GRIAULE LTDA, a legal entity governed by private law, registered with the CNPJ under no. 05.248.770/0001-71, with its registered office at Avenida Doutor Romeu Tortima, no. 1448, Cidade Universitária, in the city of Campinas/SP, CEP 13.083-897, ("GRIAULE"), hereby presents the Privacy Policy relating to its website located at the electronic address https://griaule.com/ and subdomains, under the terms of Law no. 13.709/2018. Use of the website or the content displayed on it subjects the user to observing and complying with the conditions set out below.

1. OBJECTIVES OF THIS POLICY:

In order to guarantee total transparency regarding the processing of personal data carried out by Griaule, this Privacy Policy aims to explain in a clear and accessible way how your information is collected, used, stored and protected when you access our official website or interact with our platforms.

This Policy applies to the processing of personal data carried out by Griaule in relation to:

Visitors and Website users	Persons who access the various Griaule websites, including the domains at griaule.com, software applications (for computers or mobile devices) and official pages on social networks that link to this Privacy Policy (collectively referred to as the "Sites").
Participants from Events	Participants in events organized or sponsored by Griaule.
Customers and Representatives	Current customers, potential customers and their respective representatives who interact with Griaule.
Suppliers and Partners of Business	Suppliers, commercial partners and their representatives who have a relationship with Griaule.
Candidates for Opportunities	People who apply or show interest in professional opportunities at Griaule, with data processed in the context of online and offline recruitment processes.

By interacting with our Sites, you may be directed to third-party platforms, services, social networks, applications or resources that are not controlled by Griaule. Activating these features may allow other organizations to collect and process information about you.

Griaule has no control over the privacy practices of these third parties and recommends that you read their privacy policies carefully before using these resources.

By using our website and platforms, you acknowledge and agree to the processing of your personal information as described in this Policy, in accordance with Law No. 13,709/2018 (General Data Protection Law - LGPD) and other applicable rules.

2. GRIAULE'S ROLE IN DATA PROCESSING:

Griaule clarifies that, in certain situations, it will act as the controller of the personal data collected and, in other cases, it will act as the data operator:

• Controller of the personal data collected: Griaule itself directly defines how the personal data will be processed, from collection to deletion;
• Operator of personal data collected: when Griaule processes personal data on behalf of a third party (e.g. a client company), in accordance with the instructions agreed between the parties;

In both cases, Griaule undertakes to adopt the necessary measures to guarantee the protection and security of personal data in accordance with applicable laws and regulations, always aiming for the privacy and confidentiality of the data processed.

3. WHAT TYPES OF PERSONAL INFORMATION WE PROCESS AND FROM WHAT SOURCES:

Griaule may process information about you collected offline and online.

Offline information about you originates from our interactions with you during personal meetings or at Griaule events, conferences, workshops or meetings;

Online information originates from the performance of technical support services and from your activities on our websites, for example in relation to your Griaule accounts, (pre-)sales inquiries or from your interactions with Griaule via electronic communication tools such as email or telephone. Information about you may also be provided by third-party sources, such as data aggregators that may not have a relationship with you.

We process personal information that you provide directly to us, such as when you apply for a job vacancy on the websites or at a recruitment event, or when we conduct an interview. We may also receive personal information about you from other sources, such as referrers, people who referred you for a position, in connection with background and employment checks, and from third-party recruitment sources, including websites. Websites include, without limitation, social sites where you have created a public page or profile or otherwise given permission for recruiters to access your information on those sites. They may also include supplier websites where Griaule has invited you to participate in online assessments, reviews or interviews. Online video interviews are subject to privacy terms.

Information about you that Griaule may collect and process includes:

Type of Information Staff	Description / Examples	Legal Basis (LGPD)
Data from Personal Identification	Full name, physical address, e-mail addresses and telephone numbers, date of birth, CPF, digital copies of personal identification documents.	Art. 7, point V - Execution of contract or preliminary procedures. Art. 7, II - Compliance with a legal or regulatory obligation.
Attributes Demographics	Demographic information linked to data that can identify you personally.	Art. 7, item IX - Legitimate interest of the controller. Art. 7, item I - Consent of the owner (where applicable).
Biometric Data	Facial recognition biometrics and other biometric data collected.	Art. 7, point V - Execution of contract or preliminary procedures.
Images and Testimonials	Photographs, videos and testimonials provided voluntarily.	Art. 7, point I - Consent of the owner. Art. 7, item IX - Legitimate interest of the controller.
Research and Information Public	Data from research and publicly available information	Art. 7, item IX - Legitimate interest of the controller.
Identifiers Unique	Cookie ID in the browser.	Art. 7, point I - Consent of the holder
IP address and Location	IP address and derived information, such as approximate geographical location.	Art. 7, item IX - Legitimate interest of the controller.
Training and Experience Professional	Educational background, professional experience and qualifications, eligibility for	Art. 7, point V - Execution of contract or
	the job (nationality, country of residence and visa or immigration status). It also includes information about vacancies for which you have shown interest, a CV, transcripts and supporting documents (such as certificates and diplomas).	of preliminary proceedings.
Information from Personal assessment	Data related to personality, skills, abilities and suitability for a particular position or role.	Art. 7, point V - Carrying out preliminary procedures related to the contract. Art. 7, item IX - Legitimate interest of the controller.
Verification of Background	Information obtained through background checks, including checks on educational background, professional experience and other relevant information, in accordance with Griaule policies and applicable laws.	Art. 7, item IX - Legitimate interest of the controller.

