Introduction

The ISH Group, respecting the commitment to the Brazilian legal regulations, as well as the basic principles of information security of those who access its digital platforms, reaffirms its commitment to respect the privacy and protection of the personal data of whoever it may be.

Thus, seeking to demonstrate our commitment, we present our Privacy Policy, which aims to provide clear and precise information about the collection, processing and control of personal and sensitive data performed by the ISH Group when anyone uses its products, portals, websites, services and applications.

Personal Data Collection

ISH only collects the information that you agree to provide when you use our products, portals, websites, services and applications, for example, by filling out the forms we make available for registration, directly in our relationship channels or through the use of any of our products or security tools.

1.1. REGISTRATION INFORMATION

By using ISH products you share the Information below:

a) Registration data: personal information necessary for us to identify you and thus offer our products and services. It can be: name, last name, profession, CPF, RG, address, telephone, e-mail, etc.

At any time you can check the full list of the Registration Information that ISH collects using the specific link in the menu "Privacy Service". At this link you can also request a copy of all the data we have about you, exercising your legal right to change it, adjust it or even request its deletion.

Remember that some of this information can be obtained through public sources or even through the sharing of your personal data carried out by the social networks and consented to by you there, when you made your registration and allowed the networks to share them with third parties, especially when this expedites authentication, characterizes behaviors, answers surveys and others.

1.2. NAVIGATION INFORMATION

In order to enhance the experience of those who use our digital platforms, improving the performance of the applications, customizing the offer of possible products or services, sending alerts or notifications regarding your profile, if already known in our environment, ISH may collect, upon your clear and unequivocal consent, the company's legitimate interest in your data, with due legal protection, or by determination regulated by law in Brazil, the following information:

a) Traffic Data: (i) geolocation and telemetry, if using a mobile device, (ii) date and time of access, (iii) dwell time on a given information page, (iv) SMS sending, for cases of double degree of authentication, (v) volume of data trafficked in the accesses, (vi) data on the level / quality of services (occurrence of failures, intermittence, etc.), (vii) protocols, including internet protocols (IP), with their addressing and ports used, (viii) browser type, (ix) resources and devices used, (x) functionalities accessed, etc;

b) Voice Data: when there is contact through one of the Customer or Employee Service channels, with recording of the service;

c) Profile Data: preferences for specific products, services and activities, such information being either provided by the user himself or deducible from the way the products and services are used or accessed;

d) Browsing Data: browsing history, as well as search terms and links used, aiming at the eventual offer and personalized recommendations when there is the user's consent, by collecting the categories of the websites/services/applications, all provided by means of the mobile device, computer, TV or other compatible device used in browsing).

1.3. USE OF COOKIES

Cookies are files that store some basic information about you and about what you access on our digital platforms, or about some advertising. They are temporarily stored on the devices you use to browse or access our platforms so that when you return in the future we know it is you.

The use of cookies helps ISH to provide you with a personalised and responsive service based on your previous choices, and also allows us to analyse trends to improve your experience on our platforms.

To learn more about how ISH Group uses cookies, as well as your right and ability to reject this feature, please check our Cookie Policy available at ish.com.br/politica-de-cookies

1.4. THIRD-PARTY WEBSITES AND APPLICATIONS

Some ISH Group services and products may be contracted and/or provided through different applications, operating systems or platforms, including those of third parties, such as social networks and search platforms (provider).

An example of this is the possibility of connecting to ISH Group websites and social networks through authentication to existing accounts on the application provider of your choice, such as social media registration accounts and internet search engines (activity where there will be cross-publishing and cross-service authentication features).

In such cases, information from your Provider that you have spontaneously agreed to share will be passed to ISH when used for identification or authentication in our environment, such as Registration Information, for verification and access assurance purposes, and Consumer Information, for continuous improvement of the experience of those using our platforms.

You need to be aware that the information GRUPO ISH receives has been shared by you, according to your Provider's Privacy Policies and, only after receiving and storing it, we become responsible for its safekeeping, care and commitment to your privacy, ensuring that it is only used with your consent and for the purpose for which it was collected.

Thus, it is recommended that you consult the respective privacy policies of your provider's websites and applications to be properly informed about the use of your personal information and, in case you do not agree, you can check the existence of resources made available by the provider to control your privacy.

1.5. DATA ON MINORS

ISH Group may carry out the collection and processing of personal data of minors (persons under the age of 18) upon specific and outstanding consent by at least one parent or legal guardian and are used to ensure ongoing access to services and products in the minor's area of interest, such as supervised school placements, knowledge of innovative products and entries in prizes promoted by the company etc.

At any time you can check the complete list of data collected from the minor using the specific link on the menu "Privacy Service". In this link the parents and/or legal guardian can request a copy of all the data that we have on the minor, exercising their legal right to control access, change, adjustments or even request deletion of the data collected.

It is also worth noting that the ISH Group does not use data of minors for marketing purposes and/or offering products and services.

Processing of personal data

ISH Group may carry out the processing of personal data collected to:

a) execution of projects and marketing activities and offer of products and services, customized or not;

b) execution of relationship activities and customer service;

c) sale of products and/or services;

d) execution of marketing activities aimed at attracting new customers;

e) profiling;

f) analysis of indicators and metrics;

g) granting benefits or discounts on products and services for loyalty or navigation on the platforms;

h) execution of the contractual activities related to the acquired products and/or services;

i) compliance with legal and regulatory obligations;

j) risk analysis;

k) to meet the requests of clients, former clients, prospects, and other requesting contacts;

l) improve the products and services offered;

m) comply with the determinations of competent authorities, such as the National Data Protection Authority or other authorities legitimized by law;

ISH Group may also use the information collected in an anonymised form, i.e. without the possibility of associating it, directly or indirectly, with specific persons who use our platforms, with the aim of improving and personalising the products and/or services we provide.

