Privacy Notice

Updated March 11, 2024.

1. Privacy Statement

CARDENAS knows how important it is to know and be confident about the use of personal data in its possession. Therefore, we take care to clarify and explain our Privacy Notice.

We recognize the need to protect and properly manage personal information collected on our website. This Privacy Notice will help you understand what types of information we may collect, how this information may be used, with whom the information may be shared and what rights holders have regarding the protection of their personal data.

2. What personal information do we collect

The personal information we obtain may be collected in the following ways:

Site: Personal information is collected when the user interacts on our website by filling out a contact form. This personal information includes, among others, name, email and telephone number. The user of our portal is under no circumstances obliged to provide any personal data to browse the website pages, except in the case of purchasing products, so any information is provided freely and spontaneously. Basic data collection is only necessary when the user wishes to get back in touch. All personal information is collected in a fair and non-invasive manner, with your voluntary consent. The personal information collected is accessible only to those who need to know it to carry out relevant activities, respecting the purpose for which it was provided.

Register: Personal information is also collected for registration and access to the customer area. The data is necessary to identify the user and allow him to purchase products through our website, as well as to issue an electronic invoice. Personal data is collected so that we can process, manage, deliver your purchases, exchange or send back a product if the customer so wishes. The data collected for registration are Individual Taxpayer Registry Identification / National Registry of Legal Entities, name, surname, email, telephone and address. If the holder chooses to fill out, the date of birth and gender may be collected.

Personal data may be collected according to the chosen payment method, such as credit or debit card number, Individual Taxpayer Registry Identification, full name and billing address. Credit card information is not stored in our systems and data processing for approval is done directly by card administrators and banks. Other personal data related to the customer's bank account may also be collected, if there is a need to refund the amounts paid.

We emphasize that the user will not be able to purchase products through the website without registering. Therefore, collecting information is a condition for providing our products through e-commerce. When registering, the user may voluntarily include their email address to receive electronic messages containing information, promotions and news. You can unsubscribe from newsletters at any time by clicking on the unsubscribe link contained in the body of the emails.

Service channels: The user can contact us physically, by telephone, email or WhatsApp. Personal data is collected with thepurpose of identifying the user, as well as to fulfill their request. These may include, among others, name, email and telephone number. In addition to these, we collect any personal data that is spontaneously reported by the user.

Contract: When the customer purchases our products, we collect the data necessary to create the contract and/or issue an invoice. This data is, among others, the email for contact and sending of electronic invoice, name, Individual Taxpayer Registry Identification, National Registry of Legal Entities, company name, full name of the person responsible, telephone, complete business address with zip code, neighborhood, city and state and registration State, when applicable.

Sharing: We may have access to personal data shared by our commercial representatives necessary for drafting a contract and/or issuing an invoice.

Cookies: Personal data may be collected through cookies. For more information, see our Cookies Policy.

Job candidates:We may have access to personal information about job applicants, such asfull name, telephone number, email address and any otherinformation voluntarily provided by the candidate.

Employees: Regarding the personal data collected from our employees, these are necessary for employee registration to be carried out, in compliance with labor legislation and execution of the employment contract.

Monitoring of networks provided by CARDENAS:We collect personal data from all users of the wired and Wi-Fi network provided by CARDENAS, based on our legitimate interests, for the purposes of internal and/or external monitoring of the artificial environment made available by us.

Exceptionally, CARDENAS will process sensitive personal data, in which case the provisions of the Brazilian General Data Protection Law will be duly observed.

3. Social Media

CARDENAS also uses Social Media to communicate and interact with its customers and consumers through third-party websites such as Facebook, Twitter, YouTube and Instagram. These third-party websites are an Internet-based technology that is not operated or controlled by CARDENAS. By interacting, sharing or “Like” the CARDENAS page on Facebook, Instagram, YouTube, Twitter, or other social media, you may reveal certain personal information to CARDENAS or third parties.

We use “social buttons” to allow our users to share or bookmark web pages. These are buttons on third-party social media sites that may record information about your activities on the internet, including this site. Please review the respective terms of use and Privacy Notices of these platforms to understand exactly how they use your information, how to opt out or delete such information.

The amount of personal information visible will depend on your own privacy settings on Facebook, Twitter, Instagram, YouTube and other social media.

4. Purposes and legal bases

We list below the purposes and legal bases of CARDENAS' data processing:

Purposes

Legal base

Comply with terms and conditions established in the contract

Necessary for the execution of a contract to which the holder of personal data is a party.

Facilitate communication with you (including in cases of emergency and to provide you with requested information).

It is justified based on our legitimate interests in ensuring adequate communication and emergency management within the organization.

Comply with legal requirements.

Necessary to comply with a legal obligation to which we are subject.

Monitor your use of our systems (including monitoring your use of our website and any applications and tools you use).

It is justified based on our legitimate interests to avoid non-conformities and protect our reputation.

Social listening (identifying and analyzing what is being said about CARDENAS on social media [publicly accessible content only] in order to understand sentiment, intent, mood and trendsmarket, in addition to the needs of our stakeholders to, in this way,, improve our services.)

It is justified based on our legitimate interests in protecting our assets and brand on social media.

Improve the security and operation of our website, networks and information.

It is justified based on our legitimate interests in ensuring that you have an excellent user experience and that our networks and information are secure.

Offer our products and services to you (unless you have objected to such processing).

It is justified based on our legitimate interests in promoting our business.

Manage employee benefits

It is justified based on the employee's consent, if it is in their interest to receive a certain benefit.

Identification and authentication for access to the premises of CARDENAS units through images and recordings of third parties, collaborators and visitors

It is justified in protecting the life or physical safety of holders or third parties.

