Privacy policy

1.

DEFINITIONS

1.1

Capitalized terms shall have the meaning defined in accordance with the Terms of Use or applicable legislation. Below are some definitions used throughout this Privacy Policy:

"User" or "You": any person, whether a legal entity or a natural person accessing the Platform on behalf of a legal entity, who inputs Personal Data on the Platform upon acceptance of the Terms of Use and this Privacy Policy;

"Client": companies that contract and use the Platform and the Product, sharing Anonymized Data of their employees, which will subsequently be integrated into the Product;

"Platform": the comp.vc website as well as any applications, widgets, software, tools, and other services offered by COMP to make the Product available;

"Product": a solution, accessed through the Platform, that instantly provides reliable and accurate information on compensation, benefits, and career plans for employees;

"Terms of Use": General Terms and Conditions of Use of the COMP Product available at https://trycomp.io/termos;

"Personal Data": data that identifies or makes identifiable a natural person;

"Sensitive Personal Data": Personal Data concerning racial or ethnic origin, religious conviction, political opinion, membership in a trade union or religious, philosophical, or political organization, data relating to health or sexual life, genetic or biometric data, when linked to a natural person;

"Anonymized Data": any data relating to a Data Subject who cannot be identified, considering the use of reasonable and available technical means at the time of Processing;

"Controller": a natural or legal person responsible for decisions regarding the Processing of Personal Data;

"Independent Controllers": two or more natural or legal persons with decision-making power over the Processing of Personal Data, where each Controller separately and independently defines the purposes and manner of Processing, each being responsible for the Processing carried out within their scope of activity;

"Processor": a natural or legal person that carries out the Processing of Personal Data on behalf of the Controller;

"Cookies": browsing files that temporarily store information about what the User is visiting on a particular website or application;

"Data Subject": the natural person to whom the Personal Data being Processed refers;

"Processing": any operation or set of operations performed on Personal Data or sets of Personal Data, whether by automated means or not, such as, but not limited to, collection, use, access, organization, consultation, production, alteration, reception, classification, utilization, reproduction, communication, transmission, distribution, processing, archiving, recording, structuring, storage, adaptation, retrieval, transfer, dissemination, combination, restriction, deletion, evaluation or control, modification, elimination, or extraction;

"Data Protection Legislation": while in effect, the Brazilian General Data Protection Law (Law No. 13,709/2018 or "LGPD"), its subsequent amendments, and any other laws and regulations relating to the Processing, protection, and privacy of Data that are applicable and, if applicable, all guidelines, rules, regulations, ordinances, and codes of practice and conduct issued by the National Data Protection Authority ("ANPD") or other relevant supervisory or data protection authority.

"Personal Data Breach": an information security breach that results in the accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access to Personal Data transmitted, stored, or otherwise Processed by COMP or by an authorized subcontractor;

"Consent": a free, informed, and unambiguous expression by which a natural person agrees to the Processing of their Personal Data for a specific purpose.

2.

WHAT DATA IS COLLECTED?

2.1

Data collected and data sets. COMP collects and processes various types of Personal Data when Users access, register, and use the Platform in accordance with the Platform's functionalities. Some of this data is (i) collected automatically by Us (such as information collected from the device used to access the Platform; geolocation information; access records, Platform usage information, Cookie information or similar technologies, statistical information, and aggregated data), (ii) provided directly by Users (such as registration and identification data, information entered by Users on the Platform, and information shared by Users when contacting us or interacting with other Users), and (iii) other data provided to Us by third parties, such as employee names for the provision of recognition cycle services, always in compliance with Data Protection Legislation. See here the Personal Data we collect:

2.2

Benchmark Product and other Products. It is the Client's responsibility to share their employees' data in a non-identifiable, i.e., anonymized form, it being certain that the following are not shared with COMP, including, without limitation, name, CPF (Brazilian individual taxpayer registry) and RG (Brazilian identity card) or any other document with a unique identity or that allows the identification of the Client's employee. COMP may use such anonymized data, provided through the Platform or in the context of providing any Product or Service, for statistical purposes, market intelligence generation, and composition of comparative benchmarks, provided that effective anonymization is guaranteed.