Sharing of Personal Data

The ISH Group may share personal information contained in its database with other companies in its economic group, service providers or business partners, provided that the consent of the data subject is obtained; or based on the legitimate interest of the ISH Group for the execution of contractual activities or legal obligations and that the information can be protected and safeguarded by those who will receive it.

In addition to the hypotheses foreseen above, the ISH Group may share personal data by court order and/or legal or regulatory determination, and in these cases it will not be necessary to collect your consent to do so.

Contracting and Provision of Databases

The ISH Group may hire third-party databases in order to enrich its own database, completing it with information that will help us offer our services and products in a more personalized way to you. In this case, we will guarantee that such contracting is based on the most perfected and competent procedures of adherence to the Brazilian legislation of data protection.

The ISH Group may also make its database available to third parties, provided that the information in this database is aggregated and anonymised (for example, the country of origin of a particular navigation on our platform) and that the third party uses the information for legitimate purposes, such as checking competitors, conducting research, etc.

In this way, we make it clear that the ISH Group does not commercialize the information belonging to you (holder's personal data), but only shares with third parties, non-identifiable information, that is, that there is no possibility of association, direct or indirect, to an individual.

Users' Rights in relation to Personal Data

The holder of personal data, a user of the ISH Group's digital platforms, may at any time, and free of charge, exercise the following rights:

a) Access: by choosing to exercise the right of access, you will be able to view the data that the ISH Group handles about you, and you can generate a file and export it for your use.

b) Portability: by choosing to exercise the right of portability, you will receive a report of the registration data that the ISH Group handles about you to share with the third party you wish;

c) Rectification/Updating: due to the need for evaluation and supervision of the data to be rectified or updated, and also in view of the scope and complexity of the products and services offered by the ISH Group to its clients, we have opted to standardize the process of rectifying/updating user data, in such a way that you can request that we send you the data that the ISH Group has about you and then, after adjusting it, request that it be rectified/updated using our contact telephone number or e-mail.

d) Explanation: you may opt to receive information about the origin, purpose and form of the data processing, as well as possible sharing with third parties.

e) Explanations on Automated Decision: By choosing to exercise this right, you will receive explanations on automated decisions, such as the use of robots to gather data for the creation of online marketing campaigns, and you may request their review.

f) Deletion: by selecting this option, you may request the elimination of the personal data processed by the ISH Group. This request will be subject to a feasibility study, due to a series of applicable legal and/or regulatory deadlines for the exclusion of data, and the data will only be effectively eliminated after the expiration of such deadlines, without prejudice to any possible legal obligations that the ISH Group may have under Brazilian legislation governing the matter.

g) Anonymization: by selecting this option, the ISH Group will evaluate the feasibility of your request, due to a series of legal and/or regulatory deadlines applicable to the anonymization of data, as well as the elimination of data, and the data will only be effectively anonymized after these deadlines have been exceeded, without prejudice to any possible legal obligations that the ISH Group may have under Brazilian legislation governing the matter.

h) Blocking: as with Anonymization, when you select this option you will be redirected to the Delete option.

i) Revocation of consent: by selecting this option, you can have explanations about the consent (confirmation given to collect and process your data) and your confirmation to revoke it.

j) Preferences for receiving marketing: you may select the option to continue or not to receive communications from promotional campaigns and/or offers for ISH Group products and services. You may access the form available for this purpose through the ISH Group portal, menu "Institutional", "Integrity System", item "06-Holder's Rights", or click directly on ish.com.br/my-rights/

To exercise any of these rights, the user can access the specific link from the "Privacy Service" menu in the ISH Group Privacy portal.

Duties of Users

You have the responsibility to share only truthful information with ISH Group, as well as to protect the confidentiality of login(s) and password(s) to access the services and products of ISH Group digital platforms, including to prevent their unauthorized use, and must not share them with third parties.

You should also be aware that the contracts entered into with the ISH Group also contain clauses regarding the collection, processing and sharing of personal data.

Storage of Personal Data

The ISH Group stores and processes personal data collected in a secure location, often on its own servers in the Group's datacenter or through cloud technology, always aiming for improvements in the processes and delivery of products and services.

As provided in this Privacy Policy, in the records of use of the services and in the current and applicable legislation, the storage periods will be:

a) for application records (profile information and content shared on the websites and applications of the ISH Group's digital platforms): 6 months;

b) for any types of collected information (used for legal purposes or requested by public authorities according to the legal and/or regulatory retention period): between 5 and 20 years.

Security of Personal Data

ISH Group uses:

a) solutions and appropriate technical security measures to ensure confidentiality, integrity and inviolability of the data, such as antivirus, firewall, network protection, encryption and other technical and process measures minimally compatible with international standards and the use of good market practices;

b) security measures appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access;

c) access controls to the stored information, delimiting the permission and access privileges according to the responsibilities involved.

Changes in Privacy Policy

ISH Group reserves the right to modify this Privacy Policy at any time, keeping it updated and available at ish.com.br/privacy-policy

In this case, the user will be informed of any substantial changes made, as required by applicable law, and it is highly recommended that the user periodically reads this Privacy Policy in its entirety.