PRIVACY POLICY STATEMENT 

1. Haganá Group companies are aware of and in line with the principles of the Data Protection
General Law. In this sense, Haganá Group companies will take the necessary measures, hence,
will follow all procedures in order to ensure that all their employees, contractors, third parties,
consultants, partners and others, which for this purpose will, hereinafter, be called Data
Operators, who may have access to any Personal Data held by or on behalf of the Haganá
Group companies are fully aware that they must comply with their obligations in accordance
with the terms established by the Data Protection General Law;

2. Haganá Group companies respect the privacy rights of any person who may entrust them with
the custody of their personal data, simply because Haganá Group respects and complies with
the legislation that regulated the protection of personal data. Haganá Group in centered in
properly treating any person’s personal data, following the legal and appropriate dictates. It
considers the preservation and safe custody of any information to be of utmost importance,
whether for the continuance of its activities or the application of any information to carry out
its operations, as well as to maintain the loyalty and trust that must exist with those with
whom we maintain any type of relationship. In this sense, it is our understanding that this
Policy encompasses all personal data collected, processed, shared or used by Haganá Group;

3. Haganá Group, in the exercise of its activity, may have the need to collect and use information
concerning the people with whom it maintains any type of relationship, be it commercial or
labor, in order to operate and carry out its activities. This procedure includes all people,
whether they are public, current, former and potential employees, customers and suppliers, as
well as people who make direct or indirect use of the services we perform. These personal data
must be processed, regardless of how they are collected, recorded and used, whether on
paper, computer records or obtained by any other means.

4. Managers of each Department of Haganá Group companies are responsible for
observing this Policy within their area of expertise and functional or commercial responsibility,
to lead by example and provide guidance to all their subordinates who are, for all legal
purposes, recognized as Data Operators who must report to their respective superior. For all
purposes, all Data Operators are responsible for observing the principles and rules established
in this Policy and must recognize whether they are collecting, processing, sharing or making
use of personal data. Data Operators must be aware of the general privacy requirements and
principles that govern personal data and know when to refer problems to the Data Protection
Officer (DPO).

5. This Policy explains the data privacy principles considered sensitive for the protection of
personal data and how these principles should be implemented.

6. The Data Protection General Law establishes the rules for the processing of any personal data.
In addition, it distinguishes between personal data and sensitive data. In short, it is our
understanding that personal data can be defined as any information relating to an identified or
identifiable individual. In other respects, data considered sensitive are defined as personal data
consisting of information about:

• Racial or ethnic origin;
• Political opinion;
• Religious / philosophical beliefs;
• Union affiliation;
• Health or physical or mental condition;
• Sexual life or sexual orientation; and,
• Biometric data.

7. All personal data processed by data operators must comply with the following processing
steps. The steps that must be followed consist of personal data being:
• Processed legally, fairly and transparently relating to the holders of the collected data;
• Collected for specified, explicit and legitimate purposes and not processed in a
manner incompatible with the intended purposes;
• Maintained in such a way that it is possible to identify data holders for no longer than
necessary in order to guarantee adequate security of personal data. That includes
protection against unauthorized or illegal processing and against accidental loss,
destruction or damage, using appropriate technical or organizational measures and
acting in accordance with the rights of data holders in agreement with the Data
Protection General Law.

8. Data operators of Haganá Group companies must:

• Collect and use personal data only with a legal justification that may include
legitimate commercial and operational interests of the Haganá Group. The Data
Protection General Law, for example, may require the Holder’s explicit consent prior
to the collection of Personal Data; 

• Notify people of how their personal data will be used before collecting the
information (“Privacy Notice”), with the proviso that this does not mean that it is
necessary to inform people personally, but they need and should be aware of where
the notice in question was duly and publicly disclosed; 

• Collect only the necessary personal data for a specific commercial and/or operational
purpose;
• Be aware of any contractual obligations in relation to the processing of personal
data; 

• Use personal data only for the specific commercial and/or operational purposes and
duly described in the Privacy Notice or Consent Form, or in the manner that a person
would reasonably expect; 

• Be aware of the meaning of the word “Consent”, which is defined as any indication
given in a free, unambiguous, revocable manner that expresses the person’s
agreement regarding the processing of their personal data; 

• The Privacy Notice means an oral or written statement provided to Holders when
their personal data is collected. The Privacy Notice describes who is collecting
personal data, the reason why personal data is being collected, how it will be used,
shared, stored and any other relevant information that the person should be aware
of; 

• Use Personal Data in ways that do not have an adverse effect on the person in
question, unless such use is justified by law; 

• Anonymize personal data whenever possible and appropriate in order to assure the
necessary protection of personal and sensitive data alike.

