Privacy Notice

1. INTRODUCTION

This Notice describes how we process the personal data collected. We explain how it is used and shared, and what your rights are regarding your data.

The Coordinates collect various data and information, in both online and offline environments, and recognize that your personal data and privacy are very important! Therefore, we adopt the best practices and existing solutions to protect them.

Any changes to our Notice will be duly informed in this space. Therefore, we recommend reading it periodically and checking for any updates before proceeding with the use of our services. We are available to address any questions regarding how we handle your personal data.

2. SCOPE

This Notice applies to all users of our website (https://ciacoordenadas.com.br/), as well as to any individuals who interact with Coordenadas and its operational units through any form of contact, resulting in a need for the Processing of Personal Data.

This Notice must also be adhered to by all employees and contractors in any operation involving the processing of Personal Data, aiming to ensure transparency, privacy, and the security of personal data processed by Coordenadas, whether related to customers, service providers, suppliers, third parties, partners, or job applicants.

3. DEFINITIONS

Firstly, we would like to clarify some important concepts for understanding our Notice.

• Anonymization: use of reasonable and available technical means at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual.
• ANPD – National Data Protection Authority: a federal public administration body, part of the Presidency of the Republic, whose main functions include: (i) ensuring the protection of personal data; (ii) safeguarding the observance of commercial and industrial secrets while respecting data protection and information confidentiality; (iii) supervising and applying sanctions in case of data processing conducted in violation of legislation, through an administrative process that ensures the right to contradict, broad defense, and the right to appeal; (iv) handling petitions from the data subject; among others.
• Legal bases: are the legal hypotheses that authorize us to Process Personal Data, which may be through your consent, or as a result of fulfilling a contract or legal obligation, for example.
• Cookies: are small files that we transfer to your browser or mobile device (such as a cellphone or tablet) that allow us to know how and when the pages and the Platforms are visited, as well as how many people access our and other related platforms. They can be useful for, for example, improving your browsing experience and better understanding your preferences so that we can offer you more efficient Products, Businesses, and Experiences.
• Controller: a natural or legal person, of public or private law, to whom decisions regarding the processing of personal data are attributed.
• Personal Data: Information related to an identified or identifiable natural person (individual), present in physical or digital form (e.g., name, CPF).
• Sensitive Personal Data: Personal data related to racial or ethnic origin, religious belief, political opinion, membership in a union or organization of a religious, philosophical, or political nature, data related to health or sexual life, genetic or biometric data when linked to a natural person.
• Elimination: the complete deletion of personal data from the Coordinates' database, although in certain cases, the LGPD, as defined below, may prevent its execution. In such cases, you will be informed clearly and transparently.
• Data Protection Officer (“DPO”): the person designated by Coordinates to act as a communication channel with any personal data subject and competent governmental authorities.
• General Law for the Protection of Personal Data (“LGPD”): Law No. 13,709, dated August 14, 2018, which provides for the processing of personal data, including in digital media, by natural persons or legal entities of public or private law, aiming to protect fundamental rights of freedom and privacy and the free development of the natural person's personality. Consider subsequent amendments to the publication, related regulations, as well as guidance, standards, rules, ordinances, regulations, and codes of practice and conduct issued by the ANPD.
• Operator: a natural or legal person, of public or private law, that performs the processing of personal data on behalf of the controller, which may also subcontract this activity (Sub-operator).
• Data subject: any identified or identifiable natural person to whom the processed personal data refers.
• Processing: Any operation performed with personal data, such as those related to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, archiving, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction, among other acts, performed with personal data under the custody of Coordinates.

4. WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?

Coordenadas, along with the other operational units of the Group, is solely responsible for processing your personal data in all processing activities related to this site.

If you have any questions, please contact our Data Protection Officer, who will handle your request to exercise your rights regarding the protection of your personal data.

