Privacy Policy
1. Objective
The Data Protection and Privacy Policy (“Policy”) of RD Station (“RD”) aims to demonstrate RD’s commitment to transparency in processing Data Subjects’ Personal Data. It also expresses RD’s dedication to ensuring the security of the services provided in relation to the processing of its customers’ data.
This Policy is an integral component of RD Station’s Data Protection and Privacy Program, which also includes several documents, guidelines, standards, and procedures.
2. Scope
This Policy applies to all areas of RD, including Third Parties that process Personal Data on behalf of or at the request of RD. It also outlines the governance framework established by RD to address Personal Data protection issues. Compliance with this Policy is mandatory and aligns with applicable legislation and regulations concerning Data Protection Laws.
3. References
- Law No. 13,709/2018 – Brazilian General Personal Data Protection Law.
- Law No. 12,965/2014 – Brazilian Civil Framework for the Internet.
4. Definitions
Acquired: Companies that had their corporate control acquired by RD.
Processing Agent: The Controller or the Operator.
ANPD (Brazilian Data Protection Authority): A public administration body responsible for overseeing, implementing, and supervising compliance with the General Personal Data Protection Law (LGPD).
International Data Collection: The collection of the Data Subject’s Personal Data conducted directly by the Processing Agent located overseas.
Controller: A natural or legal person, governed by public or private law, who is responsible for making decisions regarding the processing of Personal Data. The Controller determines the purpose and means of carrying out this processing.
Personal Data: Any information related to an identified or identifiable natural person.
Sensitive Personal Data: Personal data regarding a natural person’s racial or ethnic origin, religious beliefs, political opinions, membership in trade unions or organizations of a religious, philosophical, or political nature, as well as data related to health, sexual orientation, genetic information, or biometric data when associated with a natural person.
DPA (Data Processing Agreement): A document designed to regulate the contractual relationship between processing agents when the primary contract involves the processing of Personal Data. This document outlines the limitations, methods, purposes, and all obligations that data processors must adhere to.
DPO – Data Protection Officer (or “Data Controller”): RD employee responsible for facilitating communication between RD, acquired companies, Personal Data Subjects, and the National Data Protection Authority (ANPD).
Supplier(s): Legal entities or individuals that provide goods or services to RD within a mutually agreed-upon timeframe.
LGPD – Brazilian General Data Protection Law: Law No. 13,709/2018 regulates the processing of Personal Data conducted within Brazilian territory. It also applies to entities that aim to provide goods or services to individuals located in Brazil, as well as to Personal Data that was collected in Brazil, regardless of where the data is stored.
Brazilian Civil Framework for the Internet – Law No. 12,965/2014 aims to delineate the rights and responsibilities of users, service providers, and other stakeholders involved in Internet usage in Brazil.
Operator: A natural or legal person, governed by public or private law, who processes Personal Data on behalf of the Controller.
Partners: Companies with which RD maintains contractual relationships to develop commercial activities.
Service provider(s): Individuals or legal entities that offer various types of services contracted by RD and Acquired.
Privacy by Default: Concept derived from Privacy by Design. It stipulates that a product or service, upon its market launch, must ship with the most restrictive privacy settings, established during its development. Only the user has the authority to grant or deactivate access when necessary.
Privacy by Design: A principle for the development of services or products, including software, which requires the integration of best practices related to privacy from the outset. Consequently, any new processing activity must adhere to the principles, regulations, and standards established by the relevant legislation throughout its entire lifecycle.
Privacy and Data Protection Program: A structured set of policies, procedures, and organizational practices designed to safeguard the privacy and security of personal data collected, processed, and stored by RD and Acquired.
RDoer: Any employee who works at RD.
RD or Company: RD Gestão e Sistemas S.A.
RoPA – Records of Processing Activities: A record for mapping the processing of Personal Data.
Data Protection Impact Assessment or DPIA: A document that provides a description of Personal Data processing activities that may pose risks to civil liberties and fundamental rights. It also outlines the measures, safeguards, and risk mitigation strategies implemented to address these risks.
Third parties: Individuals or legal entities engaged to carry out specific activities within a predetermined timeframe.
