Privacy Policy and Personal Data Protection of the Clervix Platform

Last Updated Date: 11/30/2025

Preamble and Initial Considerations

This Privacy Policy and Personal Data Protection ("Privacy Policy" or "Policy") establishes the terms, conditions, guidelines, practices, procedures and commitments of CLERVIX INOVA SIMPLES (I.S.), a private legal entity, registered under CNPJ No. 63.252.137/0001-53, with headquarters in the Federative Republic of Brazil ("Clervix", "we", "our", "us", "data controller" or "data processor"), regarding the collection, processing, use, storage, protection, sharing, transfer, retention and deletion of personal data and information of users ("User", "you", "your", "data subject" or "holder") of the digital artificial intelligence platform for team training and business knowledge base management ("Platform" or "Services").

This Privacy Policy has been prepared in strict compliance with the General Data Protection Law (Law No. 13.709/2018 - "LGPD"), the Civil Framework of the Internet (Law No. 12.965/2014), the Consumer Defense Code (Law No. 8.078/1990), the General Data Protection Regulation of the European Union (EU Regulation 2016/679 - "GDPR"), and other applicable legislation, regulations, rules, guidelines and best practices applicable to personal data protection and privacy, both in Brazil and internationally.

By accessing, browsing, using, registering or in any way interacting with the Clervix Platform, the User expressly declares that they have read, understood, agreed and accepted, fully and unconditionally, all terms, conditions, practices, procedures and provisions established in this Privacy Policy, as well as expressly authorizes Clervix to collect, process, use, store, process, share and perform all other operations with their personal data as established herein and in compliance with applicable legislation.

Clervix is deeply committed to protecting the privacy, confidentiality and security of Users' personal data, implementing robust technical, organizational, administrative and legal measures to ensure adequate, secure and compliant treatment with applicable legislation.

1. Definitions and Interpretation

For the purposes and effects of this Privacy Policy, the following definitions and interpretations must be considered, in compliance with LGPD and other applicable legislation:

1.1. Personal Data: Refers to any information related to an identified or identifiable natural person, including, but not limited to: name, surname, email address, phone number, physical address, tax identification number (CPF, CNPJ), biometric data, location data, internet protocol address (IP), online identifiers, navigation data, usage data, behavioral data, communication data, transaction data, financial data, professional data, educational data, health data, genetic data, biometric data and any other information that may identify or make identifiable a natural person, directly or indirectly.

1.2. Sensitive Personal Data: Refers to personal data about racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, biometric or genetic data, when linked to a natural person, in accordance with LGPD.

1.3. Personal Data Processing: Refers to any operation performed with personal data, including, but not limited to: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction, in accordance with LGPD.

1.4. Data Subject: Refers to the natural person to whom the personal data that are subject to processing refer, that is, the Platform User.

1.5. Data Controller: Refers to the natural or legal person, of public or private law, to whom decisions regarding personal data processing belong, being, in this case, Clervix.

1.6. Data Processor: Refers to the natural or legal person, of public or private law, who performs personal data processing on behalf of the controller, including payment processors, accounting services, law firms and other service providers that process data on behalf of Clervix.

1.7. Data Protection Officer (DPO): Refers to the person indicated by the controller and processor to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).

1.8. Consent: Refers to the free, informed and unequivocal manifestation by which the data subject agrees with the processing of their personal data for a specific purpose, in accordance with LGPD.

1.9. Legal Basis: Refers to the legal hypotheses that authorize personal data processing, as established in LGPD, including, but not limited to: consent, compliance with legal or regulatory obligation, execution of public policies, studies by research bodies, contract execution, regular exercise of rights, protection of life or physical integrity, health protection, credit protection and legitimate interest.

