Privacy Policy
Welcome to Indigo Hive!
At Indigo Hive, your privacy is our top priority. We’ve created this policy to let you know what data we collect, why we collect it, how we use it, and what rights you have. Read it with peace of mind: we’re here to make sure you have full control over your information.
Introduction
INDIGO HIVE INFORMATION TECHNOLOGY CONSULTING LTDA, a limited liability company, registered with CNPJ no. 38.217.648/0001-97, with headquarters at Rua Haddock Lobo, no. 578, 4th floor, suite 41, Cerqueira César, CEP 01414-900, São Paulo/SP, hereinafter referred to as “INDIGO HIVE”, is committed to protecting your personal data and privacy in all our operations. This Information Privacy Management Policy ("Privacy Policy") reflects our commitment to transparency, ethics and security in the processing of personal data.
It is aligned with the General Law for the Protection of Personal Data (Law No. 13,709/2018), the Civil Rights Framework for the Internet (Law No. 12,965/2014) and our Information Security Policy (PSI), ensuring that data is treated responsibly and securely.
In accordance with the LGPD, INDIGO HIVE acts as the Controller of personal data when we collect information directly from you, whether in the provision of our technology and consulting products and services, or in other contexts involving the processing of personal data. In this role, we define the purposes and means of processing data, always respecting the current legal bases and ensuring the protection of your rights.
Depending on the nature of the business relationship with our partners, we may also act as a Personal Data Processor. In this role, we process data strictly in accordance with the purposes and instructions defined by our partners, as agreed in the contract, and it is the responsibility of these partners to determine the purposes of the processing and the applicable legal bases.
Objective
This Privacy Policy establishes the guidelines for the safe and responsible processing of personal data, in accordance with applicable laws. The Privacy Policy aims to guarantee the protection of the rights of data subjects, ensure compliance with legal and regulatory obligations and promote transparency in the use and management of personal data, regardless of its format, whether electronic, paper, audiovisual, or any other medium.
Scope
This policy applies to all personal data processed, including customers, suppliers, service providers, business partners, employees and any natural person whose information is processed. It covers all activities involving the collection, use, storage, sharing and disposal of personal data, whether carried out manually or automatically, in any environment or platform.
Terms and Definitions
For the purposes of this policy, the following definitions apply:
Processing Agents: The Controller and the Operator, responsible for the processing of personal data.
Anonymization: Use of reasonable technical means available at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual.
National Data Protection Authority – ANPD: Body of the direct federal public administration of Brazil, linked to the Presidency of the Republic, responsible for ensuring, implementing and monitoring compliance with Law No. 13,709/2018 (General Law on the Protection of Personal Data - LGPD).
Database: Structured set of personal data, established in one or more locations, in electronic or physical support.
Legal Basis: Legal basis that authorizes the processing of personal data, as provided for by the LGPD.
Blocking: Temporary suspension of any processing operation, by storing the personal data or database.
ID Code (IMEI): A unique numeric identifier for mobile devices, used to identify and authenticate devices such as smartphones and tablets. The IMEI (International Mobile Equipment Identity) is considered personal data as it can be linked to a specific individual.
Consent: Free, informed and unequivocal expression by which the holder agrees to the processing of his/her personal data for a specific purpose.
Controller: Natural or legal person, under public or private law, responsible for decisions regarding the processing of personal data.
Cookies: Files stored on the user's device while browsing the internet, collected by the browser, which record preferences and personalize access to the services of portals, websites, applications and other tools.
Anonymized Data: Data relating to the holder that cannot be identified, considering the use of reasonable technical means available at the time of processing.
Personal Data: Information relating to an identified or identifiable natural person.
Personal Data of Children and Adolescents: Personal data of children (up to 12 years old) or adolescents (between 12 and 18 years old). The LGPD requires consent from parents or guardians for the processing of this data.
Sensitive Personal Data: Personal data about racial or ethnic origin, religious belief, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.
Data Mapping: Process of identifying, inventorying and documenting where and how personal data is collected, stored, used and shared within an organization.
Deletion: Deletion of data or a set of data stored in a database, regardless of the procedure used.
Responsible: Person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the ANPD.
IP address: Numerical sequence that identifies a network device on the internet, considered personal data when linked to a specific individual.