Data Subjects: Natural persons to whom the Personal Data pertains.
International Data Transfer: The transfer of personal data conducted by a Processing Agent located in Brazil to a foreign country or an international organization of which Brazil is a member.
5. Guidelines
5.1. Classification as a Processing Agent
It is RD’s priority to protect, preserve, and respect the privacy and rights of Personal Data Subjects in accordance with the LGPD.
RD adopts the best business practices and ethical conduct, aiming to maintain and enhance compliance with processes related to the protection of Personal Data in order to meet the needs of Customers, Partners, Suppliers, and RDoers.
5.2. Acting as a Processing Agent
RD may process Personal Data independently or share it with other Processing Agents. Depending on the processing activity conducted, RD may be classified as either a Controller or an Operator of Personal Data:
– As the Controller, RD implements technical security and privacy measures to ensure the availability, integrity, and confidentiality of the Personal Data it processes, either independently or in collaboration with third parties. To achieve this, RD maintains a Privacy and Data Protection Program, in which all participants, without exception, are required to engage.
Corporate processes that manage personal data across all areas are documented and assessed for the risks and impacts they pose to Data Subjects and the Company. Evaluations are conducted periodically by the departments responsible for business processes, under the supervision of the TOTVS Data Governance team and the Legal Department, using the Records of Personal Data Processing Activities (RoPAs). In certain cases, depending on the risk associated with the process or to meet legal obligations, a Data Protection Impact Assessment (DPIA) is prepared. This report provides a detailed description of the risks and the mitigation measures implemented for the process.
– As the Operator, RD must comply with all contractual guidelines established by the Controllers (its customers) to process Personal Data while implementing robust security practices verified by independent audits. Additionally, RD incorporates Personal Data protection clauses (through DPAs) in all contracts where it acts as the Operator, clearly delineating RD’s responsibilities. DPAs specify the processing activities that RD performs on behalf of the Controller.
Registration and authentication: For RD Station CRM customers who choose to import contact data (such as name, email, phone, and job title) from their Google accounts, we use an integration with Google (via the Google API) that allows this data to be imported. This integration handles authentication and the reading of the contact data to be imported from Gmail into RD Station in a secure manner. Users may revoke the app’s permissions at any time in their Google account settings.
For users who authorize the import of contacts from their Google account, the use of the data involved will comply with the additional requirements for Google Restricted Scopes set out in the Google API Services: User Data Policy.
5.3. Collection and Use of Personal Data
As the Controller, RD processes Personal Data in the following ways:
- Collected from the Personal Data Subjects themselves, either provided directly by them or automatically gathered from their interactions.
- Received through sharing by third parties, partners, or group companies; and
- Produced by RD through the processing of other Personal Data.
Personal Data may be processed by RD for the following purposes:
- Offering and marketing products and services that are more personalized and aligned with customers’ needs.
- Provision of services.
- Meeting customer requests.
- Operation and management of websites.
- Compliance with legal and contractual obligations.
- Regular exercise of the Controller’s rights.
- Communication and marketing activities.
- Defense of the rights of Data Subjects.
- Statistical analysis aimed at improving product and service performance, with sensitive and personal information de-identified.
As the Operator, RD uses Personal Data as defined by the Controller (customer) to fulfill contractual obligations.
RD may process data transacted by customers through the use of its products, which can identify data subjects without any direct relationship with RD. Subject to customer guidelines for processing, the purposes and protective measures implemented by RD products are outlined in RD’s Privacy Notice and Terms of Use.
5.4. Sharing Personal Data
RD responsibly manages the Personal Data of its customers, RDoers, and third-party employees who provide services to RD.
Regarding RDoers, RD may share Personal Data to fulfill: (i) current legal obligations and to defend the rights of Data Subjects; (ii) contractual obligations with RDoers; and (iii) the provision of benefits to RDoers.
Regarding clients, RD may share Personal Data to fulfill: (i) requests made by the customer themselves; and (ii) legal obligations arising from the business relationship.
RD may also share Personal Data with Third Parties, in compliance with the LGPD, including: (i) Service Providers; (ii) Partners; (iii) Government Authorities; and (iv) Group Companies.
