Aware of the importance of privacy and protection of personal data, CONCESSÃO SISTEMA RODOVIÁRIO PONTE SALVADOR ILHA DE ITAPARICA S.A. ("CPSI", "we", "our", "our" or "us"), with headquarters at Rua Frederico Simões, nº 2539, Caminho das Árvores, Edf. CEO Corporate, Torre Nova York, Room 1101, Salvador/BA, CEP 40.301-155, special purpose company (SPC), delegate of the Public Power, responsible for the execution of the Concession Agreement No. 001/2020-SEINFRA, has prepared this Privacy Policy ("Policy").

1. Introduction

In the context of this Policy, CPSI is a controller of personal data ("Controller"), responsible for decisions regarding the processing of personal data, as provided for in Article 5, VI of Federal Law No. 13,709/2018 ("General Personal Data Protection Law" or "LGPD"). For this reason, the CPSI has several responsibilities, such as ensuring the security, privacy and protection of personal data, adopting effective measures capable of attesting compliance with standards on the subject, and guiding its employees and contractors who are in the position of operators regarding the practices to be adopted with regards to the protection of personal data.

The purpose of this Policy is to provide clear and precise information on how we handle the personal data you share with us, in accordance with article 9 of the LGPD. Our aim is to ensure that there is no doubt that we comply with current regulations.

This Policy applies to any processing of personal data carried out by CPSI to enable the exercise of its commercial activities and the hosting of the institutional website www.pontesalvadoritaparica.com.br/en-us and other linked applications.

2. Method for Collecting Information

The following methods may be used to collect personal data:

    • CPSI institutional website www.pontesalvadoritaparica.com.br
  • • To ensure the correct functioning of the website and provide you with a better experience, we may collect information from you through a standard data collection feature found in your Internet browser called a Cookie. For additional information, please refer to our [Terms and conditions] .
  • • We offer a dedicated 'Work With Us' section on our website where you can share your registration data and CV with us. The information collected in this form will be used to keep you informed of future job opportunities based on our and/or your legitimate interests or the consent you have provided. Your registration will be stored for as long as you are interested in joining our team. If you are no longer interested, please contact us at [email protected].
    • E-mail and other electronic messaging tools may be used for exchanging messages.
  • • CPSI may have access to your personal data, including your first and last name, and other information that you share, for various purposes such as managing data protection requests.
    • Third-party sources may also be utilized.
  • Occasionally, we may gather information about you from public sources or third parties. This is done to facilitate the completion of a contract in which you or your affiliated company is involved, to comply with legal or regulatory obligations, or in other necessary cases as permitted or required by current legislation.

In addition to the methods described above, we may also collect your information through market research. CPSI ensures that your personal data will only be processed for legitimate, specific, explicit, and previously informed purposes.

3. Information Collected

In the situations described in item 2 of this Policy, we may collect the following categories of personal data:

    • Registration data: We may collect certain registration information necessary to handle your demands through our contact channels, such as the Ombudsman section available on our institutional website.
  • • Professional life. You may share information about your professional status, academic training, and awards through your CV, particularly in the Work with Us section of our institutional website.
  • • Data related to the internet. We may collect information about your use of CPSI institutional websites through the use of cookies. For more information, please refer to our [Terms and conditions] .

In addition to the categories of data outlined in this Policy, please note that we may collect other information that is necessary to comply with legal, regulatory, or contractual obligations, to exercise our rights, to safeguard our or your legitimate interests, or to achieve any purpose permitted by applicable law.

4. Purposes of Data Processing

The personal data that you provide to us or that we may collect, directly or indirectly, will be processed for the purposes indicated below, in accordance with applicable legislation. In general, we may use the collected data for the following purposes:

  • • To enable access to our institutional website or other services, we comply with contracts, your legitimate interests, or your consent;
  • • To receive, manage, and respond to your questions, suggestions, and requests through various channels, such as the Ombudsman section, in compliance with contracts signed with you or applicable legislation, based on our or your legitimate interests or with your consent, if applicable;
  • • To conduct market research, we may do so based on our legitimate interests or with your consent, if applicable;
  • • To comply with legal or regulatory obligations;
  • • To execute contracts or preliminary procedures for contracts in which you are a party;
  • • To enable us to exercise our rights in legal, administrative, or arbitration proceedings;
  • • To meet our or your legitimate interests, in accordance with current legislation;
  • • By means of a court order served on CPSI;
  • • In other situations, as permitted or required by applicable regulations.
5. Information Sharing