Geolocation: Data indicating the geographic location of a device or individual, obtained through technologies such as GPS, mobile networks or Wi-Fi.
Corporate Governance: System through which companies and other organizations are managed, monitored and encouraged, covering relationships between partners, board of directors, management, supervisory and control bodies, and other interested parties.
Security Incident: Adverse event, confirmed or suspected, that compromises the confidentiality, integrity or availability of personal data.
LGPD (General Law for the Protection of Personal Data): Law No. 13,709/2018, which regulates the processing of personal data in Brazil, protecting the fundamental rights of privacy and freedom of individuals.
Free Access: Guarantee to holders of easy and free consultation on the form and duration of the processing, as well as on the integrity of their personal data.
Internet Civil Rights Framework: Law No. 12,965/2014, which establishes principles, guarantees, rights and duties for the use of the internet in Brazil, regulating aspects such as privacy, security and freedom of expression on the network.
Operator: Natural or legal person, under public or private law, who processes personal data on behalf of the controller.
Privacy by Default: Principle that ensures that the default settings of systems and services guarantee maximum data protection, allowing minimal processing of personal information, unless the holder chooses to change them.
Privacy by Design: An approach that integrates data protection and privacy from the beginning of the development of processes, products and services, ensuring that privacy is a fundamental component at all stages.
Data Protection Impact Report: Document prepared by the controller that contains a description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as risk mitigation measures.
Data Holder or Owner: Natural person to whom the personal data being processed refers, such as employees, shareholders, suppliers and customers.
Treatment: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
International Data Transfer: Sending personal data to a foreign country or international organization.
Shared Use of Data: Communication or interconnection of personal data between public and private entities.
Personal Data Breach: Security incident resulting in damage to the confidentiality, integrity or availability of personal data.
Roles and Responsibilities
The following responsibilities are assigned to ensure implementation and compliance with this policy:
General Responsibilities
INDIGO HIVE, as Controller and Operator, has distinct responsibilities:
As Controller:
Define the purposes and means of processing personal data.
Keep a record of personal data processing operations.
Monitor compliance with this policy and adopt protective measures.
Report any serious security incident to the ANPD.
Comply with the ANPD's determinations and ensure the appointment of the Person in Charge (DPO).
Support the Data Protection Officer in promoting his/her duties and in developing data protection impact reports (DPIR).
Include data protection clauses in concluded contracts.
Implement and sponsor good governance and personal data protection practices.
Do not allow discriminatory, illicit or abusive practices in data processing.
As Operator:
Carry out the processing of personal data in accordance with the instructions of the controller.
Keep a record of data processing operations carried out on behalf of the controller.
Adopt appropriate security measures to protect personal data.
Inform the controller of any security incident.
Comply with ANPD guidelines and determinations, as applicable.
Ensure that contractual clauses with third parties comply with data protection requirements, as directed by the controller.
Do not allow discriminatory, illicit or abusive practices in the processing of personal data under your responsibility.
Specific Responsibilities
Responsibilities assigned to different areas and agents:
Audit:
Carry out periodic audits of data processing processes.
Identify risks and failures in compliance with the LGPD and propose corrective actions.
Verify the effectiveness of security controls.
Support the Data Protection Officer (DPO) in preparing compliance reports.
Contributors:
Treat personal data in accordance with company policies and procedures.
Ensure the confidentiality and security of data when performing their duties.
Immediately report any security incident or suspected data breach to the Data Protection Officer (DPO) or security team.
Participate in training and development on data protection and information security.
Data Governance Committee (CSGI):
Define and monitor data protection and privacy strategies.
Review and approve data protection impact reports.
Monitor the effectiveness of data protection practices and suggest continuous improvements.
Coordinate efforts between different areas of the company to ensure an integrated approach to privacy and data protection.
Data Protection Officer (DPO):
According to the second paragraph of article 41 of the LGPD, the activities of the Data Protection Officer (DPO) consist of:
Accept complaints and communications from data subjects, provide clarifications and take necessary measures.
Receive communications from ANPD and take the relevant measures.
Guide employees and contractors on best practices for protecting personal data.
Perform other tasks determined by the controller or established in supplementary standards.
Additionally, the DPO is responsible for:
Support, advise, monitor and supervise those responsible for processing personal data, internally or externally, on behalf of the organization.