9. Responsible management of personal data is necessary to protect privacy rights, following the
dictates of the Data Protection General Law.

10. The Haganá Group, when collecting, using or maintaining personal data, must take the
following and appropriate measures to:

• Maintain personal data accurate and updated throughout the entire life cycle of
information (from collection to destruction) and only for as much time as necessary
for the respective purpose or for the period required by law;

• Protect personal data from being shared with others who do not have a valid and
relevant commercial and/or operational reason to access such information personal data; 

• Prevent the misuse of Personal Data for a purpose that is not compatible with the
original purpose for which the data was collected; 

• Ensure the traceability of personal data throughout its life cycle. “Traceability”
follows the information life cycle so that it is possible to track all accesses and
modifications made to personal data, as well as their location, in order to
demonstrate our transparency, agreement and compliance with current legislation; 

• Report any breach of data privacy in accordance with the terms of the Incident
Response Plan. Data privacy violation means any unauthorized disclosure,
acquisition, access, destruction or modification of, or any similar action involving
personal data, or any other incident where the confidentiality, integrity or availability
of personal data may have been compromised. 

11. In the event of any doubt as to whether personal data may be used for a purpose other than
that for which it was collected, or in the event of any other matter relating to the
management of personal data, the interested party should contact the designated Data
Protection Officer (DPO) by e-mail dpo@hagana.com.br. 

12. According to the Data Protection General Law, article 7, there are 10 (ten) legal basis for the
treatment and protection of data, namely: 

• Upon the provision of consent by the Holder; 

• For the fulfillment of legal or regulatory obligation by the controller; 

• By public administration, for the treatment and shared use of data necessary for the
execution of public policies foreseen in laws and regulations, or supported by
contracts, agreements or similar instruments; 

• For the undertaking of studies by research institutions, assuring, whenever possible,
the anonymization of personal data; 

• When necessary, for the implementation of a contract or of preliminary procedures
relating to a contract to which the holder is a party, at the request of the data holder; 

• For the regular exercise of rights in judicial, administrative or arbitration proceedings,
the latter under the terms of Law 9,307/1996 (Arbitration Law); 

• For the protection of life or physical well-being of the holder or third party; 

• For the protection of health, exclusively, in a procedure performed by health
professionals, health services or health authority namely the protection of personal data; 

• For credit protection, including the provisions of the relevant legislation. 

13. For the exclusive exercise of its activities, the data processing of Haganá Group companies is
carried out according to the following principles and grounds: 

• Processing is necessary for the execution of a contract of which the data holder is a
party; 

• Processing is necessary to fulfill our legal obligations; 

• Processing is necessary for the purposes and commercial and/or operational
interests of the Haganá Group companies; 

• Data processing shall take place after explicit consent is given relating to the data
collected and the purposes for which the data are used, and a record of that consent
must be kept. 

14. It is possible that personal data collected will be shared among the companies of Haganá
Group, as well as their respective branches, government agencies and third parties for
legitimate commercial and/or operational reasons or as permitted or required by law. In the
event that personal data are shared with third parties, they must ensure that they have the
ability and intent to protect personal data in accordance with the standards and principles
contained in this Policy. This is possible through third party due diligence, risk assessment
and/or a confidentiality agreement (NDA). If risks are identified, appropriate requirements
(including technical safeguards and organizational measures) should be defined to ensure the
adequate protection of personal data. A specific contract for such purpose shall be signed
whenever a third party receives access to the personal data to process such personal data on
behalf of the Haganá Group companies. 

15. Inquiries regarding the requirements for the disclosure of personal data to third parties
should be addressed to the Data Protection Officer (DPO) by email dpo@hagana.com.br. 

16. For all situations relating to the proper management of personal data, any interested party
who becomes aware of a possible violation of applicable laws and/or this Policy should notify
the Data Protection Officer (DPO) immediately by email dpo@hagana.com.br