
Privacy and Personal Data Protection Policy

Bourbon Hotels and Resorts and companies of the Bourbon Hotels and Resorts group

1. Objective

 

This policy establishes the guidelines and rules for the conduct of activities that involve the processing of Personal Data and for guaranteeing the privacy and protection of that data, that is, data of natural persons ("Holders" or "Data Subjects") with whom BOURBON relates in order to carry out its business activities.

 

All activities related to BOURBON's business dealing with Personal Data are guided by this policy, which aims to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

 

2. Compliance with Laws and Regulations

 

This Policy was prepared to meet the requirements of Law No. 13.709/2018, as amended (the LGPD or "Law"), known in Brazil as the General Data Protection Law, in particular Article 50, which deals with good practices and governance for the security of Personal Data and is reproduced below:

 

Art. 50. Controllers and operators, within the scope of their competence, for the processing of personal data, individually or through associations, may formulate rules of good practices and governance that establish the conditions of organization, the operating regime, the procedures, including complaints and petitions from data subjects, security rules, technical standards, specific obligations for the various parties involved in the treatment, educational actions, internal mechanisms for supervision and risk mitigation and other aspects related to the processing of personal data.

§ 1 When establishing good practice rules, the controller and the operator shall take into account, in relation to the processing and the data, the nature, scope and purpose of the processing and the probability and severity of the risks and benefits to the data subject arising from it.

§ 2 In the application of the principles indicated in items VII and VIII of the caput of art. 6 of this Law, the controller, observing the structure, scale and volume of its operations, as well as the sensitivity of the data processed and the probability and severity of damages to the data subjects, may:

I - implement a privacy governance program that, at a minimum:

a) demonstrates the controller's commitment to adopting internal processes and policies that ensure comprehensive compliance with standards and good practices related to the protection of personal data;

b) applies to the entire set of personal data under its control, regardless of how it was collected;

c) is adapted to the structure, scale and volume of its operations, as well as to the sensitivity of the data processed;

d) establishes appropriate policies and safeguards based on a process of systematic assessment of privacy impacts and risks;

e) aims to establish a relationship of trust with the data subject, through transparent action and by ensuring mechanisms for the data subject's participation;

f) is integrated into its overall governance structure and establishes and enforces internal and external oversight mechanisms;

g) has incident response and remediation plans; and

h) is constantly updated based on information obtained from continuous monitoring and periodic evaluations;

II - demonstrate the effectiveness of its privacy governance program when appropriate and, in particular, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which independently promote the compliance with this Law.

§ 3 The rules of good practices and governance must be published and updated periodically and may be recognized and disseminated by the national authority.

 

3. Definitions of Personal Data and Personal Data Protection

 

Personal data is information relating to a living, identified or identifiable person. Personal data is also the set of distinct information that can lead to the identification of a particular person.

 

According to the LGPD (Article 5) and other similar references, it is considered:

I – PERSONAL DATA: information related to an identified or identifiable natural person.

II - SENSITIVE PERSONAL DATA: personal data about racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data, when linked to a natural person.

III – ANONYMIZED DATA: data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing.

 

Personal Data is required for different business activities at BOURBON. Personal Data may have various forms of representation, storage and transport, and their meaning and value depend on the context in which they are found, which may be, for example:

 

a) Paper: attendance lists, paper registration forms, reports, memos, letters, etc.

b) On digital media: digital files recorded on disks, SSDs, flash drives, tapes, CDs, etc.

c) In sound: recording of meetings and other activities, answering machine, etc.

d) In image: photos of people and their documents, videos containing people, etc.

 

The protection of Personal Data must guarantee the fundamentals and basic rights of people, such as respect for privacy, dignity and self-determination; freedom of expression, information, communication and opinion; the inviolability of intimacy, honor and image; free initiative and free competition; consumer protection and other human rights related to personality and the exercise of citizenship.

 

For the Personal Data protection objectives to be achieved, BOURBON employees and service providers must follow the practices set out in this Privacy and Personal Data Protection Policy and in the operational procedures related to this document, which establish security guidelines and standards for Personal Data.