Monitor the maintenance and annual review of the organization's privacy and data protection standards and policies, ensuring the generation of history and evidence necessary for certification and auditing of processes.
Ensure that internal biannual and external annual audits are carried out and monitored for the management of privacy and protection of personal data.
Monitor compliance with the organization's privacy policies and standards.
Keep up to date on the applicable regulatory landscape and interact with the Information Security team on data protection and incident monitoring.
Keep senior management informed about internal aspects of privacy and personal data management.
Monitor and follow up on the handling of privacy and personal data incidents.
Monitor, track and propose corrective measures for processes associated with data subjects’ rights.
Review, monitor and approve personal data processing records.
Drive privacy culture in the organization through awareness, interaction with departments and promotion of specific activities.
Participate in area meetings, when required, and provide legal support on data protection matters whenever requested.
Monitor compliance with contractual requirements related to data processing and ensure that third parties involved in the processes also follow data protection standards.
Determine, monitor and review internal and external factors relevant to the organization's context that affect its ability to achieve the intended results of its privacy and data protection management program.
Information Technology Team (ITS):
Ensure that systems and applications comply with privacy and data protection policies, ensuring that they follow the requirements established by the LGPD and the company's internal policies.
Implement appropriate technical and organizational measures to guarantee the integrity, confidentiality and availability of personal data processed by INDIGO HIVE.
Establish and maintain security standards for the protection of personal data, ensuring that data is adequately protected against unauthorized access, breaches and other threats.
Respond promptly to security incidents related to the processing of personal data and adopt the necessary corrective measures.
Collaborate with the Data Protection Officer (DPO) to ensure that security measures are aligned with data protection standards and best market practices.
Partners, Third Parties and Suppliers
Process personal data in accordance with the definitions and instructions provided, without using them for different purposes.
Comply with the obligations established in the contract, which include responsibilities and penalties, to ensure the protection of the rights of data subjects.
Ensure that the processing of personal data complies with our policies and best security and governance practices.
Undergo periodic assessments and monitoring to verify compliance with our security policies and standards.
Take responsibility for any personal data breach that originates from your operating environments.
Data Subjects:
The holder is responsible for ensuring that the personal data provided to INDIGO HIVE is correct and up to date, avoiding the provision of false or insufficient information that could compromise the proper processing of the data.
The holder must promptly inform any change in his/her personal data to ensure that the information held by INDIGO HIVE is accurate and up-to-date.
Data subjects must be aware of their rights and obligations under the LGPD and ensure that their interactions with INDIGO HIVE comply with legal requirements.
The holder must observe and respect the policies established by INDIGO HIVE to guarantee the protection and security of their personal data.
Guidelines
The following guidelines aim to detail the principles and practices that guide the processing of personal data. They aim to ensure compliance with applicable legislation, ensuring that data collection, use, storage and disposal operations are carried out responsibly, protecting the privacy of data subjects and complying with established legal obligations.
How We Treat Your Data
Personal data is processed responsibly and in accordance with current legislation. In this section, we present the principles that guide the processing, the purposes for which the data is used, the legal bases that support these operations and how the data is collected and managed throughout the life cycle.
Our Principles
We are deeply committed to protecting the privacy and security of personal information under our responsibility. All activities involving the use of personal data strictly follow the principles established by the LGPD and Privacy by Design. Our priority is to ensure that information is treated in an ethical, transparent and responsible manner, reinforcing our commitment to the integrity and trust of data subjects.
LGPD Principles:
Purpose: Data is used exclusively for legitimate, specific and explicit purposes, previously informed to the holder.
Adequacy: The use of data is compatible with the purposes stated, taking into account the context and needs of the process.
Necessity: We limit the use of data to what is essential to fulfill the established purposes, avoiding the collection and use of unnecessary information.
Free Access: We guarantee holders the right to easily access their information, offering free and easy consultation.
Quality of Information: We keep personal data correct, clear and up-to-date, ensuring its accuracy and relevance.
Transparency: We provide clear and accessible information about how data is used and the agents involved.
Security: We adopt technical and administrative measures to protect personal information against unauthorized access and security incidents.
Prevention: We implement preventive measures to avoid any harm resulting from the use of information.
Non-Discrimination: Personal information is never used for discriminatory, unlawful or abusive purposes.
