PRIVACY POLICY

PRESENTATION:

In order to achieve our goals, Sonpex needs to process some personal data. As we always prioritize transparency in all our processes, we present this Privacy and Data Protection Policy to help you understand in a straightforward manner how we handle and treat your personal data. We ask you to read this policy carefully; our goal was to make it accessible and clear for your understanding. However, if you have any questions, do not hesitate to contact our Data Protection Officer via email: privacidade@sonpex.com

POLICY OBJECTIVE:

The purpose of this Privacy and Data Protection Policy is to demonstrate to you, the Data Subject, how Sonpex cares about your privacy and processes your data. We aim to transparently showcase our principles and values on this matter.

Sonpex has the mission of respecting and safeguarding your privacy. To achieve this, we comply with all applicable laws, especially the General Data Protection Law (Law 13.709), the Internet Civil Rights Framework (Law 12.965), the Consumer Protection Code (Law 8.078), the GDPR (General Data Protection Regulation), and other international laws. From now on, all matters related to the processing of personal data will be explained in a simplified manner.

PERSONAL DATA AND DATA PROCESSING:

What is personal data:

Personal data is any information related to a natural person that makes them identified or identifiable.

Identified personal data: These are directly linked to the person who owns them, allowing their identification. Examples include full name, passport ID, CPF, and many others.

Identifiable personal data: These data do not allow for direct recognition of the person who owns them. However, within a context of information, it is possible to identify them. For example, computer IP, profession, marital status, home address, and many others.

Data processing: Data processing refers to any operation performed involving personal data, including but not limited to: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.

PROCESSING AGENTS:

Controller: The controller refers to the company that processes personal data for its interest, defining what will be done with the data. In this Policy, the Data Controller is us, the company SONPEX AGENCIA MARITIMA LTDA, a private legal entity, registered with CNPJ under number 10.366.176/0001-15, headquartered at Rua Barão de Cotegipe, 443, rooms 805 and 807, Centro, CEP 96.200-290, Rio Grande/RS.

Operators: An operator refers to a third party that processes personal data on behalf of the controller. We, at Sonpex, engage with companies that ensure the application of necessary measures to protect the processed personal data. Additionally, we establish privacy rules for both parties during the business relationship.

Data Subjects: A data subject is the natural person to whom the personal data refers. In this case, it's you.

Data Protection Officer: The Data Protection Officer, also known as DPO or Data Protection Officer, is responsible for verifying the application of the law within the company and ensuring the privacy and security of information. They are also responsible for handling requests from Data Subjects and acting as a communication channel with the National Data Protection Authority (ANPD) or another designated Public Authority (situations beyond the scope of Brazilian laws).

PURPOSE OF DATA PROCESSING:

1 – Customer contact: We need to use personal data to serve our customers and provide our services.

2 – Content delivery: Sonpex publishes relevant content to its customers through our Blog, Instagram, Youtube, Email, and Telegram. To send this content, we need to process personal data of interested parties.

3 – Contact with potential customers and interested parties: Sonpex may contact people who participated in our campaigns or events, as well as recommendations that arise from them.

4 – Selection process: Sonpex conducts a selection process to choose the best candidates to join our team. Thus, we process the contact details of the candidates to communicate the results or invite them to a meeting. We also process data included in resumes to evaluate candidates.

DATA PROCESSED BY SONPEX:

For customer contact: To maintain a close relationship with our customers and better serve them, we need to use: Name; Email; Phone Number.

To provide service on the Official Website: we need to process the following personal data: Name; Phone Number; Email.

To promote our content and services, we use personal data to send communications. The processed data includes: Name; Phone Number; Email; Social media; Data that you entered in campaigns to receive more suitable content.

For selecting employees and interns in selection processes to join the Sonpex team, we use: Full Name; Email Address; Phone Number; Address; Professional experience; Academic background; Date of birth; Skills; Courses taken and certifications.