Remember that Griaule does not control the content you may publish on Griaule's community forums or social networks. In some cases, the content may be made publicly available on the Internet. You should think carefully about whether you want to send personal information to these forums or social networks and whether you want to make your profile available to other users, as well as adapting any content you may send.

4. PURPOSE OF DATA COLLECTION:

We may use personal information for the following purposes:

Purpose of Treatment	Description
Communication and Service	Contact and respond to your requests, questions and queries addressed to Griaule.
Operation and Website maintenance	Offer functionalities, guarantee the technical and functional management of the sites and ensure their full operation.
Management of Relationships Commercial	Participating in transactions with customers, suppliers and business partners, as well as processing orders for Griaule products and services.
Analysis and Improvement Continuous	To analyze, develop, improve and optimize the use, performance and functionality of our websites, products and services.
Security Information	Managing and protecting the security of the sites, networks, systems and data under Griaule's responsibility.
Legal Compliance and Regulatory	Comply with laws, regulations and legal or contractual obligations applicable to Griaule's activities.
Marketing and Relationships Commercial	Promote and market Griaule products and services, as well as related products and services, adapting campaigns and communications to your interests or those of your company.
Technical support and Customer Service	Provide technical support and assistance services related to Griaule products, solutions and platforms.
Recruitment and Selection	Communicating with candidates, analyzing applications, carrying out assessments, background checks and hiring processes.
Development Organizational	Analyzing, developing and improving recruitment practices, as well as improving Griaule's products, services and internal processes.

 

5. COOKIES:

Griaule may process personal data indirectly through the use of third-party cookies and plug-ins.

We clarify that some cookies and plug-ins are essential for the correct functioning and security of our website, ensuring that you can navigate and use its functionalities properly.

Other cookies are used to analyze browsing patterns, improve the user experience and optimize the performance of our services and content.

For detailed information on the types of cookies used, their purposes and how you can manage your preferences, please consult our Cookie Policy.

6. WITH WHOM WE SHARE YOUR DATA:

The data collected on the website while we act as controller is shared only with indispensable third parties for the purposes expressly mentioned in this Policy.

Griaule may share information with: 

• Third party service providers (e.g. IT service providers, lawyers, auditors, credit card processing services, order fulfillment, analytics, event/campaign management, website management, information technology and related infrastructure provision, customer service, email delivery, auditing and other similar service providers) for such service providers to perform business functions on behalf of Griaule;
• Griaule distributors or resellers for additional follow-up related to your interests, specific partners offering complementary products and services or with third parties to facilitate interest-based advertising;
• Relevant third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with bankruptcy or similar proceedings);
• National Data Protection Agency (ANPD) and government control bodies, exclusively in cases of legal request, and only when acting as data controller.
• By court order or at the request of administrative authorities that have the legal power to requisition them.

Where third parties have access to personal information, we will take appropriate contractual, technical and organizational measures designed to ensure that personal information is processed only to the extent that such processing is necessary, consistent with this Privacy Policy and in accordance with applicable law.

8. INTERNATIONAL DATA TRANSFER:

Griaule uses the necessary tools to achieve the objectives of the activity, which make use of servers located in other countries. 

We use Google tools to store the information and its server is located in the United States in the us-east1 region. 

As well as Griaule's application, which uses servers contracted from Amazon AWS in its Northern Virginia/USA location. 

9. DATA ON CHILDREN AND ADOLESCENTS:

The content of the Griaule website is not intended for children or adolescents. The information on our website is aimed at people over the age of eighteen (18). Therefore, the company does not knowingly solicit, collect, process, store or share personal data from children and adolescents.

We would like to point out that we have taken the necessary measures to ensure that no data is collected from children and adolescents on our website without adequate justification. If we discover any unintentional handling of such data, we will remove that child's or teenager's personal data from our records as soon as possible.

10. DATA RETENTION AND DELETION PERIOD:

The data provided on the website will be stored by Griaule with the appropriate guarantee of confidentiality and level of security of the environment. All personal data processed in accordance with this Policy will be kept by Griaule for as long as necessary for the respective purposes. We may also retain information as required by law or regulation or for the regular exercise of rights, or in circumstances where there is a legitimate purpose on the part of Griaule or a third party.