When sharing is necessary, RD implements appropriate measures to ensure that the shared information is processed solely for specific purposes.
5.5. Protection of Personal Data
RD implements stringent measures to ensure the integrity and security of Personal Data. Access to this data is granted only to the departments that need it for their operational requirements and for support procedures. Additionally, RD has established protocols to guarantee that internal departments and RD Operators process Personal Data in compliance with the protection and privacy guidelines set forth by RD.
In addition, RD invests in awareness programs for RDoers, Third Parties, and Partners. The Privacy and Data Protection Program aims to promote best practices that should be adopted in the processing of Personal Data.
Aiming to ensure the privacy and security of its customers’ personal data, RD implements the best information security and secure development practices available in the market. The company designs products and services that enable customers to manage their information directly and securely.
5.6. Retention of Personal Data
The Personal Data required to comply with the Brazilian Civil Framework for the Internet is stored in a secure and controlled environment for a minimum period of six (6) months, subject to change based on the type of contracts with customers.
Personal Data is stored on third-party servers contracted for this purpose, whether located in Brazil or abroad, in accordance with applicable legislation. Additionally, it may be stored using emerging technologies that may develop in the future, all aimed at enhancing and improving services.
RD processes Personal Data for the duration strictly necessary to fulfill predetermined purposes, including compliance with legal or contractual obligations, requests from competent authorities, or as long as the Data Subject’s registration remains active in its environment.
Customer account information will be retained for as long as the account remains active. If the customer requests cancellation, the account data will be deleted within sixty (60) days after the request. Even after an account deletion request is submitted, RD will maintain a backup of the customer’s account information for 72 hours for security and compliance purposes. In the case of personal data related to RD contacts (leads), information regarding customer interactions with RD will be stored for a period of five (5) years.
With respect to data processing conducted based on the Data Subject’s consent, RD will cease processing the Personal Data, where applicable, if the Data Subject objects to or revokes their consent. If you have any questions regarding the duration for which RD will process Personal Data following the termination of the contractual relationship, please contact our DPO at [email protected] to obtain information relevant to your specific case.
To establish the appropriate retention period for personal data, we evaluate several factors: the volume, nature, and sensitivity of the personal data; the potential risk of harm arising from unauthorized use or disclosure; the purpose of processing the data; and whether these purposes can be achieved through alternative means. Additionally, we take into account the relevant legal requirements.
5.7. Rights of the Data Subject
The Personal Data Subject has rights and guarantees concerning their personal information. The mechanisms outlined below are available at RD to ensure that the Data Subject has clarity and transparency regarding the exercise of these rights. Whenever necessary, the Data Subject may contact RD through our Help Center to obtain information about, and submit requests related to, their rights:
– Confirmation of Processing: RD processes the Personal Data of its customers, RDoers, visitors, Suppliers, Partners, and others, ensuring that this data is stored in secure and controlled environments. The Data Subject may request confirmation regarding the processing of their Personal Data.
– Access to Data: At any time, the Data Subject may request that RD inform them of which Personal Data is being processed.
– Correction of Incomplete, Inaccurate, or Outdated Personal Data: If the Data Subject discovers that the information is incomplete, inaccurate, or outdated, they may request the correction or addition of the missing or inaccurate Personal Data, as applicable.
– Anonymization, blocking, or elimination of unnecessary, excessive, or improperly processed Personal Data in non-compliance with the LGPD: The Data Subject may request the anonymization, blocking, or elimination of Personal Data that RD is processing when there is no legal basis justifying such processing. However, if RD has a legal or regulatory justification for retaining the data, it will be kept for the duration necessary to fulfill the legal obligation or to uphold the right of defense in judicial, administrative, or arbitration proceedings. Additionally, in certain situations, RD may retain the data in pursuit of its legitimate interests, such as preventing violations and fraud.
– Portability of Personal Data to another service or product provider upon the express request of the Data Subject: The Data Subject may request that RD transfer their Personal Data to another service or product provider. If applicable, RD will fulfill the Data Subject’s request as promptly as possible.
