Privacy Policy

1. PRESENTATION AND COMMITMENT TO PRIVACY

SLIIC Sistemas de Segurança Viária e Ambiental Ltda, registered with the CNPJ under No. 17.097.591/0001-60, headquartered at Rua Padre Raposo, 29, room 502, Mooca, São Paulo/SP, reaffirms its commitment to the protection of personal data, information security and respect for privacy. This Privacy Policy was prepared in accordance with the General Law for the Protection of Personal Data (LGPD - Law No. 13,709/2018), the Civil Rights Framework for the Internet (Law No. 12,965/2014), the Consumer Protection Code, the CLT and other related rules.

This policy applies to all personal data processed within the scope of the services offered by SLIIC, including its technological platforms (web, mobile, APIs), as well as in administrative, commercial and operational processes.

2. WHAT SLIIC DOES WITH YOUR DATA

The personal data processed by SLIIC is for the purpose of:

• Perform the contracted services, operating the platform's functionalities;
• Ensure the tracking, control and monitoring of logistics routes and events;
• Ensure the security of the operation and prevent fraud or improper access;
• Allow auditing of deliveries, performance analysis and reporting;
• To meet requests from holders and contractual obligations from customers;
• Comply with legal, regulatory and tax obligations;
• Respond to judicial, administrative or ANPD requests;
• Support internal or external investigations, when necessary;
• Generate usage metrics, performance indicators and technical logs for information security control and incident analysis;
• Ensure the traceability of critical activities and history of relevant modifications in the system;
• Improve functionality, fix bugs, and apply continuous improvements in infrastructure and security.

3. PRINCIPLES OF PROCESSING PERSONAL DATA

SLIIC strictly observes the principles set forth in the LGPD, ensuring that data processing is carried out with:

• Legitimate, explicit and informed purpose;
• Fitness for the informed purpose;
• Necessity, limiting oneself to the minimum necessary;
• Free access and transparency to the holder;
• Data quality;
• Safety and damage prevention;
• Accountability and accountability.

4. ROLES IN DATA PROCESSING

SLIIC may act as:

• Personal data operator: when it carries out processing on behalf of and on the instructions of its customers (controllers), in the context of the provision of the contracted services;
• Controller of personal data: when it processes data related to the management of its own employees, suppliers, partners and support users.

5. CATEGORIES OF PERSONAL DATA PROCESSED

Depending on the purpose and relationship with the data subject, SLIIC may process the following categories of data:

• Registration data: name, CPF, RG, CNH, telephone, e-mail, function, related company;
• Vehicle data: license plate, model, fleet identifiers;
• Geolocation data: positioning points on routes and operational stretches;
• Operational data: routes traveled, deliveries made, logistics events;
• Technical and digital data: IP, browser type, operating system, access logs, sessions and clicks;
• Administrative data: access profiles, permission history, and account settings;
• Contractual and financial data: in the case of providers, suppliers and employees with a direct relationship.

6. LEGAL BASES

The legal hypotheses that authorize the processing include:

• Execution of contract or preliminary procedures (art. 7, V, LGPD);
• Compliance with a legal or regulatory obligation (art. 7, II);
• Regular exercise of rights (art. 7, VI);
• Legitimate interest (art. 10);
• Credit protection and fraud prevention (art. 7, X).

7. CONSENTS

As a rule, SLIIC does not process data based on consent. However, when the processing depends on the manifestation of the data subject, he will be informed in a clear and prominent manner about the purpose, the possibility of revocation and the consequences of the refusal.

8. SHARING OR DISCLOSURE OF PERSONAL DATA

Personal data may be shared:

• With controlling customers, for operational and contractual purposes;
• With service providers and suppliers under specific contractual clauses;
• With public bodies, legal or judicial authorities, through legal obligation;
• With technology, support and data hosting partners;
• With external consulting and legal advice, if necessary;
• With the ANPD or other inspection bodies, when formally requested.

9. COOKIES AND SIMILAR TECHNOLOGIES

The SLIIC platform may use cookies and similar technologies to:

• Memorize user preferences;
• Collect statistical data on the use of the features;
• Increase navigation safety;
• Facilitate login and session management.

The user can configure their browser to block cookies, although this may affect some functionality.

10. DATA RETENTION AND DISPOSAL

SLIIC observes specific retention rules:

• Geolocation data: stored for up to 60 days, considering the purpose of logistics tracking and operational monitoring of delivery segments. After this period, they are automatically eliminated, unless they are linked to a specific contractual obligation;
• Operational data: stored for up to 3 years, according to article 206, paragraph 3, item V, of the Civil Code, considering actions of a contractual nature and civil liability;
• Technical logs and access records: kept for up to 1 year, according to article 15 of the Brazilian Civil Rights Framework for the Internet, and may be extended upon request by a competent authority or proven need for auditing;
• Data linked exclusively to the contract: may be stored for up to 6 months after the contractual termination, for the purposes of operational closure and eventual auditing.

After the defined deadlines, the data is deleted or anonymized, except when there is a legal obligation or legitimate interest duly documented for retention.

11. RIGHTS OF DATA SUBJECTS

Data subjects can exercise their rights provided for in article 18 of the LGPD, such as:

• Confirmation of treatment;
• Access to personal data;
• Correction of incomplete or outdated data;
• Deletion of excessive data;
• Sharing Information.

Requests can be sent to the DPO by email or physical address indicated below.

12. INFORMATION SECURITY

SLIIC adopts measures such as:

• Encryption of sensitive data;
• Access control with robust authentication;
• Monitoring logs and actions per user;
• Regular backups in a secure environment;
• Internal information security and incident response policies;
• Registration and traceability of data access by different profiles;
• Communication channel with authorities and the ANPD.

13. CUSTOMER RESPONSIBILITIES

Customers, as data controllers, should:

• To ensure the veracity and legality of the data provided;
• Request the cancellation of access of disconnected users;
• Keep permissions and access profiles up to date;
• Respond to requests from holders of its base;
• Ensure the legal basis for the data collected on your behalf;
• Adopt measures to prevent the misuse of access credentials by former employees or unauthorized third parties.

14. DPO (PERSON IN CHARGE OF THE PROCESSING OF PERSONAL DATA)

Data Officer (DPO)

Aristides Palhares Neto
E-mail: dpo@sliic.com.br
Address: Rua Padre Raposo, 29, sala 502, Mooca, São Paulo/SP, CEP 03118-000

15. POLICY CHANGES

This Policy may be updated from time to time. Every new version will be published on the SLIIC platform, highlighting the date of its last update.

16. REGISTRATION OF PROCESSING OPERATIONS (RoPA)

SLIIC keeps its Register of Personal Data Processing Operations (RoPA) up to date, in accordance with article 37 of the LGPD. This record documents the processing activities carried out, including categories of data processed, purposes, security measures applied, and corresponding legal hypotheses.

RoPA is used for governance, transparency, and accountability purposes, and can be made available to the National Data Protection Authority (ANPD), whenever requested.

This document is for internal and confidential use by SLIIC Sistemas de Segurança Viária e Ambiental Ltda, prepared in accordance with the General Data Protection Law (LGPD – Law No. 13,709/2018) and related information security standards.

Reproduction, disclosure or sharing, in whole or in part, without the express authorization of the Board of Directors is prohibited. Failure to comply with the rules established herein may result in internal disciplinary measures, contractual termination and civil and criminal liability, depending on the seriousness of the infraction.