1. DEFINITIONS

a) Personal Data: any information that can identify you, such as your name, tax ID (CPF), email, phone number, among others. b) Sensitive Personal Data: data related to racial or ethnic origin, religious beliefs, political opinions, union membership, affiliation with religious, philosophical or political organizations, health, sexual life, genetic or biometric data. c) Data Subject: the natural person to whom the personal data being processed refers. d) Controller: a natural or legal person, public or private, responsible for making decisions regarding the processing of personal data. e) Processor: a natural or legal person, public or private, who processes personal data on behalf of the controller. f) ANPD: a special federal regulatory authority responsible for overseeing, implementing, and enforcing the General Data Protection Law (LGPD) – Law No. 13,709, of August 14, 2018, across Brazil. g) Data Protection Officer (DPO): the person appointed by the controller or processor to serve as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).

Other relevant definitions for this policy and applicable legal requirements can be found in Article 5 of the LGPD (Law No. 13,709, August 14, 2018) and in ANPD regulations, guidelines, and manuals.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

GRUPO LUME, in compliance with applicable legal requirements, observes the principles of purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability, and reporting, as outlined by the LGPD, as well as additional principles recommended by the ANPD or required by law.

3. Personal Data Lifecycle

The personal data lifecycle refers to the stages through which personal information passes from collection to eventual deletion. Key stages include collection, processing, sharing, storage, and deletion. GRUPO LUME, as a controller and potentially as a processor, is responsible for personal data from collection to deletion.

3.1 Collection

GRUPO LUME limits the collection of personal data to what is relevant, proportionate, and necessary. We prioritize good faith, transparency, and compliance with applicable legal requirements. Data collection is based on the scenarios described in Article 7 of the LGPD (Law No. 13,709, August 14, 2018), including: a) with the consent of the data subject; b) to comply with legal or regulatory obligations; c) for research studies, with anonymization whenever possible; d) when necessary for contract execution or pre-contractual procedures, at the request of the data subject; e) for the regular exercise of rights in judicial, administrative, or arbitration proceedings; f) to protect the life or physical safety of the data subject or a third party; g) to safeguard health in procedures conducted by health professionals, services, or authorities; h) to meet legitimate interests of the controller or a third party, except when overridden by fundamental rights and freedoms of the data subject; i) for credit protection, as provided by applicable law.

Any amendments to the law or ANPD regulations will be observed by GRUPO LUME to ensure the legality of personal data processing.

3.1.1 Sources of Personal Data

Personal data may be collected from: • GRUPO LUME websites: consumer-oriented sites managed by or for GRUPO LUME, including our own domains and social media pages (Facebook, Instagram, LinkedIn, etc.). • GRUPO LUME mobile applications and websites: including www.lumegrupo.com.br, www.intelligentsupply.com.br, www.intelidente.com, www.comprove.com.br, among others. • Email: electronic communications sent by GRUPO LUME companies. • Customer Service: via atendimento@lumegrupo.com.br or suporte.is@lumegrupo.com.br. • Offline registration forms: printed or digital forms, promotions, contests, events, etc. • Resumes: submitted electronically or physically. • Ad interactions: interactions with GRUPO LUME ads on third-party websites. • Other sources: third-party social media, market research, third-party data aggregators, promotional partners, public sources, and data acquired through company acquisitions.

3.2 Processing and Sharing

Personal Data is processed primarily to enable business relationships, fulfill contractual and legal obligations, and promote GRUPO LUME.

GRUPO LUME may need to share personal information with other companies, such as subsidiaries and service providers, within or outside Brazil, directly involved in its business activities. Information may also be shared to comply with legal obligations. If GRUPO LUME acts as a processor, the client will be informed about any legal requests for disclosure. GRUPO LUME will reject any requests to share personal data that are not legally required, consulting the client before sharing.

The processing and sharing of personal data by GRUPO LUME is conducted as follows:

(Insert table or image here, as in the original Portuguese content)

Some cloud platforms are used, which may involve international sharing of personal data. GRUPO LUME ensures that such sharing is conducted according to applicable privacy laws in the relevant jurisdictions.

