Privacy Policy

The DESKBEE Platform Privacy Policy (“Policy”) was created to demonstrate the commitment of DESKBEE LTDA., a company registered under CNPJ No. 09.591.453/0001-04 (herein referred to as “Deskbee”, “we” or “our”), with the security and privacy of the information collected from Users of the DESKBEE platform (“Platform”).

The Policy clarifies the general conditions for the collection, use, storage, and other forms of treatment and protection of personal data that the Platform may have access to, with the treatment being carried out in accordance with the Brazilian legislation currently in force regarding privacy and protection of personal data in Brazil, including, but not limited to, Law No. 12.965, of April 23, 2014, and Decree No. 8771, of May 11, 2016 (“Marco Civil da Internet”), Law No. 13.709, of August 14, 2018 (“General Data Protection Law” or “LGPD”), and other Ordinances and Resolutions issued by the National Personal Data Protection Authority (ANPD).

The data that Deskbee obtains comes from a contract signed between an individual or legal entity (“Subscriber Customer”) and Deskbee, whose object is to contract the Platform, which allows users to interact with the infrastructure and offers of the Subscriber Customer’s workspace, optimizing the use of resources and respecting health and safety rules.

The information entered on the Platform may be related to the Subscriber Customer’s employees (“Employees”) and the Subscriber Customer’s guests (“Guests”), who are, together, the holders of the personal data (“Holders”, “Users”, “Users” or simply “you”). In addition to the Subscriber Customer, Collaborators and Guests will also interact with the Platform, and may enter their personal or third-party data. To learn more, read our Terms of Use available on the Platform.

To maintain direct contact with you, a communication channel has been designated. If you have any questions and comments regarding this Policy, please send an email to our Personal Data Protection Officer at [email protected], for the attention of Luiz Gustavo Garrido (“Person”).

By using our Platform, you freely, unequivocally, expressly, and fully express your agreement with this Policy. We recommend that you read it carefully.

Summary

• 1. Coverage
• 2. Information We Can Collect
• 3. Legal Basis for the Processing of Personal Data
• 4. Purpose of Data Collection
• 5. Sharing Personal Data
• 6. Rights of the Personal Data Subject
• 7. How We Store and Process Personal Data
• 8. International Transfer of Personal Data
• 9. Information Retention Time
• 10. Term and Changes
• 11. Information about GDPR and UK GDPR
• 12. Communication Policy
• 13. Links to Other Websites

1. Coverage

This Policy applies to all Users of our Platform, and your personal data is collected whenever you interact with the Platform or if the Subscriber Client enters your information on the Platform.

Our Subscriber Clients can be natural or legal entities, established anywhere in the world, but Users will always be individuals or generic users created to link to environments, devices, or things. Below, we list the types of Platform Users:

• Registered Deskbee User
• Deskbee Contributor User or Admin
• Guest Deskbee User

2. Information We Can Collect

In order to use the Platform, Deskbee may process the following personal data that you or the Subscriber Client inform us of:

Information regarding the Registered Deskbee User:

Information regarding Employee or Admin Users: full name and e-mail. It is at the sole discretion of the Subscriber Customer to attach an account profile picture for each User, as well as assigning a GROUP to the User, for the purposes of training TEAM and work TEAMS. (e.g. Marketing Team, IT, etc). User and password data for access are created by the Admin User of the account or via SSO integration with Microsoft AD or Google G Suite, via SAML 2.0 protocol.

Information regarding the guest users: full name, e-mail, identification document (Drivers License, Personal ID or passport), and photo.

Information regarding third-party users: full name and e-mail. It is at the sole discretion of the Subscriber Customer to attach an account profile picture for each third-party User, as well as assign a GROUP to the User, for the purposes of training TIMES and work TEAMS. (e.g.: Cleaning, Concierge, etc).

Furthermore, if the Subscriber Customer chooses to contract the Deskbee MobileID functionality, the User's location data will be collected, as such information is used to enable the system to operate exclusively within company premises, using Bluetooth Low Energy (BLE) technology to communicate with internal devices. It is important to highlight that Deskbee does not collect, use or store the User’s latitude and longitude data. This data is only used to ensure proper detection of nearby BLE devices without any tracking or collection of specific geographic information. Therefore, given that the Subscriber Customer will process the data, the latter must be responsible for observing data protection standards for the aforementioned processing of personal data.

Deskbee may also automatically collect the data listed below for audit control and log failed login attempts to identify improper login attempt behavior. These data, when linked to information that identifies the user, will be treated as personal data in accordance with the law:

• Log data and information of your device: IP address, access dates and times, hardware and software information, device information, and device name.
• Cookies and similar technologies: in accordance with our Cookie Policy.

Please note that the personal data listed above will be collected by Deskbee and further processed only as necessary to achieve the purposes set out herein.

3. Legal Basis for the Processing of Personal Data

The classification of the legal basis of the data stored and processed by Deskbee listed in Section 2 takes place by analyzing the specific context in which we collect them.

