General External Privacy Notice
EXTERNAL PRIVACY NOTICE
PERSONAL DATA PRIVACY AND PROTECTION GOVERNANCE PROGRAM
Summary
- INTRODUCTION
- PERSONAL DATA HANDLED
- WHY DO WE NEED YOUR INFORMATION?
- HOW LONG DO WE KEEP YOUR INFORMATION?
- HOW IS YOUR DATA SHARED?
- WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?
- HOW DO WE PROTECT YOUR PERSONAL DATA?
- UPDATE OF THIS PRIVACY NOTICE
- CONTACT AND QUESTIONS
1. INTRODUCTION
Linx respects your privacy. For Linx, ensuring your privacy and the security of your information is a priority. Therefore, aiming to guarantee transparency in its activities and allow you to become aware of the Information Handling carried out, this Privacy Notice (“Notice”) has been prepared.
Linx mainly acts as a retail software and solutions provider, offering a wide range of products and services to companies with which you have a direct relationship (“Linx Clients”).
However, Linx may also act as a Controller in some situations, when, for example, it offers services directly to you. In these cases, the Handling of Personal Data is performed by the following companies:
LINX SISTEMAS E CONSULTORIA LTDA.
CNPJ (EIN): 54.517.628/0001-98
Address: Av. Doutora Ruth Cardoso, 7221, Conjunto 401 Bloco A Departamento 17, Conjunto 501 Bloco A Departamento 18, Conjunto 601 Bloco A Departamento 19, Conjunto 701 Bloco A Departamento 20, Conjunto 1501 Bloco A Departamento 06, Edifício Birmann 21, Pinheiros – São Paulo/SP – CEP 05.425-902.
LINX PAY MEIOS DE PAGAMENTO LTDA.
CNPJ (EIN): 27.547.510/0001-30
Address: Av. Doutora Ruth Cardoso, 7221, Conjunto 1401, Bloco A, Departamento 20, Sala 03, Edifício Birmann 21, Pinheiros – São Paulo/SP – CEP 05.425-902
2. PERSONAL DATA HANDLED
Linx may collect your Personal Data in several ways during the performance of its operations, including, without limitation, direct supply by you, by completing registration or forms on Linx websites and/or applications, or when you engage a service provided by Linx.
During your relationship with Linx, you will be able to provide several Personal Data to enable the provision of services, the offering of benefits and the fulfillment of obligations provided for in specific laws or regulations.
This information can be actively provided by you when contacting, requesting a quote, contracting services or support, or being collected automatically when using Linx online services, as data linked to your connection.
For these purposes (and other Purposes, pursuant to item 3 below), this data may include:
- Qualification and demographic data: Name, Social Security Number (CPF), ID (RG), sex, date of birth, marital status, nationality, signature;
- Contact details: Email, address and telephone;
- Behavioral data: Nature of the relationship with Linx and recordings and data from calls with Linx, profile classification (client, shareholder, supplier, etc.);
- Financial data: Credit data, credit score, credit card number, bank details (bank, branch and checking account), number of shares held, amounts receivable;
- Professional data: corporate email and professional board membership number (such as CRC);
- Connection data: Device used, IP address and browsing cookies (date and time of access, browsing history, preferences and user name);
- Procedural data: personal data linked to a lawsuit (value of the case, number of the lawsuit and facts described).
Not all Personal Data described above are actually collected. This will depend on several factors, such as the contracted service, the nature of the relationship you have with Linx, your choice of data provision (not all is mandatory, and you may refuse to provide certain data), among others.
In addition to these factors, Linx may receive other personal data from Linx Clients, within the commercial relationship it has with them for the supply of the software or the contracted solution. In these cases, as Linx acts on behalf of the Linx Client and according to his or her instructions, it only has the role of Data Operator.
3. WHY DO WE NEED YOUR INFORMATION?
When in the position of Controller, Linx will handle the data collected to mostly execute the contracts signed with you, provide support to the contracted services, exercise the rights provided for performance and defense in lawsuits, comply with legal obligations and allow the performance of internal processes related to Linx services and organization.
Furthermore, the information collected may be used for advertising purposes, such as sending communications about products that are of interest to you, safeguarding your right to request the interruption of such sending.
When acting as an Operator, Linx will ensure that the Handling is done only based on the instructions provided by Linx Clients.
During your relationship with Linx, the data collected may be used for several Purposes, such as:
I. execute the contract and fulfill the purpose for which you provided the information, either by creating user profiles in the systems or fulfilling contractual reporting obligations;
II. fulfill requests and provide the necessary support when using the services;
III. expand marketing offers and promote other Linx products and services that may be of interest to you, via email, telephone or application;
IV. improve Linx products and services even more;
V. meet existing legal requirements to which Linx is subject;
VI. allow Linx to exercise its regular rights, as well as the defense in any judicial, administrative or arbitration proceedings;
VII. carry out internal organization procedures, prepare internal productivity, sales and billing reports, and prepare client satisfaction studies.
