01. OBJECTIVE

Define governance rules for Personal Data Privacy.

02. USERS
This policy applies to all Employees of the Solví Group (“Employees”), defined as all employees of Solvi and its direct and indirect subsidiaries, regardless of hierarchical level, as well as non-employees who occupy positions
in any corporate or governance body, including directors, officers and committee members.

03. TERMS AND DEFINITIONS
The processing of personal data under the LGPD can be carried out by two types of “processing agents”, namely:

• Controller and Operator:

“Controller” means a natural or legal person under public or private law who is responsible for decisions regarding the processing of personal data.

“Operator” means the natural or legal person who, in the name of the Contractor - who may be an individual or legal entity, will process Personal Data, under the terms of the Contract.

“Data Treatment” (including related terms, treat, treated, etc.) any operation performed with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication,
transfer, diffusion or extraction. These treatment operations are highlighted below:

“Access” - the act of entering, transiting, knowing or consulting information, as well as the possibility of using
information from a body or entity, subject to any restrictions that may apply.

“ANPD” means the National Data Protection Authority in Brazil, as defined in the LGPD;

“Anonymization” is the data related to the holder that cannot be identified;

“Storage” - action or result of maintaining or conserving data in a repository;

“Archiving” - the act or effect of keeping a data registered, although it has already expired or expired;

"Inspection Authorities" means any authority, including judicial, competent to inspect, judge and apply the
pertinent legislation, including, but not limited to, the ANPD;

“Evaluation” - analyze the data with the objective of producing information;

“Classification” - way to order the data according to some established criteria;

“Collaborator (s)” means any employee, employee, regardless of hierarchical level, including subcontractors or
outsourced, representatives or agents, paid or unpaid, in full or partial regime, acting on behalf of
of the Parties and that has access to Personal Data;

“Collection” - collection of data for a specific purpose;

“Communication” - transmitting information relevant to action policies on the data.

We are a family owned and operated business.

“Control” - action or power to regulate, determine or monitor the actions on the data;

“Personal Data (s)” means any information that, directly or indirectly, alone or accompanied by other data,
identify or can identify an individual. Examples of personal data are: name, CPF, Internet Protocol number
(IP), email address, bank account number, financial profile, taxpayer identification, professional registration,
geolocation, among others. This concept includes Sensitive Personal Data (as defined below);

“Personal data (s). Sensitive (s) ”means (m) any information that reveals, in relation to an individual, the origin
racial or ethnic, political opinions, religious or philosophical beliefs, union membership and also genetic or
biometric data that uniquely identifies a person, health data, and sex or
sexual orientation;

"Controller's Personal Data (s)" means any Personal Data Handled by the Operator, including Personal Data
Sensitive under, or in connection with, the Contract;

“Elimination” - the act or effect of deleting or destroying stored databases;

“Security Incident” means any and all accidental or intentional, unlawful or unauthorized situations by the Controller,
practiced through fault or deceit, which causes, in relation to Personal Data: (i) destruction, (ii) loss (iii) alteration, (iv)
communication and dissemination, or (v) access to Third Parties;

“Data Protection Laws and Regulations” means any law and / or regulation, including any published decision
by any competent Supervisory Authority, applicable to the Treatment of the Controller's Personal Data.
"LGPD" means Law No. 13,709, of August 14, 2018 (General Data Protection Law, and its respective amendments
posterior);

“Privacy” is an individual's fundamental right and, therefore, must be safeguarded with the utmost care, efficiency and
quality;

“Services” means the services and other activities that will be provided or performed by or on behalf of the Operator for the
Controller, under the terms of the Agreement;

“Sub Operator” means any natural or legal person who, on behalf of the Operator, will handle Personal Data on behalf of
the Controller, under the terms of the Agreement;

“Transfer” is the change of data from one storage area to another, or to a third party;

“International transfer” means the movement of data outside the national territory by any means,
including access to data from outside the country where it was collected, and the use of cloud data storage technology;

“Transmission” - movement of data between two points by means of electrical, electronic, telegraphic devices,
telephone, radio, electric, pneumatic, etc;

"Use" - act or effect of using the data;

Any obligations in this document that refer to the requirements present only in the LGPD will apply with the
entry into force of the LGPD.

We are a family owned and operated business.

04. DESCRIPTION

4.1. INTRODUCTION

This document provides good practice guidelines for Personal Data Processing operations and needs to be understood in the light of legal restrictions, information security and privacy requirements in line with Law No. 13,709, of August 14, 2018 - Law General Protection of Personal Data (LGPD).

We are a family owned and operated business.

4.2. PRINCIPLES

4.2.1. ADEQUACY

The Processing of Personal Data must be compatible with the purpose informed by the company / holder.

4.2.2. GOAL
The Processing of Personal Data must be done for specific, legitimate, explicit and informed purposes to the Personal Data Holder.

4.2.3. FREE ACCESS
The data subject individual has the right to consult, in a simple and free way, all data that the company holds the
your respect.

4.2.4. NON-DISCRIMINATION
The Processing of Personal Data can never be used to discriminate or promote abuse against its holders.

