PRIVACY POLICY

1. PURPOSE

This Privacy and Personal Data Protection Policy aims to provide guidance on how to manage the various activities and personal data processing operations carried out at Synvia.

Through this document, the Synvia Group seeks compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 – “LGPD”) and other sector-specific laws on the subject.

This Policy establishes Synvia’s guidelines for safeguarding and using personal data processed in its activities, taking as reference the Brazilian General Data Protection Law, among other national and international rules relating to privacy and the protection of personal data.

2. DEFINITIONS

For the purposes of this Policy, the following definitions apply:

PERSONAL DATA PROCESSING AGENTS: The controller and the operator of personal data.

ANONYMIZATION: The use of technical means that are reasonable and available at the time of processing, by which personal data loses the possibility of association, whether direct or indirect, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.

NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): The public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD throughout the national territory.

PERSONAL DATA CONTROLLER: A natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data.

PERSONAL DATA: Information relating to an identified or identifiable natural person. Data used to build the behavioral profile of a given natural person is also considered personal data.

SENSITIVE PERSONAL DATA: Personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical, or political organization, data concerning health or sex life, and genetic or biometric data when linked to a natural person.

DATA PROTECTION OFFICER (“DPO”): A natural or legal person appointed by the Processing Agent to act as a communication channel between the Controller, data subjects, and the ANPD. The DPO is responsible for implementing the Compliance Program and conducting the activities related to data protection within Synvia’s Internal Controls and Compliance System.

SUPPLIERS: Within the context of Synvia, suppliers are other contracted and subcontracted third parties, whether natural or legal persons, who do not qualify as commercial partners.

BRAZILIAN GENERAL DATA PROTECTION LAW (“LGPD”): The legal instrument (Law No. 13,709/2018) that governs the processing of personal data in digital or physical media.

PERSONAL DATA OPERATOR: A natural or legal person, governed by public or private law, who processes personal data on behalf of the Controller.

COMMERCIAL PARTNERS: Contracted third parties (natural or legal persons) who act on behalf of Synvia, such as consultants, affiliated parties, and commercial agents.

THIRD PARTY: Any natural or legal person contracted by Synvia to develop or assist in the development of its activities (suppliers or commercial partners).

PERSONAL DATA SUBJECT (“DATA SUBJECT”): The natural person to whom the personal data being processed refers.

PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation carried out with personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction).

3. APPLICABILITY

This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the legislation governing the protection of personal data in all interactions with current and future data subjects, third parties, and personal data processing agents external to Synvia within the scope of its activities.

Beyond the concepts defined by the rules, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of Synvia, in any type of media. This includes personal data recorded on paper, kept in computer systems or portable devices, as well as personal data transmitted orally.

4. SPECIFIC OBJECTIVES

The objectives of the Privacy and Personal Data Protection Policy are:

•        To establish Synvia’s guidelines and responsibilities that ensure and reinforce the Organization’s commitment to compliance with the applicable legislation;

•        To describe the rules to be followed in conducting the personal data processing activities and operations carried out by Synvia and by the recipients of this Policy.

This Policy must be read together with the obligations set out in the following documents:

•        Employment contracts of Synvia’s employees;

•        Information security policies and procedural standards;

•        All internal rules regarding the protection of personal data that may be developed and updated.

5. PRIVACY AND DATA PROTECTION PRINCIPLES

Synvia shall comply with the following principles when processing personal data:

•        PURPOSE: Processing only for legitimate, specific, explicit purposes that are informed to the data subject, with no possibility of subsequent incompatible processing.

•        ADEQUACY: Processing that is compatible with the purposes informed and in accordance with the context.

•        NECESSITY: Processing limited to the minimum necessary (relevant, proportional, and non-excessive data).

•        FREE ACCESS: Facilitated and free consultation regarding the form, duration of processing, and completeness of the data.

•        DATA QUALITY: Assurance of accuracy, clarity, relevance, and currency of the data.

•        TRANSPARENCY: Clear, accurate, and easily accessible information about the processing and the processing agents.

•        SECURITY: Technical and administrative measures suitable to protect personal data.

•        PREVENTION: Adoption of measures to prevent the occurrence of harm.

•        NON-DISCRIMINATION: Impossibility of processing for unlawful or abusive discriminatory purposes.

•        ACCOUNTABILITY: Demonstration of the adoption of effective measures to comply with the rules.

6. LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA

All processing operations shall have a legal basis that legitimizes their performance. Synvia may process personal data:

•        Upon the provision of consent by the data subject;

•        For compliance with a legal or regulatory obligation;

•        For conducting studies by a research body;

•        When necessary for the performance of a contract or preliminary procedures;

•        For the regular exercise of rights in judicial, administrative, or arbitration proceedings;

•        To protect the life or physical safety of the data subject or a third party;

•        For health protection (in a procedure carried out by health professionals/health authorities);

•        When necessary to meet the legitimate interests of Synvia or third parties;

•        For credit protection.

Synvia shall keep records of its processing operations, which may be consulted by the data subject and the competent public authorities.

7. LEGAL BASES FOR THE PROCESSING OF SENSITIVE DATA

Synvia is committed to safeguarding and exercising special care regarding the processing of sensitive personal data and financial data. Data of children and adolescents shall be processed with the same level of care.

The processing of sensitive data may only be carried out:

With consent: When the data subject or legal guardian consents in a specific and highlighted manner.

Without consent: In cases where it is indispensable for:

•        Compliance with a legal or regulatory obligation;

•        Conducting studies (ensuring anonymization whenever possible);

•        The regular exercise of rights (contract, judicial, administrative, or arbitration proceedings);

•        Protection of life or physical safety;

•        Health protection;

•        Ensuring fraud prevention and the security of the data subject (identification and authentication in systems).

8. RIGHTS OF PERSONAL DATA SUBJECTS

Synvia reinforces its commitment to respecting the rights of data subjects:

•        RIGHT TO CONFIRMATION: To confirm the existence of processing of their data.

•        RIGHT OF ACCESS: To request and receive a copy of the data collected.

•        RIGHT TO CORRECTION: To request the correction of incomplete, inaccurate, or outdated data.

•        RIGHT TO DELETION: To request the deletion of data (unless there is a legitimate reason to retain it).

•        RIGHT TO SUSPEND UNLAWFUL PROCESSING: To request the anonymization, blocking, or deletion of unnecessary or excessive data.

•        RIGHT TO OBJECT: To object to processing not based on consent (assessed according to the LGPD criteria).

•        RIGHT TO PORTABILITY: To request that data be made available to another supplier.

•        RIGHT TO WITHDRAW CONSENT: To withdraw previously given consent (without affecting the legality of prior processing).

9. DUTIES FOR THE APPROPRIATE USE OF PERSONAL DATA

Duties of Data Subjects

•        To communicate to Synvia any changes to their personal data (e.g., change of address).

•        To notify via email: dpo@synvia.com.

Duties of Synvia’s Employees

•        The sharing of data among Synvia Group companies is permitted only if the purpose, legal basis, and necessity principle are respected.

•        Not to provide access to data to unauthorized persons.

•        To obtain the necessary authorization and documents demonstrating the competence to carry out the processing.

•        To comply with information security rules.

Duties of All Recipients

To contact Synvia’s Data Protection Officer in the event of suspicion or occurrence of:

•        Processing without a legal basis;

•        Processing without authorization;

•        Non-compliance with the Information Security Policy;

•        Unauthorized deletion/destruction of data;

•        Any other violation of this Policy.

10. RELATIONSHIP WITH THIRD PARTIES

Considering the joint and several liability set out in the LGPD, Synvia shall use its best efforts to ensure that third parties comply with the applicable legislation.

All contracts with third parties must contain clauses regarding the protection of personal data, which shall be reviewed and submitted for approval by the Data Protection Officer and the technical team.

11. INFORMATION SECURITY

The security rules are contained in Synvia’s Information Security Policy. The organization is committed to employing appropriate technical and organizational measures to protect data against unauthorized access, loss, destruction, and improper sharing.

12. INTERNATIONAL DATA TRANSFER

Synvia may transfer data to other countries under the following conditions:

Without consent (when authorized to process data under another legal basis):

•        A country with an adequate level of protection (as determined by the ANPD or by an Adequacy decision of the European Commission/GDPR); or

•        The offering of safeguards (Codes of Conduct, Standard Contractual Clauses, Seals/Certificates).

With consent:

•        Obtaining explicit and highlighted consent for the international transfer.

Synvia shall inform data subjects of the occurrence of international transfers, designating the dataset, the purpose, and the destination.

