
PRIVACY POLICY


1. OBJECTIVE

This Privacy and Personal Data Protection Policy aims to provide guidance on how to manage the various activities and operations involving the processing of personal data at Synvia.

Through this document, the Synvia Group seeks compliance with the General Data Protection Law (Law No. 13,709/2018 - "LGPD") and other sectoral laws on the subject.

This Policy establishes Synvia's guidelines for the safeguarding and use of personal data that may be processed in its activities, referring to the General Data Protection Law, among other national and international standards related to privacy and personal data protection.


2. DEFINITIONS

For the purposes of this policy, the following definitions apply:

  • DATA PROCESSING AGENTS: The controller and the operator of personal data.

  • ANONYMIZATION: Use of technical means, reasonable and available at the time of processing personal data, whereby a data point loses the possibility of association, directly or indirectly, with an individual. The anonymized data is not considered personal data for the purposes of the LGPD.

  • NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): Government agency responsible for overseeing, implementing, and enforcing compliance with the LGPD throughout the national territory.

  • PERSONAL DATA CONTROLLER: A natural or legal person, of public or private law, who makes decisions regarding the processing of personal data.

  • PERSONAL DATA: Information relating to a natural person identified or identifiable. Personal data also includes data used to form the behavioral profile of a particular natural person.

  • SENSITIVE PERSONAL DATA: Personal data concerning racial or ethnic origin, religious conviction, political opinion, union affiliation or affiliation to an organization of a religious, philosophical, or political nature, data relating to health or sexual life, genetic or biometric data when linked to a natural person.

  • DATA PROTECTION OFFICER (“DPO”): A natural or legal person appointed by the Processing Agent to act as a communication channel between the Controller, data subjects, and the ANPD. They will be responsible for implementing the Compliance Program and conducting activities related to data protection within the SYNVIA internal controls and compliance system.

  • SUPPLIERS: In the context of SYNVIA, suppliers are other contracted and subcontracted third parties, natural or legal persons, not categorized as business partners.

  • GENERAL DATA PROTECTION LAW (“LGPD”): Normative diploma (Law No. 13,709/2018) that regulates the processing of personal data in digital or physical means.

  • PERSONAL DATA OPERATOR: A natural or legal person, of public or private law, who processes personal data on behalf of the Controller.

  • BUSINESS PARTNERS: Third parties contracted (natural or legal persons) who act on behalf of Synvia, such as: Consultants, Affiliated and Commercial Agents.

  • THIRD PARTY: Any natural or legal person contracted by Synvia to develop or assist in the development of its activities (suppliers or business partners).

  • DATA SUBJECT (“SUBJECT”): Natural person to whom the personal data being processed refers.

  • PERSONAL DATA PROCESSING (“PROCESSING”): Any operation performed with personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, control, modification, communication, transfer, dissemination, or extraction).


3. APPLICABILITY

This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the legislation concerning the protection of personal data in all interactions with current and future data subjects, third parties, and personal data processing agents external to Synvia, within the scope of its activities.

In addition to the concepts defined by the statutes, the information encompassed by this Policy includes all data held, used, or transmitted by or on behalf of Synvia, in any type of media. This includes personal data recorded on paper, maintained in computer systems or portable devices, as well as personal data transmitted orally.


4. SPECIFIC OBJECTIVES

The objectives of the Privacy and Personal Data Protection Policy are:

  1. Establishing the guidelines and responsibilities of Synvia that ensure and reinforce the Organization's commitment to compliance with applicable legislation;

  2. Describing the rules to be followed in conducting the activities and operations of personal data processing carried out by Synvia and the recipients of this Policy.

This Policy should be read together with the obligations set out in the following documents:

  • Employment contracts of Synvia employees;

  • Information security policies and procedural rules;

  • All internal standards on the protection of personal data that may be elaborated and updated.


5. PRINCIPLES OF PRIVACY AND DATA PROTECTION

Synvia will comply with the following principles when processing personal data:

  • PURPOSE: Processing only for legitimate, specific, and explicit purposes of which the subject has been informed, with no possibility of subsequent incompatible processing.

  • COMPATIBILITY: Processing compatible with the informed purposes and according to the context.

  • NEED: Processing limited to the minimum necessary (relevant, proportional, and not excessive data).

  • FREE ACCESS: Facilitated and free consultation about the form, duration of processing, and completeness of the data.

  • DATA QUALITY: Assurance of accuracy, clarity, relevance, and up-to-date information.

  • TRANSPARENCY: Clear, precise, and easily accessible information about the processing and the processing agents.