The data processed by Deskbee will only be collected for the execution of the contract signed between the Subscriber Customer and Deskbee provided for in article 7, item V of the General Data Protection Law.

It will be up to the Subscriber Customer, controller of the data entered on the Platform, to choose the appropriate and consistent legal bases, in accordance with the General Data Protection Law.

4. Purpose of Data Collection

The collection of information has the sole and exclusive purpose of providing, maintaining, and improving the services provided to offer you a better experience. In this way, as necessary, the information collected will be used for the following purposes:

• Provide the service contracted by the Subscriber Customer
• Meet your eventual Platform support requests
• Send communications about activities on the Platform
• To defend against legal claims or as required by law
• Investigate, deter, or take action related to illegal activities, suspected fraud or situations involving potential threats to the physical and technological security of anyone and Deskbee, or if otherwise legally required, within the limits permitted by applicable law
• For auditing and logging failed login attempts to identify improper login attempt behavior

5. Sharing Personal Data

When necessary to achieve the purposes described in Section 4, Deskbee may share your personal data with the third parties listed below for the correct provision of the services offered, the security of storage of your personal data, and a better experience with Deskbee. Data sharing will be carried out within the limits and purposes of our business, in accordance with the purpose of the processing of personal data and in accordance with what is authorized by applicable law. In this way, your data can be shared with:

• For audit control and registration of failed login attempts, in order to identify the behavior of outsourced service providers hired only by the Subscriber Client, the in order to guarantee the execution of your requests on the Platform
• Software platforms and tools for the purpose of managing the provision of services offered by Deskbee, including: CRM (CONSTANT CONTACT, APOLLO), MAILING (CONSTANT CONTACT), SUPORTE (AGIDESK), CUSTOMER SUCCESS (CUSTOMER X). All this data is mapped in our Data Mapping to fulfill requests for editing, removal or access
• Tax authorities and government, police, public and judicial bodies for the purpose of responding to complaints, investigations, judicial measures, and legal proceedings, if requested, provided that they are equipped with an adequate instrument to request information (e.g. court order) as well as complying with legal, regulatory, and tax obligations; improper login tactics

6. Rights of the Personal Data Subject

Under the terms of the LGPD, the controller and the operator of personal data are processing agents, the controller being the natural or legal entity responsible for the decisions regarding the processing of personal data and the operator the natural or legal entity who carries out the data processing on behalf of the controller.

Considering that the Subscriber Customer is the Controller of personal data, under the terms of the LGPD, requests must be directed to him, and he must fulfill his request considering the deadlines and terms provided for in the applicable legislation.

In the form and within the limits of the applicable legislation, you, as the subject of personal data, may contact the Personal Data Controller to exercise your rights, in order to request:

• Confirmation of the existence of processing of your personal data
• Access to your data
• Correction of your incomplete, inaccurate or outdated data
• The anonymization, blocking or deletion of your data that are unnecessary, excessive, or treated in non-compliance with the provisions of applicable legislation
• The portability of your data to another service or product provider, subject to commercial and industrial secrets
• The elimination of your personal data, except in the cases provided for in the applicable legislation, to exercise rights pertaining to Deskbee and to comply with legal requirements
• Information from public and private entities with which Deskbee has shared its data
• Information about whether you may not provide consent and the consequences of your denial
• The revocation of your consent, when you have provided it, safeguarding the public interest that may justify the continuity of the treatment or the existence of another legal basis that authorizes it
• Opposition to any processing of personal data based on one of the cases in which their consent is waived, as long as there has been non-compliance with the provisions of applicable legislation and safeguarding the public interest that may justify the continuity of processing

Deskbee is not responsible for the correctness, veracity, authenticity, completeness and updating of the data provided by the User and the Subscriber Customer, not even for any possible misuse of published information or for fraud.

It is your sole responsibility to provide only correct, true, authentic, complete, and updated information, as well as to ensure the confidentiality of your password, not disclosing it to third parties.

7. How We Store and Process Personal Data

Deskbee maintains in a controlled and secure environment the personal data collected in order to serve specific purposes, as explained in Section 4.

The stored data uses “secure socket layer” (SSL) and is stored with AES-256 encryption. In addition, we follow all PCI-DSS requirements and implement additional generally accepted industry standards. Login data is stored encrypted using the Bcrypt tool and we perform PENTEST penetration tests every 180 days on our software.

All our software infrastructure is stored in a state-of-the-art, high-performance/security datacenter at Oracle CLOUD, owned by the American company ORACLE INC., headquartered in Redwood City, California, USA. The terms of privacy and data security can be accessed through the ORACLE CLOUD website.

Furthermore, all our employees who can access data from Subscriber Customers sign a Term of Responsibility on any problems with misuse, leakage or change of software settings, and may be penalized as co-responsible together with Deskbee if responsibility for part of our team.

