DATA TREATMENT AND PRIVACY POLICY FOR THE
JOSÉ LUIZ EGYDIO SETÚBAL FOUNDATION (THE
“POLICY”)

1. INTRODUCTION

This Policy has the purpose of showing the commitment of the

JOSÉ LUIZ EGYDIO SETÚBAL FOUNDATION
(FUNDAÇÃO JOSÉ LUIZ EGYDIO SETÚBAL)  (“We”),
with head office at Avenida Angélica, 1987, 17th Floor, postcode 01228-200, São Paulo/SP, Brazil.
CNPJ: 61.213.674/0001-69

With the privacy and protection of Data, in a clear manner and according to laws currently in effect.

This Policy describes the main rules on Treatment of Personal Data when we attend You in our brick-and-mortar unit, or through our virtual environments (“Our Environments”), like the portal https://www.fundacaojles.org.br/.

To access and use the features available in Our Environments, You do hereby declare that you have fully and carefully read this Policy, being fully aware of the terms and conditions as set forth herein, including those terms related to the Treatment of Personal Data, carried out in line with the conditions as specified below.

We seek to provide you with the services, with the greatest possible efficiency and, for this, we are constantly making updates. For this reason, this Policy may be adjusted at any time, and You have the responsibility of checking it whenever possible through this electronic address.

Should there be any relevant changes in the way we treat your personal data, we shall inform You or the your legally responsible person or guardian, about the new additional conditions, through the means of contact that You have supplied.

At the end of the document, there is a Glossary for solving possible doubts regarding the expressions that have been defined in CAPITAL LETTERS.

1. SABOUT THE DATA WE COLLECT
   1. How we collect data. The Data, including Personal Data, may be collected when You send them, or when You interact with Our Environments and services, which include:

2.2   Data Necessary. Many of our services depend directly on some Data as informed in the table above, especially file data. If You decide not to supply some of this Data, we may not be able to provide You with some or all of our services.

2.3  Updating and Veracity of Data. You are the only party responsible for the precision, veracity or lack thereof, with regard to the Data that You supply, or for it being out of date. Pay attention, as it is your responsibility to make sure of the exactness of the data or keep it up to date.

2.3.1  In the same way, We are not required to treat any of your Data if we have reason to believe that this treatment of data could mean that we commit any violation of any applicable Law, of if Our Environments are being used for any purposes that are illegal, illicit, or go against good morals.

2.4  Database. The database that was formed through collection of Data is our property and is under our responsibility. When necessary, its use, as also the access thereto and sharing thereof shall always be made within the limits and purposes of the business activities as described in this Policy.

2.5  Use of Cookies. In order to improve navigability and experience within Our Environments, we make use of Cookies, which are digital files in text format that are collected and stored while browsing. To find out more about the Cookies we collect and why we collect them, please access our Cookies Policy, available at the following link [*].

2.5.1  Apart from Cookies, We can also make use of other technologies to make your experience in Our Environments much more efficient, which shall always follow legislation in force and the terms of this Policy.

2.5.2   All the Technologies used shall always respect the terms of legislation currently in force, and the terms of this Policy.

We shall not use any type of exclusively automated decision that would have an impact on You.