With regard to personal data processed while Griaule is acting as controller, they may be subject to a request for deletion by means of a written request sent by e-mail to or on the Data Subject Service Form, specifying which data are to be deleted.

In all cases of exclusion, Griaule may retain information as required by law or regulation or for the regular exercise of rights, or in circumstances where there is a legitimate purpose of Griaule or third parties. It is important to note that, as required by law and in cases of request by the National Data Protection Agency (ANPD), this information must be kept for a minimum period of 5 (five) years. Therefore, it is not possible for us to delete personal data before the 5-year period when the legal basis for its processing is compliance with a legal obligation, performance of a contract and/or any other legal basis that justifies the need for such data. 

After the end of this period, the data will be duly expunged from Griaule's database, guaranteeing its complete deletion.

11. HOW WE KEEP YOUR DATA SAFE:

Any information provided by the User will be collected and stored in accordance with the strictest security standards, such as NIST and ISO 27001.

To this end, Griaule adopts a number of precautions, in compliance with the guidelines on safety standards established in the applicable laws and regulations, such as:

• Griaule uses the latest methods available on the market to anonymize your personal data when necessary;
• Griaule has protection against unauthorized access to its systems;
• Griaule only authorizes specific employees to access the place where your personal information is stored, provided that this access is essential to the development of the intended activity;
• Griaule guarantees that those agents and collaborators who process personal data must undertake to maintain the absolute confidentiality of the information accessed, as well as to adopt the best practices for handling this information, as determined in internal policies and procedures;
• Griaule performs regular backups. Software activity is checked consistently to protect the information you provide. Sophisticated protection systems are used and activity is monitored.

In addition to technical efforts, Griaule also adopts institutional measures aimed at protecting personal data, such that it maintains a privacy governance program applied to its activities and a governance structure that is constantly updated.

Access to the information collected is restricted to employees and authorized persons. Those who misuse this information, in violation of this Privacy Policy, Information Security Policy and internal policies, will be subject to the appropriate administrative, disciplinary and legal sanctions.

Although Griaule makes every effort to preserve your privacy and protect your personal data, no transmission of information is completely secure, so Griaule cannot fully guarantee that all the information it receives and/or sends will not be subject to unauthorized access perpetrated by methods designed to obtain information improperly, such as technical failures, viruses or invasions of the software database.

In any case, in the unlikely event of such an event, Griaule guarantees to make every effort to remedy the consequences of the event.

12. CUSTOMER SERVICE FOR DATA SUBJECTS

Griaule is committed to guaranteeing the rights of personal data subjects and facilitating the exercise of these rights. In accordance with the provisions of the General Data Protection Law (Law 13.709/2018 - "LGPD"), data subjects have the right to: 

Confirm that we are processing your personal data;

Access your personal data;

Request the correction of personal data that is incomplete, inaccurate or out of date;

Request the anonymization, blocking or deletion of personal data that is unnecessary, excessive or processed in breach of the provisions of the LGPD;

Request the portability of your personal data to another service or product provider, with due regard for our commercial and industrial secrets, after regulation by the National Data Protection Authority;

Request the deletion of personal data processed on the basis of their consent, except in the case of the retention of personal data provided for in the LGPD;

Request information about who we share your personal data with;

Revoke your consent to the processing of your personal data, when processing has been carried out on the basis of your consent;

 

In order to exercise these rights or obtain further information on the processing of their personal data by Griaule, data subjects may contact the Data Protection Officer - DPO hereby represented by the private legal entity IT2S Group through the following channel: DATA SUBJECT SERVICE FORM.

Our DPO is responsible for conducting all the activities required by the LGPD and the ANPD, including:

1. Accept complaints and communications from data subjects, provide explanations and adopt measures;
2. Receive communications from the ANPD and adopt data protection measures

necessary;

• Guide our employees and contractors on practices to be taken in relation to the protection of personal data;

Important: In the event of a request where Griaule is acting as the data controller, the data subject must make their request directly to the contractor of Griaule's services. In these cases, Griaule will cooperate with the data controller as far as possible to comply with legal obligations relating to the rights of data subjects.

13. INFORMATION AND QUESTIONS

If after reading this Policy you have any questions, you can contact our privacy team or our Officer via this e-mail: dpo.griaule@it2sgroup.com.

14. UPDATING THIS POLICY

Griaule reserves the right, at its sole discretion, to modify, alter, add or remove parts of this policy at any time. We recommend that you check this policy every time you browse the site.

By accessing the Griaule website, the user expresses their free acceptance of the terms of this Privacy Policy, authorizing the collection of the data and information mentioned herein, as well as its use. If you continue to use the Griaule website, it will be considered as your unequivocal consent and irrevocable and irreversible acceptance of all the terms and conditions contained in the amended Privacy Policy.

This Policy and its respective updates shall prevail over all policies, proposals, contracts, previous understandings and agreements, oral or written, that may exist between the parties dealing directly or indirectly with the subject of privacy.