2.3

Recognition Cycle Product. The Client shares Personal Data of its employees with COMP, such as salary and job title, when contracting the recognition cycle platform service. Since this involves the sharing of Personal Data for use of the platform, the Client is responsible for all decisions regarding the Processing. In this regard, the Client is the Controller of the Personal Data and COMP acts as a mere Processor. Therefore, if you have questions about the use of your data by our Client, please refer to your employer's Privacy Policy.

2.4

Accuracy and Quality of Processed Personal Data. Users are solely responsible for ensuring the accuracy, clarity, relevance, and timely updating of the information provided, as needed, and COMP has no obligation to investigate the accuracy of the information submitted.

2.5

Confidentiality of Registration Personal Data. Users are co-responsible for the confidentiality of their Personal Data. Sharing access passwords, login credentials, and other Personal Data that enable access to their account on the Platforms violates this Privacy Policy and our Terms of Use.

3.

HOW IS THE DATA USED?

3.1

COMP will use the Personal Data described in the item above for the following purposes and in accordance with the applicable legal basis:

3.2

Data of minors under 18 years of age. COMP does not intentionally collect information from minors under 18 (eighteen) years of age, except with prior consent from the minor's legal guardian, in which case the processing will occur for the purpose indicated in the consent obtained. If You identify that Personal Data of a minor under 18 years of age is being displayed in content published on the Platform or that a User is under 18 years of age, we request that You notify COMP so that we can remove said content from the Platform and/or delete the User's account, as applicable.

3.3

Other Processing Activities. Regarding other Data Processing activities carried out by COMP, these will be based, as applicable to each case, on the following legal grounds: for the performance of a contract or preliminary steps; for compliance with legal or regulatory obligations; for the exercise and defense of COMP's rights and interests; or based on a legitimate interest of COMP, always considering and respecting the fundamental rights and guarantees assured to the Data Subject; or further, based on Consent, when expressly requested by the Platform.

4.

HOW WE STORE THE INFORMATION COLLECTED

4.1

Security. COMP will do everything possible to keep Personal Data secure at all times and will adopt security and protection measures, both technical and administrative, compatible with the nature of the Data collected, used, stored, or otherwise Processed by COMP, in accordance with appropriate market practices.

4.1.1

Exceptions. However, no method of electronic data transmission or retention is fully secure and may be subject to external attacks. Therefore, COMP cannot guarantee that such security measures are free from errors or not subject to interference by third parties (hackers, among others). By their nature, despite COMP's best efforts, any security measure may fail and any Data may become public. BY USING THE PLATFORM, USERS UNDERSTAND AND EXPRESSLY ASSUME THIS RISK AND AGREE THAT COMP SHALL NOT BE LIABLE FOR SUCH TYPE OF LEAK OR UNAUTHORIZED ACCESS TO DATA.

4.1.2

The security measures described above apply to User Data only from the moment COMP receives it and while it remains under COMP's custody. The operation and security of the device that Users use to access the Platform, as well as third-party networks through which data travels, are not the responsibility of COMP.

4.2

Servers. For the entire time that Users maintain their account on the Platform active, all collected information will be stored with high security standards on proprietary or third-party servers, located in Brazil and/or abroad. The User hereby acknowledges that COMP may store their Personal Data on servers outside Brazil and/or use service providers that are not located in Brazilian territory. In such cases, COMP will comply with the legal requirements for such international transfers, ensuring the same level of security applied to Processing carried out in Brazilian territory.

4.3

Storage period. Personal Data will be retained for as long as necessary for the purposes listed in this Privacy Policy. COMP adopts controls to ensure that Data is retained only for as long as it is actually necessary, being discarded whenever Processing has ended or no legal retention ground applies. In addition, data may be retained for a longer period, when necessary, for the eventual compliance with legal/regulatory obligations.

4.4

Data Deletion. When we no longer need to use Personal Data, it will be removed from our systems and records or anonymized, so that COMP can no longer be identified from such data, at COMP's sole discretion. COMP may retain some Personal Data to comply with legal or regulatory obligations, as well as to enable and ensure the regular exercise of our rights (for example, in judicial, administrative, or arbitral proceedings). For audit, security, fraud control, and rights preservation purposes, COMP may retain the history of Personal Data records for a longer period in cases where the law or regulatory rule so establishes or for the preservation of rights.