Below, we provide the contact information for our Data Protection Officer:

Data Protection Officer: Arthur Godinho de Lacerda

Email: lgpd@ciacoordenadas.com.br

5. HOW CAN WE COLLECT AND USE YOUR PERSONAL DATA?

We use your Personal Data to provide our services satisfactorily. Additionally, they are also important for maintenance and implementation of improvements, as we use the information to ensure everything works as expected, as well as to develop services more suited to your needs.

As established by the LGPD, we conduct the Processing of Personal Data in accordance with the principle of purpose, ensuring that it is carried out for legitimate, specific, and explicit purposes, always previously informed to you, without the possibility of later Processing incompatible with these purposes.

Below (table) we list the situations in which we collect your personal data, as well as the purposes of data processing carried out by Coordenadas.

In addition to the information above, you also need to know that:

Through our website and blog, you may be directed to other portals, sites, and domains, including when you access our social networks from them, such as LinkedIn®, YouTube®, Instagram®, Facebook®, and WhatsApp®. The responsibility for processing personal data on these other channels lies solely with their maintainers. You should always read the privacy notices/policies of these channels before registering or logging in.

Finally, as the "Intranet" has exclusive access for employees, the processing of personal data is addressed in our specific Privacy Policy for employees.

And don't forget: you are fully responsible for the accuracy and updating of the data provided to Coordenadas de Transportes.

6. CHILDREN AND ADOLESCENT DATA

Coordenadas does not knowingly collect personal data from children and adolescents without the due consent of their legal guardian. Therefore, if you are under 18 years old, you should not provide us with any personal data or register on our website. In cases where it is found that such collection was mistakenly done, we will promptly and securely delete such data as soon as we identify them.

For purchasing bus tickets online, through our site for example, it must be carried out by the parent or legal guardian of the minor.

Children and adolescent data are processed by us for granting benefits to the dependents of our employees, interns, and young apprentices, to whom our Internal Privacy Policy applies.

7. WHAT DATA SHARING CAN WE DO WITH YOUR INFORMATION?

No matter who our partners are with whom we may eventually share your data, they will all be independent or joint data controllers or processors.

We require everyone with whom we may eventually share your personal data to comply with data protection rules and the determinations of the General Data Protection Law (LGPD), including those related to disposal, the exercise of data subjects' rights, confidentiality obligations, information security rules, among others.

Your data may be accessed by our employees to carry out data processing activities performed by us, as well as when necessary to respond to any request from you or which you are part of, and by third-party companies that help us maintain the website and application functioning and provide technical support, as well as with third-party companies that help us provide services to meet the scope you contract us for.

Your Personal Data may be shared with third-party partners, competent judicial, administrative, or governmental authorities, and regulatory bodies for different purposes, when necessary and provided that the sharing is supported by an appropriate legal basis.

We may possibly share your data with professionals delegated by us and necessary for fulfilling the scope of the contract entered into between us, such as lawyers, accountants, and auditors.

We may share your data with information technology service providers, financial institutions for processing payments and other financial issues, with third-party companies that help us maintain our website's functionality and provide some technical support, with internet and information system companies (ERP, servers, software, backups, among others) for the execution of our activities, with companies conducting satisfaction surveys, assisting us in selling our products and services and other third parties, with the primary purposes of the sharing listed in this document.

If you are a dependent of our employees, your data will be shared with Coordinates' partners such as health, dental, and life insurance plan operators to benefit you.

Besides these cases, if you are a bus ticket client and are registered on the Ecobonuz site or app, when using our transportation and informing, if you wish, your user code for the loyalty program, it will be shared with Ecobonuz so that your points will be recorded, and you can redeem rewards through Ecobonuz. If you are an urban ticket client and are registered with the Ecobonuz loyalty program, your card usage data will be automatically shared with Ecobonuz via database so that your points are recorded, and you can redeem rewards through Ecobonuz.

It is important for you to know that if you are interested in participating in the Ecobonuz loyalty program, upon registering on the site or app of this company, you should read and analyze the Privacy Policy and the Terms of Use available at https://www.ecobonuz.com, and in case you have any request regarding the loyalty program and the data they process, you should contact Ecobonuz directly.