Accountability and Responsibility: We demonstrate compliance with legislation and ensure the effectiveness of measures adopted to protect personal information.
Privacy by Design Principles:
Proactivity and Prevention: Our approach involves identifying and preventing privacy risks from the beginning of projects, not just when problems arise.
Privacy by Default: We ensure that privacy protection measures are automatically applied in all projects.
Total Functionality: We seek a balance between the protection of personal information and the efficiency of processes, ensuring that privacy does not compromise the functionality of operations.
End-to-End Security: Personal information is protected throughout its lifecycle, from collection to disposal or anonymization.
Visibility and Transparency: We maintain full transparency regarding activities involving data and the protection measures adopted, providing clear and accessible information to data subjects.
Respect for the Data Subject's Privacy: Our commitment is to ensure that personal information is treated responsibly and securely, respecting the interests and rights of the data subjects.
Why We Process Your Data
We are a technology company that operates in several areas and, in order to provide our products and services efficiently and securely, we need to use personal data in several essential activities. We use this information responsibly and in compliance with applicable legislation, always with the aim of providing the best experience for our customers and stakeholders.
The main purposes include:
Formalize and fulfill contracts, ensuring the delivery of agreed products and services.
Manage relationships with customers and stakeholders, maintaining efficient communication, resolving complaints, queries and requests, and offering the necessary support to ensure everyone's satisfaction.
Send you relevant communications, including service updates, maintenance, policy changes, and other important information.
Manage candidate and employee data across processes such as recruitment, payroll, benefits and performance, in compliance with legal requirements.
Comply with legal and regulatory obligations by processing data to meet tax, accounting and legal requirements.
Prevent fraud and illicit activities by implementing identity verification and monitoring suspicious transactions.
Ensure information security, protecting our systems and networks against cyber attacks, fraud and unauthorized access.
Monitor access and surveillance at our facilities, ensuring security through access control and surveillance cameras.
Manage payments and billing, processing financial transactions, issuing invoices and ensuring financial obligations are met.
Respond to access and correction requests, ensuring that data subjects can review, correct or delete their data as permitted by law.
Conduct satisfaction surveys, collecting feedback to improve our services and ensure they meet expectations and regulatory requirements.
Develop new products and services, using anonymized or pseudonymized data to better understand our customers' needs.
Respond to demands from the ombudsman, ensuring compliance with legal requirements in sensitive or formal cases.
Exercise the right of defense in judicial or administrative disputes, using data as necessary to protect our legal interests.
Our Legal Bases
For each activity involving the use of personal data, an appropriate legal basis is assigned, as established by the LGPD. Below, we present the legal bases that support these operations, applied in accordance with the purposes described above:
Legal Basis | Application (Purpose) | LGPD
Contract Execution | Use of data for the formalization and fulfillment of contracts, agreements and pre-contractual obligations. | Art. 7, V
Compliance with Legal or Regulatory Obligation | Necessary to meet applicable tax, labor, legal, regulatory and other obligations. | Art. 7, II
Legitimate Interest | Applicable to the recruitment and selection of candidates, product improvements, services, security and fraud prevention, as long as the rights of the holder are respected. | Art. 7, IX
Consent | Necessary for sending newsletters and marketing communications, or for recruitment and selection, with the explicit authorization of the holder. | Art. 7, I
Regular Exercise of Rights | Necessary for defense in judicial, administrative or arbitration proceedings. | Art. 7, VI
Protection of Life or Physical Safety | Necessary to protect the life or physical integrity of the holder or third parties in emergency situations. | Art. 7, VII
Health Guardianship | Use of employee data to meet occupational health and safety obligations. | Art. 7, II and Art. 11, II, "f"
Scientific Research | Conducting scientific research or studies with anonymized or pseudonymized data. | Art. 7, IV
Credit Protection | Applicable in actions related to collection and default, in accordance with the Positive Registration Law. | Art. 7, X
How We Obtain Your Consent
If consent is the legal basis for the processing of your personal data, it will be obtained freely, in an informed, specific and unequivocal manner. If there is any change in the purpose, form or duration of the processing, or in any aspect that differs from what was initially agreed, we will inform you, and you may revoke your consent at any time. We respect all your rights as a data subject and guarantee the possibility of exercising them, as described in the topic "Your Rights and How to Exercise Them". Contact instructions are available in "How to Contact Us".