– Obtaining information about the public or private entities with which RD shares the Data Subject’s Personal Data: The Data Subject may contact RD through the designated rights service channel to obtain information regarding the entities with whom their Personal Data has been shared.
– Information regarding the possibility of the Data Subject not providing consent for the processing of Personal Data, as well as the consequences of such a refusal: If the Data Subject chooses not to consent to the specific processing required by RD, RD will clarify whether it is feasible to provide the requested services or software without processing their Personal Data. Additionally, RD will inform the Data Subject of the implications of their decision not to consent.
– Revocation of Consent: When the processing of Personal Data is based on the consent of the Data Subject, the Data Subject may revoke their consent and request the deletion of their Personal Data at any time. Revocation of consent may result in the Data Subject being unable to use the services provided by RD. The interruption of the processing of Personal Data will not be effective if the Data is: (i) anonymized; or (ii) necessary for RD and/or Third Parties involved in the provision of services for judicial, arbitral, or administrative defense purposes, as well as for compliance with legal and regulatory obligations.
– Deletion of Data: In certain instances, the Data Subject may request the deletion of their personal information.
RD, acting as the Operator, is not responsible for defining data processing activities. This responsibility lies with the customer, who acts as the Controller, as stipulated in the contract. The customer must ensure that all instructions directed to RD comply with Data Protection and Privacy Legislation concerning Personal Data Subjects.
RD is dedicated to fulfilling all requests from Data Subjects as promptly as possible, in accordance with the deadlines established by the ANPD.
5.8. International Data Transfer and Collection
Personal Data processing activities conducted by RD may involve the international transfer of data, particularly to the United States.
For the provision of services that involve the international sharing of Personal Data, RD prioritizes processing conducted in countries that provide protection for personal data equivalent to that of the LGPD. Alternatively, RD may establish standard contractual clauses suitable for facilitating this transfer. Additionally, RD requires the involved providers to ensure that Data Subjects receive the expected level of protection. In exceptional circumstances, RD may conduct International Data Transfer through other means authorized by the LGPD.
Likewise, the potential International Transfer of RDoers’ Personal Data is outlined in their employment contracts.
Some RD products may be marketed and made available by partner companies overseas. In such instances, International Data Collection may be applicable. The RD framework extends the protections afforded to Data Subjects under the International Data Transfer guidelines.
In instances where RD processes personal data that is not protected by the LGPD—either because it falls outside the legal territorial limits or because it meets one of the exclusion criteria defined in the law—RD commits to ensuring the security and protection of the involved Data Subjects’ Personal Data and privacy. Furthermore, RD will comply with the exercise of rights established by the LGPD, within reasonable limits and capabilities, if such requests are made through its official data subject service channels.
5.9. Partners
RD establishes partnerships with companies to leverage technologies and processes that enhance its range of services. These Partners must adhere strictly to all contractual security guidelines outlined in this Policy, ensuring that all customer and employee Personal Data is treated as confidential.
5.10. Companies acquired by RD
As part of its inorganic growth strategy, RD may acquire other companies that process Personal Data. These companies may have operating structures, methodologies, and safeguards for protecting Personal Data that differ from those employed by RD. In such cases, RD must ensure that the guidelines outlined in this Policy are strictly followed throughout the integration process. Additionally, RD may need to implement practices that provide enhanced protection for the Data Subjects, depending on the specific circumstances.
5.11. Inquiries
Questions regarding RD’s Protection and Privacy Policy, or any inquiries related to the security and protection of Personal Data, should be directed to the following contact addresses:
Address: Rodovia Virgílio Várzea, 587, 3rd Floor, Room 302.
Saco Grande, Florianópolis, Santa Catarina, Zip Code: 88032-001.
Email: [email protected]
6. Responsibilities
RD employees and outsourced workers are responsible for the following tasks:
- Ensure strict adherence to the guidelines outlined in this Internal Data Protection Policy, as well as the RD Privacy and Security Standards and Procedures.
- Complete the mandatory Privacy and Security training provided by RD.
- Protect RD information from unauthorized access, modification, destruction, disclosure, and misuse.
- Ensure that the personal data in their possession is used solely for the purposes that have been predetermined and approved by RD.