All sharing is conducted within the limits and purposes of our services and in strict compliance with the General Data Protection Law.

Under no circumstances do we sell or exchange your personal data. All data, information, and content about you may be shared with third parties, when and to the extent strictly necessary, in negotiations that Coordinates is part of. All sharing is done securely, always preserving your privacy.

8. HOW DO WE KEEP YOUR DATA SECURE?

Coordinates employs strict procedures to ensure the security of your data to prevent any security incidents that may result in loss, unauthorized access, alteration, or any other form of improper handling. To this end, we adopt technical, administrative, and organizational security procedures, including but not limited to:

• Good governance practices;
• Access control to personal data, both in physical and digital environments;
• A structured information security system;

Our priority is to protect your data. We will always strive to act with diligence and responsibility, but it is important to clarify that no security system is completely immune to attacks by third parties such as “hackers” or “crackers.” Therefore, Coordinates cannot be held responsible for the complete failure to intercept, nor for any damages that may arise from the leak of Personal Data due to breaches or violations of the security barriers in place, provided that it has taken all feasible measures to prevent or mitigate them. Thus, if you suspect that your data may be misused within our environment, please contact our Data Protection Officer via email at lgpd@ciacoordenadas.com.br

SURVEILLANCE SYSTEM

To ensure everyone's safety, Coordinates utilizes surveillance cameras in its facilities as well as on its bus fleet. This processing is solely intended to ensure your and our security. The collected images will remain stored for approximately 30 (thirty) days, in compliance with the LGPD.

9. COOKIES

Cookies are files stored on the hard drive of any of your mobile devices, designed to provide you with a personal and interactive experience on our platforms and enhance our products and services, taking into account your interests and needs.

Cookies are also used to collect your personal data, which will then be aggregated into profiles so that we can distribute targeted advertising tailored to your interests, limiting the number of times you see an ad.

Additionally, we use cookies to perform statistical analyses that allow us to understand how people use our website. This helps us improve not only our structure and content but also the effectiveness of advertising campaigns from ourselves and third parties.

You also have the option to disable some of these Cookies, but disabling them may affect your browsing experience.

9.1. Necessary
These are essential for the proper functioning of the website and its tools. These Cookies ensure basic functionalities and site security features, anonymously.

9.2. Functional
They help perform certain functionalities like sharing site content on social media platforms, collecting feedback, and other third-party features.

9.3. Performance
Used to understand and analyze the website's key performance indicators, which helps provide a better user experience for visitors.

9.4. Analytics
Used to understand how visitors interact with the website. These Cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

9.5. Advertising/Marketing
Used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to deliver personalized ads.

9.6. Others
They do not fall into a specific category but are used to improve the user experience.

10. FOR HOW LONG CAN WE STORE YOUR DATA?

Coordenadas stores documents for as long as necessary to fulfill the purposes for which they were collected, and when there is any other reason to maintain them, such as to ensure contract enforcement, to comply with legal and regulatory obligations, to exercise rights in administrative, judicial, and/or arbitration proceedings, always respecting the rights of the data subject and in accordance with applicable regulations.

Data of job candidates are stored for 12 (twelve) months if the candidate is not approved in the selection process, so that candidates who were not selected can potentially have new opportunities.

When personal data is disposed of, we do so carefully, ensuring elimination and protecting the rights of its owners, always in accordance with guidelines for the secure disposal of storage media.

11. CAN YOUR DATA BE TRANSFERRED OUTSIDE OF BRAZIL?

In certain situations, Coordenadas may store your data on servers located in other countries, such as in cases of cloud storage, for example. In these situations, we require that our partners adhere to the controls required by the destination country and comply with the international transfer requirements as stipulated by applicable Brazilian legislation.