DATA COLLECTION METHODS:

Through the customer themselves

Marketing campaigns

Data manifestly made public

Filling out our contact form on the Website

Registration in our content download

Registration in the selection process

LEGAL BASES:

Legal bases are the hypotheses that allow organizations to process personal data. Sonpex only processes personal data that is duly supported by legal bases, according to Article 7 of the General Data Protection Law (Lei Geral de Proteção de

Dados 13.709/18). The legal bases used by the company are:

Contract – Article 7, Item V
Consent – Article 7, Item I
Controller's Legitimate Interest – Article 7, Item IX
Compliance with Legal Obligation – Article 7, Item II
Regular exercise of rights - Article 7, Item VI

Additionally, regarding the General Data Protection Regulation, Sonpex uses the legal bases present in Article 6, as processing will be lawful only if and to the extent that at least one of the following conditions applies:

Consent of the data subject.
Contract performance.
Legal obligations.
Protection of vital interests.
Public interest or exercise of official authority
Legitimate interest.

PRINCIPLES:

Sonpex is committed to following the principles of the General Data Protection Law and the General Data Protection Regulation. We adhere to the guidelines of "Privacy by Design," meaning that all our services are designed with user privacy in mind at every stage, and "Privacy by Default," ensuring that the most secure configuration for users is always applied by default.

We follow the principles of the LGPD and GDPR in all data processing. To make you more aware of these values and to ensure compliance, we include them in this Privacy and Data Protection Policy. The principles are:

Purpose
Need
Adequacy
Security
Prevention
Accountability and Transparency
Transparency
Free access
Quality
Non-discrimination

COOKIES:

What are cookies: Cookies are small files downloaded to your computer or mobile device to improve your experience when you access a website. We use the term "cookie" for any file that collects information in this way.

Why use them: We use Cookies to enable efficient navigation between our web pages, remember preferences, and improve the user experience. They can also help ensure that the online ads you see are more relevant to you and your interests.

Which ones we use: In addition to cookies strictly necessary for the operation of our pages, we also use analytics tools, which are reliable and secure analysis methods to help us understand how you use the website and how we can improve your browsing experience. We at Sonpex have developed a specific policy on the use of Cookies for you to fully understand the use of this tool. You can access it on our official website.

INFORMATION SECURITY:

Sonpex is responsible for maintaining security measures, both technical and administrative, capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing. We regularly maintain all software, licensed and updated, through the regular application of security patches. In addition to following all the guidelines of the Security Policies of the partner company, we also have internal Good Practices regulations for all those involved in data processing. All our employees, partners, and staff have received training on the General Data Protection Law. Furthermore, there is restricted access to information according to each sector of the company. All computers and networks used have antivirus and firewall configurations.

DATA SHARING:

During the processing of personal data carried out by Sonpex, the data may be shared or transferred to third parties, in Brazil or abroad, in order to adequately fulfill the purposes listed in this policy. Data will be shared only in the following situations:

With the customer relationship management systems we use
With cloud storage providers contracted by the company
With analysis tools for the performance of our Blog, Website, and Communication Channels, as detailed in our cookie policy
With marketing tools used for content delivery.

In all circumstances, Sonpex is committed to sharing only personal data strictly necessary for the fulfillment of the specific purpose. For more information on which companies fall into the above situations, you can contact us requesting clarification at the email: privacidade@sonpex.com Sonpex guarantees that, under no circumstances, does it commercialize the information of the Data Subjects. Additionally, we may share the personal data of Data Subjects with constituted authorities, in strict compliance with the law.

DATA SUBJECT RIGHTS AND ACCESS TO THE PRIVACY PORTAL:

With the aim of making you, the Data Subject, more aware of your rights as a citizen, we list below all the Data Subject Rights brought by the LGPD.

- Confirmation of the existence of personal data processing:

You have the right to confirm with the Controllers whether they have your personal data. If you are a Sonpex customer, this means that we process your data.

- Access to personal data

You can request from the Controller that they inform and provide the personal data they have in relation to you.

- Correction of incomplete, inaccurate, or outdated personal data

You have the right to request the correction or supplementation of your data from the Controller.

- Anonymization, blocking, or deletion of unnecessary, excessive, or processed data in non-compliance with the LGPD

If any personal data is processed unnecessarily, in excess for the purpose it serves, or in non-compliance with the LGPD, you can request that the Controller anonymize, block, or delete this data.

- Deletion of personal data processed with consent

If you have given consent for the processing of your personal data, you can request the deletion of this data.

