This privacy notice on personal data processing (hereinafter, the “Privacy Notice”), is aimed at
 informing how Cirion, whose ID details as well as the domicile for service of process may be
verified according to the country where you are located (see Annex 1), conducts the processing
 of the personal data it collects in its capacity as controller through its webpage
www.ciriontechnologies.com (hereinafter, the “Webpage”) . This data is collected by navigating
and using the Webpage, filling virtual forms, and through different spaces on the Webpage for
entering personal data virtually. Additionally, this Privacy Notice shall apply to other data
collection channels when so informed thereby to the personal data subjects.

For these purposes, “Data Subject” shall refer to the person whose data is collected and
processed pursuant to the terms of the Privacy Notice. Only personal data for which due
consent has been obtained is processed, or data subject to other permissive conditions for
their processing, as established in the appliable country’s legislation.

2. Statement on Cirion Customer Personal Data

Some data protection laws distinguish between the activities a business conducts on behalf of
another business or person (sometimes referred to as a processor, third party or service
provider), and those activities that a business conducts on behalf of itself (sometimes referred
to as a controller or business). This Privacy Notice covers only those activities that Cirion
engages in as a controller of your personal data, including when you engage with our website,
or interact with us. It does not cover those activities Cirion engages in as a processor to its
customers.

Cirion provides digital infrastructure and technology solutions to business to business and
wholesale businesses (hereinafter, the “Services”). This means we may store or have access to
limited personal data on behalf of our customers. Where we process personal data as a
processor, we do so in accordance with our customers’ instructions, and this Privacy Notice
does not apply.

3. Regulatory Framework

This Privacy Notice is governed by the applicable country or state legislation, in particular,
when reference is made to “your country’s jurisdiction,” the “applicable regulation,” or
“your country’s current legislation”, it shall be understood as the regulation listed as Annex
2 to this Privacy Notice applicable to you based on the location from which you are interacting
 with us.

4. Retention Period

Personal data shall be retained as long as necessary to fulfill the purpose for which it was
collected and (if applicable) while the Data Subject has not revoked their consent, pursuant
to your country’s applicable legislation.

Upon fulfillment of said purpose, your personal data may continue to be processed by us for
the reasons indicated below:

• If there exists a statutory or contractual obligation on their retention.
• If necessary for research purposes, for auditing purposes, and/or for the regular exercise of
   our rights in judicial, administrative, or arbitration proceedings.

5. Personal Database

The personal data provided by the Data Subject shall be stored, pursuant to your legislation’s
requirements, in a personal database owned by Cirion, duly registered in the Registry of your
country (where applicable).

6. Collected Data and Purposes

Cirion collects personal data from three different sources as described below.

a. Collected Directly

Cirion collects personal data directly from the Data Subject when they interact with us for the
following purposes:

• To respond to your inquiries: to request a meeting with our experts, to be contacted to
  receive information about Cirion’s services, and to receive quotations, and, where
  applicable, for Cirion’s service provision, we may collect personal data of an identifying
  nature and contact personal data, such as first and last name, country, company,
  corporate e-mail, job title, telephone number and reason for your inquiry.
• Marketing: to contact you advertising the products and/or services offered by Cirion we
  may collect e-mail and your marketing preferences.
• To Communicate with you: with the valid consent of the Data Subject, which may be
  revoked at any time, Cirion may contact you via e-mail to send you notifications, surveys,
  and information about events and solutions.
• Transactions: to process payments.
• Security and video surveillance: to maintain physical security inside the facilities and
  guarantee the operation of services.

b. Collected Automatically

• Cirion collects certain usage data, or visitor data, automatically when using the website.
• Usage data may include information such as your device’s Internet Protocol (“IP) Address,
  browser type, browser version, device location, mobile operating system, the pages that
  you visited on our websites, the time and date of your visit, time spent on the page, and
  other diagnostic data.
• Cirion uses usage data to optimize your experience on our websites, to improve our
  services, to detect, prevent and respond to suspicious activities and for marketing activities.

For more information on how Cirion uses Cookies and other tracking technologies, and how to
 manage your preferences, see Use of Cookies on the Webpage.

c. Collected from Third Parties

Where permitted, Cirion may collect personal data from third parties, duly authorized to
transmit it in order to connect with the Data Subject, direct marketing, commercial referrals,
among others.