  • SECURITY: Technical and administrative measures capable of protecting personal data.

  • PREVENTION: Adoption of measures to prevent damages.

  • NON-DISCRIMINATION: Processing may not be carried out for illegal or abusive discriminatory purposes.

  • ACCOUNTABILITY AND REPORTING: Demonstration of the adoption of effective compliance measures.


6. LEGAL BASES FOR PERSONAL DATA PROCESSING

All processing operations will have a legal basis that legitimizes their execution. Synvia may process personal data:

  1. Upon provision of consent by the data subject;

  2. For compliance with a legal or regulatory obligation;

  3. For conducting studies by a research body;

  4. When necessary for the execution of a contract or preliminary procedures;

  5. For the regular exercise of rights in judicial, administrative, or arbitral processes;

  6. For the protection of the life or physical safety of the subject or third party;

  7. For health care (in procedures performed by health professionals/health authority);

  8. When necessary to meet the legitimate interests of Synvia or third parties;

  9. For credit protection.

Synvia will keep records of its processing operations, which may be consulted by data subjects and competent public authorities.


7. LEGAL BASES FOR PROCESSING SENSITIVE DATA

Synvia is committed to safeguarding and providing special care regarding the processing of sensitive personal data and financial data. Data concerning children and adolescents will be treated with the same level of care.

The processing of sensitive data may only be performed:

  • With consent: When the subject or legal representative consents specifically and prominently.

  • Without consent: In cases where it is essential for:

    • Compliance with a legal or regulatory obligation;

    • Conducting studies (ensuring anonymization whenever possible);

    • Regular exercise of rights (contract, judicial, administrative, arbitral processes);

    • Protection of life or physical safety;

    • Health protection;

    • Ensuring prevention against fraud and the safety of the subject (identification and authentication in systems).


8. RIGHTS OF DATA SUBJECTS

Synvia reinforces its commitment to respect the rights of data subjects:

  • RIGHT TO CONFIRMATION: Confirm the existence of processing of their data.

  • RIGHT OF ACCESS: Request and receive a copy of the collected data.

  • RIGHT TO RECTIFICATION: Request correction of incomplete, inaccurate, or outdated data.

  • RIGHT TO ELIMINATION: Request deletion of data (unless there is a legitimate reason for retention).

  • RIGHT TO SUSPEND ILLEGAL PROCESSING: Request anonymization, blocking, or elimination of unnecessary or excessive data.

  • RIGHT TO OBJECT: Object to processing not based on consent (analyzed according to LGPD criteria).

  • RIGHT TO PORTABILITY: Request availability of the data to another provider.

  • RIGHT TO REVOKE CONSENT: Revoke previously given consent (without affecting the legality of prior processing).


9. DUTIES FOR THE PROPER USE OF PERSONAL DATA

Duties of the Subjects

  • Notify Synvia of any changes to their personal data (e.g., change of address).

  • Notify via email: protecaodedados@synvia.com.

Duties of Synvia Employees

  • The sharing of data among companies in the Synvia Group is only permitted if the purpose, legal basis, and principle of necessity are respected.

  • Do not provide access to data for unauthorized persons.

  • Obtain the necessary authorization and documents demonstrating competency for processing.

  • Comply with information security standards.

Duties of All Recipients

Contact the DPO of Synvia in case of suspicion or occurrence of:

  1. Operation without a legal basis;

  2. Processing without authorization;

  3. Non-compliance with the Information Security Policy;

  4. Unauthorized elimination/destruction of data;

  5. Any other violation of this Policy.


10. RELATIONSHIP WITH THIRD PARTIES

Considering the joint liability provided in the LGPD, Synvia will make every effort to ensure that third parties comply with the applicable legislation.

All contracts with third parties must contain clauses regarding the protection of personal data, and must be reviewed and submitted for approval by the DPO and the technical team.


11. INFORMATION SECURITY

The security standards are contained in the Information Security Policy of Synvia. The organization commits to employ appropriate technical and organizational measures to protect the data against unauthorized access, loss, destruction, and undue sharing.


12. INTERNATIONAL DATA TRANSFER

Synvia may transfer data to other countries under the following conditions:

Without consent (when authorized to process data on another legal basis):

  • Country with an adequate level of protection (by the ANPD or a European Commission/GDPR adequacy decision); or

  • Provision of safeguards (Codes of Conduct, Standard Contractual Clauses, Seals/Certificates).

With consent:

  • Obtaining explicit and prominent consent for international transfer.

Synvia will inform subjects about the occurrence of international transfers, designating the set of data, the purpose, and the destination.


