Privacy Policy
1. Introduction
ECE S.A. (“EVOLUA ETANOL”), through this Personal Data Privacy Policy, reaffirms its commitment to the security and protection of Personal Data, in compliance with applicable privacy and data protection legislation, particularly Brazil’s General Data Protection Law – Law No. 13,709/2018 (“LGPD”).
EVOLUA ETANOL is an ethanol trading company operating as an integrated ethanol commercialization platform, open to producers, distributors, and other participants across the value chain.
2. Applicable Definitions
For the purposes of this Policy, the following definitions apply in accordance with Law No. 13,709/2018 – General Data Protection Law (LGPD):
- Data Subject: A natural person to whom the personal data being processed relates.
- Personal Data: Information relating to an identified or identifiable natural person.
- Sensitive Personal Data: Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union membership or membership in religious, philosophical or political organizations, health or sex life data, genetic or biometric data.
- Controller: A natural or legal person responsible for decisions regarding the processing of personal data.
- Processor: A natural or legal person who processes personal data on behalf of the Controller.
- Data Protection Officer (DPO): The individual appointed by EVOLUA as the communication channel between the Controller, Data Subjects, and the National Data Protection Authority (ANPD).
- Consent: A freely given, informed, and unambiguous indication by which the Data Subject agrees to the processing of their personal data for a specific purpose.
- Anonymization: The use of reasonable and available technical means at the time of processing through which data loses the possibility of direct or indirect association with an individual.
- Blocking: Temporary suspension of any processing operation through the retention of personal data or databases.
- Deletion: Removal of personal data or datasets stored in a database, regardless of the procedure used.
- Data Sharing: Communication, dissemination, international transfer, interconnection, or joint processing of personal databases by public or private entities.
- International Data Transfer: Transfer of personal data to a foreign country or international organization of which Brazil is a member.
- Personal Data Security Incident: A confirmed adverse event related to a breach of personal data security that may pose risk or significant damage to Data Subjects.
- Legal Basis: Legal grounds authorizing the processing of personal data.
- Processing of Personal Data: Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction.
- Purpose of Processing: The legitimate, specific, explicit, and informed objective that guides the processing of personal data.
- Data Subject Rights: Rights guaranteed under the LGPD, including confirmation of processing, access, correction, anonymization, portability, deletion, information on sharing, objection, and withdrawal of consent.
3. Principles Applicable to the Processing of Personal Data
EVOLUA observes the principles set forth in the LGPD in all activities involving the processing of personal data. These principles guide how we conduct our operations and interact with Data Subjects.
In practice, EVOLUA:
- Purpose: Processes personal data for legitimate, specific, and informed purposes.
- Adequacy: Ensures compatibility between processing activities and the informed purposes.
- Necessity: Collects and uses only data strictly necessary for the intended purposes.
- Free Access: Guarantees Data Subjects simple and free access to their data.
- Data Quality: Keeps personal data accurate, clear, relevant, and up to date.
- Transparency: Provides clear and accessible information about data processing practices.
- Security: Adopts technical and administrative measures to protect personal data against unauthorized access, loss, destruction, alteration, or improper processing.
- Prevention: Implements controls aimed at preventing damage resulting from data processing.
- Non-Discrimination: Does not process personal data for discriminatory, unlawful, or abusive purposes.
- Accountability: Adopts effective measures to demonstrate compliance with data protection regulations.
4. Personal Data We Collect
The personal data we may collect varies according to the nature of the relationship established with EVOLUA. Below are the main categories of Data Subjects and the data collected in each situation:
- Employees: we collect personal data for the fulfillment of labor and contractual legal obligations. Examples: full name, CPF (Brazilian Individual Taxpayer Registry), address, telephone number, email address, banking details, job title, employment history, and other information required by law.
- Employees’ Dependents: we collect personal data only when necessary for voluntary enrollment in benefits offered by the company. Examples: name, date of birth, CPF, and family relationship.
- Directors: we collect personal data necessary for the legitimacy of corporate acts, execution of contracts, and compliance with legal and regulatory requirements. Examples: name, CPF, ID number (RG), contact details, and corporate information.
- Visitors: at the reception of our facilities, we collect identification data for security and access control purposes. Examples: name, identification document, company represented, time of entry and exit.
- Third Parties, Suppliers, and Partners: we collect personal data for the performance of assumed contractual obligations (obligation to perform, deliver, provide services, etc.). Examples: name, job title, email address, telephone number, and banking details for payment, when applicable.
- Drivers, Shippers, and Cargo Recipients: due to the nature of the services provided by EVOLUA, we collect data necessary for logistics, security, and compliance with contractual, legal, and regulatory obligations. Examples: full name, identification document, driver’s license (CNH), telephone number, company represented, and information regarding delivery or receipt of cargo.
