Dear owner, your privacy is important to us.
This privacy notice will provide you with information on how we handle your Personal Data.
We, at CHORUS CALL BRASIL (“CHORUS CALL”), are responsible for operating various solutions for remote meetings and information sharing through audio conferencing, videoconferencing, webcasting and collaborative tools (“Services”). Thus, in some situations, we need to collect and process users' personal data (“Data”) in a legitimate way in order to offer these services.

CHORUS CALL BRASIL, a company headquartered in the United States of America, can transfer and store personal data on servers located at the headquarter, adopting the appropriate requirements for the security and privacy of the holders, detailed in its internal regulations.

It is worth mentioning that this notice should be considered together with the CHORUS CALL Privacy Policy, available on the https://choruscall.com.br website. If you still have questions after reading this Notice, please feel free to contact us through the service channel dpo-brazil@choruscall.com.

The collection of your personal data will depend on how you interact with our Services. For example, we need to collect your Data when you register on our platform and contract our services or when you browse the website. In this way, we highlight below the main situations that may involve the processing of your data:

Navigation Data

The information systems and software procedures used to operate this website acquire personal data as part of their standard operation; the transmission of such data is an inherent feature of Internet communication protocols.

This information is not collected to relate it to identified data subjects, however, it may allow the identification of the user itself after being processed and compared with data from third parties.

This category of data includes IP addresses and/or domain names of computers used by any user connecting to this website, the Uniform Resource Identifier (URI) addresses of requested resources, the time of such requests, the method used to send a given request to the server, size of the file returned, a numerical code relating to the server's response status (successful, error, etc.) and other parameters related to the user's operating system and computer environment.

These datas are only used to extract anonymous statistical information about the use of the website, as well as to verify its operation; they are deleted immediately after being processed. The data may be used to determine responsibilities in case of computer crimes committed against the website and may be displayed to the Judicial Authorities, if they expressly request it.

Data provided voluntarily by users

The sending of e-mail messages to the addresses mentioned on this website, which is done at a freely chosen, explicit and voluntary option, implies the acquisition of the sender's address, necessary to respond to any request, as well as from the additional personal data. contained in the message, as well as the data collected through the data collection forms dedicated to the online services offered by our company (such as audio or videoconferencing services).

Personal data are processed with automated tools for the time strictly necessary to achieve the purposes for which they were collected.

Specific summary information notices will be shown and/or displayed on pages that are used to provide on-demand services.

CHORUS CALL ensures the ownership of your personal data, guaranteeing the fundamental rights of freedom, intimacy and privacy. In this way, any and all observations on these aspects must be reported immediately to the Data Processing

Officer, via the e-mail dpo-brazil@choruscall.com.

It is worth mentioning that you have the right to obtain at any time and upon the request requested from the Data Processing Officer of CHORUS CALL:

• Access to Personal Data stored;
• Correction of Personal Data;
• Anonymization, blocking or deletion of Personal Data;
• Request data portability;
• Request information about the sharing of Data;
• Revocation of Consent;
• Request review of automated decisions;
• Oppose the processing of Personal Data; among others.

If you believe that your personal data may have been used in a way that is incompatible with this Privacy Notice or with your choices as a holder of this Data, or if you have any other questions, comments or suggestions regarding this Notice, please contact with us. We have a Data Protection Officer who is available at dpo-brazil@choruscall.com.

In view of the need for continuous improvement and the care we take when handling personal data, we are always looking to improve our products and services, this Privacy Notice may be updated to reflect the improvements made. Therefore, we recommend that you periodically visit this page so that you are aware of the changes made.

PRIVACY POLICY AND PROTECTION OF INDIVIDUAL DATA

Introduction

CHORUS CALL BRASIL ("CHORUS CALL") understands that the processing of personal data, including in digital media, must be protected based on the fundamental rights of freedom and privacy, as provided for in Law No. 13.709, of August 2018 - General Personal Data Protection Law – LGPD.

Through this policy, but not limited to the document, CHORUS CALL establishes guidelines related to privacy and
protection of personal data in the Company's environment.

Purpose

Through this policy, CHORUS CALL aims to establish the principles, concepts and guidelines relating to the privacy and protection of personal data in the Company's environment, regardless of the means or country in which the data is located.

Scope

The privacy policy and protection of personal data apply to all personal data collected in the national territory (Brazil), whose holder is found there at the time of collection.

