Privacy Policies for the Processing of Personal Data

Last Updated: February 1, 2023

1 - ABOUT CREDILINK

CREDILINK INFORMAÇÕES DE CRÉDITO LTDA, registered with CNPJ/MF under No. 02.581.711/0001-22, established at Praça Pio X, number 55, room 802, Centro, in the city of Rio de Janeiro, state of Rio de Janeiro (“CREDILINK”), has been operating for more than 30 (thirty) years in the credit protection and financial fraud prevention market, being considered the largest company in this segment in the national territory and duly qualified to carry out activities for credit protection, in accordance with current legislation.

With the aim of assisting its clients in fraud prevention, CREDILINK develops specific products and services and, to ensure that the solutions offered are effective, it monitors market trends and needs and, whenever necessary, promotes adjustments and/or renewal of said solutions.

Finally, among the principles that guide CREDILINK's operations are responsibility, security, and compliance with applicable legislation.

2 - ABOUT THE PRODUCTS OFFERED BY CREDILINK

Although the specific details of the different products offered by CREDILINK are contained in the specific Terms of Use, presented as soon as the user accesses the logged-in area, we highlight below general information about them.

CREDI BATCH: prioritizing security, speed, and control in data exchange, Credi Batch ensures the possibility of uploading and downloading bulk data files in a secure environment, without the need for email exchanges and attachments. For such activities, it uses recent, high-level encryption technology.

CONSULTA DE CRÉDITO: with the aim of ensuring security in transactions, the Credit Inquiry allows the verification of information related to customers and suppliers, enabling the qualification of customers, credit protection, and prevention of financial fraud.

CONFIRME ONLINE: with the aim of assisting in fraud prevention, Confirme Online allows for the location of customers, profile investigation, and time optimization. To this end, Confirme Online enables customized inquiries for individuals or legal entities and the confirmation of registration data.

CONSUMIDOR SEGURO: a free service that notifies the registered Holder whenever their CPF is queried.

DATA4YOU: with the aim of mapping and resolving issues of accuracy and diligence, CREDILINK analyzes a company's data and offers a holistic view of its Processing activities, understood as the consolidation and synergistic correlation that leads to a comprehensive understanding of an information scenario for better decision-making.

ENRIQUECIMENTO ONLINE: with the aim of making information bases more secure and preventing financial fraud, offering the possibility of creating output layouts, multiple processing, and obtaining optimized reports, Online Enrichment allows the sending of batch files for processing, enrichment, and cleansing.

HISTÓRICO DE CRÉDITO: to expedite the risk analysis process, mitigate the risk of default, and protect credit, the service offers a quick search for information related to customers' consumption history, allowing verification of whether an individual is a good payer or not.

Q-CREDI: a fraud prevention technology service that simply connects CREDILINK's database with graphical link analysis tools. It enhances the development of investigations and fraud prevention.

WEBSERVICE: a service available for companies of various sizes that offers modernity and integration in credit analysis with validation of registration information and cross-referencing of multiple pieces of information through direct association between the company's system and CREDILINK's database.

The information bases used for the development and offering of the products listed above are formed by data obtained through contracts, agreements, public bases, and legacy bases, in compliance with the legal bases and purposes provided in Art. 7 of the General Data Protection Law.

3 - IMPORTANT CONCEPTS IN THE CONTEXT OF PERSONAL DATA PROCESSING

To ensure a perfect understanding of this document, please consider the definitions below:

  • "Data Processing Agents" are the Controller and the Operator in the context of Personal Data Processing.
  • "Cookies" are small digital text files stored on electronic devices, such as cell phones and laptops, when you access a website, including CREDILINK's. Cookies store information related to your preferences and other variables that the website developers consider relevant to make your experience more efficient.
  • "Personal Data" refers to information related to a Natural Person that can identify them or make them identifiable, such as, but not limited to, name, email, ID number, personal preferences, IP address, and geolocation.
  • "Sensitive Personal Data" refers to Personal Data concerning racial or ethnic origin, religious beliefs, political opinions, membership in a union or religious, philosophical, or political organization, health or sexual life, genetic or biometric data, when linked to a Natural Person.
  • "Data Protection Officer" or "DPO" is the person who acts as a channel between the Controller, Operator, and ANPD.
  • "General Data Protection Legislation" or "LGPD" is federal law 13.709/18 that governs the processing of personal data in various media by natural or legal persons of public or private law and aims to protect the fundamental rights of Data Subjects.
  • "Platform" is the CREDILINK website available at https://www.credilink.com.br/
  • "Policy" or "Privacy Policy" is this document.
  • "Data Subject" or "Natural Person" is the individual to whom the Personal Data refers.
  • "Processing" is any activity/operation carried out with Personal Data, including but not limited to collection, transmission, archiving, and deletion.

