PRIVACY

IEST Privacy and Data Protection Policy

We value the privacy and security of the information of our clients, partners and employees. This policy sets out the commitments and practices adopted by IEST Group for the collection, use and protection of personal data.

I. Introduction and Purpose

This policy guides the management of personal data processing activities within IEST Group and its related companies and forms an important element of our compliance with Brazil's General Data Protection Law (LGPD). Through this document we seek to ensure that all processing operations are lawful, transparent and oriented to the best interests of data subjects.

In its daily operations IEST Group may act either as a data controller or as a data processor, and we are committed to handling information responsibly in both roles. We therefore continuously interpret applicable regulations, identify risks and adjust internal processes so that they remain aligned with the law.

This policy should be read together with other internal rules and contractual obligations, such as the information security policy, confidentiality agreements and other documents dealing with privacy and data protection within IEST Group.

II. Terms and Definitions

  • PERSONAL DATA: Information relating to an identified or identifiable natural person, including data that can be used to build a behavioural profile.
  • SENSITIVE PERSONAL DATA: Data relating to racial or ethnic origin, religious belief, political opinion, trade union membership, health or sex life, as well as genetic or biometric data linked to a natural person.
  • NATIONAL DATA PROTECTION AUTHORITY (ANPD): Public authority responsible for overseeing, implementing and enforcing the LGPD throughout Brazil.
  • GENERAL DATA PROTECTION LAW (LGPD): Law nº 13.709/2018, which regulates the processing of personal data in digital or physical media by natural or legal persons, in both the public and private sectors.
  • PROCESSING AGENTS: The data controller and the data processor.
  • CONTROLLER: Natural or legal person who is responsible for decisions regarding the purposes and means of processing personal data.
  • PROCESSOR: Natural or legal person who processes personal data on behalf of the controller.
  • PROCESSING: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation, communication, transfer or disclosure.
  • ANONYMISATION: Use of technical means through which data can no longer be associated, directly or indirectly, with an individual.
  • DATA SUBJECT: Natural person to whom the personal data that are processed refer.
  • DATA PROTECTION OFFICER (DPO): Person appointed by the processing agent to act as a communication channel between the controller, data subjects and the ANPD.
  • SUPPLIERS: Third parties or subcontractors, whether individuals or legal entities, that are engaged by IEST Group and are not classified as business partners.

III. Scope of the Policy

This policy applies to IEST Group employees, to all third parties acting for or on behalf of the group in operations involving personal data, and to data subjects whose information is processed by the organisation.

The policy covers personal data relating to clients, records generated in the course of operations and information on employees or partners, regardless of whether they are stored on paper, in electronic systems or transmitted verbally.

Information may arise from the performance of contracts, legal obligations or the provision of services, and may include names, contact details, tax and banking information, among others. Additional privacy rules required for specific services will be set out in the respective contracts or documents.

IV. Privacy and Data Protection Principles

  • Purpose limitation: data are processed only for legitimate, specific purposes that are communicated to the data subject in advance.
  • Adequacy: processing activities must be compatible with the purposes and the context in which the data were collected.
  • Necessity: collection and use are limited to the minimum amount of data required to achieve the stated purposes.
  • Free access: data subjects may easily consult information about the processing of their data and the respective retention periods.
  • Data quality: stored data must be accurate, clear and kept up to date as necessary.
  • Transparency: clear and accessible information is provided to data subjects about the processing and the parties involved.
  • Security: technical and organisational measures are used to protect data against unauthorised access and incidents.
  • Prevention: practices are adopted to proactively reduce the likelihood and impact of damage arising from processing.
  • Non‑discrimination: data may not be used for unlawful or abusive discriminatory purposes.
  • Accountability: IEST Group is committed to demonstrating the measures adopted to comply with data protection rules and to continuously improving privacy practices.

V. Guidelines

  • 1. Initial provisions: IEST Group undertakes to safeguard privacy, ensure transparency, adopt good practices and implement measures to prevent and manage possible security incidents.
  • 2. Information covered: includes all client data required to provide services and information about employees and partners collected to comply with legal or contractual obligations.
  • 3. Data collection and purposes: information is collected by lawful and ethical means, stored in a controlled environment and shared with other companies only when necessary to perform contracts or comply with the law, or with proper authorisation.
  • 4. Third‑party relationships: all contracted third parties must comply with this policy and may only process data within the limits authorised by IEST Group.
  • 5. Information security: the group adopts physical and logical security controls, continuously improves technologies and uses compliant systems and processes to protect data.
  • 6. Cooperation with authorities: where disclosure of data is required by law or by regulators, we will provide information only within the necessary limits and will endeavour to inform the data subjects whenever possible.
  • 7. Changes: this policy may be updated to meet legal requirements or operational needs, and the latest version will be published on our website. Continued use of our services implies agreement with the new terms.

VI. Cookie Policy

Cookies are small text files stored on your device when you visit a website. They are used to remember preferences, improve the user experience and perform statistical analysis.

IEST Group uses cookies to tailor content, measure campaign performance and support social media features. Users can adjust cookie settings in their browser, but disabling essential cookies may affect the functioning of the website.

  • Strictly necessary cookies: ensure the basic functioning of the website and secure access to certain areas.
  • Functional cookies: remember user preferences, such as selected language or custom settings.
  • Performance cookies: collect statistics on website use and help identify errors, without storing information that directly identifies the user.
  • Advertising and marketing cookies: personalise ads based on browsing behaviour and allow the creation of similar audiences; consent can be withdrawn at any time in the settings.

VII. Consequence Management

Anyone who identifies a breach may report it to rcorinti@iestgroup.com, with or without identification. Incidents involving personal and sensitive data must be promptly communicated to the Data Protection Officer (DPO).

VIII. Rights of Data Subjects

You may contact rcorinti@iestgroup.com to request correction or deletion of your data, or to report any improper use. Where legal or contractual obligations require us to retain information, we will continue to process it strictly for the authorised purposes.

IX. Responsibilities

All managers, employees and third parties must comply with this policy and consult the DPO whenever necessary. The Data Protection Committee is responsible for keeping this document up to date, answering queries and liaising with the ANPD and data subjects.

X. Complementary Documentation

  • Article 5 of the 1988 Federal Constitution of Brazil;
  • IEST Group's General Information Security Policy and its annexes;
  • Internal regulations of the IEST Group Data Protection Committee;
  • IEST Group service agreements and related clauses;
  • Complementary Law nº 105/2001, Law nº 13.709/2018 and internal rules approved and continuously improved.

XI. General Provisions

The IEST Group Data Protection Committee may update this policy whenever necessary. This document takes effect on the date of its approval and revokes any previous provisions that conflict with it.

São Paulo, 28 March 2025.