Internal monitoring of company facilities

Justified based on our legitimate interests

Delivery of necessary information to government bodies

To comply with a legal obligation

 

We only rely on our legitimate interest for specific purposes. These processing of personal data do not override in any way the interests, rights and freedoms of the holders of personal data.

5. About sharing and transferring information

CARDENAS does not have the practice of disclosing information that can identify the user and never shares information or sells and rents this personal data to third parties. This data is for the exclusive internal use of the company to achieve the purposes expressed in the previous item.

Data may be shared with third parties only under the following conditions:

  • Upon court decision or request by government oversight bodies;
  • Data transferred to public bodies to comply with current legislation, for example personal data contained in electronic invoices and respective XMLs, or data from our employees necessary for the payments provided for in labor and forecasting legislation;
  • Data transferred to accounting or human resources service providers, to meet tax and labor obligations;
  • Data transferred to financial institutions to provide payment options to our customers, or to pay salaries to our employees and providers;
  • Data shared with partners, operators and service providers, representatives, international distributors and who participate, directly or indirectly, in the development of CARDENAS' commercial activities, such as billing, payment processes, online payment platforms, sales platforms (e- commerce), customer service services, sending emails, advertising and marketing, security and performance monitoring, processing and fulfillment of orders and transactions, verification of consumer registration information, research, data storage, auditing and processing of data;
  • Data transferred for the purpose of executing the contract, as well as for the protection of CARDENAS' interests in any type of conflict, including legal actions;
  • In the event of corporate transactions such as merger, acquisition, transformation, spin-off, or a partial or total sale of assets, we may share, disclose or transfer all data of the holders to the successor organization.

 

Some of the service providers mentioned above may be located abroad and, in this case, CARDENAS adopts additional safeguards to guarantee an adequate level of protection of personal data, in accordance with the relevant Brazilian legislation.

In operations involving sharing your personal data with Data Processors, we will require that they be treated in accordance with our instructions, as the controlling agent of this information, including before other processing agents that intervene in the data processing chain, including Subprocessors.

6. Information security

To ensure that your personal information is secure, we communicate our privacy and security guidelines to CARDENAS employees and business partners and strictly follow precautionary measures regarding privacy within the company.

We strive to protect your Personal Information, and that entrusted to us by our customers, through physical, technical and organizational measures that aim to reduce the risks of loss, misuse, unauthorized access, disclosure and improper alteration of this data.

7. Rights of Holders

Personal data holders have certain rights with regard to their personal data and can exercise them by accessing the Data Request Form (DSAR) or via email:  dpo@cardenas.com.br.

The rights of holders are:

  • Confirmation of the existence of personal data processing;
  • Access to personal data, in accordance with applicable legislation;
  • Correction of incomplete, inaccurate or outdated personal data;
  • Portability of personal data;
  • Deletion of personal data, when they are processed based on the holder's consent or when the data is unnecessary, excessive or processed in non-compliance with applicable legislation;
  • Request for information about the shared use of personal data;
  • Revocation of consent, when applicable.

CARDENAS will always evaluate the best way to comply with the request to exercise any of your rights. However, CARDENAS may fail to comply with your request, in whole or in part, in specific situations protected by law, such as, for example, to comply with a legal obligation or a contract it maintains with you.

We emphasize the importance of keeping your personal data accurate and up to date. To this end, always keep CARDENAS informed if your personal data changes or is incorrect.

For security reasons, for requests made via email dpo@cardenas.com.br, the request will be fulfilled when we are certain of the user's identity. Therefore, we may request additional data or information to confirm the identity and authenticity of the holder. This data and information will be protected during the storage period and deleted as soon as the purpose of confirming the identity of the holder has been exhausted.

8. Termination of treatment

This Privacy Notice applies to the circumstances mentioned above throughout the period in which CARDENAS stores personal data. We store and maintain your information: (a) for as long as required by law; (b) until the end of the processing of personal data, as mentioned below; or (c) for the time necessary to protect CARDENAS’ rights. Therefore, we will process your data, for example, during the applicable statute of limitations or as long as necessary to comply with a legal or regulatory obligation.

The termination of the processing of personal data will occur in the following cases: (a) when the purpose for which the personal data was collected has been achieved, and/or the personal data collected are no longer necessary or relevant to achieving such purpose; (b) when the Owner requests the deletion of their data; and (c) when there is a legal determination in this regard.

In cases of termination of the processing of personal data, except in the cases established by applicable legislation or this Privacy Notice, personal data will be deleted.

9. Personal Data Officer (DPO)

CARDENAS provides below the contact details of the Data Protection Officer (DPO), who is responsible for responding to any and all requests from data subjects or the National Authority, which are related to personal data.

For any questions, requests or complaints regarding the processing of personal data, please contact our Personal Data Officer:

DPO EXPERT® (www.dpoexpert.com.br) - contact:dpo@cardenas.com.br

If, despite our commitment and efforts to protect your data, you feel that your data protection rights have not been met, we ask that you contact our DPO. Furthermore, you have the right, at any time, to register a complaint directly with the National Data Protection Authority, if you believe that the rights to your personal data have been infringed.

                                                                     

                                                                                                                       10. Changes to the Privacy Notice

Although our Privacy Notice has been presented in a clear, concise and objective manner, do not hesitate to consult the CARDENAS DPO if you have any doubts about this important document or even about the personal data processing activities we carry out.

CARDENAS reserves the right to update or modify this Notice at any time and without prior notice. However, we will always publish the new revised version on our website. If there are changes in the way we process personal data, you will be informed to check whether you intend to continue using our services.