Even so, the Owner must be aware that no Internet security system is guaranteed against unwanted intrusions, and Deskbee’s commitment is limited to the adoption of recommended protection measures in accordance with the current state of the art.

8. International Transfer of Personal Data

Deskbee does not carry out international transfer of your data to other countries or international bodies, and all personal data that you may have access to due to the Platform is stored on servers located in Brazil.

Thus, we make you aware that your personal data will be shared and stored on the following servers:

9. Information Retention Time

We store and maintain your information: (i) for as long as required by law or (ii) until the end of the processing of personal data, as mentioned below. Thus, we will treat your data, for example, during the applicable statute of limitations or as necessary to comply with a legal or regulatory obligation.

The termination of the processing of personal data will occur in the following cases:

• When the purpose for which the Data Subject’s personal data were collected is achieved and/or the collected personal data are no longer necessary or relevant to the achievement of such purpose
• When the Subscriber Client requests data deletion from Deskbee
• When there is a legal determination in this regard

Observing the principle of necessity, some data sent through the Platform may be deleted from our records by maintaining routine records, as contractually stipulated with the Subscriber Customer. We are under no obligation to store personal data indefinitely and we disclaim any liability arising out of or related to the destruction of such personal data.

Upon termination of the processing of your personal data, except in the cases established by applicable law or by this Privacy Policy, the Subscriber Customer must download the personal data, if desired, which will be deleted from the Deskbee database. If deletion is not possible in the first instance, the data will be securely stored and isolated from further processing until deletion is possible.

10. Term and Changes

Our Platform, in its entirety or in each of its tabs and sections, may be unilaterally terminated, suspended or interrupted by Deskbee, or upon request of the Subscriber Client, at any time and without prior notice.

This Privacy Policy may be updated or changed at any time, with the changes being prominently informed on the Platform.

11. Information about GDPR and UK GDPR

If you are under the jurisdiction of the General Data Protection Regulations (“GDPR”) of the European Union and the United Kingdom, this topic applies to you in addition to the rest of this Privacy Policy.

Pursuant to Article 27 of the GDPR, Deskbee has appointed Luiz Mário Verdi as its Representative to the European Union. To get in touch about issues related to the GDPR, send an e-mail to [email protected].

Pursuant to Article 27 of the UK GDPR, Deskbee has appointed Luiz Mário Verdi as its Representative to the European Union and the United Kingdom. To contact us about UK GDPR issues, send an email to [email protected].

11.1. Legal Basis for the Treatment of Your Data in the GDPR and in the UK GDPR

Deskbee is the Operator of Personal Data processed under the jurisdiction of the European Union and the United Kingdom. In this sense, your Personal Data is processed only in the circumstances authorized by the GDPR and the UK GDPR and under the orders of the Subscriber Client, and the Subscriber Client, the Controller, is responsible for the decision to choose the most appropriate legal basis, in accordance with its Data processing purpose.

11.2. International Data Transfer

To facilitate our global operations, Deskbee may transfer and store your Personal Data in Brazil. The applicable law in Brazil differs from the data protection laws applicable in your country of residence, therefore, Deskbee adopts measures in accordance with the requirements of the GDPR and UK GDPR, such as the insertion of standard contractual clauses with the Subscriber Customer.

If any information in this topic conflicts with the rest of this Policy, the provisions of this topic will prevail.

12. Communication Policy

We seek to prevent the sending of unsolicited emails by restricting communications with you to matters that are relevant or of specific interest to you.

If you prefer not to receive any more information from us, you can request to unsubscribe via the unsubscribe link contained in the email or in the message received, or uncheck the option that authorizes the sending of emails and promotional messages (opt out) present on your registration page.

You should be aware that many fraudsters try to use reputable brands to obtain personal information such as passwords and financial data. Deskbee WILL NEVER REQUEST YOUR FINANCIAL DATA VIA E-MAIL OR PHONE CONTACT. IN THE EVENT OF ANY OTHER SUSPECTED ATTITUDE, SEND YOUR QUESTION OR ALERT BY E-MAIL TO [email protected].

13. Links to Other Websites

Our Platform may contain links or frames from other websites. These links or frames seek to provide additional benefits to the content and services offered to the User.

We clarify that the inclusion of these links on our Platform does not mean that Deskbee is aware of, agrees with or is responsible for the content of such links and frames. It is important to emphasize that our objective is to only provide links or frames of reputable and trustworthy companies, and Deskbee is not responsible for the information, products and services obtained by the User on these sites, nor for the commercial practices and privacy policies adopted by these companies, and Deskbee cannot be held responsible for any losses and damages or loss of profits suffered as a result of the use of these resources.

To the extent that the linked sites are not part of our Site, we do not control, recommend or endorse these sites and their content, products, services, policies, and their privacy practices; we do not have access to their personal data collected and processed by them and their advertising policies, cookies, and terms of use. Therefore, we recommend that you carefully read these documents from third-party sites.