This Privacy Policy describes how GPO Gerenciamento e Serviços Empresariais Ltda ("we," "our" or "the Company") collects, uses, stores and protects the personal data of our business clients, their employees and third parties whose data is processed in connection with our combined office management and administrative support services in Cotia, São Paulo.
As a registered limited company (Ltda), we are fully committed to compliance with the Brazilian General Data Protection Law — LGPD (Lei nº 13.709/2018), the Brazilian Consumer Protection Code — CDC (Lei nº 8.078/1990) and applicable tax legislation in the State of São Paulo. The nature of our services means we routinely handle data on behalf of our clients — this dual role as both controller and processor is explicitly addressed in this Policy.
Introduction and Scope
This Policy applies to all personal data processed by our company — including data of the businesses that engage our services, data of their employees and contacts that we encounter in delivering administrative support, and data of third parties that appears in documents and correspondence we manage on behalf of clients.
Office management and administrative support services involve processing data on behalf of clients as part of their normal business operations. This creates two distinct roles under the LGPD: we act as controller for our own business data (our client contacts, billing, website), and as operador (processor) for client business data that we handle in delivering our services. Both roles are addressed below.
Identity of the Controller
Entity type: Sociedade Limitada (Ltda)
CNPJ: 48.279.990/0001-75
Activity (CNAE): Serviços Combinados de Escritório e Apoio Administrativo
Address: Estrada Fernando Nobre, 1777, Casa 19, Parque Rincão, Cotia — SP, CEP 06705-490, Brasil
Email: privacidade@gpogerenciamento.com.br
Personal Data We Collect
We process data in two distinct capacities:
A. As controller (our own business data):
- Client identification data: Company name, CNPJ and the name, role, phone number and email of the responsible contact — collected when businesses engage our services or request quotations.
- Billing data: Company name and CNPJ for NFS-e issuance — in compliance with SEFAZ-SP and ISS/Prefeitura de Cotia requirements.
- Contact and enquiry data: Messages via WhatsApp, telephone or online form.
- Technical website data: IP address, browser type, pages visited and access times.
B. As operador — data processed on behalf of clients:
- Client business data: Documents, correspondence, data records, supplier and customer files and all the business information that forms part of the administrative services we provide — processed only as instructed by the client and within the agreed service scope.
- Employee and contact data (client's): Names, roles, contact details and scheduling information of the client's employees and business contacts — encountered in delivering reception, scheduling and communications management services.
- Third-party data in documents: Personal data of third parties appearing in client documents, contracts or correspondence that we process as part of document management services.
Purpose and Legal Basis
| Purpose | Legal Basis (LGPD) |
|---|---|
| Office management and administrative support delivery (as controller) | Performance of contract (Art. 7º, V) |
| Client business data processing — back-office and document services (as operador) | Client's legal basis per Art. 39; Performance of contract |
| Reception and communications management on behalf of clients | Performance of contract; Client's legitimate interest |
| Issuing NFS-e; SEFAZ-SP tax compliance | Legal obligation (Art. 7º, II) |
| ISS — Prefeitura de Cotia | Legal obligation (Art. 7º, II) |
| Service quality under CDC | Legal obligation; CDC Arts. 14–26 |
| Website analysis and improvement | Legitimate interest; Consent (cookies) |
Data Sharing
We do not sell or commercially exploit client data or any data processed on behalf of clients. Sharing occurs only in the following situations:
- Client businesses (service delivery): Administrative outputs, processed documents, reports and all deliverables are returned to the commissioning client as the result of service delivery. This is the purpose for which the service was engaged.
- Third parties instructed by clients: Where a client instructs us to send correspondence, file documents or communicate with a third party as part of our administrative service, data is shared only as instructed.
- SEFAZ-SP / Receita Federal: Tax data for NFS-e issuance and applicable federal and state tax compliance (our own fiscal obligations).
- Prefeitura de Cotia (ISS): For ISS/ISSQN obligations on administrative service activities.
