Privacy Policy

1.1 This Policy aims to guide Embaré's performance in matters of protection of Personal Data of users of its products/services and third parties in general.

2.1 This Policy applies and integrates a set of actions aimed at the protection of Personal Data practiced by Embaré Ind. Alimentícias S/A.

3.1 Data Holder: natural person to whom the personal data used by the Company refers.
‍
3.2 Personal data: data that allow the identification, directly or indirectly, of the natural person.
‍
3.3 Data processing: any operation carried out using personal data.

4.1 Embaré carries out the activities of processing Personal Data observing the following principles:
‍
4.1.1 Purpose: Personal Data are used for legitimate, specific and explicit purposes, without the possibility of further processing in a way that is incompatible with the purposes for which the Data Subject was presented.

4.1.2 Adequacy: Personal Data are used in accordance with the purposes informed to the Data Subject and in the context of the treatment.

4.1.3 Necessity: the use of Personal Data is limited to the minimum necessary to achieve the purposes, being relevant and proportional to the treatment carried out.
‍
4.1.4 Free access: the Data Subject is guaranteed easy and free consultation of the list of Personal Data that are used by the Company.
‍
4.1.5 Quality of data: Personal Data will be updated as necessary and to fulfill the purpose of treatment.
‍
4.1.6 Transparency: the Data Subject is provided with clear, accurate and easily accessible information on the processing of Personal Data.
‍
4.1.7 Security: technical and administrative measures are used to protect Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination.

4.1.8 Prevention: measures are taken to prevent the occurrence of damage due to the processing of Personal Data.
‍
4.1.9 Non-discrimination: Personal Data is not used for discriminatory, illegal or abusive purposes.
‍
4.1.10 Accountability and accountability: effective measures are taken that are capable of proving compliance and compliance with personal data protection rules.

5.1 Personal Data Subjects covered by this Policy are: (i) employees (ii) future employees (iii) potential customers and/or customers;
(iv) visitors; (v) third parties in general who contact the Company through its service channels or in its physical establishments.

5.2 The services offered by Embaré are intended for people over 18 years of age or emancipated minors. The collection of Personal Data from children or adolescents is carried out in the context of complying with legal or regulatory obligations, and for the exercise of rights in administrative or judicial proceedings, respecting the legal requirements for the treatment of this Personal Data.

6.1 The Data Subject may exercise their rights directly or through a legally constituted representative.
‍
6.2 Data Subjects' rights consist of: (i) requesting confirmation of the existence of the processing of personal data; (ii) access to data; (iii) correction of incomplete, inaccurate or outdated data; (iv) anonymization; (v) blocking or deleting unnecessary, excessive or data treated in violation of current legislation; (vi) portability of data to another provider of services or products; and (vii) information about the public or private entities with whom your data is shared.
‍
6.3 Requests must be made through the service channel available on the Embaré portal.
‍
6.4 Inaccurate or outdated Personal Data will be corrected as soon as the Data Subject informs about the inconsistencies. These corrections will be kept in the Company's archive as historical confirmation of the change.

7.1 Personal Data may be collected both for and due to matters related to the provision of services, as well as to meet legal obligations of the employer and supplier.

8.1 Personal Data is mainly collected in the following ways:

• Sites - Consumer, customer and supplier-facing sites managed by or for Embaré, including sites that We operate under our own domains/URLs and business pages that we maintain on third-party social networks such as Facebook.
• Mobile sites/applications - Consumer, customer and supplier-facing mobile sites or applications managed by or for Embaré, such as Sou Camponesa and here it is Camponesa, Among others.
• E-mail, text messages and other electronic messages -Interactions that Embaré carries out with the Holders of Personal Data, such as electronic communications sent by the companies.
• SAC - Communications with our Customer Service.
• Offline Registration Forms - Printed or digital forms, and similar ways, by which we request your Personal Data, such as conventional mail, promotions or events, among others.
• Ad Interactions - Interactions with our advertisements (for example, if you interact with one or more of our advertisements on a third party website, Embaré may receive information about that interaction).
• Data “created” by Embaré – During interactions with Embaré, various other personal data may appear, such as, for example, your purchase record on Sou Camponesa.
• Data from other sources - Third party social networks (such as Facebook and Google), market research (if feedback is not provided anonymously), third party data aggregators, Embaré promotional partners and public sources.

9.1 Personal Data is processed for the following activities:

• Respond to requests made by the holder in person or via the Web.
• Register customers.
• Fulfill legal obligations.
• Prepare reports and plan business.
• Exercise rights or defend yourself in administrative and judicial proceedings.
• provide the services
• Carry out campaigns.
• Ensuring business relationship with customers.
• Ensuring employer-employee relationships
• Ensuring customer relationships with suppliers.

9.2 All Personal Data collected are used strictly for the purposes described in the previous sub-item, being treated as confidential and respecting the privacy of the Data Subject.

9.3 Personal Data is processed on the following legal bases:

• Consent – ​​used in processes in which the Data Subject can choose or not to carry out a certain action, for example, to contribute to one of the assistance institutes supported by the Company.
• Compliance with legal or regulatory obligations – aims to ensure compliance with legal requirements.
• Execution of Contracts – used for processes related to the supply of products, among others.
• Regular Exercise of Rights – aims to guarantee the exercise of the Company's representation in judicial and administrative discussions.
• Legitimate Interest – used in satisfaction surveys, public awareness campaigns and verification of irregularities in transmission lines, for example.
• Execution of public policies – used for the processing of Personal Data associated with partnership terms signed with the government.