It is noteworthy that the LGPD does not apply to the processing of personal data carried out for the exclusive purposes of public security, national defense, State security or investigation and prosecution of criminal offenses. However, the processing of data for the purposes highlighted must comply with specific legislation, containing proportional and strictly necessary measures to serve the public interest, observing due legal process, the general principles of protection and the rights of the holder provided for in the LGPD, under the guardianship of a legal entity governed by public law.

Additionally, the LGPD does not apply to the processing of personal data carried out by a natural person for exclusively private and non-economic purposes.

CHORUS CALL is a company that provides solutions for remote meetings and information sharing through audio conferencing, videoconferencing, webcasting and collaborative tools (“Services”).
Therefore, it is important to highlight that personal data, as well as the content that may be in records of conversations, documents, files, voice and video recordings, among other data that may be kept on behalf of customers, as well as any other information that customers may upload to their accounts when using the Services offered is the responsibility of the Customer. In this way, we will treat the Client's content only to provide the provision of our services.

For recordings, CHORUS CALL will endeavor to apply the best information security practices.

Fundamentals and principles

The General Law for the Protection of Personal Data is based on those mentioned in its article 2. Personal data processing activities must observe good faith and the following principles mentioned in article 6 of the General Data
Protection Law:

- Purpose
- Adequacy
- Need
- Free access
- Data quality
- Transparency
- Security
- Prevention
- Non-discrimination
- Accountability

Thus, CHORUS CALL's actions, control mechanisms, procedures and instructions are based on the fundamentals and principles indicated by the Law.

Guidelines

The guidelines indicated in this policy are known and accepted by all employees belonging to the scope and applicability of this regulation. CHORUS CALL employees are committed to professional secrecy beyond the employment contract, as well as access to personal data is restricted to what is necessary.

Requirements for the processing of personal data

The processing of personal data can only be carried out in the following cases:

- Upon provision of consent by the holder;
- For compliance with a legal or regulatory obligation by the controller;
- To carry out studies by a research body, ensuring, whenever possible, the anonymization of personal data;
- When necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data holder;
- For the regular exercise of rights in judicial, administrative or arbitration proceedings;
- For the protection of the life or physical safety of the owner or third party;
- For the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority;
- When necessary to meet the legitimate interests of the controller or third party, except where fundamental rights and freedoms of the holder that require the protection of personal data prevail; or
- For credit protection, including the provisions of relevant legislation.
Note that the processing of personal data whose access is public must consider the purpose, good faith and public interest that justified its availability.

The processing of personal data must be carried out only for legitimate purposes, considered from concrete situations, which include, but are not limited to:

- Support and promotion of controller activities; and
- Protection, in relation to the holder, of the regular exercise of their rights or provision of services that benefit them, respecting their legitimate expectations and fundamental rights and freedoms.

Additionally, when the processing is based on the legitimate interest of the controller, only personal data strictly necessary for the intended purpose may be processed and the process must be submitted to risk assessment by the DPO of
CHORUS CALL.

When data is processed by partners, such as suppliers, service providers, etc. CHORUS CALL shall adopt measures to ensure the transparency of data processing based on its legitimate interest.

Data Processing Activity

The following activities are considered as personal data processing:

- Collection;
- Production;
- Reception;
- Classification;
- Use;
- Access;
- Reproduction;
- Transmission;
- Distribution;
- Processing;
- Encryption;
- Storage;
- Elimination

Purpose of data processing

CHORUS CALL handles the processing of personal data to fulfill its legal and contractual obligations, principal or acessory, including administrative and regulatory activities, arising from the exercise of its activities.

Processing of personal data

Operations carried out with personal data by CHORUS CALL include:

- Procedures related to the hiring of employees and service providers, as well as the routines related to the collection and fulfillment of the respective obligations;
- Identification of customers and suppliers, considering their representatives in contractual relationships or preliminary procedures related to the contract;
- Attendance and demonstration of compliance with legal or regulatory obligations before public entities, especially health, environmental, labor and tax authorities;
- Carrying out service, screening, resolution and response to questions and requests from actual or potential customers;
- Processing sales, issuing invoices, contracts, among others; and
- Procedures related to physical and logical security of environments and information security of service platforms offered by CHORUS CALL.

In order to carry out these assignments, CHORUS CALL may share data with third-party business partners, authorized for this purpose, adopting the appropriate physical, technical and organizational measures regarding the privacy and protection of personal data.

