Last updated: February 2024

The privacy and protection of personal data are essential to the Senior Group. They are practiced effectively in all our business processes, by all our employees, and in our relationships with all our customers, suppliers, third parties, service providers, and business partners.

Therefore, we have developed this Privacy Statement to present to data subjects how we handle and protect personal data and guarantee the rights related to privacy and data protection. 

In addition to this Privacy Statement, the Senior Group maintains an internal Information Security and Data Protection governance program that includes the ongoing development and maintenance of an Information Security Policy and a Data Protection Policy.

1. WHO ARE WE?

We are the Senior Group, under ​CNPJ (National Register of Legal Entities) 80.680.093/0001-81, specialized in software for over 34 years in the market, with headquarters in Blumenau/SC.

2. GENERAL INFORMATION AND PRINCIPLES

In this Privacy Statement we comply with the privacy and data protection requirements set out in Law No. 13.709, of August 14, 2018 – General Data Protection Law.

The concepts, terms, and definitions we apply in this Privacy Statement are established in Art. 5 of Law No. 13.709, of August 14, 2018 – General Data Protection Law.

For the privacy and protection of personal data, the Senior Group complies with the following principles in this Privacy Statement and in its internal governance program for Information Security and Data Protection, following Law No. 13.709, of August 14, 2018 – General Data Protection Law:

1. Purpose: the processing of personal data can only occur after a clear purpose has been determined, duly recorded in the purpose statement, and with a stated legal basis.
2. Compliance: processing must be restricted to the defined purpose and not occur in a manner incompatible with that purpose.
3. Necessity: the information obtained must be restricted to the minimum necessary to achieve the previously defined purpose, covering only the data relevant to that purpose.
4. Free Access: personal data subjects must have a service channel that allows them to inquire about the form, processing, and security of their personal data.
   5. Data Quality: the data processed must be clear, accurate, relevant, and up-to-date about their respective specific purposes.
5. Transparency: personal data subjects must have a service channel that allows them to obtain clear and precise information about the processing carried out with their data, even the information concerning the processing agents involved.
6. Security: the Senior Group must plan, implement, maintain, critically analyze, and continuously improve technical and administrative information security management measures.
7. Preventive measures: technical and administrative information security management measures must also act to prevent incidents from occurring.
8. Non-discrimination: under no circumstances will the processing of natural persons’ data be used in discriminatory, unlawful, or abusive situations.
9. Responsibility and Accountability: the Senior Group must have controls and mechanisms to demonstrate the effectiveness of its information security and data protection measures.
   
   

3. FOR WHAT PURPOSES AND ON WHAT LEGAL BASES DO WE PROCESS PERSONAL DATA?

At the Senior Group, we only process personal data once we have established a specific purpose and legal basis.

In our internal Information Security and Data Protection governance program, we have a detailed mapping of all the purposes and legal bases we use for processing personal data through our Record of Processing Activities (RoPA), including definitions of categories of data used, resources involved (information systems used, for example), transfers abroad and sharing with other companies.

Simply put, we process personal data in the following cases and on the following legal bases:

If you wish to receive detailed information on the purposes and legal bases specifically related to the processing of your personal data, please refer to section 12 of this Privacy Statement.

4. HOW, WHEN, AND WHAT PERSONAL DATA DO WE COLLECT?

We only collect your data through our information systems and corporate channels duly approved by our data protection officer. In other words, the Senior Group does not collect personal data through any kind of personal resources (e-mail, WhatsApp, and others, for example) from its employees, suppliers, service providers, or business partners.

When we collect your data, we already have the definition of the specific purpose and legal basis for the data processing, duly designated in our Record of Processing Activities (RoPA), as mentioned in section 3 of this Privacy Statement.