10.1 Personal Data will be kept for the duration of Embaré's contractual relationship with the Data Subject and, after this relationship is terminated, for (i) compliance with legal or regulatory obligations by the controller, (ii) study by a research body, guaranteed, whenever possible, the anonymization of personal data, (iii) transfer to a third party, provided that the data processing requirements set forth in this Law are respected; or (iv) – exclusive use of the controller, its access by a third party being prohibited, and provided that the data is anonymized.

10.2 Technical protection measures and solutions are used to ensure the availability, confidentiality and integrity of your data. In addition, we also have risk-appropriate security measures and access control to stored information.

10.3 After the end of the purpose of processing Personal Data, the information will be discarded or anonymized, following appropriate procedures and policies for this purpose.

11.1. Sharing with third parties will occur when:

• there is formal consent from the Data Subject.
• the transfer is necessary due to the fulfillment of legal obligations.
• the transfer is necessary for the regular exercise of rights in judicial or administrative and arbitration proceedings.
• necessary for the performance of a contract.
• necessary to meet the legitimate interests of the Data Subject or Embaré.

11.2 Embaré may share the Personal Data of its customers with public bodies by virtue of specific agreements signed for this purpose.

11.3 Exceptionally, if the Data Subject represents foreign companies or the fulfillment of the contract requires it, Embaré may transfer the Personal Data abroad. In this case, Embaré will ensure adequate safeguards to ensure the protection of Personal Data, requiring them contractually.

11.4 The Personal Data of Data Subjects is not sold to third parties under any circumstances.

12.1 A cookie is a file that contains an identifier (a sequence of letters and numbers), stored by the browser. The identifier is sent back to the server each time the browser requests a page from the server. Cookies do not normally contain information that personally identifies a user, but personal information stored about the user may be linked to that stored and obtained from cookies.

12.2 The Company's websites may use cookies of the following types:

• Essential cookies: necessary for the website to function, allowing you to browse and use its features. Without them, the website would not function as intended and the Data Subject would not be able to use some services or resources.
• Analytical cookies: collect information about the use of the website, allowing it to improve its operation. For example, analytical cookies show which pages are most visited on the website and help to record any difficulties users experience while browsing.
• Marketing Cookies: These are advertising cookies used for marketing purposes.

12.3 The Data Subject may configure his browser to block the use of non-essential cookies during his navigation.

13.1 In order to keep your personal information secure, we use physical, electronic and managerial tools aimed at protecting your privacy. We apply these tools taking into account the nature of the personal data collected, the context and purpose of the treatment and the risks that any violations would generate for the rights and freedoms of the data subject collected and processed.

13.2 Among the measures we have adopted, we highlight the following:

• Only authorized people have access to your personal data.
• Access to your personal data is only done after the confidentiality commitment
• Your personal data is stored in a safe and sound environment.
• Embaré employees who handle personal data are constantly trained in the best privacy management practices.

13.3 Embaré is committed to adopting the best postures to avoid security incidents. However, it is necessary to point out that no virtual system is XNUMX% safe and risk-free. It is possible that, despite all our security protocols, problems may occur exclusively due to third parties, such as cyber attacks by hackers, or also as a result of the negligence or recklessness of the user/customer.
‍
13.4 In the event of security incidents that may generate risk or relevant damage to you or any of our users/customers, we will communicate to those affected and the National Data Protection Authority about what happened, in line with the provisions of the General Protection Law. of Data.

14.1 The current version of the Privacy Policy was formulated and last updated on: March 15, 2021.
‍
14.2 We reserve the right to modify this Privacy Policy at any time, mainly depending on the adequacy of any changes made to our website or in the legislative scope. We recommend that you review it frequently.
‍
14.3 Any changes will take effect as of their publication on our website and we will always notify you of the changes.
‍
14.4 By using our services and providing your personal data after such modifications, you consent to them.

15.1 Embaré provides for the liability of agents who work in the data processing processes, in accordance with articles 42 to 45 of the General Data Protection Law.
‍
15.2 We undertake to keep this Privacy Policy updated, observing its provisions and ensuring compliance. In addition, we are also committed to seeking technical and organizational conditions that are safely able to protect the entire data processing process.
‍
15.3 If the National Data Protection Authority requires the adoption of measures in relation to the processing of data carried out by Embaré, we undertake to follow them.

As mentioned in Topic 13, although we adopt high security standards in order to avoid incidents, there is no system that is entirely risk-free. In this sense, Embaré is not responsible for:
‍
I – Any consequences arising from the negligence, recklessness or malpractice of users in relation to their individual data. We guarantee and are only responsible for the security of the data processing processes and the fulfillment of the purposes described in this instrument. We emphasize that the responsibility regarding the confidentiality of the access data lies with the user.

II – Malicious actions by third parties, such as hacker attacks, unless Embaré's culpable or deliberate conduct is proven. We emphasize that in the event of security incidents that may generate risk or relevant damage to the Data Subject or any of our users/clients, we will communicate to those affected and the National Data Protection Authority about what happened and we will comply with the necessary measures.

III – Inaccuracy of the information entered by the user/client in the records necessary for the use of Embaré's services. Any consequences arising from false information or entered in bad faith are entirely the responsibility of the user/customer.