13. MONITORING AND UPDATING

Synvia is committed to revisiting this Policy periodically. All changes made shall be communicated in a timely manner through the Organization’s official channels.

14. COMMUNICATION VIA WHATSAPP

Synvia uses WhatsApp as an official communication channel with data subjects who have provided their telephone number through the Organization’s channels (volunteer registration, website forms, in-person service, or at the data subject’s own initiative through direct contact with Synvia’s official number).

14.1. Purposes. The messages sent via WhatsApp have the following purposes: (i) transactional communications related to clinical studies, including confirmations, reminders, pre-study guidance, and follow-ups; and (ii) disclosure of new studies under recruitment and Synvia’s institutional campaigns.

14.2. Legal basis. The processing of personal data for sending messages via WhatsApp is carried out on the basis of the data subject’s consent (Art. 7, I, of the LGPD), collected in a specific and highlighted manner within the channel itself, through express confirmation by the data subject (response “YES” or equivalent to a confirmation message previously sent by Synvia).

14.3. Optional nature and withdrawal. The provision of consent is optional. The data subject may withdraw it at any time, at no cost, by means of:

•        Sending the keywords EXIT, CANCEL, STOP, UNSUBSCRIBE, or STOP to Synvia’s official number;

•        Activating the unsubscribe button present in the message templates;

•        A request sent to the Data Protection Officer at dpo@synvia.com.

The withdrawal of consent immediately stops the sending of new messages, without prejudice to the legality of the processing carried out prior to the withdrawal.

14.4. Consent record. Synvia maintains, in its internal messaging system (Connect), an auditable record of consent and withdrawal operations, containing, at a minimum: identification of the data subject, telephone number, date and time of opt-in, channel of origin, version of the accepted text, current status, and, where applicable, the date and origin of the withdrawal.

14.5. Retention period. The consent record is kept for the period during which the data subject remains active as a message recipient and, after withdrawal, for up to 5 (five) years, for the purposes of complying with legal and regulatory obligations and the regular exercise of rights.

14.6. Questions. For questions regarding the processing of data through the WhatsApp channel, the data subject may contact Synvia’s Data Protection Officer at dpo@synvia.com.

15. MOBILE APPLICATIONS AND SOFTWARE

Synvia provides its own mobile applications and software to support its activities in clinical research, bioequivalence, toxicology, and diagnostics. This section explains, in a transparent manner, how we process personal data through these applications.

15.1. Types of User

Synvia’s applications may be used by three categories of user:

•        Clinical study participants, who are the subjects of the health data, in the case of ePRO;

•        Research professionals, namely investigators, sub-investigators, monitors, and regulatory staff;

•        Synvia’s internal administrative team and/or that of its partners.

15.2. Personal Data Collected by the Applications

Synvia’s applications are divided into two categories with respect to the collection of personal data, according to the user profile for which they are intended.

15.2.1. ePRO Application — used directly by the participant

The ePRO is intended for direct use by the clinical study participant. The application does not request identification data from the participant, since access is carried out through credentials previously provided and linked to the participant’s registration in the study, in accordance with the protocol approved by the Research Ethics Committee and other competent regulatory bodies.

The data collected by the ePRO are exclusively those provided for in the forms of the clinical study protocol in which the participant takes part. As defined in each protocol, this data may include:

•        Responses to validated clinical questionnaires (such as, for example, quality-of-life, pain, fatigue, and function scores, among others);

•        Reported symptoms (such as, for example, presence, intensity, frequency);

•        Medication adherence (such as, for example, times, doses, occurrences);

•        Adverse events reported by the participant;

•        Diaries of symptoms and habits relevant to the protocol;

•        Self-reported vital signs, where applicable to the protocol;

•        Other specific information provided for in the study protocol.

This data is classified as sensitive personal data (Articles 5, item II, and 11 of the Brazilian General Data Protection Law) because it concerns the health of the data subject. The association of the data with the participant occurs in Synvia’s internal systems through the participant’s unique identifier in the study (participant code), without the application requesting from the data subject any direct identification information such as name, taxpayer ID (CPF), email, or telephone contact.

15.2.1.1 Pseudonymization of Data

Whenever possible, the data collected through the ePRO will be processed in a pseudonymized manner, using a participant code or a unique study identifier. Information that allows the direct identification of the participant remains segregated in a controlled environment accessible only to authorized professionals.