- Report any non-compliance or violations of this Policy to the Privacy Team immediately via email at [email protected].
- Report privacy risks.
- Report any information security incidents that involve Personal Data.
- In the event of purchasing new tools or software, submit them for approval by the Privacy and Security teams.
The Data Protection Officer (DPO) is responsible for the following:
- Take charge of managing Data Protection activities at RD.
- Receive complaints and communications from Data Subjects, address requests for clarification, and implement the appropriate corrective and preventive measures.
- Receive and take appropriate action in response to communications directed to the ANPD.
- Advise RD employees and contractors on the practices to be adopted for the protection of Personal Data.
- Respond to inquiries from internal RD departments concerning questions related to the Processing and Protection of Personal Data.
- Perform the tasks specified by RD or outlined in supplementary Data Protection regulations.
- Report on the management of Data Protection activities to the DPO of the TOTVS Group.
- Report any security incidents to the DPO of the TOTVS Group.
The Privacy team is responsible for:
- Manage RD’s Corporate Privacy and Data Protection Program.
- Supervise and ensure compliance with the standards, regulations, and obligations set forth by the LGPD.
- Guide RD on the adoption of best practices in compliance with data protection laws.
- Define measures and indicators for effectively managing the RD privacy program.
- Define and manage a framework of policies, standards, guidelines, and procedures pertaining to privacy and personal data protection.
- Develop and implement an awareness policy to promote a culture of privacy and educate employees on best practices for protecting personal data.
- Ensure the implementation of governance measures and practices related to privacy and personal data protection.
- Monitor compliance with official RD determinations concerning the processing of personal data, Privacy by Design principles, Privacy Reviews, and best practices.
- Monitor and recommend solutions for mitigating privacy-related risks.
- Manage the response to information security incidents that involve personal data.
- Communicate any legislative changes that require adjustments to the Privacy and Security Policies and regulations.
- Prepare quarterly reports for the RD executive team regarding the aforementioned activities.
- Serve as the communication liaison between the RD team, data subjects, and government authorities.
- Ensure that this Policy is kept up to date.
The Information Security department is responsible for:
- Ensure comprehensive dissemination and review of the Information Security Policy, Standards, and Procedures for all employees and outsourced personnel.
- Promote awareness initiatives on Information Security for all employees.
- Propose and manage projects and initiatives related to RD information security management.
- Manage and monitor the systems and controls implemented by RD and its customers’ Information Security departments.
- Propose and manage projects and initiatives related to information security management for RD customers.
- Actively collaborate with the Privacy team to manage security incidents involving personal data.
The IT department is responsible for:
- Manage and monitor the systems and controls implemented within the RD IT department.
- Propose and manage projects and initiatives related to IT security management within the RD software stack.
The Ethics Team is responsible for:
- Analyze reported instances of violations of Privacy and Security Policies and guidelines, as well as their consequences when applicable, while respecting the Audit Committee’s responsibilities concerning Information Security Risk indicators.
- Recommend adopting either legal or non-legal measures to address practices that violate current legislation.
- Request checks on equipment and systems from the Information Security department.
- Direct incidents to the appropriate Managers or Leaders so that necessary measures can be implemented.
The Legal team is responsible for:
- Review and validate the Policies to ensure compliance with current legislation, under the guidance of the Privacy team regarding specific issues related to privacy and data protection.
- Provide support to other teams, particularly the Ethics Team, in managing cases of non-compliance with Privacy and Security Policies and regulations. This includes proposing legal measures when appropriate.
- Support other departments in implementing containment measures in the event of data misuse incidents.
7. Consequence Management
In the event of non-compliance with this Policy, measures will be implemented to address labor, civil, criminal, and administrative consequences that may apply to those responsible for the violations. This includes the potential for dismissal for just cause and termination of contracts for just cause in the case of Third Parties.
8. Amendments to the Privacy Policy
As we continually strive to enhance our services, this Privacy Policy may be subject to updates. Therefore, we recommend that you periodically visit this page to stay informed about any changes. If we implement any significant modifications that require your renewed consent, we will publish the update and request your consent accordingly.
Updated on 2024-10-14
Version: 01.02 - 2024-10-14