4.2.5. NEED
The Processing of Personal Data must be carried out in a restrictive manner, giving priority to the treatment of personal data strictly
necessary to fulfill the intended purpose, without excessive collection.

4.2.6. PREVENTION
Measures must be taken to prevent damage to the holder of personal data, such as
regular audits, periodic audits, training, etc.

4.2.7. ACCOUNTABILITY AND ACCOUNTABILITY
The person responsible for the Treatment of Personal Data (Controller or Operator) must demonstrate good governance practices, with
rules and principles that prove compliance with the rules on protection of personal data and even the effectiveness of these
measures.

4.2.8. DATA QUALITY
Holders' data must be kept up to date, clear and accurate.

4.2.9. SAFETY
The Processing of Personal Data must be carried out in such a way as to guarantee due security and confidentiality, with due
adoption of adequate technologies for the prevention, detection and mitigation of intrusions to the computational environment, as well as the use of
of event management technologies and security devices up to date with security features.

4.2.10. TRANSPARENCY
Guarantee to Personal Data Holders of the right to clear, accurate and easily accessible information about the treatment
data and the respective processing agents.

4.3. LEGAL BASIS FOR PROCESSING PERSONAL DATA
4.3.1. HOLDER'S CONSENT
It is the rule of the autonomy of the will. It is the free and unequivocal manifestation by which the holder agrees with the treatment of
your personal data for a specific purpose.
The data subject is free to authorize, deny or revoke the authorization previously granted for processing data.
your personal data.

4.3.2. COMPLIANCE WITH LEGAL OR REGULATORY OBLIGATION
The Operator or Controller is entitled to custody of the Processing of Personal Data, except for the cases for compliance with legal or regulatory obligation and does not depend on the consent of the holder.

We are a family owned and operated business.

4.3.3. CONTRACT EXECUTION
This is a situation in which the processing of personal data occurs without the need for express consent, for the purpose of
specific for the handling of personal data necessary for the performance of a contract where the Data Subject is
integral. In this case, the Data Subject cannot revoke his supply, since the Controller or Operator
will be protected by the LGPD to be able to maintain the data provided by the holder for the duration of the contract,
as provided for in item 4.5.1.3.

4.3.4. JUDICIAL, ADMINISTRATIVE OR ARBITRAL PROCEDURES
Hypothesis of processing personal data for the regular exercise of rights in judicial, administrative or arbitration proceedings.

4.4. TREATMENT OF PERSONAL DATA
4.4.1. SPECIFICITIES FOR THE PROCESSING OF SENSITIVE PERSONAL DATA
The Solvi Group ensures that sensitive personal data will be processed in accordance with the special requirements established in the
(LGPD) laws.

The Treatment of Sensitive Data must occur in the following cases:
i. When processing is necessary for the purposes of executing the specific obligations and rights of the Data Controller
in the field of labor law and within the scope of applicable legislation for adequate protections;
ii. When treatment is carried out in the regular exercise of rights, including in contract and in judicial, administrative proceedings
and arbitration, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law);
iii. When the treatment is related to Sensitive Data that have been made public by the Data Subject;
iv. Treatment is otherwise permitted under its own law or when the holder or his legal guardian
specific and highlighted form, for specific purposes.

4.4.2. SPECIFICITIES FOR DATA PROCESSING OF CHILDREN AND ADOLESCENTS
The Solví Group ensures that for the processing of data on children and adolescents it is essential to request consent
of a parent or legal guardian and that the data will be processed only in the holder's best interest.

4.5. COLLECT
Collection is one of the treatment operations referred to in art. 5th, item X of the LGDP. Considering that the Treatment of
data can be represented by a life cycle, this operation represents the initial step for obtaining personal data
the data subject.

The collection operation can only be carried out by complying with treatment hypotheses,
security, principles, 'respect for the rights of the holder and other rules provided by the LGPD.
The entire content of this document aims precisely to guide the Solví Group towards care when collecting and processing personal data,
in order to ensure the privacy of data subjects.

This document provides guidance on the incorporation of privacy as a standard for the Treatment of Personal Data, indicating the
limitation of collection as one of the practices to be adopted.

4.5.1. DATA ACCESS
Under the terms of the applicable legislation, the Data Subject may at any time request access to the data that they tell him
respect, as well as its rectification, elimination or limitation of use of personal data. You may also require portability
your data, or even oppose its treatment, except in cases provided for by law. You can exercise these rights upon a written request sent to dpo@solvi.com.

We are a family owned and operated business.

4.5.1.1. ANONIMIZATION
The failure to identify the relationship between the data and its owner results from the use of the anonymization technique, in order to
make the association between them impossible, either directly or indirectly. This process, according to the legislation in force, must
be used, whenever possible, by applying reasonable and available technical means when
Dice.

4.5.1.2. DATA SHARING
The Solví Group may transmit personal data to contracted companies, which in some way need to act for operation and
management of services, requiring its contractors to adhere to applicable regulations.