15.2.2. Study management applications — used by Synvia’s internal team and/or partners

These applications are intended for use by Synvia’s research professionals (such as, for example, investigators, sub-investigators, monitors, coordinators, and other members of the regulatory and administrative team) for the conduct, management, and documentation of studies.

The personal data processed in these applications may include:

Data of the professional users of the application:

•        Full name;

•        Corporate email;

•        Role and activities performed in the study;

•        Unique user identifier in the system;

•        Audit records of use (date, time, and action performed).

Data of study participants, processed by the internal team:

•        Identification data collected during recruitment and screening for the study, in accordance with the approved clinical study protocol, which may include name, taxpayer ID (CPF), date of birth, contact information, and demographic data;

•        Health data of the participant collected by the Synvia team in accordance with the clinical study protocol (such as, for example, clinical history, test results, biomarkers, pharmacokinetic bioequivalence parameters, among others);

•        Unique identifier of the participant in the study (participant code).

15.2.3. Technical usage data (all applications)

All applications collect, in a transparent manner, the minimum technical data necessary for operation, security, and auditing:

•        Device identifier, for authentication and prevention of session duplication;

•        Date and time of access and actions performed in the application (audit record);

•        Application version, device model, and operating system, for technical support;

•        IP address, for security purposes;

•        Crash reports;

•        Application performance and diagnostic records;

•        Security and authentication events.

15.2.4. Data not collected

Unless expressly provided for in a specific addendum per application, Synvia does not collect in its applications: precise location (GPS), except when expressly provided for by the research protocol and previously informed to the participant; audio, video, or image recording, except when explicitly provided for by the clinical study protocol; the device’s contact list; browsing history; messages; or the user’s financial data.

15.3. Purpose of Processing

The data collected by the applications is processed exclusively for:

•        Collection, recording, and analysis of clinical research data in accordance with the clinical study protocol approved by the Research Ethics Committee (CEP) and other competent regulatory authorities;

•        Compliance with the requirements of national regulatory authorities, such as the Brazilian Health Regulatory Agency (ANVISA) and, where applicable, international agencies such as the FDA, EMA, and PMDA;

•        Communication with participants and study teams (such as, for example, reminders, guidance, follow-ups);

•        Ensuring the integrity, traceability, and auditability of the data (Good Clinical Practice — GCP);

•        Technical support for the use of the applications;

•        For the purpose of complying with contractual obligations entered into by Synvia with third parties.

15.4. Legal Basis

The processing of personal data by Synvia’s applications is based on the following legal bases:

For non-sensitive personal data:

•        Performance of a contract or preliminary procedures (Art. 7, item V, of the Brazilian General Data Protection Law), in the case of contracted research professionals;

•        Compliance with a legal or regulatory obligation (Art. 7, item II, of the Brazilian General Data Protection Law), especially for records required by ANVISA;

•        Consent of the data subject (Art. 7, item I, of the Brazilian General Data Protection Law), when the data subject is the study participant;

•        Protection of the life or physical safety of the data subject or a third party (Art. 7, item VII, of the Brazilian General Data Protection Law), when the data subject is the study participant.

For sensitive personal data (including health data of the participant):

•        Specific and highlighted consent of the data subject (Art. 11, item I, of the Brazilian General Data Protection Law), collected through the study’s Informed Consent Form (ICF), approved by the Research Ethics Committee and other competent regulatory bodies, and reinforced within the application itself upon first access;

•        Where applicable, compliance with a legal or regulatory obligation (Art. 11, item II, subitems “a” and “c”, if necessary, of the Brazilian General Data Protection Law).

15.5. Device Permissions

Synvia’s applications may request access to features of the user’s device. Each permission is justified as described below and is only collected after explicit authorization by the user at the time of use (there is no automatic collection in the background):

Application Permissions

For the proper functioning and security of the study, the application may request the following permissions on your device:

•        The notifications permission is used to send reminders to complete questionnaires, as well as communications related to the study.

•        The storage permission allows your responses to be saved locally on the device before submission, enabling the use of the application even without an internet connection (offline mode).

•        The camera permission is requested exclusively for capturing documents or images provided for in the study protocol, and is activated only when such functionality is applicable.

•        The biometrics/authentication permission is used to ensure secure user access to the application, through features such as facial recognition (Face ID) or fingerprint reader.