4 - DATA PROCESSING AGENTS

As we have seen above, the Controller and the Operator are considered Data Processing Agents. Since responsibilities are defined according to the role played by each agent in the context of Personal Data Processing, we highlight below points to be considered for the correct identification of the position occupied by the Data Processing Agents.

  • The "Controller" is the natural or legal person, public or private, who is responsible for the decisions regarding the Processing of Personal Data. Among its main characteristics are (i) the ability to identify/determine the legal basis that legitimizes the Processing activity; (ii) determining the information to be processed, by what means, and for what purpose; (iii) being liable for any damages caused, except when falling under a legal exception; and (iv) ensuring that the Data Subjects' rights are observed.
  • In turn, the "Operator" is the natural or legal person, public or private, who performs the Processing on behalf of the Controller. Among its main characteristics are: (i) limited autonomy in the context of Processing; (ii) acting according to the orders received from the Controller; and (iii) may be jointly liable for damages.

There is also the possibility of involving more than one Controller in a given Processing activity. In this case, in a simplified manner, we can consider Joint Controllers those who jointly determine the main aspects of the Processing and Singular Controllers when they process the same set of Personal Data for different purposes.

5 - PERSONAL DATA PROCESSED BY CREDILINK

When the Data Subject accesses the Platform and interacts with it – including filling out the forms we provide – they provide Personal Data to CREDILINK. Below, we indicate where and what information is Processed:



 

Update: It is the responsibility of the Data Subject to ensure the accuracy, truthfulness, and updating of the Personal Data provided to CREDILINK. CREDILINK is not obliged to process Personal Data if there are reasons to believe that such Processing may imply an infringement of any applicable law, or if the Platform is being used for any illegal, unlawful, or immoral purposes.

Database: The database formed through contracts, agreements, and public bases, in accordance with the LGPD, under the legal permissions provided in Art. 7 of Law No. 13.709/18.

Registration Personal Data: CREDILINK processes data categorized as registration data that support and sustain the credit protection cycle and fraud prevention, such as name, CPF, address, phone number, email, and corporate participation. These data are collected in compliance with and respect for all guidelines imposed by the LGPD and other current legislation.

Technologies used: CREDILINK uses session cookies on its Platform. If the Data Subject is not interested in keeping them, they should configure their internet browser to block them; however, we emphasize that some functionalities may be limited.

6 - SHARING OF PERSONAL DATA

When necessary, access to and/or sharing of CREDILINK's proprietary database is carried out within the limits and purposes of its business, as described in this Policy.

It is also possible that the information will be shared with competent judicial, administrative, or governmental authorities whenever there is a legal determination, request, requisition, or court order, or automatically in case of corporate movements such as mergers, acquisitions, and incorporations.

In any case, only the information necessary to fulfill the intended activities will be shared, and whenever possible, measures will be taken to safeguard the information and adopt best practices.

For potential market intelligence activities, data dissemination to the press, and advertising, Personal Data will be shared in an anonymized manner, i.e., in a way that does not allow for identification.

If you have any questions about whom we share your Personal Data with, please contact us through the support channels provided in this Policy, and we will assist you in clarifying the points.

7 - MEASURES TAKEN TO PROTECT PERSONAL DATA

Once again, recognizing the importance of Personal Data, we highlight below the measures taken by CREDILINK to protect this type of information:

- Security and Governance Practices: To safeguard the privacy of Data Subjects and protect their Personal Data, CREDILINK has a governance program that includes best practices, internal policies, and procedures, which establish organizational conditions, training, educational actions, and mechanisms for supervision and risk mitigation related to the Processing of Personal Data.

- Access to Personal Data, proportionality, and relevance: Internally, the collected Personal Data is accessed only by professionals duly authorized by CREDILINK, respecting the principles of proportionality, necessity, and relevance to the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under the terms of this Policy.

