Title SANEAGO'S PERSONAL DATA PRIVACY POLICY

Purpose To establish the guidelines by which the Company processes the personal data of customers, suppliers and other individuals, and indicates the responsibilities during this processing.

Application Applies to all customers, suppliers, partners or other data subjects who, in any way, have relationships with Saneago (except our Employees).


  1. INTRODUCTION

    1. The Data Privacy Policy of Saneamento de Goiás S/A - Saneago aims to protect and ensure the privacy of the personal data of customers, suppliers, service providers and other users. Such data collected and/or is processed, shared, transferred and stored in the Company.

    2. In order to conduct and improve best practices for the treatment and confidentiality of Saneago's personal data, the company has prepared and makes public this Personal Data Privacy Policy.

  2. APPLICABLE LAWS

    1. This Policy was designed to specifically comply with the Legislation:

      1. Federal Law No. 13.709/2018 (Brazilian General Personal Data Protection Law “LGPD”);

      2. Lei Federal Law No. 12.527/2011 (Access to Information Law);

      3. Lei Federal Law No. 12.965/2014 (Brazilian Civil Framework of the Internet);

      4. Federal Law No. 8.078/1990 (Consumer Defense Code), without prejudice to compliance with other applicable laws for the activities provided by Saneago.


  3. GLOSSARY


    Term

    Description

    Data processing agents

    The controller and operator of Personal Data;


    Data anonymization

    Use of reasonable technical means available at the time of processing, through which a data loses the possibility of association, directly or indirectly, with an individual;

    National Data Protection Authority

    Public administration body responsible for overseeing, implementing and monitoring compliance with this law throughout the Brazilian national territory.


    Block

    Temporary suspension of any processing operation, by keeping personal data or database;


    Consent

    Free, informed and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose;


    Controller

    Natural person or legal entity, of public or private law, who are responsible for decisions regarding the processing of personal data;

    Cookies

    Small text files stored on computers and Smartphones.

    Personal data

    Information related to an identified or identifiable natural person;


    Sensitive personal data

    Personal data on racial or ethnic origin, religious conviction, political opinion, membership of a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person;

    Public Data

    Data that is not subject to valid privacy, security or access control limitations.

    IP Address

    Numerical identifier assigned to each device connected to a computer network.


    Elimination

    Deletion of data or a set of data stored in a database, regardless of the procedure used;


    Person in charge of personal data

    Person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD);


    Operator

    Natural person or legal entity, governed by public or private law, who processes personal data on behalf of the controller;


    Service providers

    Any service provider that provides Saneago with consulting, communications, storage and processing.


    Operational System

    Program or a set of programs whose function is to manage system features, providing an interface between the computer and the user.


    Push technology

    Internet-based communication style where the requisition for a given transaction is initiated by the publisher, in this case Saneago.


    Third Parties

    Refers to, but is not limited to, any and all natural person or legal entity with whom Saneago relates or will relate, service provider, supplier, consultant, customer, business partner, contractor or subcontractor third party, regardless of formal contract or not, including one that uses the Company's name for any purpose or provides services, provides materials, interacts with Public Officials, the Government or other Third Parties on behalf of Saneago.

    Data Subject

    Natural person to whom the personal data being processed refers;


    Data Processing

    Any operation carried out with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction;


    Shared use of data

    Communication, dissemination, international transfer, interconnection of personal data or shared processing of personal data banks by public bodies and entities in the fulfillment of their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more modalities of treatment permitted by these public entities, or between private entities;


    Users

    These are customers, suppliers and other individuals who, within the context of this Policy, access Saneago's digital platforms.


    Website

    Collection of Saneago's Internet pages, used to provide services and communicate with society in general, investors, governments and third parties.


  4. DATA PROCESSING AGENT

    1. Saneago, headquartered at Avenida Fued José Sebba nº 1245 – Jd. Goiás, Goiânia – GO, Brazil, Zip Code: 74805100 and CPNJ: 01616928/0001-02, as the controller, in accordance with Law 13709/2018 – General Data Protection Law, is therefore responsible for the processing of the personal data explained herein.