- Legal Representatives of Legal Entities: we collect personal data necessary for validation of contracts and business acts. Examples: name, CPF, email address, telephone number, and banking details when payment confirmation is required.
- Users of Our Websites and Digital Platforms: we collect browsing and usage data, including history of accessed pages, preferences, cookie permissions, IP address, operating system version, device type, browser type, geolocation, as well as access logs and technical system usage records.
In general, the personal data processed by EVOLUA includes: registration data (name, CPF, RG, address, email, telephone number), professional data (job title, company), financial data (banking details when applicable), digital identification data (IP address, cookies, access logs), and other information necessary to fulfill the purposes described herein, always in compliance with applicable legislation.
5. Purpose of Processing
The personal data collected by EVOLUA is processed for the following purposes:
i. Conducting business activities, fulfilling contractual, legal, and regulatory obligations, as well as providing the services set forth in our corporate purpose.
ii. Registration and general updating of Data Subjects’ records, including employees, directors, legal representatives, partners, suppliers, and clients.
iii. Sending institutional information regarding products and services, marketing communications, questionnaires, forms, and registrations, always within contractual and legally permitted limits.
iv. Improving internal processes and EVOLUA’s operational performance, aiming at greater efficiency in serving clients, suppliers, partners, and employees.
v. Evaluating the performance of communication campaigns and personalizing institutional messages.
vi. Correcting and resolving technical issues related to the functionality of services, products, and systems.
vii. Improving the browsing experience on our websites and applications, ensuring their proper functioning across different devices and browsers.
viii. Processing payments or service receipts, including validation of banking details of suppliers and partners, when applicable.
ix. Complying with legal and regulatory obligations or responding to requests from public or judicial authorities.
x. Exercising rights in administrative, judicial, or arbitral proceedings, including filing or defending against claims.
xi. Mitigating risks of abuse, unauthorized access, and preventing and detecting fraud and information security incidents.
xii. Protecting the life or physical integrity of Data Subjects or third parties.
xiii. Collecting and using technical records resulting from the use of EVOLUA’s digital systems, such as IP addresses, access logs, device type, and browser type, for information security, fraud prevention, and continuous service improvement purposes, always in compliance with applicable legal provisions.
6. Applicable Legal Bases
The processing of personal data by EVOLUA is carried out based on the legal grounds provided for in the LGPD, including primarily:
i. Performance of a contract or preliminary procedures related thereto.
ii. Compliance with a legal or regulatory obligation.
iii. Exercise of rights in judicial, administrative, or arbitral proceedings.
iv. Legitimate interest of the Controller, respecting the fundamental rights and freedoms of the Data Subject.
v. Consent of the Data Subject, when required by law.
7. Sharing of Personal Data
7.1. Sharing Scenarios
EVOLUA ETANOL may share personal data with its subsidiaries and parent companies, as well as with suppliers, partners, and third parties, whenever necessary for the execution of its operations, fulfillment of contractual obligations, pursuit of legitimate purposes, or compliance with legal and regulatory duties, including but not limited to the following categories:
i. Providers of administrative support services essential to the operationalization of the company’s activities;
ii. Providers of infrastructure and information technology services, including hosting, systems, information security, and technical support;
iii. Marketing and advertising service providers, when applicable and subject to the relevant legal bases;
iv. Payment processing companies, strictly to enable financial transactions and receivables management;
v. Judicial, administrative, or law enforcement authorities, upon formal request or for compliance with legal or regulatory obligations.
7.2. Sharing Due to Legal Obligation
Under certain circumstances, and always in accordance with applicable legislation, EVOLUA may be legally required to share personal data to comply with requests, orders, or determinations from competent authorities, limiting the sharing to the minimum necessary to fulfill the obligation.
7.3. Governance, Roles, and Contractual Safeguards
EVOLUA adopts minimum governance criteria for the sharing of personal data, which include:
a) Selection Criteria and Due Diligence
Before authorizing sharing, EVOLUA proportionally assesses the integrity, technical capacity, and privacy and information security practices of the suppliers, partners, or third parties involved.
b) Definition of Roles in Data Processing
Whenever applicable, EVOLUA defines and formalizes, through contractual or documentary instruments, the roles of Controller and Processor of personal data, observing the responsibilities established by the LGPD and the guidance of the ANPD.
c) Contractual Instruments and Periodic Review
All third parties with access to personal data are bound by specific contractual clauses that ensure, at a minimum:
- confidentiality;
- information security;
- purpose and access limitation;
- compliance with applicable legal bases;
- duty of cooperation in responding to Data Subject rights requests;
- adoption of appropriate technical and administrative measures.