2. Information Collected and Categories of Personal Data

Clervix collects, processes and processes various categories of Users' personal data, as necessary for the provision of Services, compliance with legal obligations and legitimate interests. The information collected is categorized and described below:

2.1. Personal Identification Data: We collect information that allows identifying the User, including, but not limited to: (i) full name; (ii) surname; (iii) valid and active phone number, including landline and mobile phone numbers; (iv) valid and active email address, including personal and corporate emails; (v) physical or postal address, when necessary; (vi) tax identification number (CPF for individuals or CNPJ for legal entities); and (vii) any other identification information that may be necessary or requested during the registration process, identity verification or subsequently.

2.2. Business and Organizational Data: We collect information related to the User's company or organization, including, but not limited to: (i) corporate name or full legal name; (ii) trade name or business name, if applicable; (iii) business tax identification number (CNPJ); (iv) type of tax identification (CNPJ, CPF or others, as the case may be); (v) corporate or business email address; (vi) corporate or business phone number; (vii) company physical or postal address; (viii) currency used (BRL, USD, EUR or others); (ix) information about the sector of activity, company size, number of employees and other relevant business information; and (x) any other business or organizational information that may be necessary or requested.

2.3. Usage and Platform Interaction Data: We collect information about how the User uses and interacts with the Platform and Services, including, but not limited to: (i) documents, files, materials and content sent, uploaded, transmitted or made available on the Platform; (ii) conversations, interactions, messages, queries and communications made with the chatbot and intelligent virtual assistant; (iii) metrics, statistics and usage data, including access frequency, time spent, pages visited, functionalities used, navigation patterns and usage behavior; (iv) engagement, participation and interaction levels with Services; (v) access logs, activity records, action history, transactions and operations performed; (vi) User preferences, settings, customizations and choices; (vii) performance, effectiveness and results data of trainings and qualifications; (viii) information about team members, access permissions, authorization levels and organizational relationships; and (ix) any other information related to use, interaction and User behavior on the Platform.

2.4. Technical and Connectivity Data: We collect technical and connectivity information related to Platform access and use, including, but not limited to: (i) internet protocol address (IP address), including static and dynamic IP addresses; (ii) device information used, including device type, model, manufacturer, operating system, operating system version, unique device identifiers; (iii) browser information, including browser type, version, settings, installed plugins and extensions; (iv) connectivity information, including connection type, internet service provider, network information; (v) geolocation data, when available and authorized; (vi) timestamps, dates, times and time zones of access and use; (vii) information about errors, failures, exceptions and technical problems encountered; and (viii) any other technical information relevant to Platform operation, security and improvement.

2.5. Cookies and Similar Technologies: The Platform uses cookies, web beacons, pixels, tags, scripts, local storage, session storage and other similar information tracking and storage technologies ("Cookies and Similar Technologies") to collect, store and process information about User access, navigation, use and interaction with the Platform. These technologies are used for various purposes, including, but not limited to: session authentication and security, essential Platform functionalities, experience personalization, usage and behavior analysis, Service improvement, security and fraud prevention, and other purposes related to Platform operation and optimization. The User can manage preferences related to Cookies and Similar Technologies through browser settings, however, disabling certain cookies may impact the functionality and availability of some Platform features.

2.6. Communication and Correspondence Data: We collect information related to communications, correspondence, interactions and contacts between the User and Clervix, including, but not limited to: (i) email communications, including content, attachments, timestamps and metadata; (ii) communications through Platform communication functionalities; (iii) customer service, technical support and relationship records; (iv) feedback, comments, suggestions, complaints and evaluations provided by the User; and (v) any other information related to communications and interactions.

2.7. Aggregated and Anonymized Data: Clervix may collect, process, use and share aggregated, anonymized, pseudonymized or de-identified data that does not allow individual User identification, for analysis, research, development, Service improvement, statistics, reports and other legitimate purposes, without need for additional consent, provided that such data cannot be used to reidentify the User.

3. Purposes and Legal Bases of Personal Data Processing

Clervix processes Users' personal data for various legitimate purposes, always based on adequate legal bases as established in LGPD and other applicable legislation. The main purposes and legal bases of processing are:

3.1. Service Provision and Execution: We process personal data to provide, execute, supply, operate, maintain and improve Services offered by the Platform, including: (i) user account creation, management and maintenance; (ii) authentication, authorization and access control; (iii) document and content processing, storage and organization; (iv) artificial intelligence and chatbot operation, configuration and personalization; (v) provision of Platform functionalities, resources and capabilities; (vi) communication with User about Services; and (vii) technical support and customer service. Legal Basis: Contract execution, compliance with legal obligation and legitimate interest.

