1. INTRODUCTION

This Privacy and Personal Data Protection Policy reaffirms the commitment of WTECH INDÚSTRIA E COMÉRCIO LTDA, registered under CNPJ No. 13.971.968/0001-07, to the protection and ethical, transparent, and secure processing of personal information necessary for its business activities. The fundamental right to data protection, enshrined in Article 5, item LXXIX, of the Federal Constitution, guides all institutional actions, integrating the organizational culture and corporate governance practices.

This document reflects the organization's commitment to human dignity, privacy, information security, good faith, transparency, necessity, and accountability. All data processing operations are conducted in accordance with current legislation, especially Law No. 13.709/2018 (LGPD), the Brazilian Civil Rights Framework for the Internet, the Consumer Protection Code, the Industrial Property Law, Resolutions CD/ANPD No. 4/2023 and No. 19/2024, as well as other guidelines issued by the National Data Protection Authority.

To ensure ongoing compliance, the company maintains a Structured Privacy Governance Program, comprised of internal policies, technical and administrative controls, periodic audits, impact reports, monitoring mechanisms, and cybersecurity measures, including the role of a Data Protection Officer (DPO) and specific channels for assisting data subjects. The purpose of this Policy is to reinforce transparency and demonstrate the institutional commitment to the responsible, secure, and ethical use of personal data under its custody.

2. GUIDING PRINCIPLES

The processing of personal data constantly observes the principles set forth in Article 6 of the LGPD (Brazilian General Data Protection Law). All operations are based on legitimate, specific purposes that are previously informed to the data subject, respecting the adequacy between the stated objective and the effective use of the information. Collection and processing are restricted to the minimum necessary, avoiding excesses and ensuring proportionality.

Data subjects have easy and free access to information about the processing of their data. The company ensures the accuracy, clarity, updating, and relevance of the information, in addition to adopting rigorous technical and administrative measures to prevent unauthorized access, loss, destruction, alteration, or disclosure.

A preventative approach involves internal policies, risk management, regular audits, ongoing training, and incident response plans. Any discriminatory, abusive, or unlawful treatment is expressly prohibited. The organization assumes full responsibility for its processing operations, demonstrating compliance through documentation, evidence, and formal reports.

3. COLLECTION OF PERSONAL DATA

Data collection is carried out ethically, transparently, and in accordance with the LGPD (Brazilian General Data Protection Law) guidelines, always linked to legitimate purposes previously informed. Information may be provided directly by the data subject when filling out registration forms, signing contracts, participating in selection processes, training, events, sales interactions, or when interacting via email, telephone, applications, websites, or social networks. It may also be collected indirectly through public databases, official records, authorized partners, digital platforms, corporate systems, and automated technologies such as cookies, logs, and browsing data.

When data is forwarded by third parties, these parties are responsible for its accuracy and legitimacy, as well as for adequately informing the data subject. The company may reject data whose origin is not proven or that represents a legal or reputational risk.

The data collected varies according to the established relationship, encompassing registration, financial, tax, digital, professional, human resources information, and sensitive data strictly necessary for compliance with legal obligations related to occupational health and safety. Each operation is recorded and analyzed for necessity, adequacy, and applicable legal basis. When legitimate interest is used, the company prepares specific documentation in accordance with ANPD (Brazilian National Data Protection Authority) guidelines.

4. PURPOSES OF TREATMENT

The processing of personal data is carried out to enable the execution of business activities and the fulfillment of legal and contractual obligations. The information allows for the management of contracts, communications, technical support, invoicing, deliveries, payments, and other essential operations. It is also used to comply with legal, tax, labor, environmental, health, and regulatory requirements, as well as to facilitate the administration of records, audits, purchases, sales, credit, commercial relationships, and institutional services.

The information also contributes to physical and digital access control, environmental monitoring, system authentication, and asset protection. In the area of human resources, it enables recruitment, selection, hiring, payroll, benefits administration, time tracking, occupational health exams, training, performance evaluations, and terminations.

For institutional purposes, communications such as newsletters, invitations, notices, and other informative content may be sent, respecting the right to opt-out. Data may be used in inspections, audits, investigations, and administrative or judicial proceedings. For information security, monitoring mechanisms, fraud prevention, incident identification, and preservation of the integrity, confidentiality, and availability of systems are employed. Anonymized information may be used for internal analyses, indicators, and process improvement.

Should a new purpose arise, the data subject will be informed in advance and, when required by law, new consent will be requested.

5. Information Security and Incident Management

The company adopts security controls based on international best practices, especially the ISO/IEC 27001 standard, the LGPD (Brazilian General Data Protection Law), and Resolution CD/ANPD No. 15/2023. Technical and administrative measures compatible with the degree of risk of the processing are implemented, including multifactor authentication, encryption, continuous monitoring, environment segregation, secure backups, vulnerability management, access policies, and periodic training of teams.

Incident management follows a structured methodology according to ISO/IEC 27035, encompassing identification, recording, impact analysis, containment, mitigation, documentation, and subsequent evaluation. In the event of incidents that may cause significant risk or harm to data subjects, timely notifications will be made to the ANPD (Brazilian National Data Protection Authority) and the affected data subjects.

Security controls are continuously evaluated and improved.

6. RIGHTS OF THE HOLDERS

Data subjects may exercise, at any time, the rights provided for in the LGPD (Brazilian General Data Protection Law), including confirmation of the existence of processing, access to data, correction of information, anonymization, blocking or deletion of unnecessary data, portability, deletion of data processed with consent, information on data sharing, revocation of consent, objection to processing, and filing a complaint with the ANPD (National Data Protection Authority).

Requests should be sent to the Data Protection Officer (DPO) via email at [email protected]. For security reasons, identity verification may be required. Responses will adhere to legal deadlines.

7. DATA ON CHILDREN AND ADOLESCENTS

The processing of personal data of minors under 18 years of age is not carried out intentionally, except when strictly necessary and authorized by law, with the specific consent of the legal guardian and in compliance with the principle of the best interests of the child and adolescent.

8. COOKIES AND TRACKING TECHNOLOGIES

Automatic data collection technologies, such as cookies, may be used to ensure functionality, improve performance, personalize the user experience, and support marketing activities. Users can manage their preferences in the cookie panel or browser settings. Third-party cookies may be used, and it is recommended to consult their respective policies.

9. UPDATES AND EFFECTIVE DATE

This Policy comes into effect on June 23, 2021, and may be updated whenever necessary to reflect normative, regulatory, or organizational changes. Significant changes will be communicated through institutional channels.