Processing of sensitive personal data

The processing of sensitive personal data can only take place in the following cases:

- When the holder or his/her legal guardian consents, in a specific and prominent way, for specific purposes;

- Without providing the holder's consent, in cases where it is essential to:

— Compliance with a legal or regulatory obligation by the controller;
— Shared processing of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations;
— Carrying out studies by a research body, ensuring, whenever possible, the anonymization of sensitive personal data;
— Regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law);
— Protection of the life or physical safety of the owner or third party;
— Protection of health, exclusively, in a procedure performed by health professionals, health services or health authority;
— Guarantee of fraud prevention and security of the holder, in the processes of identification and authentication of registration in electronic systems, safeguarding the rights mentioned in art. 9 of this Law and except where fundamental rights and freedoms of the holder that require the protection of personal data prevail.

It is noted that the communication or shared use of sensitive personal data between controllers in order to obtain economic advantage may be subject to prohibition or regulation by the national authority, after consultation with the sectorial bodies of the Public Power, within the scope of its competences.

Communication or shared use between controllers of sensitive personal data relating to health in order to obtain economic advantage is prohibited, except in the cases related to the provision of health services, pharmaceutical assistance and health assistance, including auxiliary diagnostic services and therapy, for the benefit of the interests of data owners, and to allow:

— Data portability when requested by the holder; or
— Financial and administrative transactions resulting from the use and provision of the services referred to in this
paragraph.

It is noteworthy that anonymized data is not considered personal data for the purposes of the LGPD, except when the anonymization process to which it was submitted is reversed, using its own means exclusively, or when, with reasonable efforts, it can be reversed. It should be noted that the determination of what is reasonable must take into account objective factors, such as the cost and time required to reverse the anonymization process, according to available technologies, and the exclusive use of their own means.

Personal data, for the purposes of the LGPD, are also considered to be those used to form the behavioral profile of a particular natural person, if identified.

End of data processing

The termination of the processing of personal data occurs in the following cases:

- Verification that the purpose has been achieved or that the data is no longer necessary or relevant to the achievement of the specific intended purpose;
- End of treatment period;
- Communication from the holder, including the exercise of their right to revoke consent;
- Determination of the national authority, when there is a violation of the provisions of the Law.

Personal data must be deleted after the end of its treatment, within the scope and technical limits of the activities, authorized to be preserved for the following purposes:

- Compliance with a legal or regulatory obligation by the controller;
- Study by a research body, ensuring, whenever possible, the anonymization of personal data;
- Transfer to a third party, provided that the data processing requirements set out in this Law are respected; or
- Exclusive use of the controller, its access by a third party prohibited, and provided that the data is anonymized.

Right of holders

CHORUS CALL ensures the ownership of your personal data, guaranteeing the fundamental rights of freedom, intimacy and privacy. Therefore, any and all observations on these aspects must be reported immediately to the Data Processing
Officer, via e-mail dpo-brazil@choruscall.com.

It is noteworthy that the holders have the right to obtain, at any time and upon request made to the Data Processing Officer of CHORUS CALL:

- Confirmation of the existence of treatment;
- Access to data, stored in a way that favors the exercise of access. Additionally, if the processing originates from the holder's consent or from a contract, the holder may request the electronic copy and the integration of his personal data, in a format that allows its subsequent use, including in other processing operations;
- Correction of incomplete, inaccurate or outdated data;
- Request the review of decisions taken solely on the basis of automated processing of personal data that affect the holder's interests, including decisions aimed at defining the personal, professional, consumer and credit profile or aspects of his personality.
- Anonymization, blocking or deletion of unnecessary, excessive or processed data in disagreement with the provisions of the LGPD;
- Data portability to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets. Note that data that have already been anonymized by the controller are not included in the portability;
- Elimination of personal data processed with the consent of the holder;
- Information on public and private entities with which the controller shared data;
- Information about the possibility of not providing consent and about the consequences of denial;
- Revocation of consent;
- Right to petition in relation to your data against the controller before the national authority, which can be exercised before the consumer protection bodies;
- Oppose the treatment carried out based on one of the cases of waiver of consent;

Note that the rights will be exercised upon express request of the holder or legally constituted representative, to the processing agent.

In case of impossibility of immediate adoption of the measure referred to, the controller will send the holder the answer in which he can:

- Communicate that you are not a data processing agent and indicate, whenever possible, the agent; or
- Indicate the factual or legal reasons that prevent the immediate adoption of the measure.

Additionally, the requirements will be attended by CHORUS CALL, at no cost to the holder and confirmations will be provided, in a simplified format, immediately or by means of a clear and complete statement, containing the origin of the data, the lack of registration, the criteria used and the purpose of the treatment, provided within 15 (fifteen) days from the date of request by the holder. The information and data may be provided by electronic means, secure and suitable for this purpose or in printed form.