All permissions are used strictly for the purposes described above and can be managed at any time in your device’s settings.

Biometric authentication (Face ID, fingerprint) is processed and stored exclusively on the user’s own device. Synvia does not collect, transmit, or store biometric data on its servers.

The user may revoke any permission at any time in the device’s operating system settings. Revoking essential permissions may affect the application’s functionality (for example, without notification permission, the participant will not receive reminders to complete questionnaires).

15.6. Data Sharing

The data collected by Synvia’s applications may be shared with:

•        Clinical study sponsor: a natural or legal person, governed by public or private law, who supports the research through funding, infrastructure, human resources, or institutional support; the Sponsor is therefore the holder of the study and the primary recipient of the data;

•        Contract Research Organization (CRO): a legal person or organization contracted by a sponsor to perform one or more tasks and functions related to the clinical study;

•        Research site: the location where the activities related to the clinical study are conducted;

•        National System of Ethics in Research with Human Beings (SINEP), composed of the Research Ethics Committee (CEP) and the National Research Ethics Body (INAEP), in the exercise of their duties;

•        Regulatory authorities: ANVISA, FDA, EMA, PMDA, and equivalents, when required by law or by formal request;

•        Technology infrastructure providers (cloud computing, hosting, backup), subject to contracts with data protection clauses;

•        Judicial and administrative authorities, upon specific legal order.

Synvia does NOT share the data from the applications for advertising purposes, third-party marketing, sale of lists, credit scoring, or commercial behavioral profiles.

Part of the sharing described in item 15.6 may involve the transfer of personal data outside Brazil, such as, for example, when responding to international regulatory authorities (FDA, EMA, PMDA) or when using technology infrastructure providers located abroad.

These transfers are carried out in accordance with Articles 33 to 36 of the Brazilian General Data Protection Law. In such cases, Synvia adopts sufficient contractual and technical safeguards to ensure that the transferred data receives protection compatible with that required by Brazilian legislation.

15.7. Retention Period

The data collected by Synvia’s applications in the context of clinical studies will be retained for the following periods:

•        Primary study data (including ePRO responses and eCRF records): a minimum of 20 (twenty) years from the conclusion of the study, in compliance with Art. 41 of ANVISA Resolution RDC No. 9/2015, and, where applicable, another period may be required depending on international standards, observing the minimum period legally required for the retention of the study’s essential documentation;

•        Audit and traceability data: the same period as the primary data;

•        Technical application usage data (session logs, error telemetry): up to 24 (twenty-four) months after collection;

•        Data of research professionals (such as, for example, investigators, monitors): for the term of the contractual relationship with the study, plus the applicable limitation period.

15.8. Security

Synvia’s applications implement specific technical security measures, including:

•        Client-server communication via TLS 1.2 or higher (encryption in transit);

•        Encrypted local storage (encryption at rest) with keys linked to the user’s device;

•        Authentication by username/strong password or biometrics (Face ID / fingerprint);

•        Session control with automatic expiration due to inactivity;

•        Audit records of all relevant actions;

•        Periodic security updates distributed through the official stores (Google Play, Apple App Store).

15.9. Updates to the Applications and to This Section

Synvia may publish periodic updates to the applications and to this section. Material changes to this section will be notified to users through a prominent notice within the application itself, with a request for new consent when required by the Brazilian General Data Protection Law.

15.10. Your rights and how to exercise them

Under Article 18 of the Brazilian General Data Protection Law, the data subject may request, among other things, confirmation of the existence of processing, access to the data, the correction of incomplete or outdated data, portability, and information about sharing. In the context of clinical research, the exercise of certain rights may be limited by regulatory obligations (for example, the mandatory retention described in item 15.8).

To exercise your rights or clarify questions about the processing of data in the applications, contact Synvia’s Data Protection Officer (DPO): dpo@synvia.com. In addition to this email, study participants may also contact the study team as indicated in the Informed Consent Form (ICF).

PRIVACY POLICY


1. OBJECTIVE

This Privacy and Personal Data Protection Policy aims to provide guidance on how to manage the various activities and operations related to the processing of personal data at Synvia.

Through this document, the Synvia Group seeks compliance with the General Data Protection Law (Law No. 13.709/2018 - "LGPD") and other sectoral laws on the subject.