4.5

LIMITATION OF LIABILITY. NOTHING IN THIS PRIVACY POLICY IS INTENDED TO EXCLUDE OR LIMIT ANY CONDITION, WARRANTY, RIGHT, OR LIABILITY THAT CANNOT BE LEGALLY EXCLUDED OR LIMITED. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR CONDITIONS OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR LOSSES AND DAMAGES. CONSEQUENTLY, ONLY THE LIMITATIONS PERMITTED BY LAW IN YOUR JURISDICTION SHALL APPLY TO YOU. IN CASES WHERE EXCLUSION OF LIABILITY IS NOT POSSIBLE, BUT LIMITATION OF LIABILITY IS LEGALLY APPLICABLE, COMP'S TOTAL LIABILITY SHALL BE LIMITED TO BRL 1,000.00 (ONE THOUSAND REAIS).

5.

RIGHTS OF DATA SUBJECTS

5.1

COMP provides tools for Data Subjects to exercise their legal rights over their Personal Data. In this section, we will describe these rights and how Data Subjects can exercise them.

5.1.1

Confirmation of the existence of processing: Data Subjects may confirm whether COMP is Processing their Personal Data;

5.1.2

Access to Personal Data: Data Subjects may access their Personal Data, including requesting a copy of the Processed Data;

5.1.3

Correction of incomplete, inaccurate, or outdated Data: Data Subjects may request the amendment or correction of their Personal Data that is found to be incorrect;

5.1.4

Anonymization, blocking, or deletion: Data Subjects may request the anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data under Data Protection Legislation;

5.1.5

Portability. Data Subjects may request the portability of their Data through the service channels indicated in this Privacy Policy;

5.1.6

Deletion of Personal Data. Data Subjects may request the deletion of their Personal Data processed by COMP when such data was collected and processed based on their consent, through the Platform itself or by request through the service channels indicated in this Privacy Policy;

5.1.7

Information about sharing. Data Subjects may request information about which public and private entities COMP has shared their Personal Data with, under the terms of this Privacy Policy;

5.1.8

Information about the possibility of not consenting. Data Subjects receive through this Privacy Policy and may request, through the service channels, information about the possibility of not consenting to the Processing of Personal Data and its potential consequences, including regarding the impossibility of COMP providing its services;

5.1.9

Revocation of Consent. Data Subjects may, at any time and at their discretion, revoke previously granted Consent for the Processing of Personal Data, with the processing carried out based on such consent remaining valid up to that point.

5.2

Exercise of rights. The rights mentioned above and others provided for in applicable legislation may be exercised by the Data Subject directly through the Platform, according to the functionalities made available therein (such as tools for accessing and editing Personal Data) or by sending a request to the email pedro@comp.vc. COMP reserves the right to request information or documents to verify the requester's claims.

5.3

Consequences of data deletion. It is important to note that, in some cases, upon fulfilling potential deletion requests, COMP may become unable to provide its services. Therefore, the request for deletion of Personal Data will result in the immediate deactivation of the User's account on the COMP Platform, with permanent loss of any such Data entered on the Platform. After the deletion of such Personal Data, COMP may continue to use it in a non-individualized and anonymized form, that is, without any personal identification, for the purposes set forth in this Privacy Policy.

5.4

Data retention. COMP may retain the Personal Data of certain Users for a period longer than the legal retention period, in compliance with potential orders from public authorities, to defend itself in judicial and/or administrative proceedings, and in cases where the Personal Data has been duly anonymized.

IN COMPLIANCE WITH APPLICABLE LEGISLATION OR COURT ORDERS, COMP MAY RETAIN CERTAIN PERSONAL DATA FOR A PERIOD OF NO LESS THAN 6 (SIX) MONTHS AFTER YOUR DELETION REQUEST. SUCH DATA WILL NOT BE ANONYMIZED OR DESTROYED BY COMP BEFORE THE CONCLUSION OF THIS PERIOD. COMP WILL STORE YOUR DELETION REQUEST AND, SUBJECT TO THE MANDATORY LEGAL RETENTION PERIOD FOR CERTAIN DATA, WILL PROCEED WITH THE DESTRUCTION OR ANONYMIZATION, AT COMP'S SOLE DISCRETION, OF INFORMATION CAPABLE OF IDENTIFYING THE USER. IF THE USER REQUESTS THE DELETION OF THEIR INFORMATION BUT STILL HAS ANY PENDING OBLIGATION WITH COMP, THEIR INFORMATION WILL NOT BE DELETED AND WILL REMAIN STORED FOR THE PURPOSE OF ENABLING THE RESOLUTION OF THE PENDING MATTER AND THE ADOPTION OF APPROPRIATE MEASURES.

