CONTENTS
1. PURPOSE
2. SCOPE
3. GUIDELINES
3.1. General Recommendations
3.2. Updates
3.3. General Guidelines
3.4. Applicability
3.5. Purposes of Using Personal Data
3.6. Sharing Personal Data
3.7. International Transfer of Personal Data
3.8. Rights
3.9. Important Notices
3.10. Personal Data Storage Time
3.11. Personal Data Protection
3.12. Contacting Assaí
3.13. Privacy policy alterations
4. PENALTIES
5. ATTACHMENTS
6. REFERENCES
6.1 The following are part of this Policy:
7. DEFINITIONS
8. VERSION HISTORY AND APPROVALS
9. PUBLICATION
1. PURPOSE
The purpose of this document is to establish guidelines for the protection, use and privacy of data obtained by Assaí.
2. SCOPE
This document covers all Assaí business areas
3. GUIDELINES
3.1. General Recommendations
On posting adhesion agreements through our website and/or application interface and functionalities, certain precautions are important means of safeguarding the validity and effectiveness of their terms and conditions. Without prejudice to other specific recommendations depending on each service and business model, the following practices are recommended and encouraged:
3.1.1. the documents must be easily located through website and/or application interfaces, using a specific section and, when possible, a direct link on all page footers;
3.1.2. the documents must be presented in a clear, easily understood and legible format and use font sizes no smaller than 12;
3.1.3. any clauses that involve limiting consumer's rights should be highlighted; and
3.1.4. if there are different versions of a document that has been updated over time, the company must have a page available on its website where different versions of previous documents may be accessed.
Obtaining appropriate user consent is crucial to ensure valid personal data processing when consent is the legal basis chosen to legitimize processing. If this is the case, it is of the utmost importance that Assaí adopt procedures that enable users to clearly and unambiguously identify their acceptance of our Privacy Policy and any means needed for obtaining the specific consent required for a specific data processing activity, including:
3.1.5. checkbox (empty, opt-in format) on the same page as registration or on a specific page, as a necessary condition for sending registration data and using the service and/or application;
3.1.6. the abovementioned checkbox must be accompanied by the phrase “I have read the Privacy Policy, understood it and agree with it”;
3.1.7. the full text of the Privacy Policy should preferably be posted above the checkbox and be available to users; and
3.1.8. as best practice, the company may also place a security call out just after the user submits the form, using mechanisms such as lightboxes containing this notice: "Are you confirming your agreement to the Privacy Policy?" and then offering, in this case, two options (yes/no).
Acceptance of Privacy Policy must be shown separately from acceptance of any other user terms and conditions or agreement to a product or service. In the case of checkboxes, this means that separate checkboxes should be available for each acceptance/confirmation by users. In all cases, the company must store specific check-box registration and acceptance data logs containing user IP and time accessed.
3.2. Updates
For any Privacy Policy updates:
3.2.1. send e-mail to the base of registered users, with reasonable advance notice, explaining the changes that will be made to the documents and offering users access to them;
3.2.2. after the initial effective date, show the date of the latest update on the page header; after initial effective date, a new acceptance of the Privacy Policy must be shown to users when they access the website or application, using a specific lightbox or disclaimer. If there are significant changes, double validation or granularized consent may be used - in these cases, we suggest consulting our office to figure out the best alternative for each specific case that may require obtaining new consent.
3.3. General Guidelines
Sendas Distribuidora S/A is a private legal entity enrolled with the National Corporate Taxpayers Register (CPNJ) under No. 06.057.223/0001-71 (“Assaí” or “We”). We operate a retail trade business selling goods in general, predominantly foods. Our supermarkets offer a wide range of items that includes groceries, foods, perishables, packaging, gift & specialty, personal care, beverages and cleaning products, as well as financial products such as our Passaí credit card, among others (together, "Services”). Some of our Services are also available on our digital platforms, our websites https://www.assai.com.br/, https://www.academiaassai.com.br and https://ww.aniversarioassai.com.br, and our mobile application “APP ASSAÍ CLIENTES”, (together, “Platforms")
When you use Assaí Services, you are entrusting your personal data to our care. We promise to respect and uphold that trust. Therefore this Privacy Policy (“Policy”) explains - using clear and accessible language - how we will collect, use, share and store your information and data.
