PRIVACY POLICY

What data we collect

Data provided directly by the data subject. When you fill out a form, schedule a meeting, or get in touch, we may collect: name, corporate email address, phone number, company name, job title, country of residence, and the content of the message sent.

Navigation data collected automatically. When you access the website, we record: IP address, approximate location (country and region), device type, operating system, browser, pages visited, visit duration, traffic source, and cookie information (as described in our Cookie Policy).

We do not collect special categories of data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health data, or data concerning sexual life) through this channel.

Why we collect this data

We process personal data for the following purposes:

• Responding to contacts and commercial requests.
• Scheduling meetings and conducting the consultative sales process.
• Sending institutional communications where consent or legitimate interest applies.
• Complying with legal and regulatory obligations.
• Improving the browsing experience and website content.
• Protecting our systems against fraud and misuse.

Legal bases by applicable regime

Each processing activity is grounded in a specific legal basis, in accordance with the law applicable to the data subject. Below, in alphabetical order, are the main regimes we observe:

Brazil. General Personal Data Protection Law (LGPD, Law 13,709/2018). Applied legal bases: consent, contract performance, compliance with a legal obligation, regular exercise of rights, legitimate interest or credit protection, as applicable.

Spain. GDPR (EU Regulation 2016/679), supplemented by Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD).

United States. Applicable state laws, including the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other applicable state legislation.

France. GDPR, supplemented by the Loi Informatique et Libertés.

Italy. GDPR, supplemented by the Personal Data Protection Code (Legislative Decree 196/2003, as amended).

The applicable legal bases under the GDPR include consent (art. 6(1)(a)), contract performance (art. 6(1)(b)), legal obligation (art. 6(1)(c)), and legitimate interest (art. 6(1)(f)), depending on the purpose of the processing.

International data transfers

As a global company, Chosing operates with infrastructure distributed across multiple jurisdictions. Personal data may be transferred to servers or service providers located in a country different from the data subject's country of residence, subject to the applicable legal requirements in each case.

For data subjects under LGPD. International transfers comply with Articles 33 to 36 of Brazilian legislation, based on an adequacy decision by the ANPD, specific contractual clauses, global corporate rules, or other applicable legal grounds.

For data subjects under GDPR. Transfers to countries outside the European Economic Area are carried out based on an adequacy decision by the European Commission or, in the absence thereof, through Standard Contractual Clauses approved by the European Union, accompanied by supplementary technical and organizational measures when required.

For data subjects under US state laws. We comply with the specific requirements of each applicable state law regarding transfers, disclosure, and service provider agreements.

Storage and security

Data is stored with providers that meet the requirements of the applicable legislation for each data subject. We use technical and administrative measures proportionate to the risk: encryption in transit and at rest, role-based access control, audit logging, and periodic review of security practices.

No system is completely immune to incidents. In the event of a personal data breach, Chosing will notify the affected data subjects and competent authorities within the deadlines required by the applicable legislation.

Retention

We retain personal data for as long as necessary to fulfil the purposes described, in compliance with the applicable legal retention periods in each jurisdiction. After this period, data is deleted or anonymized, unless required by law to be retained.

Data subject rights

You have specific rights over your personal data, in accordance with the law applicable to your country of residence. The main rights common to the legislation covered by this Policy are:

• Confirm the existence of data processing.
• Access the data we hold about you.
• Correct incomplete, inaccurate, or outdated data.
• Request the deletion of data, where applicable.
• Request the portability of data to another provider.
• Object to certain processing activities.
• Withdraw consent when it serves as the legal basis.
• Not be subject to automated decisions with significant legal effect, without human review.

The sections below detail specific rights by applicable legal regime, listed in alphabetical order.

Rights under the LGPD (Brazil)

Data subjects covered by the LGPD have the right to:

• Confirmation of the existence of processing.
• Access to data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
• Portability of data to another provider.
• Deletion of data processed on the basis of consent.
• Information about public and private entities with which Chosing has shared data.
• Information about the possibility of withholding consent and the consequences of refusal.
• Revocation of consent.

Rights under the GDPR

Data subjects covered by the GDPR have the right to:

• Access to personal data (art. 15).
• Rectification of incorrect data (art. 16).
• Erasure of data, known as the "right to be forgotten" (art. 17).
• Restriction of processing (art. 18).
• Data portability (art. 20).
• Objection to processing (art. 21).
• Not be subject to automated decision-making, including profiling (art. 22).
• Withdraw consent at any time, without prejudice to the lawfulness of processing before withdrawal.
• Lodge a complaint with the competent data protection authority in your country.

Rights under US state laws

Residents of US states with applicable privacy legislation have the right to:

• Know what categories of personal data we collect.
• Access the personal data we hold.
• Correct inaccurate data.
• Request deletion of personal data.
• Opt out of the sale or sharing of their data for cross-context behavioral advertising.
• Limit the use of sensitive personal information.
• Not suffer discrimination for exercising these rights.

California residents may exercise the right to "Do Not Sell or Share My Personal Information" via the link available in the website footer.

Competent authorities

You may lodge a complaint with the data protection authority in your country. The main competent authorities in the jurisdictions covered by this Policy are, in alphabetical order:

• Brazil: National Data Protection Authority (ANPD), www.gov.br/anpd.
• France: Commission Nationale de l'Informatique et des Libertés (CNIL), www.cnil.fr.
• Italy: Garante per la Protezione dei Dati Personali, www.garanteprivacy.it.
• Spain: Agencia Española de Protección de Datos (AEPD), www.aepd.es.
• United States: Competent state authority based on state of residence (e.g., California Privacy Protection Agency, cppa.ca.gov).

How to exercise your rights

To exercise any right provided for in this Policy, send a request to help@chosingdept.com, indicating your country of residence and the right you wish to exercise. We will respond within the deadline required by the applicable legislation.

We may request additional information to verify your identity before processing the request.