 

4. Rights of Data Subjects

Data Subjects whose Personal Data are collected and processed by BOURBON have the following rights in relation to that Personal Data:

 

a) Confirmation of the existence of processing of your Personal Data.

b) Free access to consult your Personal Data.

c) Correction of your Personal Data, when the data is incomplete, inaccurate or out of date.

d) Deletion of your Personal Data when the data are unnecessary, excessive or processed in violation of the Law, as well as deletion of Personal Data processed on the basis of your consent, except where the Personal Data are needed to comply with legal or regulatory obligations.

e) Portability of your Personal Data to another service or product provider, upon express request from the holder.

f) Information on the public and private entities with which the Group has shared your Personal Data.

g) Information about the possibility of not providing consent for the processing of your Personal Data.

h) Revocation of consent for the processing of your Personal Data.

 

5. Collection, Use and Processing of Personal Data

 

BOURBON collects, uses and processes Personal Data to meet the Group's legitimate interests and undertakes to comply with all applicable Personal Data protection legislation, ensuring that such data are collected, used and processed in accordance with the LGPD and any other applicable laws and regulations.

 

Personal Data is not collected and processed without a purpose. Collection may take place, when necessary, to establish the business relationship between BOURBON and its employees, customers and business partners, for the performance of a contract or for the fulfillment of a legal obligation to which BOURBON is subject.

 

When collecting Personal Data, BOURBON will inform in advance, transparently, clearly and unequivocally, what are the purposes for the processing of that personal data and for how long they will be retained and processed, when it is possible to establish this time.

 

In all cases where the Personal Data collected are not anonymized and the collection is not for the purposes of (i) compliance with a legal or regulatory obligation, (ii) performance of a contract, or preliminary procedures related to a contract, to which the holder is a party, (iii) regular exercise of rights in judicial, administrative or arbitration proceedings, or (iv) credit protection, BOURBON must request the express consent of the data subject, and this consent must be recorded and filed in digital or printed form.

 

Whenever the purpose changes, BOURBON must inform the holder of the changes in advance and request new consent; the holder may revoke consent if they disagree with the changes.

 

When the processing of Personal Data is a condition for BOURBON to provide a product or service, or for the exercise of a right, the holder will be informed of this fact and of the means by which they can exercise the rights listed in the Law.

 

5.1. New projects and changes to Personal Data processing

 

Any new Personal Data processing activity must be duly communicated by the PD Owners to the Person in Charge of PD, who must also be involved in the planning of new projects that may involve the collection and processing of Personal Data, so that the risks to the protection of Personal Data are fully evaluated and treated.

 

In normal business operations, any and all changes to Personal Data must be communicated to the Person in Charge of PD, either manually or automatically (system integration), so that he or she can update the records in the control tool(s). This communication/integration process covers both changes to the data structure and changes to the records, for example:

  • New Personal Data collected in current systems/processes.
  • Changes, correction or deletion of Personal Data records in current systems/processes.
  • Changes in the structure of Personal Data bases of existing systems/processes.

 

6. Disposal of Personal Data

 

When the period of use has ended, or when the purpose for which certain Personal Data were collected and processed has been fulfilled, PD Owners must delete the related Personal Data using secure disposal methods, or retain them only in anonymized form for statistical purposes. Whenever possible, disposal should be evidenced (documented).

 

In cases where BOURBON is unable to delete Personal Data to comply with legal requirements or for some other legitimate need, Personal Data must be securely archived, isolated from any further processing, until deletion is possible.

 

7. Communication processes with holders and with the ANPD

 

BOURBON must establish a communication channel through which the ANPD (National Data Protection Authority) and data subjects can contact the Group whenever they wish to exercise their rights.

 

The person responsible for operating this communication channel is the Person in Charge of Personal Data.

 

This communication channel must be published on the Internet and/or in other means that facilitate disclosure to holders and the ANPD.

 

Additionally, whenever required, the Person in Charge of PD must also respond to requests for information, issue data protection impact reports to the ANPD, report the occurrence of incidents, and meet other legal demands that the ANPD may regulate in the future.

8. Protection Measures

 

8.1. Protection of Personal Data on Paper:

 

For the proper protection of locations that hold Personal Data on paper, the following controls must be in place:

 

a) Adequate physical structure against impacts, floods or fires.

b) Restricted and monitored physical access.

c) Entry to the location, and the use of cameras and other equipment that allow unauthorized copying of documents, must be controlled.