This document should be read together with all regulations, terms, rules and other agreements related to the use of Assaí's products and services. If you have any questions or need to discuss any matter related to this Policy, please contact us at this e-mail address: dpo.assai@assai.com.br.
3.4. Applicability
This Policy applies to personal data collected and processed by Assaí to carry out its Services. Personal Data means any information that directly or indirectly identifies someone (“Personal Datum” or “Personal Data”), such as their name, ID number, e-mail address, IP address and home address.
Processing means any operation performed with Personal Data (“Processing”), including the collection, storage, disposal and sharing of this type of information.
Assaí processes Personal Data in order to provide its Services and improve them. For example, we collect certain Personal Data to assess your satisfaction with our customer service or to create and evaluate offers that may be of interest to you. These are examples that show how and why we need to use Personal Data to provide our Services.
3.5. Purposes of Using Personal Data
Since we operate in retail trade of goods in general, with a predominance of food products - supermarkets, our Services usually involve in particular information related to legal entities. However, for some of the Services, as in the case of financial products such as the Passaí card, or when our customer is an individual, we process Personal Data that is directly provided by these customers. Since we prioritize transparency and protection of your privacy, the purposes for which Assaí processes Personal Data are listed below.
| Purpose | Personal Data Used |
|---|---|
| Registration and use of our app known as Assaí Clientes APP | Registration data: Name, address, ID, e-mail, telephone, occupation, taxpayer No.(CPF), gender and date of birth. Browsing data: activity on the APP, data from activities, dates and times of activities. |
| Participation in Assaí's birthday campaign | Registration data: Name, sex, address, CPF, ID, date of birth, e-mail, telephone, occupation. |
| Registration and use of Academia Assaí | Registration data: Name, sex, date of birth, city, state, business name, which products/services they offer, current income and other business information and future vision for business. Browsing data: activity on APP, data from activities, dates and times of activities. |
| Sales | Name, CPF, telephone, address, e-mail, Bank details, name of bank, branch and account, truncated card details and means of payment. Other data: purchase ticket. |
| Evaluate stores and customer experience | Registration data: Name, address, gender, telephone, income, occupation. Other data: answers to questions about store experience. |
| Chargeback amounts paid | Registration data: Name, address, CPF, telephone number to contact, bank details and purchase ticket Bank details: branch and account numbers. Other data: purchase ticket size. |
| Offer products and manage sales | Registration data: name, telephone, corporate or individual taxpayer no. (CNPJ or CPF). |
| Issue Invoice (Nota Fiscal) | Registration data: name, CPF, address. Other data: purchase ticket size. |
| Issue Passaí credit card requested by customer | Registration data: name, ID, CPF, ID with photo, proof of address |
| Credit limit analysis for customers whose relationship involves financial risk | Registration data: articles of incorporation, Federal Tax Authority data and creditworthiness or credit bureau data |
| Register on Platforms | Registration data: CPF, name, e-mail, telephone, date of birth, address, city, state, neighborhood and postcode. |
| Improve our Services and Platforms, including through statistical analyses | Automated Data Collection. data from interactions made with Platforms, such as browsing, pages and content accessed, whether browsing history, how the user accessed sites (whether search engine or directly from URL), search term used on websites, time on website pages, language, country and city, browser, operating system and service provider, screen resolution, device type (desktop or mobile), cellphone device model. |
| Messaging (SMS, WhatsApp, e-mail etc.) | Registration data: name, address, gender, telephone, income, occupation |
| Physical security for our stores and Distribution Centers: | Closed Circuit TV: capturing images from security cameras. |
| Customer service channels for complaints, suggestions or compliments | Data collected vary if a consumer has already registered on our systems - in which case their CPF is requested - or whether they are making a new contact. In the latter case, data processed will as a rule be name, CPF, address, and e-mail. |
| Other customer service channels: these are channels through which customers may complain indirectly (Procon, Consumidor.gov and ReclameAqui) | Data collected vary if a consumer has already registered on our systems - in which case their CPF is requested - or whether they are making a new contact. In the latter case, data processed will as a rule be name, CPF, address, and e-mail. |
| Monitoring press and social networks: responding to customer demands received by the press/media outlets or through social networks | Data collected will vary depending on the customer's issue, opinion or compliant - we will collect contents of the client's messages or posts involving Assaí and try to solve the issues raised by contacting the customer and analyzing data related to their complaint, depending on each case. |
3.6. Sharing Personal Data
Assaí works in conjunction with a network of partner companies to enable the best possible Services so in some cases, we need to share some Personal Data with these companies. We will in all cases adopt mechanisms for the protection of your Personal Data in order to safeguard your privacy;
Since we value transparency and protection of your privacy, we are listing the situations in which we may share your Personal Data with third parties:
3.6.1. Suppliers: we employ other companies to do jobs on our behalf and we need to share your Personal Data with them to provide our Services. For example, we hire companies that administer satisfaction questionnaires, so they will have access to our customers' Personal Data. Our suppliers are authorized to use Personal Data only for the specific purposes for which they were hired, therefore they will not use your Personal Data for purposes other than providing contractually stipulated services.