These contractual instruments are reviewed periodically or whenever relevant changes occur in operations, associated risks, or applicable legislation.
d) International Transfers (when applicable)
In the event of sharing or international transfer of personal data, EVOLUA shall adopt appropriate contractual, technical, and organizational safeguards, in accordance with Brazilian data protection legislation and ANPD guidelines.
8. Security of Your Data
EVOLUA adopts appropriate technical and administrative measures to protect personal data against unauthorized access and against accidental or unlawful destruction, loss, alteration, disclosure, or any form of improper or unlawful processing. In processing personal data, EVOLUA implements security measures such as:
i. profile- and credential-based access controls;
ii. encryption of sensitive data;
iii. segregation of environments;
iv. monitoring and access logging;
v. backup management; and
vi. incident response plan, including communication to Data Subjects and the ANPD when required by law.
Additionally, EVOLUA maintains internal information security standards that are periodically reviewed, conducts training with its employees and strategic suppliers, and adopts risk prevention and mitigation procedures to reduce the likelihood of incidents and ensure continuity of essential services.
9. Data Subject Rights
EVOLUA guarantees Data Subjects all rights provided for under the LGPD in relation to information processed as a result of its activities.
The Data Subject may, at any time and upon request through EVOLUA’s official channel, exercise the following rights:
- Confirmation of the existence of processing.
- Access to personal data under the company’s responsibility.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data.
- Portability of personal data to another service or product provider, in accordance with ANPD regulations.
- Deletion of personal data processed based on consent, except where legal retention is authorized or required.
- Information about public or private entities with whom EVOLUA shares personal data.
- Withdrawal of previously granted consent, free of charge and without affecting prior lawful processing.
- Objection to processing carried out on legal grounds other than consent, in case of non-compliance with the LGPD.
Procedure for Handling Requests
To exercise their rights, the Data Subject must submit a request to EVOLUA’s privacy channel at: dpo@evoluaetanol.com.br.
Requests will undergo screening and technical analysis to ensure traceability, organization, and appropriate response.
As a security measure, EVOLUA may request additional information to validate the identity of the Data Subject, in a proportional and strictly necessary manner, to prevent unauthorized access, fraud, or data breaches.
Responses will observe applicable legal and regulatory deadlines. EVOLUA commits to providing a response within a reasonable timeframe, considering the complexity of the request, the nature of the data involved, and any legal or contractual obligations that may impact full or immediate compliance.
Data Processing in the B2B Context
In the context of business-to-business (B2B) operations in which EVOLUA operates, personal data processed is generally related to professional activities of employees, legal representatives, suppliers, drivers, partners, and directors of contracting legal entities.
In such cases, the exercise of Data Subject rights will be balanced with EVOLUA’s legal, regulatory, and contractual obligations, as well as the regular exercise of rights and continuity of business operations.
10. Cookies
10.1. What Are Cookies
Cookies are small data files stored on the device you use to access our websites, applications, or digital services. They enable the proper functioning of the platforms, as well as the continuous improvement of the user experience.
10.2. Categories of Cookies Used
We use cookies classified into the following categories:
a) Necessary (Essential) Cookies
These are indispensable for the proper functioning of the website and its basic functionalities, such as secure browsing, user authentication, and access to restricted areas. These cookies cannot be disabled, as without them the website may not function properly.
b) Analytical or Performance Cookies
Used for statistical and continuous improvement purposes, they allow us to understand how users interact with our websites and applications, including pages visited, browsing time, and possible errors. The information collected is used in aggregated form whenever possible.
c) Preference or Functionality Cookies
These allow us to remember choices made by the user, such as language, region, browser type, and other preferences, providing a more personalized and efficient experience.
d) Marketing or Advertising Cookies (when applicable)
These may be used to present more relevant content to the user, measure the effectiveness of campaigns, and limit the repetition of advertisements. Such cookies will only be used upon consent, when applicable.
10.3. Purposes of the Use of Cookies
Cookies may be used to:
- Facilitate navigation and improve website usability;
- Personalize user content and preferences;
- Analyze service usage and performance metrics;
- Conduct version testing and functional improvements;
- Ensure session security, authentication, and integrity;
- Obtain indicators regarding user experience on our websites and applications.
10.4. Preference Management and Consent
Users may, at any time, manage, review, or revoke their cookie preferences through the consent banner or cookie management tool made available on the website, when applicable. Acceptance or refusal of non-essential cookies does not affect access to basic functionalities; however, it may impact certain personalized experiences.
10.5. Browser-Based Cookie Control
In addition to the website’s cookie management tool, users may view, delete, or block cookies directly through their browser settings. Below are links with guidance from the most commonly used browsers:
10.6. Third-Party Cookies
Certain cookies and analytical tools may be provided by third parties, exclusively for statistical, analytical, or continuous improvement purposes related to EVOLUA’s tools and services, subject to applicable legal bases and, where required, user consent.