3.2. Artificial Intelligence Training, Configuration and Enhancement: We process personal data, especially User Content and usage data, to train, configure, personalize, enhance, develop and optimize algorithms, models, systems and artificial intelligence, natural language processing and machine learning technologies used on the Platform, allowing the virtual assistant to provide more accurate, contextualized and relevant responses, guidance and information. Legal Basis: Contract execution, legitimate interest and consent (when applicable).

3.3. Analysis, Metrics, Analytics and Reports: We process personal data to collect, process, analyze, generate and present metrics, statistics, analytics, reports, insights and information about Platform usage, usage patterns, engagement levels, training effectiveness, areas of interest, knowledge gaps and other relevant indicators for management, optimization and improvement of training and development processes. Legal Basis: Contract execution, legitimate interest and consent (when applicable).

3.4. Security, Fraud Prevention and Protection: We process personal data to ensure security, integrity, confidentiality and protection of the Platform, Services, User data and third parties, including: (i) detection, prevention and mitigation of fraud, suspicious activities, unauthorized access, hacking attempts, cyber attacks and other security threats; (ii) authentication, identity verification and access control; (iii) security monitoring, log analysis and anomaly detection; (iv) implementation of technical and organizational security measures; and (v) compliance with information security obligations. Legal Basis: Legitimate interest, compliance with legal obligation and contract execution.

3.5. Communication and Relationship with User: We process personal data to communicate with the User about: (i) Services, functionalities, resources, updates, improvements and Platform news; (ii) important information about account, security, policies and terms; (iii) responses to requests, questions, issues and User communications; (iv) notifications about activities, events and relevant occurrences; and (v) marketing communications, promotions and offers (when authorized by User). Legal Basis: Contract execution, compliance with legal obligation, legitimate interest and consent (for marketing).

3.6. Compliance with Legal, Regulatory and Normative Obligations: We process personal data to comply with legal, regulatory, normative, tax, accounting, labor and other obligations imposed by laws, regulations, rules, decrees, ordinances, court decisions, orders from competent authorities and other applicable legal provisions, including, but not limited to: data retention obligations, reporting obligations, tax obligations, labor obligations, data protection obligations and other legal obligations. Legal Basis: Compliance with legal or regulatory obligation.

3.7. Service Development, Research and Improvement: We process personal data, especially in aggregated, anonymized or de-identified form, to: (i) research, develop, test, implement and improve Services, functionalities, resources and Platform technologies; (ii) conduct analyses, studies, research and development of new products, services and solutions; (iii) identify trends, patterns, improvement opportunities and innovation; and (iv) optimize user experience, performance, efficiency and Service effectiveness. Legal Basis: Legitimate interest and consent (when applicable).

3.8. Dispute, Claim and Litigation Resolution: We process personal data to: (i) resolve disputes, claims, controversies and litigations; (ii) enforce rights, obligations and contractual terms; (iii) defend ourselves in proceedings, legal actions, investigations and legal procedures; (iv) comply with court orders, decisions, sentences and determinations from competent authorities; and (v) protect rights, legitimate interests and intellectual property. Legal Basis: Compliance with legal obligation, contract execution and legitimate interest.

4. Sharing of Personal Data with Third Parties

Clervix may share Users' personal data with third parties in various circumstances and for various legitimate purposes, always in compliance with LGPD, this Privacy Policy and other applicable legislation. The main sharing scenarios are:

4.1. Payment Processors and Financial Services: We share personal data, especially company data and responsible party data, with payment processors, financial institutions, payment gateways, payment service providers and other financial service providers ("Payment Processors") for: (i) processing, authorizing, processing and settling payments, financial transactions and charges related to Services; (ii) managing subscriptions, renewals, cancellations and refunds; (iii) performing identity verification, information validation and financial fraud prevention; (iv) complying with legal, regulatory and normative obligations related to financial transactions; and (v) providing support related to payments and financial matters. All Payment Processors are contractually obligated to process personal data securely, confidentially and in compliance with LGPD and this Privacy Policy.

