Our Commitment to Privacy and Data Security

At WKS, we believe that privacy and data protection are instrumental and fundamental pillars to building trust in technology services. This Privacy and Data Protection Policy explains how our WKS SYNC platform and information security management system processes, protects, and manages the data provided by our customers. It also outlines our approach which is designed to be transparent, responsible, and compliant with data protection regulations, including the Brazilian General Data Protection Law (LGPD), EU General Data Protection Regulation (GDPR) and other applicable legislation.

Who We Are

WKS is a technology company specialized in collection management and credit recovery solutions through our WKS SYNC platform. We operate as data processors for our customers, which are financial institutions and companies that need to manage their collection processes with intelligence and efficiency. Our headquarters is located in Campinas, São Paulo, Brazil.

Data Protection Officer (DPO):

• Name: Juan Martin Ghisini
• Email: [email protected]

---

1. Definitions

• Brazilian General Data Protection Law (LGPD) – means the General Data Protection Law, Federal Law No. 13,709, of August 14, 2018.
• National Data Protection Authority (or ANPD) – means the public administration body responsible for monitoring compliance with the provisions of the LGPD throughout Brazilian territory.
• Personal data – means information regarding an identified or identifiable natural person.
• Sensitive personal data – means the personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.
• Data subject – means a natural person to whom the personal data that are the object of processing refer to.
• Controller – means a natural person or legal entity of either public or private law in charge of making the decisions regarding the processing of personal data (i.e. our customers)
• Processor – means a natural person or legal entity of either public or private law that processes personal data in the name of the controller (i.e. WKS).
• Processing Agents – means jointly the controller and processor.
• Data protection officer – means a person named by the controller and processor to act as a channel of communication between the controller or processor, the data subjects and the ANDP.
• Processing – means any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.

2. Our Platform and Data Processing

WKS SYNC is an advanced intelligence and operational execution platform for collection management, composed of integrated modules (NEXUS, PING, FLUX, VISTA, and ECHO) and technical data sets (HelixSeed, Trace Flow, and PayTrack).

2.1 Data Processing Model

Our platform works exclusively with data provided by our customers. We do not collect data directly from the public and do not sell or market data to third parties. Processing occurs as follows:

• Data Provision: Our customers provide us with specific data related to their collection operations through secure channels (SFTP/API)
• Secure Processing: We process this data using our proprietary technology to generate analyses, segmentations, and action strategies
• Results Return: The results are made available exclusively to the customer who provided the original data

2.2 Processing Responsibilities

• Processor: We primarily act as data processors, processing data on behalf of and according to the instructions of our customers, who are the controllers
• Shared Commitments: We work together with our customers to ensure compliance with data protection regulations
• Transparency with Data Subjects: This policy aims to inform data subjects about how their information is processed on our platform when provided by our customers

3. Types of Data Processed

We processes the following categories of data:

3.1 Data provided by our customers, and processed within our platform including:

3.1.1 Identification and Contact Data

• Basic information such as name, address, phone numbers, and email
• Identifiers such as CPF/CNPJ or other identity document numbers
• Contact data for collection-related communication

3.1.2 Financial and Contractual Data

• Information about contracts, outstanding balances, and payment history
• Data on agreements, renegotiations, and default status
• Financial indicators relevant to recovery strategies

3.1.3 Behavioral and Analytical Data

• History of contacts and responses to previous collection attempts
• Behavior patterns regarding payments and commitments
• Information about communication channel preferences

3.1.4 Contextual Data

• Information about geographic location for contact optimization
• Contextual data relevant to payment propensity analysis
• Socioeconomic indicators for contextualizing strategies

Important: All this data is provided exclusively by our customers. We do not collect, mine, or acquire data from public sources or directly from data subjects.

3.2 Data of visitors to our website:

Data of individuals -regardless of whether they are customers or not- who access our website. This data will be processed in accordance with our Cookies and Website Terms. We act as the controllers of this information, with the exception of personal data provided by a company or individual about someone else and for commercial purposes.