The Solví Group may also transmit personal data of Employees to third parties when such data communications are made.
become necessary or appropriate (i) in light of the applicable law, (ii) in the fulfillment of legal obligations / court orders, (iii) by
determination of the National Data Protection Authority or other competent supervisory authority, or (iv) for
respond to requests from public or government authorities.

4.5.1.3. DATA CONSERVATION
The Solví Group will keep Personal Data in accordance with current legal terms and for the period strictly necessary to
ensure compliance with contracts. In the event of a pending dispute, the data may be kept until a final decision by the
decision.

4.5.1.4. DATA RECTIFICATION
The Solví Group will guarantee the holder, at any time, the right to obtain, without undue delay, the rectification of Personal Data
inaccurate about you and / or the right to have incomplete personal data completed. Employees and third parties
they must always keep their personal data up to date.

4.5.1.5. DATA DELETION
Under the terms of the LGPD, the Solví Group, without undue delay, will end the processing of Personal Data in the following
hypotheses:
(i) exhaustion of the purpose for which the data was collected or when it is no longer necessary or pertinent
to achieve this purpose;
(ii) end of the treatment period;
(iii) revocation of consent or at the request of the holder, safeguarding the public interest;
(iv) determination of the national authority in the face of violation of the provisions of the Law;
(v) elapsed legal term.

4.5.1.6. WITHDRAWAL OF CONSENT
The Solví Group guarantees the right to revoke the consent to the processing of Personal Data, which may be revoked by the
Holder, at any time, as provided for in item 4.5.1.

4.6. IMPACT REPORT ON THE PROTECTION OF PERSONAL DATA
The Personal Data Protection Impact Report (RIPD) represents a fundamental document in order to demonstrate the Data
Personnel that are collected, treated, used, shared and what measures are taken to mitigate the risks that may
affect civil liberties and fundamental rights of data subjects. The recording of processing activities in
In relation to personal data, it will use good governance practices to specify the nature, scope, context and purpose of the treatment.

We are a family owned and operated business.

4.7. THE LIFE CYCLE OF THE PROCESSING OF PERSONAL DATA

The life cycle of the processing of personal data begins from its collection through the definitions of retention,
processing and the final destination, which may be the transfer or the final disposal. Each phase of the life cycle has
correspondence with treatment operations defined in the LGPD.

Privacy must be protected continuously throughout the domain and throughout the data processing life cycle
question. There should be no gaps in protection or accountability. The “Security” principle has special relevance because,
in essence, without security, there can be no privacy.

4.8. INTERNATIONAL DATA TRANSFER
The transfer of Personal Data from one jurisdiction to another must be done in such a way as to comply with the requirements of
data protection in both the home and destination jurisdictions.

The Solví Group must ensure that the international transfer of data is carried out in accordance with the legislation
national and international regulations, regulations and standards, with the consent given by the Data Subject, or
use of appropriate contractual clauses and, when required by applicable national law, upon obtaining authorization
prior authorization from the National Data Protection Authority or other competent privacy regulatory authority.

4.9. RESPONSIBLE FOR PRIVACY AND DATA PROTECTION
The Solví Group is the entity responsible for the processing of personal data
Company: Solvi Participações SA
Address: Rua Gonçalo Madeira, 400, Fr., Jaguaré
CEP: 05348-902 - São Paulo / SP
Phone: (11) 3124-2200
www.solvi.com | email: dpo@solvi.com

4.10. DISCLOSURE
The disclosure of the Personal Data Privacy Policy must be in accordance with the processes already adopted by the Solví Group
dissemination of other documents and policies. Everyone involved in the implementation of the Data Privacy Policy
Personnel, including senior management, management, employees and third parties, must understand, be aware of and commit to the
Policy content.

5 - GENERAL PROVISIONS
All matters described in this Policy are the property of Solví, and should not be disclosed or made available to
any other persons, firms, entities and / or external parties, except in cases previously analyzed and formally
approved.

This Policy cancels and replaces all previous guidance on the subject, verbal or written. This Policy takes effect
on the date of its publication. The leaders of the controlled and jointly controlled companies must, at any time, make suggestions for improving this Policy whenever they detect a detachment between the best practices, current legislation and / or regulations, which have not been included in the current version of this Policy.

6 - REPORTING CHANNELS

The Solví Group encourages its Employees and Third Parties to report to the Whistleblower Channel in a safe manner and, if desired,
anonymous, any conduct contrary to this Policy. The Reporting Channel can be accessed through the following channels:

Website: codigodecondutaSolví.com
Brazil: 0800 721-0742
Argentina: 0800 333 0776
Bolivia 800 100 146
Peru 0800 555 89
E-mail: comite.conduta@Solví.com
Letter: Addressed to Solví - Conduct Committee: PO Box 31.256 - São Paulo - SP

Employees and Third Parties are guaranteed confidentiality, not to be retaliated for using the right to denounce and secrecy
as far as possible, both the identity and the content of the communication formalized through the Reporting Channel.
Grupo Solví employees must collaborate in internal investigations of conduct violations, as well as collaborate with the
Public Authority in any investigation of suspected irregularities or violation of the law, assisting in obtaining information and
documents that support its occurrence.