13. MONITORING AND UPDATING

Synvia commits to revisiting this Policy periodically. All changes made will be communicated in a timely manner through the Organization's official channels.

PRIVACY POLICY


1. OBJECTIVE

This Privacy and Personal Data Protection Policy aims to provide guidance on how to manage the various activities and operations involved in the processing of personal data at Synvia.

Through this document, the Synvia Group seeks compliance with the General Data Protection Law (Law No. 13.709/2018 - “LGPD”) and other sector-specific laws on the subject.

This Policy establishes the guidelines for the protection and use of personal data that may be processed in its activities, referencing the General Data Protection Law, among other national and international standards related to privacy and personal data protection.


2. DEFINITIONS

For the purposes of this policy, the following definitions apply:

  • PERSONAL DATA PROCESSING AGENTS: The controller and the processor of personal data.

  • ANONYMIZATION: The use of technical means, reasonable and available at the time of processing personal data, through which a data point loses the possibility of being associated, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.

  • NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): A public administration agency responsible for ensuring, implementing, and monitoring compliance with the LGPD throughout the national territory.

  • PERSONAL DATA CONTROLLER: A natural or legal person, of public or private law, who makes decisions regarding the processing of personal data.

  • PERSONAL DATA: Information related to an identified or identifiable natural person. Personal data also includes data used to form the behavioral profile of a particular natural person.

  • SENSITIVE PERSONAL DATA: Personal data about racial or ethnic origin, religious conviction, political opinion, union or religious, philosophical, or political organization affiliation, data regarding health or sexual life, genetic or biometric data when linked to a natural person.

  • DATA PROTECTION OFFICER (“DPO”): A natural or legal person appointed by the Processing Agent to act as a communication channel between the Controller, data subjects, and the ANPD. They will be responsible for implementing the Compliance Program and conducting activities related to data protection within the SYNVIA Internal Controls and Compliance System.

  • SUPPLIERS: In the context of SYNVIA, suppliers are other hired and subcontracted third parties, natural or legal persons, not classified as business partners.

  • GENERAL DATA PROTECTION LAW (“LGPD”): A regulatory diploma (Law No. 13.709/2018) that provides for the processing of personal data in digital or physical means.

  • PERSONAL DATA PROCESSOR: A natural or legal person, of public or private law, who processes personal data on behalf of the Controller.

  • BUSINESS PARTNERS: Hired third parties (natural or legal persons) who act on behalf of Synvia, such as: Consultants, Partners, and Sales Agents.

  • THIRD PARTY: Any natural or legal person hired by Synvia to develop or assist in the development of its activities (suppliers or business partners).

  • DATA SUBJECT (“SUBJECT”): A natural person to whom the personal data being processed refers.

  • PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation carried out with personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction).


3. APPLICABILITY

This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the laws regarding personal data protection in all interactions with current and future data subjects, third parties, and personal data processing agents external to Synvia, within the scope of its activities.

Beyond the concepts defined by the standards, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of Synvia, in any type of media. This includes personal data recorded on paper, maintained in computer systems or portable devices, as well as personal data transmitted orally.


4. SPECIFIC OBJECTIVES

The objectives of the Privacy and Personal Data Protection Policy are:

  1. To establish Synvia's guidelines and responsibilities that ensure and reinforce the Organization's commitment to comply with applicable laws;

  2. To describe the rules to be followed in conducting the activities and operations of personal data processing carried out by Synvia and the recipients of this Policy.

This Policy must be read in conjunction with the obligations set forth in the following documents:

  • Employment contracts of Synvia employees;

  • Information security policies and standard operating procedures;

  • All internal regulations regarding personal data protection that may be drafted and updated.


5. PRIVACY AND DATA PROTECTION PRINCIPLES

Synvia will comply with the following principles when processing personal data:

  • PURPOSE: Processing only for legitimate, specific, explicit purposes that are informed to the data subject, without the possibility of subsequent incompatible processing.

  • COMPATIBILITY: Processing compatible with the informed purposes and in accordance with the context.

  • NECESSITY: Processing limited to the minimum necessary (relevant, proportional, and not excessive data).

  • FREE ACCESS: Facilitated and free consultation regarding the form, duration of processing, and completeness of the data.

  • DATA QUALITY: Assurance of accuracy, clarity, relevance, and up-to-date status of the data.

  • TRANSPARENCY: Clear, precise, and easily accessible information about the processing and the processing agents.

  • SECURITY: Technical and administrative measures capable of protecting personal data.

  • PREVENTION: Adoption of measures to prevent harm from occurring.