12. WHAT ARE YOUR RIGHTS?

The LGPD ensures that you, as the data subject, can exercise your rights in relation to the Controllers of your information at any time and upon request. We provide the references below so you can clearly and transparently understand how to exercise some of the applicable rights and the means for us to assist you.

a. Confirmation of the existence of Processing and Access to Personal Data: It is your right as the data subject to request that Coordenadas confirms the processing of your personal data and, if applicable, informs you what information they hold about you. Coordenadas will demonstrate the categories of personal data and the duration of personal data storage.

b. Information about the entities with whom Coordenadas needs or needed to share data: It is your right to request the information regarding the sharing of your personal data with third parties.

c. Correction of incomplete, inaccurate, or outdated data: If you find that your personal data are incomplete, inaccurate, or outdated, you can request the correction or completion of your personal data.

d. Information about the possibility of not providing consent: If consent is the applicable legal basis for data processing, you can ask Coordenadas to clarify whether it is possible to carry out the respective Processing activity without your consent, or what the consequences of not providing consent are in this case.

e. Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data: If there is any treatment of data that is unnecessary, non-compliant with the LGPD, or excessive for the intended purpose, you can request that Coordenadas anonymizes, blocks, or deletes such data, provided it is effectively confirmed the excess, the lack of necessity, or the non-compliance with the law.

f. Withdrawal of consent: When the legal basis for processing is consent, it is your right as the data subject to withdraw your consent for the processing of your data at any time through a formal request to Coordenadas. We will take all necessary measures to stop the processing of information as requested by the data subject. Withdrawing consent may result in the termination of the services provided but does not prevent the use of anonymized data and data whose processing is based on another legal basis as provided by the LGPD.

g. Deletion of Personal Data: If you have given consent for the Processing of your personal data for specific purposes (and not necessary for the provision of our services or delivery of our products), you may request the deletion of such Personal Data. Note that if the retention/storage of Personal Data is due to situations such as legal or regulatory obligations, this data may be retained/stored regardless of your consent, as an exceptional case of Processing.

h. Objection to Processing, if irregular: You may object to the Processing of your Personal Data if it is found to be irregular. Coordenadas will take appropriate measures without undue delay in the event of a challenge to the Processing of Data, in whole or in part.

i. Review of automated decisions: You can challenge decisions made solely based on Personal Data processed in an automated manner that affects your interests, such as decisions intended to define your personal, professional, consumption, and credit profile or aspects of your personality, as well as find out what criteria and procedures are used for automated decision-making, when such processing occurs, observing commercial and industrial secrets.

Any requests related to the rights guaranteed to the data subject should be sent to our Data Protection Officer by completing the Personal Data Rights Exercise Form available at the link https://www.ciacoordenadas.com.br/lgpd

Your request will be reviewed and responded to within 15 (fifteen) days, as regulated by the General Data Protection Law (LGPD). In special cases, a longer period may be required, which will be communicated by Coordenadas along with the reason for the delay.

When you send us a request, we will need to verify your identity. Therefore, we may request additional documents and/or information for this purpose. If, eventually, we cannot fulfill your request, even partially, we will clarify the reason.

13. STILL HAVE ANY QUESTIONS ABOUT OUR PRIVACY NOTICE?

If you still have any unresolved questions about our Notice, please contact our Data Protection Officer via the email address lgpd@ciacoordenadas.com.br, and we will respond to your inquiries.

14. CHANGES TO THIS NOTICE

This Notice may be changed by Coordenadas whenever necessary, which is why we recommend that all our users periodically review this Notice.

This Notice was last updated in March 2023.

Exercise of Personal Data Rights Form

ATTENTION! This form should be used exclusively to exercise your rights as a personal data holder and not for inquiries, complaints, suggestions, or criticisms related to our products and services. In these cases, you can always contact our Customer Service (SAC) via email at sac@ciacoordenadas.com.br or by phone at 0800 029 5000. To properly address your request, we need to verify your identity and understand which category of personal data holder you fall into. If your data cannot be securely confirmed, personal data information will not be provided to prevent any kind of data leakage. Please fill out the form below.