
Privacy and Personal Data Protection Policies

  1. Objective

This policy establishes the guidelines and norms for carrying out activities involving the treatment and guarantee of privacy and protection of Personal Data, that is, data of natural persons (“Holders”) with which ALLURE MOEMA relates to carry out its business activities.

All activities related to ALLURE MOEMA’s businesses that deal with Personal Data are guided by this policy, which aims to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

  2. Compliance with Laws and Regulations

This Policy was prepared in order to meet the requirements of the law amended by law (LGPD or “Law”), known in Brazil as the “General Data Protection Law”, especially under the terms of its Article 50, which deals with good practices and the governance of the security of Personal Data, copied below:

Art. 50. The controllers and operators, within the scope of their competences, for the processing of personal data, individually or through associations, may formulate rules of good practices and governance that establish the organizational conditions, the operating regime, the procedures, including complaints and petitions from holders, security rules, technical standards, specific obligations for the various parties involved in the treatment, educational actions, internal mechanisms for supervision and risk mitigation and other aspects related to the processing of personal data.

§ 1 When establishing rules of good practices, the controller and the operator will take into account, in relation to the processing and data, the nature, scope, purpose and probability and severity of the risks and benefits arising from the processing of data of the holder.

§ 2 In the application of the principles indicated in items VII and VIII of the caput of art. 6 of this Law, the controller, subject to the structure, scale and volume of its operations, as well as the sensitivity of the data processed and the probability and severity of damage to data subjects, may:

I – Implement a privacy governance program that, at a minimum:

a) demonstrates the commitment of the controller to adopt internal processes and policies that ensure comprehensive compliance with rules and good practices related to the protection of personal data;

b) is applicable to the entire set of personal data under its control, regardless of how it was collected;

c) be adapted to the structure, scale and volume of its operations, as well as the sensitivity of the data processed;

d) establish adequate policies and safeguards based on a systematic assessment process of impacts and risks to privacy;

e) has the objective of establishing a relationship of trust with the holder, through transparent action and which ensures mechanisms for the holder’s participation;

f) is integrated into its overall governance structure and establishes and applies internal and external oversight mechanisms;

g) has incident response and remediation plans in place; and

h) is constantly updated based on information obtained from continuous monitoring and periodic evaluations;

II – Demonstrate the effectiveness of its privacy governance program when appropriate and, in particular, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which, independently, promote the compliance with this Law.

§ 3 The rules of good practices and governance must be published and updated periodically and may be recognized and disclosed by the national authority.

  3. Definitions of Personal Data and Personal Data Protection

Personal data is information relating to a living, identified or identifiable person. Also constituting personal data is the set of distinct information that may lead to the identification of a particular person.

According to the LGPD (Article 5) and other similar references, it is considered:

I – PERSONAL DATA: information related to an identified or identifiable natural person.

II – SENSITIVE PERSONAL DATA: personal data about racial or ethnic origin, religious conviction, political opinion, union affiliation or religious, philosophical or political organization, data referring to health or sex life, genetic or biometric data, when linked to a natural person.

III – ANONYMIZED DATA: data relating to the holder who cannot be identified, considering the use of reasonable technical means available at the time of processing.

Personal Data is required in different business activities at ALLURE MOEMA. Personal Data can have various forms of representation, storage and transport, and their meaning and value depend on the context in which they are found, and may be, for example:

a) On paper: attendance lists, paper registration forms, reports, memos, letters, etc.

b) On digital media: digital files recorded on disks, SSDs, flash drives, tapes, CDs, etc.

c) In sound: recording of meetings and other activities, answering machine, etc.

d) In image: photos of people and their documents, videos containing people, etc.

The protection of Personal Data must guarantee fundamentals and basic rights of people, such as respect for privacy, dignity and self-determination; freedom of expression, information, communication and opinion; the inviolability of intimacy, honor and image; free enterprise and free competition; consumer protection and other human rights related to personality and the exercise of citizenship.

In order for the Personal Data protection objectives to be achieved, ALLURE MOEMA employees and service providers must follow the practices determined in this Personal Data Protection and Privacy Policy and in the operational procedures related to this document, which establish guidelines and standards for security for personal data.