5.5

Failure to provide consent in cases where it is required may prevent COMP from providing its services or certain functionalities of the Platform from being used by the User.

6.

CONTACT WITH COMP

6.1

In case of questions, suggestions, complaints, or clarifications regarding this Privacy Policy or the Processing of Personal Data by COMP, or to request the exercise of any of the rights described in this Privacy Policy or in the Data Protection Legislation, the User may contact COMP via the email: pedro@comp.vc. COMP will be happy to clarify any questions and/or fulfill your request.

7.

DATA SHARING WITH THIRD PARTIES

7.1

Processing Operators. COMP may engage third parties to assist in providing its services, such as cloud storage servers and payment processing platforms. Currently, COMP shares your Data with infrastructure providers (servers, hosting, and cloud services) for the proper functioning of the Platform, IT service providers, and partners related to payment processing, which providers, however, may be replaced at any time, provided that adequate data security and confidentiality standards are maintained. COMP, as the Data Controller, will require such Operator partners to maintain adequate levels of security and confidentiality.

7.2

Third-Party Services. During the use of the Platform, Users may use other services, channels, products, and platforms provided, maintained, and/or operated by third parties, used as channels or means of support for the services provided by COMP, but without any relationship with COMP ("Third-Party Services"). These Third-Party Services may include, for example, payment platforms, file-sharing tools, among others. When COMP's services use such Third-Party Services, the processing of Personal Data will also be subject, in addition to this Privacy Policy, to the privacy policies and terms of use of such Third-Party Services, over which COMP has no control or authority. In such cases, COMP and the third party will be Independent Controllers of Personal Data, each being responsible for the Processing of Personal Data carried out within their scope of activity. With respect to COMP, even when Personal Data is received by such Third-Party Services, such Personal Data will always be processed in accordance with this Privacy Policy. However, we encourage the User to learn about the policies applicable to such Third-Party Services, since COMP has no authority over the relationship between the User and such Third Parties and is not responsible for the use made by such Third Parties of the User's Personal Data entered by Users in the Third-Party Services.

7.3

Other Third Parties. In addition to the situations already mentioned in this Privacy Policy, Personal Data may also be transferred to third parties, including in the capacity of Controllers, in the following cases:

7.3.1

New Business. Personal Data may be transferred to and between COMP affiliates and/or in the context of acquisition, sale, merger, corporate reorganization, or any other corporate change of COMP. In such cases, COMP will ensure that the person, natural or legal, who accesses or assumes control over the Processed Data, under the terms of this Privacy Policy, is also bound by it, ensuring the continuity of Personal Data protection, and notifying Users in advance if such transfer entails any change to the Privacy Policy.

7.3.2

Regular exercise of rights through administrative, judicial, or extrajudicial means. COMP may share Personal Data with third parties such as law firms, consultancies, collection agencies, accounting firms, and similar entities, for the purpose of exercising its own rights or ensuring the compliance with and enforcement of this Privacy Policy and the Terms of Use.

7.3.3

Judicial or Administrative Request. COMP may share Personal Data in the event of a judicial or administrative request.

7.3.4

Compliance with legal or regulatory obligation. COMP may share Personal Data with governmental bodies, authorities, and other public entities, as well as with natural or legal persons of a private nature, in compliance with legal or regulatory obligations.

7.3.5

With the User's authorization. In other cases, where there is a need to share information, we will send the User a notification requesting their Consent.

7.4

Legal basis for sharing. The sharing of Data with such third parties will always be carried out with the User's Consent or (i) for the regular exercise of COMP's rights, (ii) for compliance with legal obligations, (iii) for the performance of a contract, or (iv) based on COMP's legitimate interest (in the latter case, excluding the User's Sensitive Data), or any other applicable legal basis.