These purposes are necessary for the legal relationship between Cirion and the Data Subject,
and if the Data Subject does not provide this data, or provides erroneous or inaccurate data,
Cirion will not be able to fulfill this purpose.

Cirion reserves the right to make any type of automated decisions regarding their personal
data, pursuant to your country’s current legislation.

7. Transfer, Transmission, and Recipients

a. Transfers for a Business Purpose

• Business Transactions – if Cirion is involved in a merger, acquisition, or asset sale, Data
  Subjects’ personal data may be transferred to third parties involved in the transaction. If
  personal data is transferred and becomes subject to a different privacy notice, Cirion will
  provide notice to Data Subjects prior to the transaction.

• Law Enforcement – where required by law, Cirion may disclose personal data to law
  enforcement or to public authorities.

• To Comply with Legal Requirements – Cirion may disclose Data Subjects’ personal data if
   it is necessary to comply with its legal requirements; to protect and defend Cirion’s rights
  or property; to prevent or investigate possible wrongdoing; to protect the safety of others
  or the public; or to protect Cirion against legal liability.

• Fulfill Transactions – In order to fulfill a transaction, Cirion may disclose billing information
   with third parties to process payments on our behalf.

• Security – to protect the security of our systems, Cirion may use service providers to assist
   in monitoring and protecting against unauthorized or unlawful access to its systems.

b. Consent to Data Transfer

By accepting this Privacy Notice, the Data Subject authorizes their personal data to be
shared with service providers, who may be located in countries other than the Data
Subject’s country and that enable the fulfillment of the purposes described in this Privacy
Notice, or with third parties with whom Cirion has an obligation regarding information transfer.

f you do not want your personal data to be transferred, please send an e-mail to:
data.privacy@ciriontechnologies.com. The admissibility of the objections to data transfer shall
be assessed on a case-by-case basis.

In order to safeguard your privacy, we use contracts to guarantee that the third parties
receiving your personal data in our name provide the same level of protection as we do.

Whenever there is an international transfer of personal data under our responsibility, we
make sure that said transfer is made only to countries that offer a similar level of protection
to the one provided by the laws of the territories where we operate, or that these transfers
have been authorized by the subject and/or their data protection authorities, pursuant to your
country’s legislation.

8. Security Measures

Cirion adopts the necessary security measures to guarantee the protection of the Data
Subject’s information in order to avoid unauthorized or illegal alteration, loss, destruction,
damage, processing, disclosure thereof, and/or access thereto, taking into consideration the
nature of the information and the risks the data is exposed to. To protect the Data Subject’s
personal data, measures have been put in place, which at least imply the following:

• Control and registration of accesses and privileges, as well as verification thereof from time
   to time.
• Record of events, logical interactions.
• User identification and authentication through password use and management.
• Information copies and backups in a controlled and authorized manner.
• Security in personal data processing environments.

9. Confidentiality

Cirion agrees not to disclose or share the personal data provided by the Subject without their
consent, except for the following cases:

• When necessary for the purpose for which the information was collected.
• When the Information subject is duly notified before the disclosure or at the time of
  collection of the Information, and their previous and express consent is obtained.
• When consent is not a requirement pursuant to your country’s legislation.
• When the Information is required by public entities within their area of competence and in
  the exercise of their duties and powers.
• When the Information is required by public entities within their area of competence and in
  the exercise of their duties and powers.
• When it comes to access to Information by auditors, lawyers, and other professionals in
  exercise of their duties, who are subject to keep professional secrecy.
• In any other cases provided for and authorized by your country’s legislation.

If otherwise stated by your country’s jurisdiction in regard to these events, Cirion shall comply
with the provisions set forth in said legislation.