  • NON-DISCRIMINATION: The impossibility of processing for illicit or abusive discriminatory purposes.

  • RESPONSIBILITY AND ACCOUNTABILITY: Demonstration of the adoption of effective measures to comply with the norms.


6. LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA

All processing operations will have a legal basis legitimizing their execution. Synvia may process personal data:

  1. With the provision of consent by the data subject;

  2. To comply with a legal or regulatory obligation;

  3. For the performance of studies by a research body;

  4. When necessary for the execution of a contract or preliminary procedures;

  5. For the regular exercise of rights in judicial, administrative, or arbitral proceedings;

  6. For the protection of life or physical safety of the data subject or a third party;

  7. For health protection (in proceedings conducted by health professionals/public health authority);

  8. When necessary to meet the legitimate interests of Synvia or third parties;

  9. For the protection of credit.

Synvia will keep records of its processing operations, which may be consulted by data subjects and competent public authorities.


7. LEGAL BASES FOR THE PROCESSING OF SENSITIVE DATA

Synvia is committed to exercising special care and protection regarding the processing of sensitive personal data and financial data. Data of children and adolescents will be handled with the same level of care.

The processing of sensitive data may only be performed:

  • With consent: When the data subject or legal guardian consents specifically and distinctly.

  • Without consent: In cases where it is essential for:

    • Compliance with a legal or regulatory obligation;

    • Conducting studies (guaranteeing anonymization whenever possible);

    • Regular exercise of rights (contract, judicial, administrative, arbitral proceedings);

    • Protection of life or physical safety;

    • Health protection;

    • Ensuring prevention against fraud and security of the data subject (identification and authentication in systems).


8. RIGHTS OF PERSONAL DATA SUBJECTS

Synvia reaffirms its commitment to respecting the rights of data subjects:

  • RIGHT TO CONFIRMATION: Confirm the existence of processing of their data.

  • RIGHT OF ACCESS: Request and receive a copy of the collected data.

  • RIGHT TO RECTIFICATION: Request correction of incomplete, inaccurate, or outdated data.

  • RIGHT TO ERASURE: Request the deletion of data (unless there is a legitimate reason for retention).

  • RIGHT TO SUSPEND ILLEGAL PROCESSING: Request anonymization, blocking, or deletion of unnecessary or excessive data.

  • RIGHT TO OBJECT: Object to processing not based on consent (assessed according to LGPD criteria).

  • RIGHT TO PORTABILITY: Request the availability of the data to another supplier.

  • RIGHT TO WITHDRAW CONSENT: Withdraw previously granted consent (without affecting the legality of prior processing).


9. DUTIES FOR THE PROPER USE OF PERSONAL DATA

Duties of Data Subjects

  • Notify Synvia of any changes to their personal data (e.g., change of address).

  • Notify via email: protecaodedados@synvia.com.

Duties of Synvia Employees

  • Sharing data among Synvia Group companies is permitted only if the purpose, legal basis, and principle of necessity are respected.

  • Do not provide access to data for unauthorized persons.

  • Obtain the necessary authorization and documents that demonstrate the competence for processing.

  • Comply with information security standards.

Duties of All Recipients

Contact the Synvia DPO in case of suspicion or occurrence of:

  1. Operation without legal basis;

  2. Processing without authorization;

  3. Non-compliance with Information Security Policy;

  4. Unauthorized deletion/destruction of data;

  5. Any other violation of this Policy.


10. RELATIONSHIP WITH THIRD PARTIES

Considering the joint liability provided for in the LGPD, Synvia will make every effort to ensure that third parties comply with the applicable laws.

All contracts with third parties must contain clauses regarding the protection of personal data, and must be reviewed and submitted for approval by the DPO and the technical team.


11. INFORMATION SECURITY

The security standards are contained in the Information Security Policy of Synvia. The organization commits to employ adequate technical and organizational measures to protect data against unauthorized access, loss, destruction, and improper sharing.


12. INTERNATIONAL DATA TRANSFER

Synvia may transfer data to other countries under the following conditions:

Without consent (when authorized to process data under another legal basis):

  • Country with an adequate level of protection (by the ANPD or adequacy decision by the European Commission/GDPR); or

  • Provision of safeguards (Codes of Conduct, Standard Contractual Clauses, Seals/Certificates).

With consent:

  • Obtaining explicit and distinct consent for the international transfer.

Synvia will inform data subjects about the occurrence of international transfers, designating the set of data, the purpose, and the destination.


13. MONITORING AND UPDATING

Synvia commits to periodically revisiting this Policy. All changes made will be communicated in a timely manner through official channels of the Organization.