This Policy establishes Synvia's guidelines for safeguarding and using personal data that may be processed in its activities, referencing the General Data Protection Law and other national and international norms related to privacy and protection of personal data.


2. DEFINITIONS

For the purposes of this policy, the following definitions apply:

  • DATA PROCESSING AGENTS: The controller and the operator of personal data.

  • ANONYMIZATION: Use of technical means that are reasonable and available at the time of processing personal data, through which data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.

  • NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): Public administration agency responsible for ensuring, implementing, and supervising the compliance with the LGPD throughout the national territory.

  • CONTROLLER OF PERSONAL DATA: Natural or legal person, public or private, to whom the decisions related to the processing of personal data belong.

  • PERSONAL DATA: Information relating to an identified or identifiable natural person. Data used to form the behavioral profile of a particular natural person is also considered personal data.

  • SENSITIVE PERSONAL DATA: Personal data regarding racial or ethnic origin, religious conviction, political opinion, affiliation to a union or religious, philosophical, or political organization, data related to health or sexual life, genetic or biometric data when linked to a natural person.

  • DATA PROTECTION OFFICER (“DPO”): Natural or legal person designated by the Processing Agent to act as a communication channel between the Controller, data subjects, and the ANPD. Responsible for implementing the Compliance Program and conducting activities related to data protection in Synvia's Internal Controls and Compliance System.

  • SUPPLIERS: In the context of SYNVIA, suppliers are considered other contractors and subcontractors, whether natural or legal persons, not classified as commercial partners.

  • GENERAL DATA PROTECTION LAW (“LGPD”): Normative diploma (Law No. 13.709/2018) that provides for the processing of personal data in digital or physical means.

  • OPERATOR OF PERSONAL DATA: Natural or legal person, public or private, that carries out the processing of personal data on behalf of the Controller.

  • COMMERCIAL PARTNERS: Third parties contracted (natural or legal persons) who act on behalf of Synvia, such as: Consultants, Partner Organizations, and Commercial Agents.

  • THIRD PARTY: Any natural or legal person contracted by Synvia to develop or assist in the development of its activities (suppliers or commercial partners).

  • DATA SUBJECT (“SUBJECT”): Natural person to whom the personal data being processed refers.

  • PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation carried out with personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction).


3. APPLICABILITY

This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the legislation regarding personal data protection in all interactions with current and future data subjects, third parties, and external data processing agents to Synvia in the scope of its activities.

In addition to the concepts defined by the standards, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of Synvia, in any type of media. This includes personal data recorded on paper, maintained in computer systems or portable devices, as well as personal data transmitted orally.


4. SPECIFIC OBJECTIVES

The objectives of the Privacy and Personal Data Protection Policy are:

  1. To establish the guidelines and responsibilities of Synvia that ensure and reinforce the Organization's commitment to complying with applicable legislation;

  2. To describe the rules to be followed in conducting activities and operations for processing personal data carried out by Synvia and the recipients of this Policy.

This Policy must be read in conjunction with the obligations set forth in the following documents:

  • Employment contracts of Synvia employees;

  • Information Security policies and procedures;

  • All internal norms regarding the protection of personal data that may be developed and updated.


5. PRINCIPLES OF PRIVACY AND DATA PROTECTION

Synvia will comply with the following principles when processing personal data:

  • PURPOSE: Processing only for legitimate, specific, explicit, and informed purposes to the subject, without the possibility of incompatible subsequent processing.

  • COMPATIBILITY: Processing compatible with the informed purposes and according to the context.

  • NECESSITY: Processing limited to the minimum necessary (pertinent, proportional, and non-excessive data).

  • FREE ACCESS: Facilitated and free consultation regarding the form, duration of processing, and completeness of the data.

  • DATA QUALITY: Guarantee of accuracy, clarity, relevance, and up-to-date information of the data.

  • TRANSPARENCY: Clear, precise, and easily accessible information about processing and the processing agents.

  • SECURITY: Technical and administrative measures capable of protecting personal data.

  • PREVENTION: Adoption of measures to prevent the occurrence of harm.

  • NON-DISCRIMINATION: Inability to process for illicit or abusive discriminatory purposes.

  • ACCOUNTABILITY: Demonstration of the adoption of effective measures to comply with the regulations.