4.2. Outsourced Accounting Services and Tax Advisory: We share personal data, especially financial data, business data and transaction data, with outsourced accounting service providers, accounting offices, tax advisory services, accounting consultancies and other accounting and tax service providers ("Accounting Services") for: (i) provision of accounting services, including bookkeeping, calculation, reconciliation and accounting reports; (ii) provision of tax services, including tax calculation, tax return preparation, compliance with accessory obligations and tax advisory; (iii) compliance with legal, regulatory and normative obligations related to accounting and tax matters; (iv) preparation of financial reports, financial statements and financial analyses; and (v) advisory and consultancy on accounting, tax and financial matters. All Accounting Services providers are contractually obligated to process personal data securely, confidentially and in compliance with LGPD and this Privacy Policy.

4.3. Law Firms and Legal Services: We share personal data with law firms, law offices, lawyers, legal consultants and other legal service providers ("Legal Services") when necessary for: (i) legal advisory, legal consultancy and guidance on legal matters; (ii) preparation, review and negotiation of contracts, terms, policies and legal documents; (iii) compliance with legal, regulatory and normative obligations; (iv) resolution of legal matters, disputes, controversies and litigations; (v) defense in judicial proceedings, actions, investigations and legal procedures; (vi) compliance with court orders, decisions, sentences and determinations from competent authorities; (vii) protection of rights, legitimate interests and intellectual property; and (viii) other activities related to legal services and legal advisory. All Legal Services providers are contractually obligated to process personal data securely, confidentially and in compliance with LGPD, professional secrecy and this Privacy Policy.

4.4. Service Providers and Suppliers: We share personal data with service providers, suppliers, partners, contractors and other third parties that provide services to Clervix, including, but not limited to: hosting services, information technology infrastructure, cloud services, security services, technical support services, development services, marketing services, communication services and other services necessary for Platform and Services operation, maintenance, development and improvement. All service providers are contractually obligated to process personal data securely, confidentially and in compliance with LGPD and this Privacy Policy, and are used exclusively for authorized and necessary purposes for the provision of contracted services.

4.5. Analytics and Data Analysis Services: We share personal data, especially in aggregated, anonymized or de-identified form, with analytics, data analysis, business intelligence, metrics and reporting service providers ("Analytics Services") for: (i) usage, behavior and Platform usage pattern analysis; (ii) generation of metrics, statistics, analytics and reports; (iii) identification of trends, improvement opportunities and optimization; and (iv) Service development and improvement. The main Analytics Services providers include, but are not limited to: Google Analytics, Facebook Analytics (Meta Pixel) and Cloudflare. These services may collect data according to their own privacy policies, and the User can manage preferences related to these services through appropriate settings.

4.6. Competent Authorities and Legal Obligations: We may share personal data with competent authorities, government bodies, regulatory agencies, courts, security forces and other authorities when: (i) required by law, regulation, rule, decree, ordinance or applicable legal provision; (ii) necessary to comply with court order, decision, sentence or determination from competent authority; (iii) necessary to respond to investigations, proceedings, legal actions or legal procedures; (iv) necessary to protect rights, legitimate interests, public security or national security; or (v) necessary to comply with legal, regulatory or normative obligations.

4.7. Business Transfers: In case of merger, acquisition, restructuring, asset sale, business transfer or any other business transaction that results in the transfer of control or ownership of Clervix or a significant portion of its assets, Users' personal data may be transferred as part of the transaction assets, always in compliance with LGPD and this Privacy Policy.

4.8. User Consent: We may share personal data with third parties in other circumstances when the User provides express and specific consent for such sharing, after being properly informed about the purposes, recipients and consequences of sharing.