8.

INTERNATIONAL TRANSFERS

8.1

In order to optimize the efficiency, performance, and security of the Platform, COMP may use a global-scale technical infrastructure and have service providers not only in Brazil but also abroad. Therefore, your Personal Data, including Sensitive Personal Data, may be transferred to other countries for Data Processing and storage, in accordance with the terms and purposes defined in this Privacy Policy, as well as for the provision of the services requested by You. COMP may transfer your Personal Data to service providers, who will Process Personal Data on behalf of COMP and in accordance with our instructions.

8.2

Laws on privacy and Personal Data protection vary from country to country, and data protection standards in other countries may differ from those existing in Brazil. Nevertheless, COMP will make every effort to ensure the level of data protection stated in this Privacy Policy, in accordance with applicable laws.

9.

COOKIES

9.1

COMP may use Cookies and similar technologies, such as pixels and tags, to ensure that the services provided meet quality standards. Cookies collect only statistics and will not be used for purposes other than those expressly provided for in this Privacy Policy.

9.2

What are Cookies and what are they for? A Cookie is a small file added to your device or computer to provide a personalized experience when accessing the Platform. COMP may use Cookies:

9.2.1

Necessary: Cookies that enable the use of the Platform and without which the Platform may not function properly. As such Cookies are necessary, they are used based on the performance of the contract between COMP and the User.

9.2.2

Functional: Cookies that activate additional functions or enable access to certain specific sections of the Platform. The use of such Cookies is not absolutely necessary for using the service, but if you choose to disable them, the User may have reduced functionality, so the use of these Cookies is based on your consent when activating such functions.

9.2.3

Performance: Cookies used to measure and improve the performance of a particular web page and specific content contained on the page.

9.2.4

Third-Party Cookies: The Platform uses plugins from websites, applications, and other third-party services. Cookies used by these third parties may be stored in the User's browser. Each third-party website has its own privacy policy and personal data protection policy, and the natural or legal persons that maintain them are responsible for the Data collected and the privacy practices adopted. The User may research, on third-party websites, information about how their Personal Data is Processed.

COMP HAS NO CONTROL OR AUTHORITY OVER THESE THIRD-PARTY WEBSITES AND SHALL NOT BE RESPONSIBLE FOR THE CONTENT, PRACTICES, AND SERVICES OFFERED BY ANY THIRD PARTIES, NOR FOR THE PROCESSING OF YOUR PERSONAL DATA BY THESE WEBSITES, EVEN WHEN THE LINKS ARE PRESENT ON THE COMP PLATFORM.

9.3

Is it possible to limit the use of Cookies? Browsers generally allow the disabling of Cookie collection. Therefore, if you do not change the Cookie collection policies of your browser, the User may object to such Processing by adjusting their browser settings to reject Cookies.

10.

USER'S RESPONSIBILITY IN PROTECTING THEIR DATA

10.1

Notwithstanding our keeping Personal Data confidential, in accordance with the terms of this Privacy Policy, it shall be each User's responsibility to keep their login credentials and account access password on the Platform secure and confidential.

10.2

If the User believes that their login credentials and account access password on the Platform have been improperly accessed by third parties or are known to other unauthorized persons, for any reason, the User must immediately notify COMP via the email pedro@comp.vc, without prejudice to immediately changing the password through the Platform.

11.

PRIVACY POLICY UPDATES

11.1

COMP may, at any time, amend this Privacy Policy at its sole discretion. Any changes will be communicated with 30 (thirty) days' notice, through the Platform itself and/or the email provided by the User, and/or we will highlight these changes at the top of these Terms of Use and provide, for a reasonable period, a prominent link to such changes. The User should check this page and review this Privacy Policy periodically to ensure they agree with the modifications.

11.2

Except when express Consent is required, if the User continues to use the Platform and/or does not object to the changes and new terms communicated by COMP after 30 (thirty) days from the publication of the new version of the Privacy Policy, it will be understood that they are fully aware of and agree to the new terms applicable to the Processing of Personal Data. If the User does not agree with the changes to the Privacy Policy, they must refrain from using the Platform and may request the cancellation of their account, in accordance with the Terms of Use.