6. LEGAL BASES FOR PERSONAL DATA PROCESSING

All processing operations will have a legal basis that legitimizes their execution. Synvia may carry out the processing of personal data:

  1. By providing consent from the subject;

  2. For compliance with legal or regulatory obligation;

  3. For conducting studies by a research agency;

  4. When necessary for the execution of a contract or preliminary procedures;

  5. For the regular exercise of rights in judicial, administrative, or arbitral processes;

  6. For the protection of life or physical integrity of the subject or third party;

  7. For the protection of health (in procedures performed by health professionals/health authority);

  8. When necessary to meet the legitimate interests of Synvia or third parties;

  9. For the protection of credit.

Synvia will maintain records of its processing operations, which may be consulted by the data subject and competent public authorities.


7. LEGAL BASES FOR PROCESSING SENSITIVE DATA

Synvia is committed to safeguarding and taking special care in the processing of sensitive personal data and financial data. Data of children and adolescents will be treated with the same level of care.

The processing of sensitive data may only be carried out:

  • With consent: When the subject or legal representative consents, specifically and prominently.

  • Without consent: In cases where it is indispensable for:

    • Compliance with legal or regulatory obligation;

    • Conducting studies (ensuring anonymization whenever possible);

    • Regular exercise of rights (contract, judicial, administrative, arbitral processes);

    • Protection of life or physical integrity;

    • Health protection;

    • Guaranteeing the prevention of fraud and security of the subject (identification and authentication in systems).


8. RIGHTS OF PERSONAL DATA SUBJECTS

Synvia reaffirms its commitment to respecting the rights of data subjects:

  • RIGHT TO CONFIRMATION: Confirm the existence of processing of their data.

  • RIGHT OF ACCESS: Request and receive a copy of the collected data.

  • RIGHT TO CORRECTION: Request correction of incomplete, inaccurate, or outdated data.

  • RIGHT TO DELETION: Request the deletion of data (unless there is a legitimate reason for maintenance).

  • RIGHT TO SUSPEND ILLEGAL PROCESSING: Request anonymization, blocking, or deletion of unnecessary or excessive data.

  • RIGHT TO OBJECT: Object to processing not based on consent (analyzed according to LGPD criteria).

  • RIGHT TO PORTABILITY: Request availability of the data to another supplier.

  • RIGHT TO WITHDRAW CONSENT: Withdraw previously given consent (without affecting the legality of prior processing).


9. DUTIES FOR APPROPRIATE USE OF PERSONAL DATA

Duties of Data Subjects

  • Notify Synvia of any modifications to their personal data (e.g., change of address).

  • Notify via email: protecaodedados@synvia.com.

Duties of Synvia Employees

  • Data sharing between companies of the Synvia Group is only permitted if the purpose, legal basis, and principle of necessity are respected.

  • Do not provide access to data for unauthorized persons.

  • Obtain the necessary authorization and documents that demonstrate the competence for processing.

  • Comply with information security standards.

Duties of All Recipients

Contact the Synvia DPO in case of suspicion or occurrence of:

  1. Operation without legal basis;

  2. Processing without authorization;

  3. Non-compliance with the Information Security Policy;

  4. Unauthorized deletion/destruction of data;

  5. Any other violation of this Policy.


10. RELATIONSHIP WITH THIRD PARTIES

Considering the joint liability provided for in the LGPD, Synvia will make the best efforts to ensure that third parties comply with applicable legislation.

All contracts with third parties must contain clauses related to the protection of personal data, being reviewed and submitted for approval by the appointed person and technical team.


11. INFORMATION SECURITY

The security standards are contained in the Information Security Policy of Synvia. The organization is committed to employing appropriate technical and organizational measures to protect data against unauthorized access, loss, destruction, and improper sharing.


12. INTERNATIONAL TRANSFER OF DATA

Synvia may transfer data to other countries under the following conditions:

Without consent (when authorized to process data on another legal basis):

  • Country with an adequate level of protection (by the ANPD or adequacy decision of the European Commission/GDPR); or

  • Provision of safeguards (Codes of Conduct, Standard Contractual Clauses, Seals/Certificates).

With consent:

  • Obtaining explicit and prominent consent for the international transfer.

Synvia will inform the data subjects about the occurrence of international transfers, designating the set of data, the purpose, and the destination.


13. MONITORING AND UPDATING

Synvia is committed to revisiting this Policy periodically. All changes made will be communicated promptly through the Organization's official channels.

Operational Procedure List

Standard Operating Procedures (SOPs)