1. HOW WE SHARE DATA AND INFORMATION
   1. Hypotheses for Data Sharing. The Data collected and the activities as recorded can be shared, always respecting the sending of the minimum information as necessary to reach the proposed goals:
      1. With partner companies and service providers as necessary for the execution of our services, always requesting that such companies follow the guidelines of data protection and security;
      2. With Sabará Children’s Hospital and the PENSI Institute, whenever this is necessary to that the provision of services may become feasible, and so that administrative transactions may be allowed, through the adoption of technical and organizational measures to make sure of data security and protection
      3. With the competent judicial, administrative or Governmental authorities, whenever there is a legal requirement, request, or Court order; and
      4. Automatically, in the case of corporate activities such as mergers, acquisitions, and takeovers.
   2. Anonymization of Data. For statistical purposes, with regard to qualitative and quantitative characteristics of the public that visits Our Environments, the data that You have supplied may be shared in an anonymous manner, meaning that there is no way of your identification being possible.
2. HOW WE PROTECT YOUR DATA AND HOW YOU CAN PROTECT IT TOO
   1. Measures that we take. We make every effort to maintain privacy and security of information through the adoption of technical, physical and administrative measures for security:
      1. technical measures, like transmission of personal data through a secure Internet page, storage of data on electronic media with high standards of security, and use of a system with controlled access;
      2. physical measures, such as access restricted to authorized personnel, kept in locations that include security tools available on the market; and
      3. administrative measures, including the adoption of Security Standards and Policies, training and awareness building for collaborators; confidentiality agreements.
   2. Care that You must take. It is very important that You protect your Data against unauthorized access to your devices. We never send electronic mail messages to request confirmation of data or with attachments that could be executed (extensions: .exe, .com, among others) or links for possible downloads.  Our e-mails have the purpose of bringing information about the services we provide and the other information that You have requested.
   3. Access to Personal Data, proportionality and relevance. Internally, the Personal Data as collected is accessed only by duly authorized professional people, with respect for the principles of proportionality, necessity and relevance for the purposes of our business activities, as well as a firm commitment to confidentiality and preservation of privacy as per the terms of this Policy.
   4. External Links. When You use Our Environments, You could be led, through a third-party portal or platform link (like our social networks) that can collect your information and have your own Privacy Policy and Treatment of Data.
      1. You shall have the responsibility of reading the Policies for Privacy and Treatment of Data, for such portals or platforms outside our environment, also having the responsibility to accept it or reject it. We do not take responsibility for Policies of Privacy and Treatment of Data, or for content, contained in any websites or other services that are connected to environments other than ours.
      2. Partner Services. We have commercial partners that could possibly offer services through functionalities or sites that can be accessed through Our Environments. The Data that you have supplied to these partners shall be their responsibility, thus being subject to their own practices for collection and use of data.
   5. Processing by third parties, following our guidelines. In the event that third-party companies carry out the Treatment in our name, involving any Personal Data that we collect, then these shall respect the conditions as here stipulated and the information security standards, mandatorily.
   6. Communication by electronic mail. To optimize and improve our communication, when we send You an e-mail we can receive a notification about when such messages are open, provided this possibility is available. It is very important for you to keep your eyes open, as the e-mails are sent exclusively through the domains: fundacaojles.org.br.
3. HOW WE STORE YOUR PERSONAL DATA AND RECORDS OF ACTIVITIES
   1. The Personal Data as collected and the records of activities are stored in a safe and controlled environment, for a minimum period of time which follows the table below:

5.2    Longer storage periods. We can keep the track record of your Data for a longer period whenever the Law or regulatory standards require this, or for the preservation of rights.

The Data collected shall be stored on our servers in Brazil, as also in an environment of use of resources or servers in cloud computing, which could require a transfer and/or processing of this Data outside Brazil.

5.3    Records of recordings. We can also keep records of CCTV recordings for short periods, in compliance with our policies for security and monitoring of physical environments to protect You, our collaborators, and Our Environments.