  5. COLLECTION OF PERSONAL DATA

    1. Saneago collects personal data from customers, suppliers, partners or other data subjects whenever they:

      1. Use the Saneago application for Smartphones;

      2. Use the digital services, whether making transactions with your account or browsing the company's website www.saneago.com.br;

      3. Contact Saneago through the available service channels, whether by telephone or on-site;

      4. Participate in surveys or sweepstakes conducted by Saneago.

    2. The practices described herein apply to the processing of personal data in Brazil and abroad and are subject to applicable local laws, in particular Law No. 13.709/2018 (Brazilian General Personal Data Protection Law, or “LGPD”). This is your personal data processed by Saneago, divided into categories:

      1. Data informed by the data subject

        1. Registration data such as full name, identification documents, address, gender, marital status, among others;

        2. Contact data, such as telephone and e-mail;

        3. Biometric data, such as photo and/or videos of the ID document and face.

      2. Navigation and device data

              1. Personal data is also collected when the customer, supplier, partner or other data subject (i) uses the services made available and/or provided by the company; (ii) fill in forms, participate in online events, perform searches and other interactions with the services; and (iii) accesses the services via computer and/or Smartphones. Personal data collected from accessing the services may include:

                1. IP address of the device used to access Saneago's services;

                2. Interactions performed and usage profile of the website, portals and Saneago app;

                3. Technical data, such as URL, network connection, provider, and device information;

                4. Cookies;

                5. Device attributes such as ID, operating system, browser and model.

              2. When interacting with certain Company services, we may request access to the photo gallery, camera and location. In such situations, prior authorization will always be requested for the collection of said data.

      3. Public data

        5.2.3.1. Personal data obtained by the Company in the application of public policies or through publicly available sources, in accordance with applicable legislation.

  6. USE OF PERSONAL DATA

    1. The personal data collected by Saneago is obtained to achieve specific purposes and only in the presence and support of a legal basis (or requirement for data processing) provided for in Law No. 13.709/2018 – General Data Protection Law.

      1. Legal Base

        1. The authorization of the personal data subject, consenting to the processing in a free, specific, informed and unequivocal manner;

        2. If there is a legal or regulatory obligation to process personal data;

        3. Execution of a contract in which the personal data subject is a stakeholder or for the execution of measures adopted at their request;

        4. In the regular exercise of rights in judicial, administrative or arbitration proceedings;

        5. By the public administration, for the processing and shared use of personal data required for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments;

        6. By the presence of the legitimate interest of Saneago.

      2. Goal

        1. Maintenance of the customer account, issuance of invoices and execution of services;

        2. Compliance with contractual obligations, in particular the execution of the terms of the service agreement with Saneago;

        3. Compliance with applicable legal and/or regulatory requirements;

        4. Notification of any changes in the provision of services or provision of benefits;

        5. Answer any questions when the personal data subject contacts Saneago;

        6. Strengthen security and data protection procedures, aiming at providing a safer and more effective service;

        7. Detection, prevention, mitigation and verification of illegal or fraudulent activities regarding services provided on digital platforms;

        8. Conduct internal operations, including customer support, troubleshooting, data analysis, testing, research and statistics;

        9. Improve and enhance the services provided by the Company, ensuring that they are presented in the most effective manner to customers, users and personal data subjects;

        10. Produce evidence and assist in the conduct of legal, administrative or arbitration proceedings, as well as assist in the fulfillment of other legal requirements;

        11. Make automated decisions regarding the use of the services provided by Saneago.

              1. The provision of personal data by the customer, supplier, partner or other data subjects is required in all cases where: (i) the processing is carried out on the basis of a legal obligation or: (ii) to execute a contract to which the customer, supplier, partner or other data subject is a stakeholder, or (iii) to implement measures taken at their request. Any refusal by the customer, supplier, partner or other data subject may prevent Saneago from proceeding with the purpose for which the data is collected.