In situations where we act as a processor, we process personal data under the instructions of the company with which you have a contract, the controller. All decisions regarding consent (such as review, update or revocation) are the responsibility of that company. Therefore, any request regarding consent must be addressed directly to the controller, which is responsible for managing these requests.
How We Collect and Receive Your Data
We collect your personal data directly from you in an ethical and responsible manner, requesting only the information strictly necessary to fulfill specific purposes. Following the principle of data minimization, we ensure that the volume and type of information collected is adequate and limited to what is essential for the execution of services, compliance with legal obligations or to meet legitimate interests, always respecting your rights.
The types of data we collect directly may include:
Identification Data: Name, surname, CPF, ID, date of birth, age, marital status, place of birth, nationality, filiation.
Contact Information: Email, address, telephone numbers.
Financial Data: Used for payment processing.
Login Data: Username and password (for authentication on systems or platforms).
Technical Data: Recording of IP address, device type, operating system used and geolocation (latitude and longitude, for security and fraud prevention purposes).
Navigation Data: Pages visited, time spent, usage statistics and interaction with our websites and platforms, as well as cookies (including third-party cookies for analytics and marketing).
Interaction Data: Recordings of interactions with our customer support, such as phone calls or chat history, where applicable.
Additionally, we may receive your data from authorized third parties or public sources, always in compliance with applicable law. Such data may include:
Registration Information: Provided by partners or service providers.
Data from Public Sources: For identity verification or other legitimate purposes.
In situations where we act as a Processor, we process your personal data in accordance with the instructions and purposes defined by the company with which you have entered into a contract, the Controller. In such cases, we have no control over the types of data provided, receiving only the information necessary to fulfill the purposes established by that company.
Sensitive Data
We are committed to ensuring that Sensitive Personal Data is processed with the highest possible security and in a manner that is restricted to the minimum necessary. In some situations, such as protecting our facilities or authenticating to confirm a person’s identity, the use of sensitive data, such as biometric or medical data, is essential to meet operational and legal purposes.
Biometric Data: Information such as facial and fingerprint data, used to control access to facilities or for authentication in systems, when it is necessary to confirm identity.
Whenever the processing of Sensitive Personal Data is necessary, you will be informed of the purpose and, where applicable, your consent will be obtained clearly, specifically and in accordance with current legislation.
Children and Adolescent Data
Although we do not offer products or services directly to children and adolescents, the processing of personal data from this group may occur in some specific situations:
In the case of young apprentices and interns, in addition to complying with legal obligations, formal consent from parents or guardians is required, as provided for in the Apprenticeship Law (Law No. 10,097/2000).
In other contexts, the processing of data from children and adolescents will be carried out with the specific and highlighted consent of at least one of the parents or legal guardian, in accordance with the requirements of the LGPD.
Who We Share Your Data With
In order to offer our products and services efficiently, it may be necessary, in some situations, to share personal data with trusted business partners who help us ensure the quality and agility of our operations.
We may share your personal data with:
Service Providers: We share your personal data with service providers we contract to facilitate, promote and optimize our activities. These service providers are contractually prohibited from using the data for any purposes not previously agreed upon by us. Our contracts clearly specify their responsibilities and penalties, ensuring that your rights are protected.
Authorities and regulatory bodies: When required by law, regulation or court order, your data may be shared with government authorities and regulatory bodies, always respecting privacy and data protection requirements.
Companies in the same economic group: For internal administrative purposes, auditing or process optimization, your data may be shared between companies in the same economic group, always with guarantees of security and confidentiality.
Mergers, acquisitions or corporate reorganizations: In the event of a merger, acquisition or sale of assets, your data may be shared with the entities involved, in compliance with privacy and data protection requirements.
External law firms: Your data may be shared with law firms to act in extrajudicial, judicial, administrative or arbitration proceedings, when necessary to protect our rights, prevent fraud or comply with legal obligations.
Business partners: In specific circumstances, we may share your data with business partners for the execution of contracts or to offer complementary products and services. This sharing will always be based on the purposes previously informed and, when necessary, with the consent of the holder.
To ensure the protection of your data, all third parties with whom we share information undergo rigorous assessments and ongoing monitoring, ensuring compliance with our policies and best security and governance practices. In addition, these third parties are held liable for any personal data breaches that occur within their environments.