1. WHAT ARE YOUR RIGHTS AND HOW CAN THEY BE EXERCISED
   1. Your basic rights. You may request the confirmation of existence of treatment of Personal Data, as well as the exhibition or correction of Personal Data, through the Service Channels.
   2. Limitation, opposition, portability, and exclusion of data. Through the Service Channels, You can also request:
      1. Limitation on the use of your Personal Data;
      2. The right to express your opinion and/or revoke this consent, with regard to the use of Personal Data;
      3. The portability of file Data for another Controller from the same line of activity as our business; or
      4. Request the exclusion of your Personal Data as We have collected.
      5. If You withdraw your consent for essential purposes with regard to the regular operation of Our Environments and services, then such services may then become unavailable to You.
      6. If You request the exclusion of your Personal Data, then it could occur that the Data must be maintained for a period longer than the period of exclusion, as according to the terms of Article 16 of the General Law for Protection of Personal Data, for the purposes of (i) compliance with obligations set by laws or regulations; (ii) study by research institution; and (iii) transfer to third person (while respecting the requirements for treatment of data, as set forth in the same Law). In all cases, through anonymization of Personal Data, provided this is possible.
      7. At the end of the maintenance period and legal needs, the Personal Data shall be excluded with use of secure disposal methods, or anonymously used for statistical purposes.
2. INFORMATION ON THIS POLICY
   1. Inapplicability. Should any point in this Policy be considered inapplicable by a National Authority for Data Protection or by court decision, then the remaining conditions shall remain in full effect.
   2. Electronic Communication. You recognize that any communication that We make by e-mail (to the addresses as informed on your file), as also by SMS, instant communication apps, or any other digital means, are also valid, efficient and sufficient for disclosure of any issue referring to the services that we provide, as also to the Data, conditions of provision of such services or any other issue as addressed therein, with the sole exception being anything that this Policy sets out as such.
   3. Service Channels. In case of any doubts with regard to the contractual terms in this Policy, You may get in touch through the service channels mentioned as follows, that are open from Monday to Friday, from 7 am to 6 pm:
      1. Telephone: (11) 2155-9358;
      2. Email: contato@fundacaojles.org.br;
      3. You may also get in touch directly through our Data Protection Officer, who is accessible by e-mail at DPO@fundacaojles.org.br.
   4. Applicable Law and Forum. This Policy shall be interpreted in line with Brazilian Legislation, in the Portuguese language, with the law courts of their domicile being selected to sort out any doubts that this document may involve, with the exception of a specific reservation of personal, territorial or functional competence by the applicable legislation.
      1. If You, do not have a regular place of abode in Brazil, and due to the fact that our services are only offered within Brazil, you will be subject to Brazilian Legislation, therefore agreeing that, in the event of any litigation to be solved, then the action shall be proposed at the Law Courts of São Paulo, State of São Paulo.
3. GLOSSARY
   1. For the purposes of this Policy, one shall consider the following definitions and descriptions, for better understanding:
      1. Anonymization: Use of reasonable technical means as available at the moment of Treatment, through which an item of data loses any possibility of direct or indirect association to any specific individual person.
      2. National Data Protection Authority: A Government institution that is responsible for compliance with the General Law for Protection of Personal Data.
      3. CCTV: “Closed Circuit Television. This is a camera-based monitoring and surveillance system that sends the pictures in real time to a video recorder and/or monitoring center, through a cabled system or IP.
      4. Cloud Computing: This is a kind of service virtualization technology constructed based on the interconnection of more than one server, through a common information network (like the Internet), seeking to reduce costs while increasing the availability of the services sustained.
      5. Cookies: These are small files sent by the platform, saved in their devices, which store preferences and some other information, in order to personalize your browsing according to your profile. To have access to other information, please access our Cookies Policy, through the link https://fundacaojles.org.br/politica-de-cookies/
      6. Data: Any information that has been inserted, treated, or transmitted through Our Environments.
      7. Personal Data: Data that is related to a natural person that is or can be identified.
      8. Decisions that have been uniquely automated: These are decisions that affect a user and which were programmed to operate automatically, without any need for human operation, based on an automated treatment of personal data.
      9. Data Protection Officer (DPO): The DPO is a person that We have appointed to be a kind of communication channel between the controller, the owners of the data, and the National Data Protection Authority (ANPD)
      10. José Luiz Egydio Setúbal Foundation: The company with the trade name of FUNDAÇÃO JOSÉ LUIZ EGYDIO SETÚBAL, registered on the National Corporation Register (CNPJ) under No. 61.213.674/0001-69, with head office at Avenida Angélica, 1987, 17th floor, postcode 01228-200, São Paulo/SP, Brazil.
      11. Session ID: Identification of the user session when there is access to Our Environments.
      12. IP: Abbreviation of Internet Protocol. This set of alphanumeric characters identifies the devices of Internet users.
      13. Owner of Data: A natural person to whom the Personal Data as objects of Treatment refer.
      14. Treatment: All operations carried out with Personal Data and Sensitive Personal Data, such as those referring to collection, production, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, appraisal or control of information, modification, communication, transfer, diffusion, or extraction.
      15. You: The Owner of the personal data, which means the people who visit Our Environments and other Internet users.