We only collect strictly necessary data to fulfill the specific purpose defined in the Operations Register. The categories of data that may be collected, according to the need for each purpose, are:

1. Registration: a category involving basic information about a natural person. For example, Name, ID, ​CPF (Natural Person Register), telephone number, address, etc.
2. Administrative: category involving administrative information produced from registration data. For example, Contracts, forms, reports, etc.
3. Financial: category of data involving financial information related to a natural person. For example, billing bank slips, financial records, payments, etc.
   4. Sensitive – Medical: category to represent sensitive medical data such as medical records, test results, clinical information about the patient, genetic data, psychological information, diseases, and the like.
4. Sensitive – Other: category to represent sensitive, non-medical data such as racial or ethnic origin, religious conviction, political opinion, trade union membership or membership of a religious, philosophical, or political organization, data relating to sexual life, or biometrics data.
   6. Minors: this category is related to the others to point out that the related data may be from minors.
5. Multimedia: in this category, the data involves the processing of photos, videos, audio, images, voice, geolocation, and the like.
6. Digital Logs: category of data that includes cookies, IP addresses, and system logs denoting user behavior (browsing logs, for example).
7. Anonymized: a category used to indicate the existence of data that does not identify individuals.
8. Other: category to include exceptional data that does not fall into the previous categories. In such cases, the specific data type will be mentioned in the Record of Processing Activities (RoPA).

5. HOW DO WE STORE AND ACCESS PERSONAL DATA?

At the Senior Group, we only store and access personal data through duly approved corporate resources and after defining the specific purpose and legal basis in our Record of Processing Activities (RoPA). 

To protect the storage of and access to personal data, we use technical and administrative Information Security controls, which are outlined in our Information Security Policy and maintained through our internal information security and data protection governance program.

Personal data is stored strictly for the time necessary to fulfill its purpose and legal basis. After that, the data can be deleted, anonymized, or kept by establishing a new purpose and its respective legal basis, always in compliance with current legislation.

For more information on the storage and deletion of personal data, please refer to section 8 of this Privacy Statement.

6. WHEN DO WE TRANSFER PERSONAL DATA ABROAD?

Senior Group’s headquarters and internal operations take place in Brazil, but our suppliers, service providers and business partners may have headquarters and/or operations abroad. In these cases, we may need to transfer personal data abroad.

All the purposes and legal bases for transferring data abroad are duly mapped in our Record of Processing Activities (RoPA).

If you wish to receive detailed information about our transfers abroad specifically related to the processing of your personal data, please contact our Personal Data Officer as described in the “Contact Us” section of this Privacy Statement.

7. HOW, WHEN AND WHAT PERSONAL DATA DO WE SHARE WITH OTHER DATA CONTROLLERS?

Other data processors, such as operators or controllers, may receive personal data shared by the Senior Group. In these cases, personal data will only be shared for specific purposes and on clearly defined legal bases.

All situations regarding sharing personal data with other controllers and operators are duly established in our Record of Processing Activities (RoPA).

We will only share data with other processing agents when we have a formal relationship with said agent that justifies such sharing. This formal relationship can be determined through a contract or terms, declarations, or agreements between the parties.

Personal data will only be shared through formal resources and channels made available by the Senior Group or the processing agents. Therefore, no data exchange will happen through resources or channels not agreed between the parties.

Only personal data strictly necessary for fulfilling the specific purposes assigned to the processing agent, whether operator or controller, will be shared.

8. HOW LONG DO WE KEEP AND HOW DO WE DELETE PERSONAL DATA?

Personal data is kept only for as long as is necessary to fulfill the purpose for which it was collected. After this purpose has been fulfilled, the personal data may be:

1. Anonymized: in this case, personal data is kept in such a way as not to identify its owner and guarantee the irreversibility of the data, which means that it cannot be associated again with data that identifies the owner;
   2. Kept for another purpose: after the end of a purpose, the data may be kept when associated with another purpose and its respective legal basis. For example, at the end of a contract or consent, the data may still be kept for the fulfillment of legal obligations or the regular exercise of the Senior Group’s rights, always in compliance with the current legislation;
   3. Deleted: in this case, the data is deleted.

When we delete personal data, whether physical or logical, we do so in such a way that the data can no longer be recovered.

Some of our purposes, due to their particular characteristics, may have a specific retention period for personal data. In this case, this will be stated in our Record of Processing Activities (RoPA).

