General Data Protection Policy (LGPD)
Last updated: July 1, 2025
1. Objective and Commitment
This General Data Protection Policy ("Policy") aims to establish a high standard of compliance and transparency, formalizing the commitment of IDGN IT Solutions to the privacy and protection of personal data collected and processed within its business activities. This document sets forth the guidelines, principles, and responsibilities that guide data processing, in strict compliance with Law No. 13,709/2018, the Brazilian General Data Protection Law (LGPD).
The Senior Management of IDGN IT Solutions reaffirms its commitment to the continuous improvement of security and privacy, ensuring the necessary resources for maintaining an effective Information Privacy Management System.
2. Scope
This policy applies to all personal data processing operations carried out by or on behalf of IDGN IT Solutions, covering data from:
- Employees: Individuals with an employment or similar relationship.
- Clients: Business contacts, users, and representatives of legal entities that contract our services.
- Partners and Suppliers: Individuals or representatives of legal entities who maintain a business relationship with us.
- Candidates: Individuals participating in our selection processes.
- Visitors: Users who browse our website or visit our physical facilities.
3. Fundamental Principles
All personal data processing operations at IDGN IT Solutions are governed by the following LGPD principles:
- Purpose: Processing carried out for purposes that are legitimate, specific, explicit, and informed to the data subject.
- Adequacy: Compatibility of the processing with the informed purposes.
- Necessity: Limitation of processing to the minimum necessary to achieve its purposes.
- Free Access: Guarantee of easy and free consultation for data subjects on the entirety of their data and the form of processing.
- Data Quality: Guarantee of accuracy, clarity, relevance, and updating of data.
- Transparency: Provision of clear, precise, and accessible information about the processing and the agents involved.
- Security: Use of technical and administrative measures to protect data from unauthorized access and illicit situations.
- Prevention: Adoption of measures to prevent damage due to data processing.
- Non-Discrimination: Impossibility of processing for illicit or abusive discriminatory purposes.
- Accountability and Reporting: Demonstration of the adoption of effective measures to prove compliance with data protection regulations.
4. Our Data Processing Activities
Below, we detail how we process personal data in our main processes:
- For Our Website Visitors:
  - Data Collected: IP address, geolocation data, device information, browser, and navigation data collected via cookies.
  - Purpose: Website performance analysis, user experience improvement, and targeted marketing.
  - Legal Basis: Legitimate interest and, for non-essential cookies, your consent.
- For Business Contacts (Leads and Clients):
  - Data Collected: Name, email, phone number, job title, company.
  - Purpose: To respond to requests, send commercial proposals, carry out marketing communications, and manage the business relationship.
  - Legal Basis: Execution of pre-contractual procedures, legitimate interest, and, for marketing, your consent.
- For Clients (Service Provision):
  - Data Collected: Registration data (name, CPF, address, email), financial data, and, as a Processor, access to data contained in the client's systems.
  - Purpose: To execute the service provision contract, perform billing, provide technical support, and comply with legal obligations.
  - Legal Basis: Execution of a contract and compliance with a legal obligation.
- For Employees:
  - Data Collected: Complete registration data, personal documents, bank details, dependent information, and health data (for occupational exams).
  - Purpose: To comply with the obligations of the employment contract, manage benefits, and comply with labor and social security legislation.
  - Legal Basis: Execution of a contract and compliance with a legal obligation.
5. Rights of Data Subjects and Service Procedures
IDGN IT Solutions ensures the full exercise of your rights. To make a request, the data subject must contact our DPO via email at dpo@idgn.com.br.
- Procedure: The request must be clear and contain information that allows the identification of the data subject and the specification of the right they wish to exercise. We may request additional information to confirm the applicant's identity.
- Deadlines: Requests will be answered within 15 (fifteen) days from the date of the request, or in a shorter period, according to applicable regulations.
- Cost: The exercise of rights is free of charge.
6. Data Sharing and International Transfer
We do not sell personal data. Sharing occurs only when necessary for the execution of our activities, with partners and suppliers who are contractually obligated to follow our security and privacy standards.
We may use cloud infrastructure services located outside of Brazil (international data transfer). In such cases, we ensure that our suppliers provide a degree of data protection adequate to that provided for in the LGPD, either by being located in countries with adequate data protection legislation or through specific contractual clauses.
7. Information Security
Data security is a priority. We implement a comprehensive information security program, detailed in our Information Security Policy (ISP), which includes technical and organizational controls to protect data against any form of improper or illicit processing.
8. Data Protection Impact Assessment (DPIA)
For processing operations that may pose a high risk to civil liberties and fundamental rights, IDGN IT Solutions undertakes to prepare a Data Protection Impact Assessment (DPIA). This document will contain the description of the processing operations, the analysis of necessity and proportionality, the identification of risks, and the safeguard and mitigation measures adopted.
9. Records of Processing Activities (ROPA)
We maintain a detailed record of all our personal data processing operations (ROPA), containing, at a minimum, the purpose, legal basis, description of data subjects, data categories, recipient categories, retention periods, and applied security measures.
10. Data Retention
Personal data is retained for the time strictly necessary to fulfill the purpose for which it was collected, observing the retention periods established by applicable law (e.g., data for tax, labor, and billing purposes). After the retention period ends, the data is securely deleted.
11. Data Protection Officer (DPO)
IDGN IT Solutions has appointed a Data Protection Officer to oversee our privacy program and act as a communication channel with data subjects and the ANPD.
- Officer (DPO): Legal Department
- Contact Email: dpo@idgn.com.br
- Mailing Address: Alameda Xingu, 350, Sala 1802, 18º Andar, Alphaville, Barueri, SP, CEP 06455-911, Brazil
12. Policy Review
This policy is reviewed annually or whenever there are relevant changes, ensuring its continued adequacy.
13. Glossary
- ANPD (National Data Protection Authority): Federal public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD.
- Controller: Processing agent responsible for decisions regarding the processing of personal data.
- Processor: Processing agent that carries out the processing of personal data on behalf of the controller.
- Processing: Any operation performed with personal data.