- Information about the organizations with which the Controller shared personal data

You can request that the Controller inform you which companies have shared your personal data.

- Information about the possibility of not providing consent and about the consequences of refusal

- Consent revocation

If you have given your consent for the processing of your personal data, you can request the revocation of this authorization.

- Automated decisions

You can request a review of decisions made solely based on automated processing of personal data that affect your interests.

- Portability

You can request the portability of your personal data to another service provider.

- Support for ANPD

You have the right to receive support from the Controller if you want to file a complaint with the National Data Protection Authority.

- Agreement with opposition to processing, if irregular

You have the right to receive agreement from the Controller to abstain from continuing data processing if it is irregular.

You, as the Data Subject, can exercise your rights against Sonpex. We commit to fulfilling all requests; therefore, we provide a specific platform to meet your requests through our Privacy Portal. Also, if you prefer, you can request directly via our DPO's email: privacidade@sonpex.com

RIGHTS OF DATA SUBJECTS UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)

With the aim of making you, the Data Subject, more aware of your rights as a citizen, we list below all the Rights of Data Subjects brought by the GDPR.

Transparency

Transparency, communication, and targeted information: informs the right of the data subject to receive clear, transparent, and easily understandable information about how their personal data is processed.

Information Collection

Information to be provided when data is collected from the data subject: defines the specific details that the data controller must provide when collecting data directly from the data subject.

Data Not Collected Directly from the Data Subject

Information to be provided when data is not obtained from the data subject: informs the specific details that the data controller must provide when data is not obtained directly from the data subject, including when obtained from third parties.

Right of Access

Establishes the right of the data subject to obtain confirmation of the existence of the processing of their personal data and to access this data, as well as other information related to the processing.

Data Correction

Allows the data subject to request the correction of inaccurate or incomplete personal data.

Data Deletion

Offers the data subject the right to request the erasure of their personal data, in certain circumstances.

Restriction of Processing

Establishes the right of the data subject to temporarily restrict the processing of their personal data, under certain conditions.

Obligation to Notify

Mandatory notification regarding the rectification or erasure of personal data or restriction of processing: the data controller is obliged to notify third parties of any rectification, erasure, or restriction of personal data of the data subject.

Data Portability

Allows the data subject to receive their personal data in a structured, commonly used, and machine-readable format and, if applicable, transmit this data to another data controller.

Right to Object

Offers the data subject the right to object to the processing of their personal data in certain situations, including processing for direct marketing purposes.

Automated Decisions

Automated individual decisions, including profiling: the data subject has the right not to be subject to a decision based solely on automated processing of personal data that significantly affects or has legal effects on the data subject.

POLICY MODIFICATION

All personal data processed by Sonpex will comply with this Privacy and Data Protection Policy. The company reserves the right to change this Policy in whole or in part at any time, inserting the last update date as indicated below. We ask that you consult our Privacy Policy to check for any changes. Nevertheless, we will update our clients and contacts when we have important changes, via email.

DATA PROTECTION OFFICER (DPO) AND CERTIFICATIONS

Our Data Protection Officer can be contacted at any time via email: privacidade@sonpex.com. Additionally, you can request in-person assistance at our headquarters, Rua Barão de Cotegipe, 443, rooms 805 and 807, Centro, CEP 96.200-290, Rio Grande/RS.

Our DPO holds the following certifications:

EXIN Privacy and Data Protection Essentials

EXIN Information Security Foundation based on ISO/IEC 27001

EXIN Data and Privacy Protection Foundation

EXIN Privacy and Data Protection Practitioner

EXIN Data Protection Officer

Their profile with certifications is available at the link: https://app.exeed.pro/holder/profile/54851

CONTACT

If after reading this Privacy and Data Protection Policy you still have any questions, you can contact us in the following ways:

"Privacy Portal" section through our official website.

Via email to our Data Protection Officer (DPO): privacidade@sonpex.com

We are always available to clarify your doubts!

REVISION AND PUBLICATION

This Policy will be reviewed within a maximum period of 1 year but may be revised/changed at any time if necessary, following the company's approval procedure. The updated version of this policy will be duly made available whenever changed. Date of publication of this Privacy and Data Protection Policy on the website: November 2023.