3.6.2. Financial Institutions: Passaí is an Assaí financial product that offers credit cards to our customers in conjunction with Banco Itaú. In addition, in some cases for payment processing purposes, Assaí needs to share Personal Data with Financial Institutions. Therefore, in order to provide Services, Assaí needs to share Personal Data with financial institutions in order to evaluate availability and issuance of Passaí cards or to process payments via electronic media, for instance.
3.6.3. Credit Bureaus. We also partner credit bureaus with which we may share Personal Data to analyze the financial health of a specific customer, thus promoting credit protection and fraud prevention for Assaí's financial transactions and our business.
3.6.4. To comply with the law, safeguard and protect rights: Assaí reserves the right to access, read, preserve and disclose any Personal Data that it believes are necessary to comply with a legal obligation or court order; to enforce this Policy, the regulations, terms, rules and other agreements related to the use of Assaí's products and services; or protect the rights, property and security of Assaí, its employees, users and others, in all cases in accordance with applicable legislation.
When we share your Personal Data with third parties with which we have contractual relations, we share only the Personal Data required for them to carry out their work and we contractually ensure that the abovementioned Personal Data are used only to the extent required to provide the services on our behalf or to comply with legal requirements. Likewise, we require third parties with whom we share Personal Data to ensure the same level of protection and privacy for your Personal Data that Assaí would have had if we processed them directly; this includes the obligation to not use your Personal Data for any purpose other than contractually stipulates purposes, in addition to confidentiality and data security rules, among other legal requirements applicable to contracts of this nature.
3.7. International Transfer of Personal Data
Although Assaí is headquartered in Brazil and the Services and Platforms are intended for people located in Brazil, so Brazilian laws related to Personal Data protection apply, the Personal Data we collect may be transferred to the United States of America, Canada and countries belonging to the European Union. Data are transferred mainly for the purpose of hosting on Assaí's cloud servers, which is carried out by companies Assaí outsources for this purpose.
3.8. Rights
Brazilian law guarantees rights related to privacy and protection for your Personal Data. We want you to have access to and knowledge of all rights related to processing your Personal Data, which are as follows:
| Right | Explanation |
|---|---|
| Confirm processing of your Personal Data | This right allows you to request and receive confirmation of the fact that your Personal Data is being processed. |
| Access to Personal Data | This right allows you to request and receive a copy of Personal Data processed by Assaí. |
| Correction of incomplete, inaccurate or outdated Personal Data | This right allows you to request correction and/or rectification of Personal Data if you find that some of them are incorrect. |
| Anonymizing, blocking or deleting unnecessary, excessive or incorrectly handled or processed Personal Data | This right allows you to request anonymization, blocking or deletion of personal data in Assaí's database. Your data may be anonymized, blocked or deleted from servers when so requested or when no longer needed or relevant for the provision of the Services, unless there is any other reason for retaining them, such as any need to retain data for compliance with a legal obligation or for the protection of Assaí or third parties. |
| Personal Data Portability | Assaí allows you or third parties you have designated to obtain access to Personal Data processed by Assaí in a structured and interoperable format, as long as this does not violate our intellectual property rights or our business secrets. |
| Not provide or revoke consent at any time | You have the right to deny consent when requested. Likewise, after consenting, you also have the right to revoke your consent, however, dong so will not affect the legality of any previous processing. If a user does not provide or revoke their consent, Assaí and its partners may be unable to supply you with certain products or services. |
| Object to certain cases of data processing | You also have the right to object to certain purposes of data processing. In some cases, Assaí may prove that it has legitimate reasons for it or its partners to process Personal Data, which may override their objection to processing, for example, if said data are strictly essential to provide the Services, to fulfill legal or regulatory obligations, or to protect the rights of Assaí or third parties. |
3.9. Important Notices
For your security, whenever you submit a request to exercise your rights, Assaí may request some additional information and/or documents so that we can be sure of your identity in order to prevent fraud. We do this to ensure security and privacy for everyone. In some cases, Assaí may have legitimate reasons for failing to respond to a request to exercise rights. These situations include cases in which disclosure of specific information could violate Assaí or third-party intellectual property rights or business secrets, as well as cases in which requests to delete data cannot be agreed to because of Assaí's obligation to retain data, either to comply with legal or regulatory obligations or to enable Assaí or third parties to defend their record in disputes of any nature. In addition, some requests may not be answered immediately, but Assaí undertakes to respond to all requests within a reasonable period in accordance with applicable law.