CHORUS CALL will immediately inform the processing agents with whom it shared the use of data the correction, deletion, anonymization or blocking of data, so that they repeat the same procedure, except in cases where this communication is proven to be impossible or entail disproportionate effort.

Whenever requested, CHORUS CALL will provide clear and adequate information regarding the criteria and procedures used for automated decision-making.

It is noteworthy that the personal data referring to the regular exercise of rights by the holder cannot be used in their losses.

Data transfer

Personal information may be transferred, archived or processed in a country other than the one where it was collected and from which the data subjects originate, in the following cases:

- When countries or international organizations provide an adequate level of protection of personal data, provided for in the Law;
- When the controller offers and proves guarantees of compliance with the principles, the rights of the holder and the protection regime, through specific contractual clauses for the transfer; standard clauses; corporate standards, seals, certificates and codes of conduct, to be assessed by the national authority.
- When the transfer is necessary for legal cooperation and protection of life;
- When the transfer is necessary for the execution of public policy or legal attribution of the public service;
- When the holder has provided their specific consent for the transfer;

In such cases, data transfer must be carried out in accordance with the requirements of the LGPD (General Data Protection Law). When the transfer of personal data is carried out to a country outside Brazil, adequate guarantees will always be provided through the use of binding rules with legal force, such as clauses similar to those approved by Brazilian legislation. When the transfer is made to other Group companies, it is always carried out in accordance with the Group's privacy policy and in the event that they exist, based on Corporate rules, binding on data controllers and subcontractors.

Treatment agents

CHORUS CALL keeps a record of the personal data processing operations carried out and periodically prepares the impact report on the protection of personal data, including sensitive data, referring to its data processing operations.

The Data Processing Officer must be publicly disclosed, in a clear and objective manner, preferably on the CHORUS CALL website.

The Data Processing Officer must:

- Accept claims from holders, provide clarifications and take measures;
- Receive communications from the national authority and take action;
- Guide the entity's employees and contractors about the practices to be taken in relation to the protection of personal data; and
- Perform other assignments determined by the controller or established in complementary rules.

Additionally, the processing agents or any other person who intervenes in one of the processing phases undertakes to guarantee the security of the information in relation to personal data, even after its termination.

The controller will notify the national authority and the holder of the occurrence of a security incident that may cause relevant risk or damage to the holders. Note that the communication must be made within a reasonable time and mention at least:

- A description of the nature of the affected personal data;
- Information about the holders involved;
- Indication of the technical and security measures used for data protection, observing commercial and industrial secrets;
- The risks related to the incident;
- The reasons for the delay, in case the communication was not immediate; and
- The measures that have been or will be taken to reverse or mitigate the effects of the loss.

Data security and confidentiality

CHORUS CALL adopts security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful treatment, as indicated in the "Information Security Policy".

It should be noted that the systems used for the processing of personal data must be structured in order to meet the security requirements, the standards of good practices and governance and the general principles provided for in the
Law.

Responsibility

All employees or professionals who carry out their activities on behalf or for the economic benefit of CHORUS CALL must read, understand and ensure compliance with this regulation and the “Information Security Policy” of CHORUS CALL.

The managers of the CHORUS CALL departments, in addition to the responsibilities already mentioned, must identify situations where personal data is processed and ensure that the data about their management follow the guidelines indicated in these regulations.

Professionals related to the Information Technology, Information Security and Legal departments, in addition to the aforementioned responsibilities, must provide support and solutions to comply with the guidelines mentioned in this policy.

The Data Processing Officer, together with the administration of CHORUS CALL, in addition to the aforementioned responsibilities, have to develop monitoring mechanisms to ensure that the guidelines indicated in this policy are in compliance, as well as follow the standards and techniques indicated by the national authority.

Non-compliance

CHORUS CALL considers non-compliance the violation, omission, attempt or failure to comply with the guidelines, procedures or concepts indicated in the Privacy Policy, voluntarily or involuntarily.

Cases identified as suspected non-compliance must be promptly reported to the Data Processing Officer, through the email dpo-brazil@choruscall.com.

Omissive Cases

In case of doubt, users of this standard should promptly seek the Technology, Legal and/or Information Security department of CHORUS CALL for clarification.

Reviews

This regulation must be reviewed annually or at any time that Management deems necessary.

Reference documents

- Law 13.709/18 - General Data Protection Law;
- Law 13.853/19 – Provision on LGPD and Creation of ANPD;
- Information Security Policy;

Standard management

The Personal Data Treatment Policy, approved by the Senior Management, will come into effect from the date of its approval.