 

Paper documents that contain Personal Data and that are under the responsibility of BOURBON cannot be removed from the Group's facilities without the express prior authorization of the Owner of the PD of that specific process and the Person in Charge.

 

8.2. Protection on Personal Devices and Systems:

 

The use of personal devices and systems (laptops, tablets, smartphones, portable data storage media, cloud messaging and group work systems, etc.) may pose risks to the security of Personal Data.

 

Employees who need to use any resource not provided by the Group for the processing of Personal Data must request prior authorization from the IT area and the Person in Charge who, in turn, if they understand that the use is indeed required, will assess the context and must implement the necessary protective measures.

 

The review and authorization process should consider:

 

a) The need to use the resource.

b) The risks to the protection of Personal Data arising from the use of this resource.

c) Carrying out the activities only after ensuring the adoption of the necessary protections.

 

8.3. Protection of Personal Data in electronic media

 

8.3.1 Access Controls

 

Access to BOURBON's systems and networks that contain Personal Data must be granted only after identification and authentication (login and password), and the need for access in order to perform the user's activities must be demonstrated.

 

It is up to the Owner of each Personal Data base to determine the appropriate controls for the right of access, granting of privileges and management of the access granted to the Personal Data under its management.

 

8.3.2 Use of software

 

The installation of software not approved by BOURBON, or changes to the configuration of information technology equipment (computers, notebooks, printers, etc.), is prohibited for users who do not have this responsibility.

 

8.3.3 External access

 

External access to systems and equipment should only be granted to personnel who actually require this resource, in cases of real need to carry out business activities and which do not entail high risks for the protection of Personal Data.

 

External access should consider that:

 

a) The person at the service of BOURBON (employee, consultant, service provider, temporary staff and other third parties) must obtain specific authorization for the remote use of equipment with access to personal data.

b) Equipment with personal data cannot be left unprotected in public areas, and must always be transported by its users.

c) Portable devices and computers should be carried as hand luggage and, whenever possible, made inconspicuous so as not to draw unwanted attention.

d) Care about the security of Personal Data should be reinforced whenever they are handled in areas with less physical security (for example, outside administrative offices).

e) Any problem regarding the protection of Personal Data must be reported immediately to the Person in Charge (DPO) and the respective DP Owner (Data Owner).

 

8.4. Protection in the transfers of Personal Data

 

As the risks of information leakage are greater in processes that involve transfers between different equipment and/or systems, aiming at the security and protection of Personal Data, the following guidelines must be followed by all employees and service providers:

 

a) The use of connections to the Internal Network and to Internet systems is permitted only for BOURBON's business, support, service and other specific work purposes. Use of these resources for any other purpose is prohibited.

b) Any computer owned by BOURBON, or owned by service providers at the service of BOURBON, that is connected to the Internal Network or to the Internet must be properly configured with protection against viruses and other malicious software.

c) All computers, networks, systems and software are subject to monitoring; BOURBON may therefore, at its discretion, keep a history of the accesses and transactions carried out over the Corporate Network (internal) or the Internet (external).

d) Probing, scanning or any other form of intrusion attempt, including with testing tools, may not be carried out without due and express authorization; an unauthorized attempt is treated as a threat and as an attempt to misappropriate Personal Data.

e) All connections between BOURBON's Internal Networks and other External Networks, including the Internet, must pass through a specific, configured and approved firewall system.

f) Workstations must be equipped with specific, approved and configured programs for access to the Internal Network and the Internet, and such access may be disabled at the formal request of the manager of the department concerned, the PD Owner or the Person in Charge of PD, or in order to maintain the security levels of Personal Data.

g) E-mail, remote connection and file transfer services should preferably be disabled for users whose functions do not require them.

h) Users may connect to networks (Internal and External) solely and exclusively after identification and authentication (access key and password).

i) Control and security devices (Proxy Server, Firewall and similar) must be implemented to guarantee the confidentiality and integrity of Personal Data in transit through these networks.

j) Do not download non-approved software, as they may contain malicious code and generate threats to the security of Personal Data.

k) Keep file sharing options, automatic connection on Wi-Fi and Bluetooth networks disabled.

l) In any situation, regardless of what has been previously mentioned, any and all files coming from external networks or users must, mandatorily, be scanned by systems to protect against viruses and malicious software.