3.3 Contact details for commercial or service-related purposes:

Data of individuals who voluntarily provided it to us, requesting for services, quotes or information. We act as the controllers of this information, with the exception of personal data provided by a company or individual about someone else and for commercial purposes.

4. How We Use Data

The data processed on our platform is used exclusively for the following purposes:

4.1 Predictive Analysis and Segmentation (NEXUS)

• Transformation of raw data into strategic scoring and segmentation
• Creation of propensity groups and tactical rules to optimize recovery
• Prioritization of actions based on risk, profile, and estimated return

4.2 Contact Optimization (PING)

• Organization of channels and leads by effectiveness based on historical evidence
• Development of personalized multi-channel activation strategies
• Identification of the best times and means for effective contact

4.3 Operational Execution (FLUX)

• Transformation of analytical intelligence into executable action plans
• Distribution of tasks adjusted to operational capacity
• Prioritization of actions based on the strategic value of each group

.4 Monitoring and Reporting (VISTA)

• Generation of dashboards and reports for performance tracking
• Transformation of operational data into strategic insights
• Continuous monitoring for optimization and accountability

Important: The data is used exclusively within the scope of the service contracted by our customers. We do not use the data for our own purposes unrelated to the contracted collection service.

5. Legal Bases for Processing

As the Processor we rely on the Controllers’ specific Legal Basis for Processing. Data processing on our platform is likely based on one or more of the following legal bases provided in the LGPD:

5.1 Contract Execution

• We process data to fulfill contractual obligations between our customers and data subjects
• Processing is necessary for the execution of credit, financing, or service contracts

5.2 Legitimate Interest

• Processing is necessary for our customers' legitimate interest in credit recovery
• We request customers to conduct -and we conduct our own- proportionality assessments to ensure that interests do not override the rights of data subjects

5.3 Credit Protection

• Processing necessary for credit protection, as provided for in the LGPD
• Analysis and segmentation to assess risk and recovery strategies

5.4 Compliance with Legal Obligation

• When processing is necessary to comply with legal or regulatory obligations
• Maintenance of records as required by applicable legislation

Important Note: As processors, we trust that our customers (controllers) obtain the appropriate legal basis for the processing of the data they provide to us. We establish in our contracts the obligation for customers to only provide us with data that can be legally processed, and to notify us if this ever changes. When we act as a Controller the purposes will be either based on your consent to process you data; our legitimate interest, with the respective legitimate interest impact assessment; compliance with legal Obligations, if the processing is necessary to comply with legal or regulatory obligations.

6. Security and Protection Measures

We implement robust technical and organizational measures to protect the data processed on our platform:

6.1 Technical Security

• Encryption: All data is encrypted in transit and at rest
• Access Controls: Implementation of role-based access control (RBAC), following the principle of least privilege
• Data Segregation: Logical isolation of each customer's data to prevent cross-access
• Monitoring: Threat detection systems and continuous monitoring to identify suspicious activities
• Security Testing: Regular vulnerability assessments and penetration tests

6.2 Organizational Measures

• Team Training: Regular information security awareness and training programs
• Policies and Procedures: Formal information security policies and documented procedures
• Incident Management: Structured process for identification, response, and mitigation of security incidents
• Internal Audit: Periodic assessments of compliance with policies and regulatory requirements
• Employee Contracts: Confidentiality and data protection clauses in all contracts

6.3 Incident Management

In case of a security incident that may affect the processed data:

• We investigate and mitigate the incident according to our incident response protocol
• When applicable, we notify affected customers within the contractually established timeframe
• We cooperate with our customers so they can fulfill their notification obligations to authorities and data subjects, when applicable

7. Data Sharing

7.1 Non-Commercialization Principle

We do not sell or market the data processed on our platform to third parties. The data is used exclusively to provide the services contracted by our customers.