- Information Security: Specifically to preserve the value that information holds for CREDILINK, particularly its integrity, availability only to people who need to know it, and authenticity, the following technical measures are observed by CREDILINK:

  • Protection of database information through encryption and access limitation.
  • Linking between the user's IP and access logs.
  • Use of VPN with two-factor authentication for employees.
  • Kaspersky antivirus is installed and maintained on all computers to control the workstations accessing the CREDILINK platform.
  • Important information, such as individuals' income, is protected by encryption.
  • The Credilogs tool, currently in development, will be used to provide the DPO with access to all system logs. Currently, the tool already enables the identification of who accessed information about a specific CPF.
  • A next-generation Sophos firewall has been implemented.
  • Access via VPN between sites, AWS, Oracle, and Azure.
  • There is a regulation for the development of activities in a home office regime by our employees, as well as the signing of a confidentiality agreement and a commitment to comply with the provisions of the General Data Protection Law.
  • Directories in AD named DBA on the local network and in the AWS S3 drive are maintained for bases generated for specific individuals.
  • The data processed by CREDILINK is kept in a repository located in Brazil, specifically in a Tier 3 data center.
  • Conducting Pentests.

- Processing of Personal Data by Third Parties under CREDILINK's guidelines: CREDILINK carefully evaluates those who provide services to it and establishes contractual obligations with them regarding information security and the protection of Personal Data, aiming to protect you.

8 - MEASURES TO BE TAKEN BY PERSONAL DATA SUBJECTS

As we have seen above, CREDILINK does its best to ensure the security of the activities it carries out. Below, we highlight the measures to be taken by the Data Subject:

Sharing Credentials: You are responsible for keeping your Personal Data confidential and should always be aware that sharing passwords and access data violates this Policy and may compromise the security of your Personal Data and the CREDILINK Platform. If you identify or become aware of any security breach of Personal Data, please contact our Data Protection Officer through the support channels provided in this Policy.

External links: While browsing the Platform, it is possible that the Data Subject will be directed, via link, to other sites, portals, or platforms that may collect Personal Data and should have their own privacy policy. It is your responsibility to read these policies and decide whether to accept or reject them. CREDILINK is not responsible for third-party privacy policies or the content of any websites or services linked to other environments.

9 - RIGHTS GUARANTEED TO DATA SUBJECTS

Even though CREDILINK processes Personal Data, the information remains the property of the respective Data Subjects. To protect these individuals, the General Data Protection Law grants them a series of rights.

Prioritizing transparency in its relationships, observing the provisions of the law, and committed to ensuring the legality and security of the activities it carries out, CREDILINK highlights below the prerogatives of Data Subjects and, at the end of this Policy, the contact channel that can be used to exercise rights.

Confirmation and access: The Data Subject can request confirmation about the existence of Processing and access to their Personal Data, including by requesting copies of records that CREDILINK may have about the individual.

Correction: The Data Subject can request the correction of their Personal Data that is incomplete, inaccurate, or outdated.

Anonymization, blocking, or deletion: The Data Subject can request the anonymization of their Personal Data so that it can no longer be related to them, the blocking of their Personal Data, temporarily suspending the possibility of Processing for certain purposes, or the deletion of their Personal Data.

Portability: The Data Subject can request that CREDILINK provide their Personal Data in a structured and interoperable format for transfer to a third party, respecting our intellectual property or trade secrets.

Information about Sharing: The Data Subject can request information about third parties with whom CREDILINK shares their Personal Data, limiting this disclosure to information that does not violate CREDILINK's intellectual property or trade secrets.

Withdrawal of Consent: The Data Subject can choose to withdraw consent for any purpose previously consented to. This withdrawal will not affect the legality of any Processing carried out before it. If the Data Subject withdraws consent for purposes essential to the proper functioning of the Platform and services, the Platform and services may become unavailable.

Objection: The Data Subject can object to the Processing of their Personal Data if they disagree with any purpose.

We emphasize that the exercise of rights is not unlimited; CREDILINK may, in specific cases authorized by law, decline to fulfill a request. If this occurs, the Data Subject will be informed of the reason for the refusal.

10 - GENERAL INFORMATION

CREDILINK may change the content of this Policy at any time, according to its purpose or need, as well as for legal compliance and conformity with laws or regulations of equivalent legal force, and it is your responsibility to review it whenever you access the Platform.

If any point of this Policy is considered unenforceable by the National Data Protection Authority or by judicial authority, the other conditions will remain in full force and effect.

This Policy will be interpreted according to Brazilian law, in the Portuguese language, with the forum of the district of Rio de Janeiro in the state of Rio de Janeiro being chosen to resolve any disputes involving this document, except for specific personal, territorial, or functional jurisdiction by applicable law.

11 - SUPPORT CHANNELS – TALK TO THE DPO

If you have any questions regarding the provisions of this Policy or to exercise your rights as a Personal Data Subject, you can contact our Data Protection Officer in the following ways:

- By filling out the form available in the "Talk to the DPO" tab, available on the Platform's homepage (www.credilink.com.br/en/talk-to-the-dpo);