  4. Holders’ Rights:

The Holders of data collected and processed by ALLURE MOEMA have the following rights in relation to their Personal Data processed by the Group.

a) Confirmation of the existence of processing of your Personal Data.

b) Free consultation access to your Personal Data.

c) Correction of your Personal Data, when the data is incomplete, inaccurate or out of date.

d) Elimination of your Personal Data, when the data is unnecessary, excessive or treated in violation of the Law, including when there is consent from the holder, provided that the personal data is not used to comply with legal and regulatory obligations.

e) Portability of your Personal Data to another service or product provider, upon express request by the holder.

f) Information from public and private entities with which the Group has shared its Personal Data.

g) Information about the possibility of not providing consent for the processing of your Personal Data.

h) Revocation of consent to the processing of your Personal Data.

  5. Collection, Use and Processing of Personal Data

ALLURE MOEMA collects, uses and processes Personal Data to meet the legitimate interests of the Group, committing to comply with all applicable legislation regarding the protection of Personal Data, ensuring that they are collected, used and treated in accordance with the provisions of the LGPD and other applicable laws and regulations, if any.

Personal Data is not collected and processed without a purpose. The collection may occur, when necessary, to establish the commercial relationship between ALLURE MOEMA and its employees, customers and business partners, for the execution of a contract or for the fulfillment of a legal obligation to which ALLURE MOEMA is subject.

When collecting Personal Data, ALLURE MOEMA will previously inform, transparently, clearly and unequivocally, what are the purposes for processing that personal data and for how long they will be retained and processed, when it is possible to establish this time.

In all cases where the personal data collected is not anonymized and the collection is not for the purposes of (i) compliance with a legal or regulatory obligation, (ii) execution of a contract or preliminary procedures related to a contract to which the holder is a party, (iii) regular exercise of rights in judicial, administrative or arbitration proceedings, and (iv) credit protection, ALLURE MOEMA must request the express consent of the data subject, and this consent must be registered and filed in digital or printed media.

Whenever there are changes in the purpose, ALLURE MOEMA must inform the holder in advance about the changes and ask for a new consent, and the holder may revoke the consent, in case he disagrees with the changes.

When the processing of personal data is a condition for ALLURE MOEMA to provide a product or service, or for the exercise of its right, the holder will be informed with emphasis on this fact and on the means by which he can exercise the rights listed in the Law.

5.1. New projects and processes for changes in Personal Data

Any new Personal Data processing activity must be duly communicated by the Owners to the Person in Charge of the DP, including involving the latter in the planning of new projects that may involve the collection and processing of Personal Data, so that the risks to the protection of Personal Data are fully evaluated and addressed.

In the normal business operation processes, any and all changes in Personal Data must be communicated to the Person in Charge of the DP, manually or automatically (systemic integration), so that he can update the records in his control tool(s). This communication/integration process includes both changes in the data structure and in the records, for example:

New Personal Data collected in current systems/processes.

Alteration, correction or deletion of Personal Data records in current systems/processes.

Changes in the structure of the Personal Data bases of existing systems/processes.

  6. Disposal of Personal Data

At the end of the period of use or when the purpose for which certain Personal Data was collected and processed ends, the DP Owners must delete the related Personal Data, using secure disposal methods, or in anonymized form, for statistical purposes. Whenever possible, these discards should be evident.

In cases where ALLURE MOEMA cannot delete Personal Data to comply with legal requirements or for some other legitimate need, Personal Data must be securely archived, isolated from any further processing, until deletion is possible.

  7. Communication processes with holders and the ANPD

ALLURE MOEMA must establish a communication channel so that the ANPD and the holders can contact the Group whenever they wish to exercise their rights.

The person in charge of operating this communication channel is the Person in Charge of Personal Data.

This communication channel must be published on the Internet and/or in other means that facilitate disclosure to holders and the ANPD.

Additionally, whenever required, the DP Person in Charge must also respond to requests for information, issuing an impact report to the ANPD and the occurrence of incidents, among other legal demands that may be regulated in the future by the ANPD.

  8. Protection Measures

8.1. Protection of Personal Data on Paper:

For the correct protection of places that contain Personal Data on paper, the following controls must be implemented:

a) Adequate physical structure against impacts, flooding or fire.

b) Restricted and monitored physical access.

c) The entry into the site and the use of photographic equipment and others that allow unauthorized copying of documents must be controlled.

Paper documents that contain Personal Data and that are under the responsibility of ALLURE MOEMA cannot be removed from the Group’s premises without prior express authorization from the Owner of the DP of that specific process and the Person in Charge.

8.2. Protection on Personal Devices and Systems:

The use of personal devices and systems (notebooks, tablets, smartphones, portable data storage media, cloud messaging and group work systems, etc.) may pose risks to the security of Personal Data.