7.2 Limited Sharing

We may share data in specific and limited circumstances:

• Service Providers: With vendors who assist us in operating our technological infrastructure, always with contracts, assessments and monitoring that ensure adequate protection
• Legal Requirements: If required by law, court order, or legal process
• Customer Instructions: With the express authorization of our customer, respecting the limits of the service requirements and the customer instructions

7.3 Sharing Guarantees

When we share data with service providers, we implement the following safeguards:

• Contracts with specific data protection and confidentiality clauses
• Prior security and compliance assessment of vendors
• Access limitation only to strictly necessary data
• Continuous monitoring of vendor activities

8. International Transfers

8.1 Processing Location

The data on our platform is predominantly processed in data centers located in Brazil.

8.2 Occasional Transfers

In specific situations, data may be transferred internationally:

• For cloud infrastructure services with data centers outside Brazil
• For specialized technical support from international vendors
• For analytical or operational tools hosted internationally

8.3 Protection Mechanisms

When we perform international transfers, we use the following mechanisms:

• Transfers only to countries with an adequate level of protection recognized by the ANPD
• Standard contractual clauses approved by the ANPD
• Impact assessment of transfers and implementation of supplementary measures when necessary

9. Data Retention

9.1 Retention Period

We retain the data processed on our platform, for no longer than what it is necessary, and according to:

• The period specified in contracts with our customers
• The time necessary to fulfill the purpose of processing
• Applicable legal or regulatory requirements

9.2 Deletion Process

When the retention period ends:

• We securely delete the data or return it to the customer, as contractually agreed
• We implement deletion techniques that prevent data recovery
• We maintain deletion certification records for audit purposes

When a data subject requests the deletion of their personal data:

• We inform our customer about the deletion request exercised
• We explain our customers that the requested deletion will be performed within the legal timeframes, unless they argue a valid reason to retain it for longer
• We maintain deletion certification records for audit purposes

9.3 Anonymization

In some cases, we may irreversibly anonymize data for statistical purposes and to improve our algorithms, ensuring that it is no longer possible to identify the data subjects.

10. Data Subject Rights

10.1 Exercise of Rights

As data processors, we do not have a direct relationship with data subjects. However, we recognize and respect the rights of data subjects according to the LGPD:

• Right to confirmation and access
• Right to correction
• Right to deletion
• Right to portability
• Right to information
• Right to object
• Right not to be subject to automated decisions

10.2 How to Exercise Your Rights

Data subjects should contact the Company (our customer) that provided their data to our platform directly. However, we are committed to:

• Supporting our customers in responding to data subject requests efficiently
• Implementing technical mechanisms that allow our customers to fulfill data subject requests
• Cooperating with our customers to ensure that data subject rights are respected

10.3 Our Commitment

Although controllers (our customers) are primarily responsible for handling data subject requests, we commit to:

• Promptly responding to our customers' requests related to data subject requests
• Keeping our platform technically prepared to meet data subject rights
• Providing all necessary assistance to our customers to fulfill their obligations to data subjects

11. Changes to this Policy

11.1 Updates

We may periodically update this policy to reflect:

• Changes in our data processing practices
• Changes in applicable legislation
• Improvements in our security measures
• Evolution of our platform and services

11.2 Communication of Changes

When we make significant changes to this policy:

• We will publish the updated version on our website
• We will inform our customers about the changes
• We will update the "Last Updated" date at the beginning of this policy

11.3 Version History

We maintain a history of previous versions of this policy, which can be requested through our DPO.

12. Contact Us

We value transparency and are available to clarify any questions about our data protection practices.

12.1 Contact Channels

Data Protection Officer (DPO):

• Name: Juan Martin Ghisini
• Email: [email protected]

Corporate Support:

• Email: [email protected]
• Phone: +55 11 99807-6198

12.2 Complaints

If you believe your data has been processed inappropriately on our platform:

1.Contact the organization that provided your data to our platform

2.If necessary, contact us through the channels above for additional clarification

3.You also have the right to file a complaint with the National Data Protection Authority (ANPD)

This Privacy and Data Protection Policy was developed to be clear and transparent about how the WKS SYNC platform processes the data provided by our customers. Our commitment is to security, legal compliance, and respect for the rights of data subjects.