              2. The mandatory or optional nature of providing personal data will be specified at the time of collection. If the customer, supplier, partner or other data subject does not agree with the processing that require consent, there will be no consequences for the processing of data required for the execution of the contract, compliance with legal or regulatory obligations, or for defense in legal proceedings.

      3. Activity Record

              1. To make the visit to the Saneago website more pleasant and to allow the use of certain available features, “cookies” may be used on various pages.

              2. Some of the cookies used by Saneago are deleted after the browser session ends. Other cookies remain on the device and allow the Company to recognize the browser on the next visit. However, the customer, supplier, partner or other data subject can configure their browser so that they are informed about the configuration of cookies separately and individually decide on their acceptance or exclude the acceptance of cookies in certain cases or in general. For further information, it is recommended to refer to the Internet browser's help function. It should be noted that if cookies are not accepted, the functionality of the Saneago website and application may be limited.

              3. For further information about how Saneago uses cookies, the customer, supplier, partner or other holder can consult the “What are and how Saneago uses Cookies” section of this Policy.

  7. PERSONAL DATA STORAGE

    1. Personal data may be transferred, stored and processed in Brazil and/or abroad, abiding to the best practices and security and confidentiality procedures.

    2. By agreeing with this Policy, the customer, supplier, partner or other holder consents that their personal data may be transferred, stored and processed in Brazil and/or abroad by Saneago or partners. Wherever personal data is transferred, stored or processed by Saneago or its partners, knowing that the necessary technical and organizational security measures will be taken to ensure an adequate level of data protection.

    3. For further information on how Saneago protects personal data, see the “Personal Data Security” section of this Policy.


8. COOKIES

    1. Definition and use

      1. Cookies are files or information that may be stored on electronic devices when the customer, supplier, partner or other holder visits the website or uses Saneago's online services. Generally, a cookie contains the name of the website that originated it, its lifetime and an informational value, which is randomly generated.

      2. Saneago uses cookies to facilitate use and better adapt the website and applications to the interests and needs of both users and the Company, as well as to assist and improve structures and contents. Cookies can also be used to speed up future activities and experiences on the various services available. The Company uses different types of cookies on its website. For a better understanding of the types of cookies and their uses, observe the following information:


        Types

        Description

        Impact


        Cookies Required

        They are essential for the Saneago website to load properly and allow the user to navigate correctly, as well as make use of all available features. To use the cookie tool, authorization from the customer, supplier, partner or other holder will always be requested during the first access to the website, or on other pages or Portals.


        The user can configure their browser to block or warn them to the existence of cookies, but parts of the website may not function properly.


        Analytical Cookies

        Cookies that allow us to count the number of visits and traffic sources in order to measure and improve the performance of the Company's website. They help to know which pages are most and least visited and how visitors navigate the website. All the information these cookies collect is aggregated and therefore anonymous.

        If the user does not allow these cookies, Saneago will not know when the user has visited its website, making it difficult to generate statistics that could promote improvements.


        Functional Cookies

        These cookies allow the user to provide advanced features and customizations such as: videos and real-time chat. They can be assigned by Saneago itself or by its partners whose services are added to their Internet pages.

        If the user does not allow these cookies, it is possible that some or all of the features will work properly.

    2. Blocking cookies.

      1. Modern browsers allow some control of most cookies through their settings. However, if the customer, supplier, partner or other holder applies browser settings to block all cookies (including strictly necessary cookies), they may not be able to access all or part of the website.

    3. Changing cookie settings.

      1. The menu for changing cookie settings is usually found in your browser's 'options' or 'preferences'. To understand these settings, the following links may be helpful. Otherwise, the user should use the ‘Help’ option in their internet browser for more details.