10. Use of Cookies on the Webpage

Cookies are small text files from websites that are stored in your computer, smartphone, tablet,
 or any other Internet access device, in order to collect some specific information on your
navigation experience and your preferences. Cookies cannot damage your computer or device,
 and they are very useful as they help us identify and resolve errors.
The Webpage uses its own cookies and third-party cookies, which may be classified as follows
and for the following purposes:

• Preference cookies: These cookies enable the webpage to remember information that
  changes the way it behaves or looks, such as your preferred language or the region that
  you are located in.
• Statistical cookies: These cookies help website owners understand how visitors interact
  with webpages by collecting and providing information anonymously.
• Marketing cookies: These cookies are used for tracking webpage visitors. They are aimed
  at displaying relevant adds that are appealing to the individual user, and therefore, more
  valuable for editors and third-party advertisers.
• Targeting cookies: These cookies are established by our advertising partners. These
  companies may use a profile of your interest and display relevant adds in other websites.
  They exclusively identify your browser and your Internet device.
• Performance cookies: These allow for counting visits and traffic sources in order to
  measure and improve our website performance. They help us know which webpages are
  the most and the least popular and see how visitors navigate the website. All the
  information collected by these cookies is aggregated.
• Functional cookies: These cookies enable the website to offer improved functionality and
  customization. They may be established by Cirion or by third-party service providers whose
   services we have added to our webpages.
• Necessary cookies: These cookies help us build a usable webpage by activating basic
  features like webpage navigation and access to webpage safe areas. The webpage cannot
  work properly without these cookies.

You may accept or reject the use of cookies that are not necessary through the message
regarding cookies displayed when you visit the Webpage for the first time. If you accept
third-party cookies, you can delete them, if you wish to do so, directly through the cookie
management options of your browser.

Additionally, you may allow, block, or delete the cookies installed in your computer or device
through the cookie settings of the browser installed in your computer or device.

However, please note that the use of cookies enables us to provide you with a better
experience concerning the use of our services. If you change the cookie settings, your
navigation experience may not be optimal.

Do Not Track Signals. Some web browsers allow you to turn on Do Not Track (“DNT”), which
sends signals to websites you visit, telling those sites that you do not want your online activities
 to be tracked. Our websites currently are not designed to respond to DNT signals received from
web browsers.

11. Exercise of Rights

You may have certain rights under applicable data protection laws, depending on the country
from which you are interacting with us.

a. LATAM Rights

The Data Subject may exercise the right of processing confirmation, access to, rectification,
correction of incomplete, inaccurate, or outdated data, opposition, cancellation, anonymization,
 blocking or deletion of unnecessary or excessive data, revocation, portability, information on
the processing, suppression, deletion, updating, inclusion, annulation, limitation of the
processing, the right not to be subject to decisions made only based on automated assessments,
 the right of limitation of use, disclosure of personal data, and further rights enshrined in the
applicable law, by means of a request that can be sent through the personal data protection
channel available at www.ciriontechnologies.com or by sending an email to the following e-mail
address: data.privacy@ciriontechnologies.com. Additionally, Data Subjects may exercise their
rights in person at the addresses set out in Annex No. 1 to this Privacy Notice.

b. Additional Rights for California Residents

The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act
 (hereinafter “CCPA”), requires that we disclose the privacy rights applicable to California
residents regarding their personal data (or Personal Information). We have defined the rights 

applicable to California Residents below:

Access and Know:

You may have the right to know the categories of Personal Information collected about you,
the purposes for Processing your Personal Information, and to know whether your Personal
Information is disclosed / Sold and to whom. You may also have the right to access certain
pieces of your Personal Information and to receive a copy of your information.

Data Portability:

You may have the right to request the transfer of your Personal Information to you or to a
third party. We will provide to you, or a third party you have chosen, your Personal Information
 in a structured, commonly used, machine-readable format. Note that this right only applies to
automated information which you initially provided consent for Us to use or where we used the
 information to perform a contract with you.

Deletion:

You also may request that we erase your information. You also have the right to ask us to
delete or remove your Personal Information where you have successfully exercised your right
to object to Processing (see below), where we may have processed your information unlawfully
 or where we are required to erase your Personal Information to comply with local law. Note,
however, that we may not always be able to comply with your request of erasure for specific
legal reasons which will be notified to you, if applicable, at the time of your request.

Limit Use and Disclosure of Sensitive Personal Information:

You may have the right to direct Company to limit our use of your sensitive Personal
Information to that use which is necessary to perform the services, and which is reasonably
expected by the average consumer requesting the services. For the avoidance of doubt,
“Sensitive Personal Information” as used in this Privacy Policy shall have the same meaning as
 “sensitive personal information” under the California Consumer Privacy Act of 2018 as
amended (CCPA).