If GRUPO LUME acts as a Processor, the company may inform the client about cross-border transfers and any planned changes. Documentation of countries and international organizations receiving personal data will be provided, where contractually applicable.

GRUPO LUME maintains a record of personal data shared with third parties, including what data, with whom, and when. These records are retained according to legal and contractual requirements.

3.2.1 Subcontractors

Personnel contracted to process personal data on behalf of GRUPO LUME must comply with all applicable data protection laws and company policies. Contracts include privacy clauses, requiring subcontractors to implement adequate technical and administrative safeguards to ensure confidentiality and security.

If GRUPO LUME is a Processor, it commits to informing the client before using subcontractors and to allow the client to object to changes. Subcontractor management will follow contract agreements, not this policy.

3.3 Storage and Deletion

GRUPO LUME stores personal data only as long as necessary to fulfill the purposes for which it was collected. After this period, data is deleted according to Law 12,305/2010, and ISO/IEC 27001:2013 and ISO/IEC 27701:2019 controls.

Personal data lifecycle ends either by authority order, completion of the purpose, or data subject request. Upon request, GRUPO LUME will delete or anonymize data according to law. Once data is permanently deleted or anonymized, recovery is impossible. GRUPO LUME may deny deletion if compliant with Article 16 of the LGPD, using only necessary data for these purposes.

Data retention periods are illustrated as in the original content.

3.3.1 Temporary Files

Temporary files generated during processing will be deleted promptly. File management follows GRUPO LUME’s information management policies, available to interested parties.

3.3.2 Anonymization

An anonymized data set is one that cannot be traced back to a data subject. Once anonymized, LGPD does not apply.

GRUPO LUME may anonymize personal data for internal use only, ensuring no third-party access (Article 15, IV, LGPD).

Anonymization methods include:
a) Data suppression: complete removal of identifiable data, e.g., phone numbers or names.
b) Character masking: replacing certain characters with symbols or placeholders, preserving relevant parts.
c) Generalization: replacing precise data with broader categories, e.g., age ranges instead of exact ages.

4. DATA SUBJECT RIGHTS

Data subjects may exercise their rights by emailing dpo@lumegrupo.com.br. According to Articles 9, 18, and 19 of LGPD, they have the right to: – Access, correct, anonymize, block, delete, and port their data; – Be informed about processing purposes, sharing, and entities involved; – Withdraw consent when applicable; – Exercise rights free of charge within regulatory deadlines.

If GRUPO LUME is a Processor, the same rights are guaranteed through the respective controllers. Any updates to LGPD or ANPD regulations will be fully observed.

5. DATA PROTECTION AND SECURITY

GRUPO LUME prioritizes the privacy and protection of personal data. Measures include: a) Compliance with ISO/IEC 27001:2013 for Information Security Management Systems. b) Compliance with ISO/IEC 27701:2019 for Privacy Information Management Systems. c) An Information Security Policy available on GRUPO LUME’s website, detailing internal security practices.

6. COOKIES, SIMILAR TECHNOLOGIES, AND LOG FILES

6.1 What are Cookies?

Cookies are small text files stored on your device during site visits, retaining preferences and usage data. They do not contain sensitive personal information or banking data.

6.2 Why We Use Cookies

Cookies improve site functionality, help understand user behavior, optimize user experience, and communicate effectively.

6.3 Types of Cookies

By ownership: – First-party cookies: defined by us or on our behalf. – Third-party cookies: defined by trusted third parties.

By lifespan:

Session cookies: expire when the browser closes.

Persistent cookies: remain for a specified period until deletion.

By purpose:

Functional cookies: essential for site functionality.

Analytics cookies: collect anonymized usage data.

Advertising cookies: serve ads based on user interests.

6.4 Cookies Used

*(Insert table/image of cookies as per original content)*

Other tracking technologies may include IP addresses, log files, and web beacons.

6.5 Cookie Management

Cookie installation requires user consent. Users can block, accept, or manage cookies via their browser settings. Initial site access triggers a consent banner. Revocation may limit certain features.

Tutorials:

• Internet Explorer: link • Firefox: link • Safari: link • Chrome: link • Edge: link

Download Information Security Policy

This policy was revised on April 1, 2025.