Aiming to carry out such Handling, Linx will rely on the authorizing assumptions brought by the General Data Protection Law (“LGPD”), such as your Consent, Linx’s legitimate interest, the need to execute a contract of which you are a part, comply with any legal obligation to which Linx is subject, among others. When Linx carries out Personal Data Handling based on a legitimate interest, this will always occur within the limits of your expectation, and never to the detriment of your fundamental interests, rights and freedoms.
If you feel uncomfortable and no longer wish to receive any information or targeted communications from Linx, you can contact Linx by the email privacidadededados@linx.com.br at any time, expressing your opposition.
It is important to highlight that not necessarily all the Purposes described herein will apply to all Data Subjects. This will depend on the product/service contracted. To learn more about the Purposes applicable to you, please contact Linx DPO/Person in Charge through the channels indicated in item 9 of this Notice.
Finally, it is important to stress that the Purposes described above will apply to the relationships in which Linx is the Data Controller. For situations in which Linx acts as an Operator, you must contact the Controller (Linx Client) to request the desired information.
The non-exhaustive list of Linx Clients can be found at: /clientes.
4. HOW LONG DO WE KEEP YOUR INFORMATION?
In general, your Personal Data will be deleted by Linx when it is no longer useful for the purposes that motivated its supply and is no longer necessary to fulfill any legal obligation.
This information is stored on the company’s servers, both owned and from third parties, which may be located outside of Brazil.
Aiming to protect the privacy of its clients, Personal Data handled by Linx will be deleted when it is no longer useful for the purposes for which it was collected, unless the maintenance of the data is expressly authorized by applicable law or regulation.
When Linx processes the data as an Operator, it will keep that data only for as long as the Controller indicates and will delete it according to the instructions sent. To request the deletion of this data, you must contact the Controller.
5. HOW IS YOUR DATA SHARED?
Aiming to enable the supply of products and the provision of contracted services, Linx may share your Personal Data with suppliers of essential services for its activities, and government authorities/bodies due to legal, regulatory obligations or to comply with a specific court order.
Thus, for the Purpose described above, and, when necessary, to perform the services contracted by you, your information may be shared with:
- Acquired/merged companies comprising Linx’s corporate structure, to perform the contracted service or offer and provide new products and services;
- Consulting, audit and compliance companies;
- Payment companies, such as card administrators and acquirers, for validation and approval of purchases, as well as security companies, for fraud prevention procedures;
- Research institutes (anonymized and/or statistical data, when possible);
- Credit protection agencies, such as Serasa;
- Government agencies, such as Finance and Federal Revenue Departments;
- External law firms, to act in extrajudicial, judicial, administrative or arbitration claims or proceedings; and
- Companies that provide services to Linx, such as technology companies and software vendors.
Moreover, your data may be shared in the following cases, not necessarily for the performance of a contract:
I. With authorities, governmental entities or other Third Parties, for the protection of Linx’s interests, in any type of conflict, including lawsuits and administrative proceedings;
II. In the case of transactions and corporate changes involving Linx, in which case the transfer of information will be necessary for the continuity of services; or,
III. By court order or at the request of administrative authorities that have legal competence for its request.
Furthermore, it is possible that some of the transfers indicated above occur outside the Brazilian territory, for example, for the storage of data on servers located in the United States.
In any case, Linx will take all necessary measures so that the sharing of your Personal Data takes place safely and in compliance with the applicable legal provisions.
Moreover, as an Operator, Linx can share data when the Controller instructs it. Even in these cases, Linx will ensure that the data will be shared only with companies that comply with the LGPD rules and principles.
6. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?
According to the LGPD, you have several rights, such as the right to confirm the Handling, to access the Personal Data we have, to revoke your Consent, among others.
Your rights can be exercised through the following email address: privacidadededados@linx.com.br.
You, as a Data Subject, have the following rights regarding your Personal Data:
a) Confirm the existence of the Handling by Linx or by any company within the group;
b) Request access to Personal Data handled by Linx or any company within the group;
c) Correct, update and/or complete your data;
d) Require the anonymization, blocking or deletion of unnecessary, excessive or illegally handled data;
e) Request data portability from another service or product provider, upon express request;
f) Request deletion of data handled with your consent;
g) Know who Linx shares your data with;
h) Revoke your Consent, when your Personal Data is handled under this hypothesis;
i) Receive information about the consequences of not giving your consent;
j) Revoke the consent or interrupt the handling of personal data for which we do not request your consent;
k) Review or request an explanation of decisions made based on automated handling performed by us.
Additionally, you can exercise any other right provided for by law.
To send requests related to your rights, you must contact the DPO/Person in Charge of Linx through the email privacidadededados@linx.com.br.
In specific cases, it is possible that your request will not be answered. In these cases, Linx will explain the reasons that justified the non-reply. For example, requests related to operations in which Linx acts as Operator may, depending on the specific case, not be answered, and must be sent directly to the Data Controller.