You may ask any related questions or exercise these rights at any time, by e-mailing dpo.assai@assai.com.br.
3.10. Personal Data Storage Time
Assaí will store Personal Data only for as long as required to fulfill the purposes for which they were collected, including for the purpose of complying with any legal or contractual duties, for accountability or due to a requisition issued by competent authorities.
In order to determine the appropriate retention period for Personal Data, Assaí weighs their quantity, nature and sensitivity, the potential risk of damage arising from unauthorized use or disclosure of your Personal Data, the purpose of processing and any possibility of accomplishing these purposes by other means, and applicable legal requirements.
Assaí may retain Personal Data for longer periods than shown above in order to comply with legal obligations that may be applicable on the terms stipulated by the pertinent legislation, such as consumer rights and tax obligations. Your Personal Data may also be retained for longer periods if needed to protect the rights of Assaí or third parties, especially if these are necessary for defenses in disputes or litigation of any nature.
In the case of Assaí's birthday campaign, we will keep your Personal Data stored to enable you to participate in our campaigns in subsequent years or in campaigns around other themes. if you wish to opt out of future campaigns, please tell us of your objection by e-mailing app.clientes@assai.com.br or using the customer channels on our websites
3.11. Personal Data Protection
Assaí endeavors to protect the privacy of the accounts and Personal Data of users that are held in out records. We have procedural, technical and physical safeguards in place to help us prevent loss, misuse or unauthorized access, disclosure, alteration or destruction of Personal Data provided by users. Of the measures we take, we would highlight control of access and encryption of data in transit (SSL and TSL) among other measures.
However, we cannot guarantee that all transmissions of Personal Data over the Internet are completely secure. Third parties that are not under our control may illegally intercept or gain access to transmissions or Personal Data. Therefore, since it is not possible to guarantee the complete security of the Personal Data transmitted to our website, we ask for your cooperation to help us ensure a safe environment for everyone. If you identify or learn of anything that compromises the security of your Personal Data, please contact Assaí using this channel dpo.assai@assai.com.br.
3.12. Contacting Assaí
If you believe your Personal Data have been used in a way that breaches the Policy stated herein or does not reflect your choices, or if you have any other questions, comments or suggestions related to this Policy, please contact us through the following channels:
• DPO (data protection officer): Sadik Sarkis
• E-mail: dpo.assai@assai.com.br
Privacy Policy
3.13. Privacy policy alterations
Since Assaí is constantly looking to improve its Services, this Policy may be updated. Therefore we suggest that you periodically visit this page to learn of any changes. If there are material alterations that require new consent, we will publish this update and request new consent.
4. PENALTIES
Any employee witnessing a breach of any of the above rules, has the duty of reporting this breach through our Ombudsman Channel. In addition, as per our Code of Ethics guidelines, failing to comply with the rules and instructions required herein may be deemed a serious breach and be subject to the application of appropriate disciplinary sanctions.
5. ATTACHMENTS
N/A.
6. REFERENCES
6.1 The following are part of this Policy:
6.1.1. Assaí Code of Ethics
7. DEFINITIONS
N/A.
8. VERSION HISTORY AND APPROVALS
| Version/ Year | Changes | Reviewers (position/business area) | Approved by (position/business area) |
|---|---|---|---|
| 00/2020 | First version of document | Sadik Sarkis. Assaí DPO | Daniela Sabbag. Marly Yamamoto. Rodrigo Callisperis. |