  1. SHARING PERSONAL DATA

    1. For Saneago to provide the services in compliance with the aforementioned purposes, the personal data of the customer, supplier, partner or other holder may be made available to:

      1. Saneago employees who have been authorized within their duties;

      2. Service providers located inside and/or outside Brazil;

      3. Outsourced companies that carry out personal data processing activities on behalf of Saneago, as operator (for example: companies that provide basic services such as reading, cutting and new connections, companies hired for the preparation of projects and construction of works, banks, billing offices, among others);

      4. Public bodies in the execution of public policies, whenever a request is made in this regard;

      5. Communication and dissemination to bodies and institutes for scientific research purposes, statistics or public information.

  2. PERSONAL DATA RETENTION PERIOD

    1. The personal data collected by Saneago will be processed as long as the relationship of the customer, supplier, partner or other holder with the Company is maintained. And also respecting the deadlines of the temporality table of the documents, the fiscal needs and rendering of accounts with the inspection and control bodies, after the respective deadlines have elapsed, the personal data will be automatically deleted from the servers when it is no longer useful for the purposes to which it was collected.

    2. Without prejudice to the personal data subjects, the information may also be kept for longer periods than the time table for attention and compliance with regulatory obligations or for defense in judicial, administrative or arbitration proceedings, provided that the personal data processing requirements are abided.

  3. PERSONAL DATA SECURITY

    1. Saneago adopts the best practices and technologies in line with the technical and regulatory standards of the market, as well as controls that are always reviewed and improved.

    2. Saneago uses measures to preserve personal data against unauthorized access, use, alteration, disclosure or destruction. These include the physical and logical protection of assets, encrypted communications, access management, adherence to secure software development and internal compliance policies, which include security in the life cycle of the services provided by the Company.

    3. Employees who come into contact with the information undertake to maintain confidentiality regarding personal data.

    4. Saneago has teams prepared to detect and respond promptly, in case of any event or incident that compromises the security of personal data or its services.

    5. Saneago keeps records indicating the time, duration, identity of the employee or person responsible for access and the file object of access, based on connection and application access records.

    6. Saneago adopts, among other aspects, the best technical and organizational efforts, in order to preserve the privacy of users/holders' personal data. However, no digital platform is completely secure. Aware of this circumstance, Saneago cannot individually and fully ensure that all information that goes through its systems will not be subject to unauthorized access, caused by techniques developed to obtain information improperly. For this reason, the company encourages the customer, supplier, partner or other data subject to take appropriate measures to protect themselves, such as, for example, maintaining strict custody, confidentiality and protection of all user names and passwords relating to themselves.

  4. RIGHTS OF PERSONAL DATA SUBJECTS

    1. As the personal data subject, the customer, supplier, partner or other data subject may contact Saneago at any time and through any of the available means of access, to make use of their rights. The rights of data subjects are:

      1. Receive information about the processing of personal data and obtain a copy of the data processed;

      2. Rectify inaccurate or incomplete personal data;

      3. Erase personal data, except that required for legal compliance;

      4. Request anonymization, blocking or deletion of unnecessary, excessive or processed data in violation of the LGPD;

      5. Withdraw a given consent at any time to stop processing data based on their consent;

      6. Oppose the data processing;

      7. Submit a complaint to the National Data Protection Authority.

  5. ADDITIONAL DOCUMENTS

    1. Saneago's Personal Data Privacy Policy has a corporate character and its elaboration, its structure provides for the following complementary documents/platforms:

      1. Privacy Notices;

      2. Privacy Portal.

  6. TALK TO SANEAGO

    1. If, after reading this Personal Data Privacy Policy, the customer, supplier, partner or other data subject still has any questions, or for any reason needs to communicate with Saneago, to deal with matters involving personal data, they may contact the Data Protection Officer, via email: privacidade@saneago.com.br.

  7. UPDATE

    1. This Policy will be updated whenever there is a change in the use of personal data;

      15.1.1. Any updates to this Policy will be immediately and widely disseminated, either by means of a notice on the Company's Website, in the Customer Services, by sending an email or instant notification of the application (push type).

  8. APPROVAL

    1. This Policy was approved by the Board of Directors of Saneago, on 10/14/2021, recorded in Minutes 453.