Employees who need to use any resource not provided by the Group for the processing of Personal Data must request prior authorization from the IT area and the Person in Charge of the DP who, in turn, if they understand that the use is in fact required, will assess the context and shall implement the necessary protective measures.

The analysis and authorization process should consider:

a) The need to use the resource.

b) Risks to the protection of Personal Data arising from the use of this resource.

c) Carrying out the activities only after guaranteeing the adoption of the necessary protections.

8.3. Protection of Personal Data in electronic media

8.3.1 Access Controls

Access to ALLURE MOEMA systems and networks that contain Personal Data must be granted through processes of identification, authentication and certification of login and access password, and the need for access to perform activities must be proven.

It is up to the Owner of each Personal Data base to determine the appropriate controls for access rights, granting privileges and managing access granted to the Personal Data under their management.

8.3.2 Use of software

The installation of software not approved by ALLURE MOEMA or changing the configuration of information technology equipment (computers, notebooks, printers, etc.) must be prohibited to users who do not have this attribution.

8.3.3 External access

External access to systems and equipment should only be granted to personnel who actually require this resource, in those cases of real need to carry out business activities and that do not entail high risks for the protection of Personal Data.

External access must consider that:

a) The person working for ALLURE MOEMA (employee, consultant, service provider, temporary workers and other third parties) must obtain specific authorization for the remote use of equipment with access to personal data.

b) Equipment with personal data cannot be left unprotected in public areas, and must always be carried by its users.

c) Portable devices and computers should be carried as carry-on luggage and, whenever possible, kept inconspicuous so as not to draw unwanted attention.

d) Care must be taken to ensure the security of Personal Data whenever they are handled in areas with less physical security (for example, outside administrative offices).

e) Any problem relating to the protection of Personal Data must be reported immediately to the Person in Charge (DPO) and the respective DP Owner (Data Owner).

8.4. Protection of Personal Data Transfers

As the risks of information leakage are greater in processes involving transfers between different equipment and/or systems, aiming at the security and protection of Personal Data, the following guidelines must be followed by all employees and service providers:

a) The use of connections to the Internal Network and Internet systems is allowed for all effects and purposes of business, support, services and specific objectives of ALLURE MOEMA. The use of these resources for other purposes is prohibited.

b) Any computer owned by ALLURE MOEMA or owned by service providers serving ALLURE MOEMA, which is connected to the Internal Network or the Internet, must be properly configured with protection systems against the infestation of viruses or malicious software.

c) All computers, networks, systems and software must be subject to monitoring and, therefore, ALLURE MOEMA may, at its discretion, maintain the history of accesses and transactions carried out through the connections of the Corporate Network (internal) or the Internet (external).

d) Prospecting, sweeps or any other form of attempted invasion through testing mechanisms cannot be carried out without due and express authorization, thus configuring a threat and attempt at misappropriation of Personal Data.

e) All connections between ALLURE MOEMA’s Internal Networks and other External Networks, including the Internet, must mandatorily be through a specific, configured and approved firewall system.

f) The workstations must be enabled with specific programs, homologated and configured for access to the Internal Network and the Internet, and this or that access may be inhibited in compliance with the formal request of the manager of the department concerned, the Owner or the Person in Charge of the DP, or to maintain Personal Data security levels.

g) E-mail, remote connection and file transfer services should preferably be disabled for users who have functions that do not require these services.

h) The connection of users to networks (Internal and External) must occur, solely and exclusively, through processes of identification, authentication and certification of the access key and password.

i) Control and security devices (Proxy Server, Firewall and similar) must be implemented to guarantee the confidentiality and integrity of Personal Data in transit through these networks.

j) Do not download non-approved software, as they may contain malicious code and pose threats to the security of Personal Data.

k) Keep file sharing options, automatic connection to Wi-Fi and Bluetooth networks disabled.

l) In any situation, regardless of what has been previously mentioned, each and every file originating from networks or external users must, obligatorily, be checked by protection systems against viruses and malicious software.

Any and all transfer of Personal Data to systems and people external to ALLURE MOEMA, through any communication resources, must occur in a secure manner, considering the following controls:

a) Avoid sending Personal Data via email messages or other messaging services. Ideally, Personal Data should be accessed and transferred using only the resources of the Group’s management systems and applications.

b) If it is not possible to transfer Personal Data through the systems that store them, transfers of Personal Data through messages (such as attachments in emails, for example) can only occur if these files are encrypted or anonymized.

c) Do not use public networks (for example, public wi-fi) to exchange or send Personal Data, except if you are adopting security and encryption resources in this communication (for example, SSL and VPN).