Where We Store Your Data
We store the personal data we collect or receive from third parties securely using a combination of data centers, cloud services and servers owned or operated by partners. All storage environments adhere to strict security standards and comply with data protection legislation.
We use the following forms of storage:
Own servers, located on the company's premises or at partners (data centers), with exclusive management by our team.
Cloud services, managed by us, with infrastructure maintained by partners who follow the same security standards established in our policies. These servers may be located in other countries, and we contractually guarantee that our partners maintain data in countries that offer adequate levels of protection as required by law or adopt appropriate security measures, regardless of location.
Partner servers, managed by these partners and monitored by us, with security controls and data protection guaranteed by contracts.
How Long We Keep Your Data
The personal data we collect or receive is retained for as long as necessary to fulfill the purposes described in this policy and to meet legal, contractual and regulatory requirements. The retention period varies depending on the nature of the information and the purpose of the processing. We periodically review our policy to ensure that data is not retained for longer than necessary.
After the need for data has ended, it is securely and irreversibly deleted or anonymized. Retention follows these principles:
Compliance with Legal or Regulatory Obligations: Data may be retained for as long as necessary to comply with tax, labor, accounting obligations or for litigation and investigation purposes.
Contractual Obligations: Data is retained as long as necessary for the fulfillment of contractual obligations, including warranties and limitation periods related to the contract.
Legitimate Interest: In situations justified by legitimate interest, the data is kept until the purpose is achieved, as long as this does not infringe the rights of the holder.
Deletion Request by the Holder: If the holder requests the deletion of the data, we will proceed with the secure disposal, provided that there is no other legal basis that justifies the retention.
Controller Instructions: In cases where we act as an operator on behalf of another organization (controller), we follow the retention period defined by the controller, complying with specific instructions for deletion or anonymization of data at the end of the established purpose.
Use of Cookies
To provide an improved experience with our services and products, we use cookies. But what are cookies? Cookies are small files saved on the user's device during navigation, stored in their browser, which help to personalize access and remember preferences.
For details on how they work, see our Cookie Policy.
We use cookies to collect, process, store and/or share browsing information (with partner companies) for the following purposes:
Make navigation more agile and efficient;
Improve your experience and interaction with our services, products, websites, applications and communications;
Offer more relevant content and offers aligned with your interests;
Increase the effectiveness and continuity of our communication with you;
Respond to queries and requests;
Conduct marketing and relationship research to improve our products and services, as well as to obtain general statistical data.
You can, at any time, set your browser to warn you about the use of cookies or disable them if you prefer. Disabling non-essential cookies may limit your experience and affect some functionality.
To deactivate, please consult the specific settings of each browser:
Internet Explorer / Firefox / Google Chrome / Safari / Microsoft Edge
Use of Third Party Links and Platforms
Our websites and platforms may contain links to third-party websites or services. The presence of these links does not represent an endorsement or sponsorship of these platforms, which are subject to their own terms of use and privacy policies, over which we have no control or responsibility. We recommend that you read the terms and privacy policies of these websites before providing any personal data.
If you choose to contact us through third-party platforms (such as LinkedIn, Instagram, Telegram or WhatsApp), the processing of your data will also follow the terms and privacy policies of these platforms, and is the sole responsibility of these companies. We assume no responsibility for the use of information shared on these external platforms.
Use of Automated Decisions
In certain situations, INDIGO HIVE may employ automated technologies to process personal data in order to make decisions more quickly and efficiently. This may include, but is not limited to, customer profiling, process optimization, personalized recommendations or security screening.
Automated decisions based on these technologies will be conducted in a transparent manner, allowing data subjects to understand the criteria used. When these decisions affect the rights or interests of the data subject, the data subject will have the right to request a review of these decisions by a natural person, as provided for in article 20 of the General Data Protection Law (LGPD).
To exercise this right, the data subject can contact us through the service channels indicated in this policy.
International Transfers
We use cloud services and technologies to store data, which may be located in Brazil or in other countries. When data is stored outside of Brazil, this constitutes an "International Data Transfer", according to national legislation.
We guarantee that, regardless of where your personal data is stored, it will be subject to the same strict protection and security measures applied in Brazil. Transfers of personal data to other countries will only occur to destinations that offer a level of protection compatible with that provided for in the LGPD, or to companies that commit, through contracts, to adopt the same security and compliance standards.