All personal data sharing is performed based on contracts, agreements or legal instruments that ensure adequate protection of personal data, compliance with LGPD, implementation of appropriate security measures and data processing exclusively for authorized and necessary purposes.

5. Security Measures and Data Protection

Clervix implements robust, comprehensive and multi-layered technical, organizational, administrative and legal measures to protect the security, integrity, confidentiality, availability and privacy of Users' personal data, in compliance with information security best practices, industry standards and applicable legal requirements. The main security measures implemented include:

5.1. Encryption: We implement robust, industry-standard encryption to protect personal data both in transit (during transmission through networks) and at rest (during storage), using modern encryption algorithms, advanced security protocols and securely managed encryption keys.

5.2. Access Controls: We implement rigorous access controls, including multi-factor authentication when appropriate, role-based authorization, principle of least privilege, periodic access review, access revocation when necessary and access activity monitoring.

5.3. Infrastructure Security: We implement security measures in our information technology infrastructure, including firewalls, intrusion detection and prevention systems, continuous security monitoring, DDoS attack protection, network segmentation, environment isolation and other infrastructure security measures.

5.4. Monitoring and Threat Detection: We implement security threat monitoring, detection, analysis and response systems, including continuous monitoring of suspicious activities, log analysis, anomaly detection, security alerts and incident response procedures.

5.5. Backup and Recovery: We implement robust backup, replication, recovery and business continuity procedures to protect against data loss and ensure Service availability.

5.6. Vulnerability Management: We implement vulnerability management processes, including identification, assessment, prioritization, correction and monitoring of security vulnerabilities.

5.7. Training and Awareness: We provide regular training and awareness programs on information security and data protection for our employees, collaborators and service providers.

5.8. Audit and Compliance: We conduct regular security audits, compliance assessments, penetration tests and security reviews to identify and correct vulnerabilities and ensure compliance with security standards.

5.9. Incident Management: We implement robust security incident management procedures, including detection, containment, eradication, recovery, communication and lessons learned.

5.10. Standards Compliance: We seek compliance with recognized information security and data protection standards, including, but not limited to: ISO/IEC 27001, NIST Cybersecurity Framework and other applicable standards.

Despite the security measures implemented, no security system is infallible or 100% secure. Clervix cannot guarantee absolute security against all threats, attacks, vulnerabilities or security failures. The User acknowledges and accepts the inherent risks of using digital systems and the internet.

6. Rights of Personal Data Subjects

As established in LGPD and other applicable legislation, Users, as personal data subjects, have various rights regarding the processing of their personal data. Clervix is committed to respecting, protecting and facilitating the exercise of these rights. The main rights of data subjects are:

6.1. Right of Confirmation and Access: The User has the right to obtain from Clervix confirmation of the existence of processing of personal data concerning them and, if applicable, access their personal data, including information about: (i) the origin of data; (ii) the absence of registration; (iii) the criteria used; and (iv) the objectives of processing.

6.2. Right of Correction: The User has the right to request correction of incomplete, inaccurate or outdated personal data, by request to Clervix.

6.3. Right of Anonymization, Blocking or Elimination: The User has the right to request anonymization, blocking or elimination of unnecessary, excessive or personal data processed in non-compliance with LGPD.

6.4. Right of Portability: The User has the right to request portability of personal data to another service or product provider, by express request, in accordance with national authority regulation, observing commercial and industrial secrets.

6.5. Right of Elimination of Personal Data Processed with Consent: The User has the right to request elimination of personal data processed based on consent, except in cases provided for in LGPD.

6.6. Right to Obtain Information about Sharing: The User has the right to obtain information about public and private entities with which Clervix has shared personal data.

6.7. Right to Obtain Information about the Possibility of Not Providing Consent: The User has the right to obtain information about the possibility of not providing consent and about the consequences of refusal.

6.8. Right to Revoke Consent: The User has the right to revoke their consent at any time, by express manifestation, through a free and facilitated procedure, ratified before the controller.