11. Data of Minors
11.1. EVOLUA does not directly collect personal data from children or adolescents for its own purposes. However, it may process data of employees’ dependents exclusively when necessary to comply with legal obligations and upon manifestation of intent by their legal guardians.
11.2. Outside of these specific situations, EVOLUA does not knowingly collect personal data from individuals under the age of 16.
11.3. If parents or legal guardians identify that personal data of their children under the age of 16 has been provided to EVOLUA without authorization, they may request its deletion by emailing: dpo@evoluaetanol.com.br.
11.4. If EVOLUA becomes aware that it has collected personal data of individuals under the age of 16 outside the legally permitted circumstances, it will adopt reasonable measures to remove such data from its records, ensuring secure deletion and notifying the legal guardians when applicable.
12. International Data Transfers
12.1. Scenarios and Criteria for International Transfer
In the event that an international transfer of personal data becomes necessary, EVOLUA will adopt governance and control measures to ensure that the processing of data outside national territory occurs strictly in compliance with Brazilian personal data protection legislation.
International transfers shall only be carried out when necessary to fulfill legitimate processing purposes, cumulatively observing:
- the existence of a valid legal basis;
- the assessment of the level of protection of the destination country, prioritizing locations with legislation providing a level of protection compatible with that established by the LGPD; and
- the adoption of appropriate contractual, technical, and organizational safeguards, as provided in this Policy and Section 7.3, when applicable.
12.2. Approval, Recordkeeping, and Applicable Safeguards
The execution of international transfers of personal data is subject to prior internal approval, in accordance with EVOLUA’s privacy governance framework, involving, as applicable, the areas responsible for the contract, information technology, information security, and the Data Protection Officer (DPO).
All international transfers shall be formally recorded to ensure traceability and transparency, including, at a minimum, information regarding:
- the purpose of the transfer;
- the categories of personal data involved;
- the countries or destination organizations;
- identification of the supplier, partner, or processor;
- the applicable legal basis; and
- the safeguards adopted.
EVOLUA shall maintain an updated inventory of international personal data transfers, integrated into its internal processing records (such as the ROPA), which shall be periodically reviewed or updated whenever relevant changes occur in operations, suppliers, or applicable legislation.
In cases of international transfer, EVOLUA undertakes to engage exclusively with suppliers and data processors that adopt practices compatible with the LGPD, using, when required or recommended:
- standard contractual clauses approved by the ANPD; or
- other equivalent safeguards, such as specific data protection clauses, certification mechanisms, codes of conduct, or appropriate technical and organizational measures.
13. Storage of Personal Data
EVOLUA will store personal data for the period necessary to fulfill the specific processing purposes, as well as for as long as there is a valid legal basis justifying its retention, including, but not limited to, compliance with legal or regulatory obligations, performance of contracts, exercise of rights in judicial, administrative, or arbitral proceedings, and fulfillment of duly assessed legitimate interests.
Retention periods may vary depending on the category of data, the nature of the processing, and the associated purpose, and are defined in accordance with objective criteria approved by EVOLUA, which observes legal and regulatory requirements and good information governance practices.
Once the purposes have been fulfilled and in the absence of a legal basis authorizing continued processing, personal data shall be securely deleted, anonymized, blocked, or disposed of through appropriate technical and administrative procedures capable of preventing unauthorized access, re-identification, or misuse.
EVOLUA designates internal responsible parties for managing the personal data lifecycle, including application of retention periods, execution of secure disposal, and maintenance of records and evidence demonstrating the adoption of such measures, such as deletion logs, anonymization records, disposal reports, or internal validation minutes, as applicable.
To ensure transparency, EVOLUA maintains a communication channel accessible to Data Subjects, through which the rights provided under applicable legislation may be exercised, including requests for information regarding retention periods and the final destination of their personal data, subject to legal and regulatory limitations.
14. Contact Channel
For additional clarification regarding the processing of personal data, Data Subjects may contact EVOLUA’s Data Protection Officer (DPO) through the following channels:
- Email: dpo@evoluaetanol.com.br
- Address: Av. das Nações Unidas, 14,261, Wing A1 – 13th Floor, Vila Gertrudes, São Paulo/SP – ZIP Code 04794-000 – Brazil
Data Protection Officer (DPO): Juliana Haddad Pereira Marrone
15. Changes to Our Privacy Policy
We may occasionally make changes to our Privacy Policy.
Material changes will be communicated through EVOLUA’s official channels, such as the institutional website (https://www.evoluaetanol.com.br/en/privacy-policy/) and, when applicable, through direct communications to its clients, partners, and suppliers.