All international transfers will follow ANPD guidelines, in compliance with applicable regulations, ensuring that legal and regulatory requirements are respected and that your data is protected.
Data Protection Impact Report (DPIR)
At INDIGO HIVE, we have adopted the Data Protection Impact Report (DPIR) as an essential tool for assessing and managing the risks associated with the processing of personal data. The DPIR ensures that our practices comply with data protection legislation and allows us to identify possible impacts on the rights and freedoms of data subjects, in accordance with the principles of the General Data Protection Law (LGPD).
A DPIR is drawn up whenever a project, system or process involves a high potential risk to privacy, especially in cases such as:
Implementation of New Technologies: Risk assessment when new tools, platforms or systems are incorporated into the processing of personal data.
Processing of Sensitive Data: Identification of risks and security measures when the processing includes sensitive personal data, such as biometrics, health data or financial information.
Continuous Monitoring and Automated Decisions: Impact analysis in situations involving constant monitoring of data subjects or the use of automated processes that may significantly affect the rights of individuals.
International Data Transfers: Assessment of the protections applied when transferring personal data to other countries, ensuring compliance with the requirements of the LGPD.
Each DPIR includes a detailed description of the processing operations, the risks identified, the security measures applied and the corrective actions recommended to mitigate these risks. The report is documented and reviewed regularly, with the support of our security team and the Data Protection Officer (DPO), ensuring that INDIGO HIVE remains compliant with the best practices in privacy and data protection.
How We Keep Your Data Safe
At INDIGO HIVE, we prioritize protecting and respecting the security and privacy of our customers’ personal data. We act as data controllers and processors, guided by our Information Security Policy and our commitment to privacy. These guidelines ensure solid and transparent practices to protect information, in accordance with the principles of confidentiality, integrity, availability and privacy.
Our main practices include:
Information Security and Privacy Policy: Our policy defines strict practices to ensure the protection of personal data in all processes, following the highest security standards and legal requirements.
Data Encryption and Privacy: We use advanced encryption to protect data, both at rest and in transit, reinforcing security against unauthorized access.
Access Controls and Training: We adopt role-based access controls and conduct ongoing security and privacy training to ensure that only qualified professionals access sensitive information.
Constant Monitoring and Auditing: We conduct ongoing monitoring and regular audits to verify compliance with our policies, promptly correcting any vulnerabilities.
Privacy Protection with Anonymization and Pseudonymization: Where applicable, we employ anonymization and pseudonymization techniques to preserve data privacy and reduce the impact of potential security incidents.
Incident Response and Privacy Protection Plans: We maintain a security incident response plan, which includes actions to protect data privacy and mitigate any impacts.
Third Party Agreements: We establish strict privacy and confidentiality agreements with third parties that may have access to data, requiring that their processes meet the same protection and privacy standards adopted by INDIGO HIVE.
Security Incident Notification
We adopt strict measures to protect our customers' personal data, acting both as data controller and data processor, with the aim of preventing security incidents. However, in the event of an incident that compromises the confidentiality, integrity or availability of personal data, we have a Personal Data Breach Incident Management Plan to manage and mitigate the impacts, following the guidelines of the General Data Protection Law (LGPD).
In the event of a security incident, we commit to following the steps defined in our plan:
Incident Identification and Assessment: Once identified, the incident will be analyzed by the security team to determine its severity, possible causes and impact on the personal data and systems involved.
Containment and Mitigation Measures: Immediately after detection, we will implement actions to contain the incident and reduce risks to data subjects, including blocking access, correcting vulnerabilities and continuous monitoring of affected systems.
Notification to Data Subjects: In cases where there is a relevant risk to the rights and freedoms of data subjects, we will notify affected individuals promptly, providing clear information about the nature of the incident, the potentially compromised data, the measures adopted and guidance to minimize the effects.
Notification to Competent Authorities: In compliance with the LGPD, we will notify the National Data Protection Authority (ANPD), whenever necessary, with details on the extent and nature of the incident, as well as the containment and remedial actions taken.
Post-Incident Monitoring and Reporting: Following an incident, we will conduct a detailed analysis to identify opportunities for improvement in our security controls to prevent recurrences. We will document and store all reports regarding the incident, as provided for in our security and privacy policies.