6.9. Right of Opposition: The User has the right to oppose personal data processing when processing is performed based on legitimate interest or for direct marketing purposes.

6.10. Right of Review of Automated Decisions: The User has the right to request review of decisions made solely based on automated processing of personal data that affect their interests, including decisions intended to define their personal, professional, consumer and credit profile or aspects of their personality.

To exercise any of these rights, the User must contact Clervix through the communication channels made available, especially through email [email protected], providing sufficient information for identification and identity verification. Clervix commits to responding to User requests in a timely manner, within deadlines established by LGPD, using its best efforts to facilitate the exercise of data subject rights.

7. Retention and Deletion of Personal Data

Clervix retains Users' personal data for the period necessary to fulfill the purposes for which they were collected, as established in this Privacy Policy, and to comply with legal, regulatory, normative, contractual obligations and legitimate interests. Retention criteria consider:

7.1. Retention Period During Active Use: While the User's account is active and Services are being used, personal data will be retained to allow continuous provision of Services and fulfillment of established purposes.

7.2. Retention Period After Cancellation: After account cancellation, termination or inactivity, personal data may be retained for an additional period necessary for: (i) compliance with legal, regulatory and normative obligations, including data retention obligations; (ii) resolution of disputes, claims and litigations; (iii) enforcement of rights and contractual obligations; (iv) protection of rights, legitimate interests and intellectual property; (v) maintaining records for accounting, tax and legal purposes; and (vi) other legitimate and necessary purposes.

7.3. Data Deletion: After the end of the applicable retention period, personal data will be deleted, anonymized or blocked securely and permanently, using methods that prevent data recovery or reconstruction, except when retention is necessary to comply with legal obligations or when data are anonymized in a way that does not allow identification of the data subject.

7.4. Exceptions to Deletion: Certain data may be retained for longer periods when: (i) required by law, regulation or court order; (ii) necessary to comply with legal, regulatory or normative obligations; (iii) necessary to resolve pending disputes, claims or litigations; or (iv) data are anonymized in a way that does not allow identification of the data subject.

8. International Transfers of Personal Data

Clervix may transfer Users' personal data to other countries, including countries that may not have data protection laws equivalent to those of Brazil, when necessary for Service provision, Platform operation or compliance with contractual obligations. All international transfers of personal data are performed in compliance with LGPD and this Privacy Policy, implementing adequate protection measures, including, but not limited to: standard contractual clauses, certifications, codes of conduct and other recognized protection mechanisms.

9. Minors

The Clervix Platform Services are intended for businesses, organizations and professionals. We do not intentionally collect personal data from minors under 18 (eighteen) years of age without adequate consent from parents or legal guardians, as required by applicable legislation. If we become aware that we have collected personal data from minors without adequate consent, we will take measures to delete such data immediately.

10. Changes to this Privacy Policy

Clervix may modify, update, alter, revise or supplement this Privacy Policy at any time, at its sole discretion, to reflect changes in our practices, Services, applicable legislation or for other reasons we deem appropriate. When we make significant modifications, we will make reasonable efforts to notify Users through notice on the Platform, email notification or other appropriate means. Continued use of the Platform after modifications constitutes acceptance of changes. It is the User's responsibility to periodically review this Privacy Policy to be aware of any modifications.

11. Data Protection Officer (DPO) and Contact

For questions, doubts, requests, exercise of rights, complaints or communications related to this Privacy Policy, personal data processing or data protection, the User may contact Clervix through the following channels:

Email: [email protected]

Company: CLERVIX INOVA SIMPLES (I.S.)
CNPJ: 63.252.137/0001-53

Clervix commits to responding to User communications in a timely manner, within deadlines established by LGPD, using its best efforts to provide adequate support, facilitate the exercise of rights and resolve issues efficiently and satisfactorily.

This Privacy Policy complies with the General Data Protection Law (LGPD - Law No. 13.709/2018) and the General Data Protection Regulation (GDPR - EU Regulation 2016/679).

---

END OF PRIVACY POLICY AND PERSONAL DATA PROTECTION