9. DO WE USE COOKIES OR OTHER TYPES OF DIGITAL TRACKING?

The Senior Group’s websites, systems, portals, and applications may use cookies and other types of digital traces. Digital traces can be of the following types:

• Essential or Necessary: these are cookies and digital traces needed for the basic functioning of websites, systems, portals, and applications. In this case, the traces will be used strictly for the operation of the respective systems;
• 
  Optional: these are cookies and digital traces that are optional for the websites, systems, portals, and applications operation. Some examples are marketing traces, statistics, and personalized experience. In these cases, consent will be requested for using cookies and digital traces for their specific purposes.

All purposes and legal bases for the use of cookies and digital traces are defined in our Record of Processing Activities (RoPA).

10. HOW DO WE PROTECT PERSONAL DATA THROUGH INFORMATION SECURITY MANAGEMENT?

We at the Senior Group are committed to planning, executing, and monitoring actions, to critical analysis, and to continuous improvement in an Information Security Management System. To this end, we use as a basis the guidelines set out in ABNT (Brazilian National Standards Organization) NBR (Brazilian Regulatory Standard) ISO/IEC 27001 – SGSI-Information Security Management System, together with Tracker Segurança da Informação’s information security management methodologies.

We keep an Information Security Policy (internal document) with the necessary and appropriate controls to guarantee the confidentiality, integrity, and availability of the information under our supervision.

We also work more directly at data privacy and protection management, based, in this case, on the precepts defined in ABNT NBR ISO/IEC 27701 – SGPI-Information Privacy Management System, together with Tracker Segurança da Informação’s data privacy and protection management methodologies.

We keep a Data Protection Policy (internal document) with the necessary and appropriate controls to guarantee the privacy and protection of personal data under our supervision.

The Information Security Policy and the Data Protection Policy, along with their derivative documents (specific policies, standards, and procedures), comprise our internal Information Security and Data Protection program, which is continuously monitored and updated in our company.

11. WHAT ARE THE DATA SUBJECT RIGHTS AND HOW CAN THEY BE EXERCISED?

The following personal data subjects’ rights are preserved and duly made available by the Senior Group:

1. Confirmation: confirm that your personal data is being processed.
2. Access: access your personal data.
3. Rectification: request to correct incomplete, outdated, or incorrect data.
4. Anonymization, blocking, or deletion: request anonymization, blocking, or deletion in the case of personal data that is unnecessary, excessive, or processed in non-compliance with the LGPD (General Data Protection Law). This option includes deletion even after consent has been given.
5. Portability: request the transfer of personal data to another supplier, service, or product.
6. Sharing: request information on the public and private entities with which the controller has shared personal data.
7. Revoking Consent: revoke consent to the usage of your personal data at any time.
8. Automated decision review: request review and information on what criteria and processes are used in automated decision making, where applicable.
9. Explanation: obtain information about the possibility of not consenting to the processing of personal data and the consequences of refusing. This option includes any other explanations or requests demanded by data subjects.

Should you wish to exercise your rights, whether those mentioned above or any others relating to privacy and the protection of personal data, please contact our Data Protection Officer, as outlined in section 12 of this Privacy Statement.

12. CONTACT OUR DATA PROTECTION OFFICER.

The Senior Group’s Data Protection Officer (DPO) is Mr. Jean Carlo Corrêa Gomes.

The contact for the Data Protection Officer, as well as the channel for requests about privacy and data protection, is encarregado@senior.com.br.

Should you wish to exercise any of your rights or receive detailed information specifically about the processing of your personal data, please contact our personal data protection officer.

The officer’s activities consist of:

• accepting complaints and communications from holders, provide clarification, and taking action;
• receiving communications from the national authority and taking action;
• advising employees and contractors about the practices to follow for the protection of personal data;
• monitoring compliance with data protection by implementing administrative and technical data protection controls.

13. ON UPDATES TO THIS PRIVACY STATEMENT.

We are continuously improving the privacy and protection of personal data. Therefore, this Privacy Statement may be updated at any time with immediate effect. 

We recommend that you consult this privacy statement from time to time in order to keep up to date with the latest version available.

This Privacy Statement is in version 2.0, made available on December 29, 2022.