Non-Discrimination / Non-Retaliation:

You may have the right not to receive discriminatory treatment by the Company because you
exercise your privacy rights.

Opt Out of the Sale or Sharing:

You may have the right to opt out of the Sale of your Personal Information, to the extent
applicable. Company does not engage in the Sale of Personal Information. You may also have
 the right to request that we do not share your Personal Information with third parties.

Opt Out of Profiling and/or Cross Context Behavioral Advertising:

You may have the right to opt out of the Processing of your Personal Information for the
purposes of Cross Context Behavioral Advertising, or Profiling which is used in furtherance of
decisions that produce legal or similarly significant effects. “Profiling” means any automated
processing of Personal Information to evaluate, analyze, or predict aspects concerning an
individual’s economic situation, health, personal preferences, interest, reliability, behavior,
location or movements.

Request Correction:

You may have the right to request correction of the Personal Information that we hold about
you. This enables you to have any incomplete or inaccurate data we hold about you corrected,
 though we may need to verify the accuracy of the new data you provide to us.

c. Making a Request, Verification, Reviewing Requests, and Appeals

Cirion strives to make Data Subject requests simple and free. pursuant to the provisions set
forth in your country’s legislation.

Notwithstanding the foregoing, Cirion may retain some specific information of the Data
Subject requesting cancellation, to be used as evidence in the event of a potential claim. The
retention term shall not exceed the statute of limitations of said responsibilities pursuant to
law. If any information on the user’s logical interactions with the Webpage cannot be deleted
due to technical limitations, this data shall be anonymized so it cannot be used to identify the
Subject or to make them identifiable.

12. Personal Data Portability

Upon express request of the Data Subject, Cirion may return the personal data collected on
them, in a compatible, updated, structured, common, interoperable, and mechanical-reading
format, preserving its characteristics, or it may deliver it to a person duly appointed by the
 Data Subject for said purpose.

Data Subject’s data portability will not apply for information inferred, created, generated,
obtained, or resulting from any analysis or processing conducted by Cirion.

13. Personal Data Protection Delegate

Cirion has appointed an individual responsible for the fulfillment of the personal data protection
 policies adopted for each one of the jurisdictions where it operates. For more information on
this appointment, please visit the company’s website or send an e-mail to
data.privacy@ciriontechnologies.com.

14. California Shine the Light Notice

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our
Data Subjects who are California residents to request and obtain from us, once a year and free
 of charge, information about categories of personal information (if any) we disclosed to third
parties for direct marketing purposes and the names and addresses of all third parties with
which we shared personal information in the immediately preceding calendar year. If you are
a California resident and would like to make such a request, please submit your request in
writing to us using the following e-mail address: data.privacy@ciriontechnologies.com.

15. Children’s Privacy

Cirion’s website is not intended for use by anyone under the age of eighteen (18). In
accordance with the Children’s Online Privacy Protection Act (“COPPA“). Cirion does not
knowingly request or solicit personal data from anyone under the age of eighteen (18). In the
event that we receive actual knowledge that we have collected such personal data without
parental consent, we will take steps to permanently delete that information from our personal
database.

16. Brazilian General Data Protection Law

Cirion processes personal data in accordance with the guidelines of the Brazilian General Data
 Protection Law – Law 13,709/2018 (“LGPD”) and other relevant legislation.

In that sense, it is possible to point out that in its processes there are treatments that involve:

• Personal data (Art. 5, I, LGPD): Information relating to an identified or identifiable natural
  person. Cirion collects information from its customers at the time of prospecting,
  contracting, or using services, through service channels or an electronic form available on
   the website of the company.
• Sensitive Personal Data (Art. 5, II, LGPD): Data related to racial or ethnic origin, religious
  belief, political opinion, affiliation to a union or an organization of religious, philosophic or 
• political nature, data related to health or sexual habits, genetic or biometric data, when
  connected to a natural person. The sensitive personal data collected by Cirion is from our
  employees, to comply with a legal or regulatory obligation.
• Children and teenager personal data (Art. 14, LGPD) – The data is collected by Cirion to
  comply with a legal or regulatory obligation due to benefits extended to the dependents of
   Cirion employees, as well as the young apprentice program. Cirion does not collect data
  from minors for other purposes.
• Personal data publicly available (Art. 7, § 3, LGPD) – data manifestly made public by the
   Data Subject.