To ensure maximum privacy and security of your personal data, CPSI's institutional policy prohibits sharing personal data with third parties, except as provided for in this Policy. As permitted by current legislation, we may share and transfer your personal data in the following situations:

  • • With CPSI group companies. Your personal data may be shared or transferred to our controllers and their subsidiaries, as long as it is strictly necessary and within legal limits.
  • • With third parties. To enable or assist CPSI in carrying out its commercial activities, providing the institutional website, and fulfilling the obligations established in our contracts and the law, we may share certain personal data with third-party partners, suppliers, or service providers. As operators, these third parties will process personal data following the instructions provided by CPSI. CPSI will require the conclusion of confidentiality agreements and/or the provision of strong and sufficient guarantees that they will comply with personal data protection standards.
  • • With authorities and public bodies. To comply with legal and regulatory obligations or court orders applicable to CPSI, we may share or transfer personal data to competent authorities, such as the Federal Revenue Service of Brazil, State and Municipal Departments of Finance, bodies of the Judiciary, and law enforcement agencies, among others.

In addition to the hypotheses mentioned, CPSI may share your personal data in other situations where necessary, as long as applicable legislation authorizes or requires it.

It is important to note that any sharing or transfer mentioned in this Policy will be carried out in compliance with all best practices and personal data protection requirements provided for in applicable legislation and regulations.

6. International Flow of Information

The Concession for the Salvador-Ilha de Itaparica Highway System is held by two major Chinese groups, leaders in the construction and infrastructure industry, with a global presence in over 150 countries. As a result, your personal data may be processed in locations where our controllers operate or conduct business, within the bounds of current legislation.

Additionally, CPSI may store your personal data in a cloud system or similar technology that allows for the storage of large amounts of information on servers located both domestically and internationally. In such cases, we implement technical and contractual safeguards to ensure the security of information subject to cross-border transfer.

We want to clarify that we will only conduct international transfers of personal data that are strictly necessary and for specific and informed purposes. We will take all necessary precautions and safeguards required by law, including the adoption of standard clauses and/or global corporate standards as detailed in regulations.

Recognizing that our commercial activities and services may become unfeasible without international data flow, you acknowledge that your personal data may be processed outside your country of residence in accordance with this Policy and current legislation.

7. Information Retention

Your personal data will be processed until the purpose of the processing has been achieved or until the data is no longer necessary or relevant to achieving the specific purpose sought.

However, we may retain your personal data to comply with our legal or regulatory obligations, to protect us legally, or for the regular exercise of our rights in judicial, administrative, or arbitration proceedings, while observing legal and/or regulatory deadlines.

As explained in item 9 of this Policy, your personal data may be deleted, blocked, or anonymized upon your request, under the terms and limits set out in current privacy and data protection regulations. To do so, please contact us at [email protected]

8. Security Measures

To ensure the confidentiality of your personal data, CPSI, as the controller of the personal data mentioned in this Policy, implements all necessary technical and administrative security measures to protect against unauthorized access or accidental or unlawful situations of destruction, loss, alteration, communication, or any other form of inappropriate or unlawful processing.

Among the measures adopted, we emphasize controlling and tracking user access to our internal systems, including user and password requests and log records. We have also implemented software protections such as antivirus and firewalls, backup databases, and provided appropriate instructions to our employees.

However, even the most effective security measures cannot guarantee complete impenetrability. Therefore, we ask for your support in enhancing the protection of your personal data. Please avoid accessing suspicious websites and report any suspected security incidents to us.

9. Rights of the personal data holder

CPSI is dedicated to safeguarding all your rights related to privacy and data protection, as outlined in legislation, including article 18 of the LGPD. These rights include confirmation, access, rectification, anonymization, blocking, or deletion of your personal data. Additionally, you have the right to request information about the public and private entities with whom we share your data, as well as the ability to revoke any previously provided consent and understand its consequences, if applicable.

To exercise these rights, in accordance with applicable legislation and regulations, please contact us at [email protected]

10. Policy Updates

CPSI reserves the right to update or revise this Policy to reflect technological innovations, changes in the law and in our business practices, or as otherwise deemed necessary or appropriate. For this reason, we encourage you to visit this page periodically.

11. Contact Us

To clarify any doubts or submit suggestions, complaints, or requests related to privacy and data protection, please contact our Person in Charge of Personal Data Processing at[email protected]