Any and all transfers of Personal Data to systems and people outside BOURBON, through any communication resources, must take place in a secure manner considering the following controls:

 

a) Avoid sending Personal Data through email messages or other messaging services. Ideally, Personal Data should be accessed and transferred only using the Group's own management systems and applications.

b) If it is not possible to transfer Personal Data through the systems that store them, transfers of Personal Data through messages (such as attachments in emails, for example) can only occur if these files are encrypted or anonymized.

c) Do not use public networks (for example, public Wi-Fi) to exchange or send Personal Data unless the communication is protected by security and encryption mechanisms (for example, TLS/SSL or a VPN).

 

9. Use of personal data and profiles for decision making

 

BOURBON does not employ techniques for automated decision-making based on the electronic processing of Personal Data, which have legal effects or significantly affect the holders.

 

10. Communications in the event of incidents

 

A security incident is any event that compromises the protection of Personal Data, including Sensitive Personal Data.

 

Under the Law, BOURBON must notify the ANPD and the data subjects of any security incident that may cause significant risk or damage to data subjects.

 

The DPO must carry out monitoring, alert, accountability, response, communication between those involved, documentation and recording of incidents, covering the following activities:

 

a) The monitoring and management of security incidents related to Personal Data, that is, covering the databases of systems, files and network locations containing Personal Data.

b) The treatment and recording of responses to incidents and the respective corrections applied.

c) Communication to those responsible for the protection of Personal Data, the Person in Charge and the respective Owners of the PD, of any and all occurrences related to the loss or misappropriation of Personal Data.

 

It will be up to the Person in Charge of Personal Data (DPO) to analyze the severity of the incidents, with the support of the respective Data Owners and the Board of Directors. If an incident is understood to cause damage to the data subjects and impact on their privacy, the Person in Charge of Personal Data must prepare and carry out the proper communication to the ANPD and the data subjects, following the respective operational process implemented at BOURBON.

 

As provided for in the Law, the communication must contain, at a minimum, the following data about what happened:

 

a) A description of the nature of the personal data affected.

b) Information on the holders involved.

c) Indication of the technical and security measures used for data protection, observing commercial and industrial secrets.

d) The risks related to the incident.

e) The reasons for the delay, in case the communication was not immediate.

f) The measures that have been or will be adopted to reverse or mitigate the effects of the damage.

 

 

 

11. Policy Update

 

BOURBON may, at any time, make timely revisions or updates to this policy. Updates to this policy will take effect as soon as they are published on the Group's institutional website.

 

12. Glossary

 

  • Anonymization: use of reasonable technical means available at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual.
  • ANPD: National Data Protection Authority, the indirect public administration body responsible for ensuring, implementing and monitoring compliance with the LGPD.
  • Database: structured set of data, which may contain personal data, in electronic or physical media.
  • Blocking: temporary suspension of any processing operation, with storage of the personal data or of the database.
  • Consent: free, informed and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose.
  • Controller: natural or legal person responsible for determining the purpose and means of processing the Personal Data, whether carried out by the Group itself or by an Operator.
  • Anonymized Data: data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing.
  • Personal Data: information related to an identified or identifiable natural person.
  • Sensitive Personal Data: personal data about racial or ethnic origin, religious conviction, political opinion, membership of a union or of an organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data, when linked to a natural person.
  • Elimination: deletion of data or a set of data stored in a database, regardless of the procedure employed.
  • Person in Charge of Personal Data (DPO): BOURBON function appointed to act as a communication channel between the Group, the data subjects and the ANPD.
  • Law: the same as LGPD.
  • LGPD: General Law for the Protection of Personal Data, Law No. 13.709/2018.
  • Operator: external, outsourced service provider that performs the collection and/or use and/or processing of Personal Data of which BOURBON is the controller.
  • Portability: transfer of Personal Data processing to another service or product provider, upon express request from the data subject.
  • Personal Data Owner: person or group of people within BOURBON responsible for collecting and processing personal data.
  • Data Subject: natural person to whom the personal data being processed refer.
  • Processing (Treatment): any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

 

To request more information about our data processing practices, or to contact the Bourbon Data Protection Officer, click here.