Alternatively, if you are a direct client of Linx, you can exercise some of these rights, such as the data update right, directly through the website /portal-da-privacidade/.
Furthermore, you can request Linx to stop sending marketing emails directly in the email received, through the link “click here” at the end of the email, right after “if you do not want to receive messages like this”.
7. HOW DO WE PROTECT YOUR PERSONAL DATA?
Aiming to ensure the security of your information, Linx uses the best security techniques available on the market, both in technical solutions through systems, and in relation to the adoption of policies and procedures related to the protection of information.
To this end, Linx adopts several precautions, in compliance with the guidelines on safety standards established in applicable laws and regulations, such as:
a) Strict control of Personal Data Handling, including limitation of access, respecting the definitions of functions and the concept of least privilege, as well as password protected access;
b) Access authentication mechanisms, including double authentication systems that ensure the individualization of records;
c) Detailed inventory of the connection logs, including the time, duration, identity of the person responsible and the file accessed;
d) Vulnerability Management Program, comprising proactive testing of IT environments and the application of corrections, aiming to identify and correct any failures;
e) Cyber intelligence service, with the purpose of proactively monitoring possible undue data exposures for rapid mitigation;
f) Encryption of data at rest and in transit, ensuring the confidentiality and integrity of data handled in Linx’s technological environments;
g) Records management solutions using techniques that guarantee the data inviolability, including encryption or equivalent protection measures, without prejudice to the adoption of other technical standards later provided for by the competent authorities.
In addition to technical efforts, Linx also adopts institutional measures aimed at protecting Personal Data, so that it maintains a privacy governance program applied to its activities and governance structure, which is constantly updated.
Access to the information collected is restricted to Linx employees and authorized persons. Those who misuse said information in violation of the internal policies adopted will be subject to appropriate administrative, disciplinary and legal sanctions.
Although Linx uses its best efforts to preserve your privacy and protect your Personal Data, no transmission of information is fully secure. Therefore, Linx cannot fully guarantee that all information it receives and/or sends is not subject to unauthorized access by means of methods developed to obtain information improperly, such as technical failures, viruses or database invasions.
Anyway, in the remote event of incidents of this nature, Linx guarantees the full effort to remedy the consequences of the event.
8. UPDATE OF THIS PRIVACY NOTICE
This Privacy Notice may be amended at any time, aiming to guarantee the commitment to maximum transparency with you, when situations of changes in the products, Handling or Purposes are identified, when required by the competent authority or based on specific situations involving questions from users, for the sake of clarity.
However, rest assured that you will be notified via the email registered with Linx when changes and/or updates are made.
9. CONTACT AND QUESTIONS
If you have any doubt, suggestion or request that involves this document, contact the DPO/Person in Charge of Linx, Deborah Renata de Oliveira Moterani, through the following email address: privacidadededados@linx.com.br.
Attention: conflict between information contained in this Privacy Notice and in another document with the same purpose, specifically related to any product, service or application, may occur. In that event, the specific information in the other document must prevail over the information in this Notice.
GLOSSARY
If you have any questions about the terms used in this Notice, we suggest consulting the definitions below:
Linx Client(s): companies that act as Data Controllers, with which Linx has a commercial relationship for the supply of products or services and that have a direct relationship with the Data Subject.
Consent: free, informed and unequivocal manifestation of the Data Subject authorizing the Handling of his or her Personal Data for a specific Purpose.
Controller: individual or legal entity responsible for decisions related to the Handling of Personal Data, such as what data to collect, from whom to collect, what is the Purpose of the Handling, with whom to share, among others.
Personal Data: any information related to a natural person, directly or indirectly, identified or identifiable.
Sensitive Personal Data: special category of Personal Data referring to racial or ethnic origin, religious belief, political opinion, union membership or organization of a religious, philosophical or political nature, related to health or sexual life, genetic or biometric data related to the natural person.
DPO (Data Protection Officer)/Person in Charge: person assigned by Linx to be responsible for ensuring compliance with your rights and clarifying doubts about the Handling of your Personal Data.
Purpose: reason why the personal data will be handled, or objective that is intended to be reached with the Handling of the data.
Operator: individual or legal entity who handles the data on behalf of a Controller, in accordance with its instructions.
Third party(ies): refers to, but is not limited to, any individual or legal entity with whom Linx is related or will be related, service provider, supplier, consultant, client, business partner, Third party contracted or subcontracted, lessee, assignee of commercial space, regardless of a formal contract or not, including one that uses the name of the Company for any purpose or that provides services, provides materials, interacts with Public Officials, with the Government or with other Third Parties on behalf of the Company.
Data Subject: Natural person to whom the Personal Data refer, such as clients (in the capacity of his or her partners, administrators and collaborators), employees, contractors and you.
Handling: Any operation performed with Personal Data within its life cycle, such as the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, diffusion or extraction.