8.5. Cookies

a) Strictly Necessary Cookies:

Some cookies are necessary to ensure better navigation or usability of the website. It is possible to set your browser to block or alert you about these cookies, but this may prevent some parts of the website from working. These cookies will not store any type of personally identifiable data.

b) Performance Cookies:

The role of these cookies is to measure and improve the services provided by the website as a whole. It tells us which pages are accessed the most or least and the time visitors spend on each one.

c) Advertising Cookies:

We may use cookies to target advertisements that are most relevant to the website user. These cookies may be set through our website by our advertising partners.

  9. Use of data and personal profiles for decision making

ALLURE MOEMA does not employ techniques for automated decision-making based on the electronic processing of Personal Data, which have legal effects or significantly affect data subjects.

  10. Communications in case of incidents

A security incident can be any event that violates the protection of Personal Data and Sensitive Personal Data.

According to the Law, ALLURE MOEMA must inform the ANPD and the holder of the occurrence of a security incident that may pose a risk or relevant damage to the holders.

The DPO must carry out the activities of monitoring, alerting, accountability, response, communication between those involved, documentation and recording of incidents, including the following:

a) The monitoring and management of security incidents relating to Personal Data, i.e. covering system databases, files and network locations containing Personal Data.

b) The treatment and recording of responses to incidents and the corresponding corrections applied.

c) Notification to the persons responsible for the protection of Personal Data, the Person in Charge and the respective Owners of the DP, of any and all occurrences related to the loss or misappropriation of Personal Data.

It will be up to the Person in Charge of Personal Data (DPO) to analyze the severity of the incidents, with the support of the respective Data Owners and the Board of Directors. If an incident is understood to cause damage to the holders and impact on their privacy, the Person in Charge of Personal Data must prepare and carry out the appropriate communication to the ANPD and the holders, following the respective operational process implemented in ALLURE MOEMA.

As provided for in the Law, the communication must contain, at a minimum, the following data about what happened:

a) A description of the nature of the affected personal data.

b) Information on the holders involved.

c) An indication of the technical and security measures used to protect data, observing commercial and industrial secrets.

d) Risks related to the incident.

e) The reasons for the delay, in case the communication was not immediate.

f) The measures that have been or will be adopted to reverse or mitigate the effects of the loss.

  11. Policy Update

ALLURE MOEMA may, at any time, promote opportune revisions or updates to this policy. Updates to this policy will take effect as soon as they are published on the Group’s institutional website.

  12. Glossary

Anonymization: use of reasonable technical means available at the time of treatment, through which data loses the possibility of direct or indirect association with an individual.

ANPD: National Data Protection Authority – indirect public administration body responsible for ensuring, implementing and supervising compliance with the LGPD.

Database: structured set of data, which may contain personal data, electronically or physically.

Blocking: temporary suspension of any treatment operation, by keeping personal data or the database.

Consent: free, informed and unequivocal statement by which the holder agrees with the processing of his personal data for a specific purpose.

Controller: natural or legal person responsible for determining the purpose and means of processing Personal Data carried out by the Group itself or by the Operator.

Anonymized Data: data relating to the holder who cannot be identified, considering the use of reasonable technical means available at the time of processing.

Personal Data: information related to an identified or identifiable natural person.

Sensitive Personal Data: personal data about racial or ethnic origin, religious conviction, political opinion, union affiliation or religious, philosophical or political organization, data referring to health or sex life, genetic or biometric data, when linked to a natural person.

Deletion: deletion of data or a set of data stored in a database, regardless of the procedure used.

Person in charge of Personal Data: function of ALLURE MOEMA indicated to act as a communication channel between the Group, the data subjects and the ANPD.

Law: Same as LGPD.

LGPD: General Personal Data Protection Law, Law 13.709/2018

Operator: outsourced external service provider that collects and/or uses and/or processes Personal Data for which ALLURE MOEMA is the controller.

Portability of Personal Data: transfer of PD processing to another service or product provider, upon express request by the data subject.

Owner of Personal Data: person or group of persons responsible for the collection and processing of personal data.

Data Subject: natural person to whom the personal data that are subject to processing refer.

Treatment: all operations carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction.

To request more information about our data processing practices, or to contact Allure Moema’s Data Protection Officer, click here.

ALLURE MOEMA is a registered trademark of UNACORP SPE 002 DESENVOLVIMENTO IMOBILIARIO LTDA – CNPJ 30.616.727/0001-69.