data subject on its own initiative. All processing is defined with and by its Clients, and only they can request actions aimed at processing or exercising the rights of the data subject.

Processing period

The storage of your data will occur for the period required by law or as long as necessary for the purpose of processing, according to the nature of the operation. In case of pending litigation, data may be retained for up to 2 years from the final judgment of the decision, according to art. 975 of the Civil Procedure Code.

Information security

STRONG CLOUD is concerned about the security of its data, which is why all involved professionals were properly oriented and trained to maintain confidentiality of information and handle registered data on our website securely, as well as data contained in physical and systemic records.

Our website has the HTTPS protocol, which encrypts all your information during the traffic between the servers and the user's browser, thus ensuring that your data is accessed only by individuals authorized by STRONG CLOUD and for the intended purpose, and external unauthorized sharing of information is prohibited.

The data obtained from the data subject may be stored on our own server or on a third-party server contracted for this purpose, whether they are located in Brazil or abroad, and may additionally be stored using cloud computing technology, always aiming at improving and enhancing the company's activities. The LGPD allows for the international transfer of Personal Data to countries or international organizations that provide an adequate level of personal data protection, and the controller must ensure compliance with the principles and rights of data subjects as provided in the Law.

Whenever personal information is stored in our systems, this information is protected against unauthorized access or use by third parties. Furthermore, this information is kept on servers protected against unauthorized access.

If your information is stored by third parties, STRONG CLOUD will not have any responsibility regarding its custody and security, considering that they have specific controls and their own privacy and data security policies.

In the event of a security breach that results in accidental or illegal destruction, loss, alteration, unauthorized disclosure, or access to personal data, STRONG CLOUD will promptly assess the risk to the rights and freedoms of individuals and, if appropriate, notify the breach to the competent authority or data subject in accordance with our Information Security Incident Policy.

Use of cookies

Cookies are small pieces of data stored in your browser when you visit our site, generally used to track selected user settings and their browsing activities. STRONG CLOUD does not use cookies and other similar technologies to provide its services, and upon accessing the company's website, we give you the possibility to choose which type of Cookies you will use.

Data subject's rights

As defined in the General Data Protection Law, the data subject has the following rights:

•   Confirmation of the existence of processing: to know whether your data is or not the subject of processing by STRONG CLOUD, in the capacity of Controller.

•   Access to data: if processing is confirmed, the data subject has the right to access it in a controlled manner, in order to prevent access to their data by others.

•   Correction of incomplete, inaccurate, or outdated data: subject to legal restrictions for record maintenance, your data may be corrected. Depending on how they are processed, it may be necessary to provide documentation that substantiates the update, completeness, or correction.

•   Anonymization: Transformation that prevents the identification of the data subject when it is not necessary.

•   Limitation of processing: This is the right of the data subject to limit the processing of their personal data, which can be obtained when they contest the accuracy of the data, when the processing is unlawful, when STRONG CLOUD no longer needs the data for the proposed purposes, and when they have opposed the processing.

•   Deletion of unnecessary, excessive or improperly processed data under the LGPD: This is the right to the deletion of the data, except under the conditions provided for in the same.

•   Data portability: at the time of publication of this policy, it was still pending regulation by the national authority.

•   Deletion of data or right to be forgotten: represents the right to have your data deleted from the systems of STRONG CLOUD, except under the conditions provided for therein.

•   Information on sharing: to be informed about the sharing of their data, and with which entity/entities.

•   Non-consent: when consent is requested for the collection and processing of data, the consequences of non-consent will be communicated.

•   Revocation of consent: Revocation can be requested at any time by express manifestation of the data subject. The revocation does not annul previous processing.

The data subject has the right to request free of charge the review of decisions made solely based on automated processing of personal data that affect their interests, including decisions aimed at defining their personal, professional, consumption, and credit profile or aspects of their personality.

To make a request, we have a Privacy Portal available through the website www.portaldaprivacidade.com or through the Data Protection Officer's email, privacy@alg-group.com.br, or by written correspondence sent to Av. Yojiro Takaoka, 4384 – Sala 701 – Alphaville, Santana de Parnaíba, state of São Paulo. All requests will be treated free of charge and will be subject to a preliminary evaluation of your identity and the feasibility of the request, in order to comply with any obligations that may prevent the complete fulfillment of requests from data subjects. We will respond to your requests within 15 (fifteen) days from the date of your request.

Data Protection Officers: ALG Consulting. STRONG CLOUD acknowledges all rights provided to the data subject by the LGPD.

If STRONG CLOUD is approached by a data subject for the exercise of their rights, STRONG CLOUD may, provided it holds such information, respond only with information regarding who the Controller of such data and processing is.

Update of this policy

In case of changes to how we process your Personal Data, we will update this Policy, reserving the right to make changes to our practices and this Policy at any time, whether for internal adjustments or in response to any legal or regulatory changes.

 Version_02 20012025.