Our Personal Data Breach Incident Management Plan is reviewed periodically to ensure that measures are always aligned with best practices and in compliance with legal obligations.
Periodic Audits
We conduct regular audits to ensure that the processing of personal data complies with this policy and the LGPD. These audits verify the correct application of internal guidelines and identify improvements where necessary.
Your Rights and How to Exercise Them
At INDIGO HIVE, we are firmly committed to transparency and respect for your privacy rights. We know how important it is for you to have control over your personal data and to be able to decide how it is used. In compliance with the General Data Protection Law (Law No. 13,709/2018 - LGPD), we guarantee you a series of rights that can be exercised directly with us, as described below:
Confirmation and Access: Request confirmation of the existence of processing and obtain access to the personal data we hold about you (Art. 18, I and II).
Data Correction: Request the correction of information that is outdated, incorrect or incomplete (Art. 18, III).
Blocking, Anonymization or Deletion: Request the blocking, anonymization or deletion of data considered unnecessary, excessive or processed in non-compliance with the law (Art. 18, IV).
Opposition to Processing: Object to the processing of personal data, especially in the event of non-compliance with legal provisions (Art. 18, IX).
Revocation of Consent: Revoke the consent previously provided for the processing of personal data, interrupting the use of the data under this legal basis (Art. 18, IX).
Data Portability: Request the portability of personal data to another service or product provider, as regulated by the National Data Protection Authority (ANPD) (Art. 18, V).
Deletion of Data Processed Based on Consent: Request the deletion of personal data processed based on consent, except in situations where data retention is permitted by other legal bases, such as:
Compliance with legal or regulatory obligation (Art. 16, I);
Studies by research bodies with due anonymization of data, when applicable (Art. 16, II);
Transfer to third parties in an authorized manner, respecting legal requirements (Art. 16, III);
Exclusive use by the controller with anonymization, access by third parties prohibited (Art. 16, IV).
To exercise any of these rights, you can contact us through the service channels indicated in this policy. Our Data Protection Officer (DPO) is available to respond to your requests, ensuring transparency and compliance of our processes with the LGPD.
When We Act as a Processor
In situations where INDIGO HIVE acts as a personal data processor on behalf of another organization (controller), the exercise of data subjects’ rights must be directed to the responsible controller. In this role, INDIGO HIVE processes personal data according to the instructions and purposes established by the controller, in compliance with the agreements and applicable legislation.
If we receive a request to exercise rights in cases where we act as a data processor, we will forward the request to the competent controller and inform the data subject about this procedure. In this way, we ensure that all rights are met in accordance with the LGPD guidelines.
How to Contact Us
If you have any questions about this Privacy Policy, wish to make a request related to your rights as a data subject, or wish to file a complaint about the processing of your data, please contact our Data Protection Officer (DPO) or use the service channels available on our website:
DPO Name: Lucas Silva de Sena
Telephone: +55 (11) 9 6419-8127
Email: dpo@indigohive.com.br
Every effort will be made to respond to the data subject's requests as quickly as possible. When the request involves additional queries or greater complexity, the response period may be up to thirty (30) days.
Please note: in order to verify your identity and the legitimacy of your request, we may ask you to provide some personal data and documents for the authentication process. This data will be stored in our databases to meet possible legal and regulatory demands, proving that your request was made and fulfilled. We will not use your data for any other purposes.
Applicable Law and Dispute Resolution
This Privacy Policy will be governed by and interpreted in accordance with the laws of the Federative Republic of Brazil, in particular the General Law on the Protection of Personal Data (Law No. 13,709/2018).
Any disputes or controversies related to the processing of personal data, as described in this Policy, must be resolved amicably, seeking consensual solutions between the parties. If an agreement is not possible, the parties elect the jurisdiction of the District of Brasília/DF as the competent court to settle any issues arising from this Policy, expressly waiving any other, however privileged it may be.
Validity and Review
This policy comes into effect on the date of its approval and publication by the Integrated Management System Committee (CSGI).
This policy will be reviewed once a year or as necessary, following the procedures set out in the guidelines of this policy.
Any changes will be formally communicated to everyone involved, ensuring they are kept up to date with the new guidelines.
Revision 01 Date: 04/06/2025