Privacy and Personal Data Protection Policy

No: LGPD-03  |  Revision: 03  |  Date: June 04, 2025  |  Type: Policy  |  São Paulo

The need to ensure that administrative activities within ILLIX, hereinafter referred to as the “Controller”, are conducted in compliance with Law No. 13,709/2018, also known as the General Data Protection Law (LGPD), enacted with the objective of protecting the fundamental rights of freedom and privacy, as well as establishing rules on the collection, use, storage, and sharing of data.

For questions, we recommend reading: General Data Protection Law

Principles

Always in the performance of legitimate and specific purposes, we process Personal Data based on the following principles:

• respect for privacy;
• informative self-determination;
• freedom of expression, information, communication, and opinion;
• inviolability of intimacy, honor, and image;
• economic and technological development and innovation;
• free initiative, free competition, and consumer protection;
• human rights, the free development of personality, dignity, and the exercise of citizenship by natural persons.

General Principles of LGPD

• Purpose: We process Personal Data for legitimate, specific, and informed purposes;
• Suitability: We process Personal Data in a manner compatible with the informed purposes and provided for by law;
• Necessity: We limit Processing to the minimum necessary to achieve the purposes;
• Free access: We guarantee facilitated and free consultation on the processing of Personal Data;
• Quality: We guarantee accuracy, clarity, and updating of data;
• Transparency: We provide clear and accessible information to Data Subjects;
• Security: We adopt technical and administrative measures to protect Personal Data;
• Prevention: We adopt measures to prevent damage in the processing of Personal Data;
• Confidentiality: We apply hierarchical access only to authorized persons;
• Integrity: We focus on the accuracy and updating of information;
• Availability: We guarantee access to information whenever necessary;
• Non-discrimination: We do not practice or tolerate any form of discrimination;
• Accountability: We adopt effective measures to prove compliance with data protection standards.

Rights of Data Subjects

• Confirmation of the Existence of Processing;
• Access to data;
• Correction of incomplete, inaccurate, or outdated data;
• Anonymization, blocking, or elimination of unnecessary, excessive data or data processed in non-compliance;
• Information about entities with which we carry out shared use of data;
• Information on the possibility and consequences of refusal or withdrawal of consent;
• Withdrawal of consent;
• Review of automated decisions;
• Data Portability (awaiting regulation from ANPD).

Processing of Personal Data

We exercise typical activities of a Controlling Treatment Agent and Operator. When the action of an Operating Agent is necessary, we establish a written contract defining the object, purpose, and obligations in accordance with the LGPD.

• Registration: name, e-mail, phone, address, vehicle license plate;
• Contact: name, surname, Tax ID, full address, mobile, WhatsApp, e-mail;
• Sending notices: name, e-mail, phone;
• WhatsApp: name, e-mail, and phone.

Sharing of Personal Data

ILLIX does not sell Personal Data and only shares it for legitimate and specific purposes.

With whom we share:

• Microsoft Azure – Platform and database management.
• Google – APIs for data transformation.
• Zamzar – Document conversions in various formats.

Data Retention

Data from customers, employees, and third parties will be retained for up to 5 years after departure or termination. After this period, data will be deleted or, in the case of physical documents, shredded.

How to Talk About Your Data

If you believe your personal data has been processed in a manner incompatible with this Policy, contact us through the privacy portal: https://www.helloethics.com/illix/lgpd or via email at dpo@illix.com.br.