Cirion declares its commitment to the principle of data quality, ensuring that the personal data
 collected and processed is accurate, relevant, and specific.

a. Legal hypotheses applicable to the processing of personal data carried out by Cirion

Cirion supports its data processing operations with the following legal hypotheses:

• Compliance with a legal or regulatory obligation: data processing is justified by the
  obligation to comply with applicable laws.
• Contract execution or preparation: the processed data is used specifically for the
  preparation of the contract and throughout the performance of the contract.
• Regular exercise of rights: the data may be used in judicial, administrative or arbitration
  proceedings.
• Consent:the consent provided by the Data Subject is the free, informed, and unequivocal
   manifestation by which the Data Subject has agreed to the processing of his/her personal
   data for a specific purpose.
• Legitimate interest: the legitimate interest of the Controller may base the processing for
  legitimate purposes, judged on the basis of concrete situations, which include, but are not
   limited to: (i) Support and promotion of the Controller’s activities; (ii) Protection, in relation
   to the Data Subject, of the regular exercise of his/her rights or provision of services that
   benefit him/her, respecting his/her legitimate expectations and fundamental rights and
   liberties.

b. Rights of Data Subjects

Upon request to Cirion, as provided for in article 18 of LGPD, Data Subject may exercise the
following rights:

• Confirmation of processing existence – the Data Subject will obtain information on the
  existence or not of personal data in the Cirion database;
• Data access – the Data Subject may obtain a report of all the data contained in the Cirion
  database, with information on the origin, forms of processing and sharing with third parties;
• Data correction – the Data Subject may request the correction of incomplete, inaccurate,
  or outdated personal data;
• Data portability – the standard for portability will still be defined by the National Data
  Protection Authority (ANPD);
• Deletion of personal data – the Data Subject may request the deletion of the personal
  data processed by Cirion, the request for which will be subject to a feasibility assessment,
  in accordance with the law;
• Information on sharing – The Data Subject may request specific information about the
  sharing of data with public and private entities;
• Anonymizing or blocking – The Data Subject will have the request registered for execution,
   within the legal deadline. Important: anonymized data is that relating to a Data Subject
  who cannot be identified, considering the use of reasonable technical means available at
  the time of its processing;
• Automated Decision – The Data Subject will receive explanations about automated
  decisions, such as the use of robots to collect data for the creation of online marketing
  campaigns, and may request their review;
• Objection to data processing – The Data Subject may object to certain types of
  processing and purposes;
• Revocation of consent – The Data Subject may receive explanations about the consent
  (confirmation given for the collection and processing of their data) and request its revocation;
  
  • 1º If the Data Subject withdraws consent for purposes that are fundamental to the
    regular functioning of this website, some environments and services may be
    unavailable for the use by the Data Subject.
  • 2º Even if the Data Subject requests the deletion of his/her Personal Data, there are
     hypotheses in which such data may be kept stored, due to the provisions of article 16
    of the LGPD: (i) compliance with a legal or regulatory obligation by the Controller; (ii)
    study by a research body, ensuring, whenever possible, the anonymization of personal
     data; and (iii) transfer to a third party, provided that the data processing requirements
     set forth in the LGPD are respected; or (iv) exclusive use by the Controller, with no
    access by third parties, and provided that the data is anonymized.

Cirion´s Data Protection Officer will receive the request from the Data Subject via the portal
available at www.ciriontechnologies.com or by e-mail to the following address:
data.privacy@ciriontechnologies.com, and will take the necessary steps to return within the period
provided for by law, up to 15 days after receiving the request.

17. Changes to the Privacy Notice

Cirion may modify, update, or supplement the Privacy Notice at any time. Any modification,
update, or addition in regard to this notice shall be immediately communicated through the
Webpage, and through any other channels that may be determined, requesting the approval
of the new conditions where applicable.

Last update: February, 2025