- PROCON-SP: When required in a consumer dispute mediation under the CDC.
- Legal authorities: When required by a competent judicial or administrative order.
International Transfers
Our services operate within Brazil. Primary storage of all data — our own and data processed on behalf of clients — is in Brazil. Any technology platforms used for document management, communications or administration that operate on international servers do so only under the guarantees of Art. 33 of the LGPD or recognised adequacy mechanisms. Data processing agreements with clients will specify transfer requirements where applicable.
Retention Periods
- NFS-e and fiscal records: Minimum 5 years under federal and state tax legislation (CTN, Art. 174; SEFAZ-SP).
- Client contract and account records: Duration of the service relationship plus 5 years for contractual, fiscal and dispute documentation.
- Client business data processed as operador: Retained for the period specified in the data processing agreement with each client. On termination of the service relationship, client business data is returned or deleted as instructed — unless a longer period is required by applicable law or the client's own regulatory obligations.
- Contact and enquiry data: Up to 1 year from last interaction if no contract was established.
- Website analytics: Aggregated and anonymised after 12 months.
Security Measures
- Client business data and documents accessible only to GPO staff directly involved in delivering the contracted service — strict need-to-know access controls;
- Client data kept logically separated per client — one client's data is never accessible to or shared with another client;
- Document management systems protected with access controls and encryption at rest and in transit;
- Encryption in transit (HTTPS) for website and digital communications;
- PCI-DSS certified payment platforms — card data never retained by the company;
- As a Ltda, we maintain formal internal data handling and access control protocols;
- Data processing agreements available with clients that require formal DPA documentation;
- Incident response procedures and breach notification per LGPD Art. 48.
Your Rights under the LGPD
- Confirmation and Access (Art. 18, I–II): Confirm whether we hold your data and receive a copy.
- Correction (Art. 18, III): Request correction of inaccurate data.
- Anonymisation / Blocking / Deletion (Art. 18, IV): Request restriction or deletion — subject to fiscal retention and contractual obligations.
- Portability (Art. 18, V): Receive your data in a structured format.
- Deletion of consent-based data (Art. 18, VI): Request deletion of data processed by consent.
- Information on sharing (Art. 18, VII): Find out which entities your data has been shared with.
- Withdrawal of Consent (Art. 8º, §5º): Withdraw consent at any time.
- Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.
We respond within 15 business days. For requests relating to data processed on behalf of a client business (as operador), we will forward the request to the relevant client controller as appropriate under LGPD Art. 39.
Cookies and Tracking
Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking cookies for advertising without prior consent. Preferences can be managed through browser settings.
Protection of Minors
Our office management and administrative support services are engaged by businesses — adults acting in a professional capacity. We do not intentionally collect personal data from children under 13. Where client business documents we handle contain data relating to minors — for example in certain regulatory or legal filings — we process this data solely in our operador capacity on the client's instructions and apply the same security standards as all other personal data.
Sensitive Data & Client Confidentiality
In our own right (as controller), we do not collect sensitive personal data as defined in LGPD Art. 5º, II. However, client business documents and correspondence that we manage as operador may in some cases contain sensitive data — health information in HR files, financial data in accounts documents, legal information in contracts, or other sensitive categories.
Where client data contains LGPD Art. 5º, II sensitive categories, we:
- Apply the heightened handling requirements of LGPD Art. 11 to that data;
- Flag this to the client in our service agreement so the appropriate legal bases are in place;
- Restrict access to that data to the minimum number of staff necessary.
Updates to this Policy
This Policy may be updated to reflect changes in our activities, the LGPD, ANPD guidance or applicable tax legislation. Material changes will be communicated via our website or directly to active clients by email or WhatsApp.
Contact & Data Protection Officer
All privacy requests, questions and complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):
PRIVACY CONTACT — GPO GERENCIAMENTO E SERVIÇOS EMPRESARIAIS LTDA
ANPD — Autoridade Nacional de Proteção de Dados
www.gov.br/anpd