Privacy Policy

About No One

No One is a well-established company with a collaborative approach, deep knowledge of human behavior, and an intense curiosity about the future. We translate user information and data into powerful resources. Personal data is the raw material that supports our work ecosystem. We value privacy and data protection and transparently demonstrate how we handle personal data through this Privacy Policy, respecting data subjects’ rights and the principles of applicable legislation. We may act as both a data processor and a data controller, depending on the purpose of data processing.

For any questions about this Policy, please contact our Data Protection Officer at lgpd@noone.is.

Technical terms used

For the purposes of this Privacy Policy, the expressions adopted here must be interpreted as follows:

  • Owner: natural person to whom the personal data that are subject to data processing refer, in this case employees and interns.
  • Personal data: information about the identified or identifiable natural person from data used to form the behavioral profile of a particular natural person, if identified.
  • Sensitive personal data: data about racial or ethnic origin, religious conviction, political opinion, membership in a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.
  • In charge: person indicated by the controller and operator for communication with the holders and the National Data Protection Agency.
  • Operator: natural or legal person, governed by public or private law that carries out the processing at the request of the controller.
  • Controller: natural or legal person, governed by public or private law, responsible for decisions regarding the purpose and means of processing personal data.
  • Platform: software with multiple functionalities.
  • Privacy: It is the right to reserve personal information and one's own personal life, the right to respect for private life, the right to be protected from interference with personal matters.
  • Treatment: any operation that involves the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
  • Pseudonymization: treatment in which the data loses the possibility of being associated, directly or indirectly, with an individual, which may be reversible through the use of additional information kept separately by the controller in a controlled and secure environment.
  • Consent: free, informed and unambiguous statement by which the owner agrees to the processing of their personal data for a specific purpose.
  • Elimination: deletion of data or of a set of data stored in a database.
  • National authority: body responsible for overseeing, implementing, and supervising compliance with the Law.
  • Shared use of data: communication, dissemination, international transfer, interconnection of personal data, or shared processing of personal databases in any relationship by public and/or private entities.

Culture of privacy and data protection

No One believes that it is necessary to be transparent with the data subject, so that they are fully aware of the processing of their data and can manage them in order to exercise their rights, when applicable. We respect the fundamental rights of privacy, as well as the protection of the personality attributes, in which personal data are inserted. As an educational method of this culture, we disseminate, train and empower the employees involved, enabling them to follow the good practices established by No One. It is part of our privacy culture: respect for privacy; informational self-determination; freedom of expression, information, communication, and opinion; the inviolability of privacy, honor, and image; economic and technological development and innovation; free initiative, free competition, and consumer protection; and human rights, the free development of personality, dignity, and the exercise of citizenship by natural persons. No One values 360° privacy in which it observes, guides and certifies that employees, collaborators, freelancers, interns, or third parties also follow data protection legislation.

Once access has been authorized, the use of any data or information is intended exclusively for the service performed at No One. If you consider that you are seeing information other than your profile, immediately activate Information Security: lgpd@noone.is.

Roles and Responsibilities

Data subject

Natural person to whom the data refer. He is the owner of the collected data, which the LGPD seeks to protect. The rights of data subjects are:

  • confirm the existence of processed data and know which and how they are being treated;
  • request the modification of the data already collected;
  • request that certain information collected not be used for a certain purpose;
  • request the cancellation or revocation, as well as the deletion of your processed data;
  • request the revocation of consent to carry out the treatment;
  • object to the processing of certain data;
  • and request clarification regarding the data processed.

Requests from the owners must be sent to the e-mail: lgpd@noone.is, which will be answered, after verifying the authenticity, directly to the owner or constituted attorney, within 15 (fifteen) business days, always respecting the company's confidential information.

It is possible for the holder to request the revocation of consent in the course of carrying out the research, and in this case they must return the amounts received in case of remunerated participation.

Treatment Agents

The data controller is responsible for the decisions regarding the processing of personal data, the one who determines the objectives/purposes, the technical and organizational measures, and the means of the treatment.

The operator or processor is the one who processes personal data on behalf of the controller and following the instructions provided by the controller. The operator will respond together with the controller if it causes harm to others as a result of the exercise of personal data processing activities.

The suboperator or subprocessor is a third party, linked to the operator, and who is authorized to process personal data.

Data Officer

Person appointed by No One to act as a communication channel between the company, the data subjects and the National Data Protection Authority (ANPD), acting as Data Processor. Its activities consist of:

  • Accept complaints and communications from the owners, provide clarifications and take action;
  • Receive communications from the national authority and take action;
  • Advise the entity's employees and contractors regarding the practices to be taken in relation to the protection of personal data;
  • Map significant threats to the environment and risk of information exposure; and
  • Perform the other duties determined by No One or established in complementary regulations.

No One elects Marcelo Quinan, email lgpd@noone.is, to perform the position of Data Protection Officer.

How we collect personal data

Customer Data

Customer data (data from their representatives) are necessary to maintain a communication channel between the customer and No One, as well as for compliance with legal obligations, contractual execution or regular exercise of rights. This data will remain archived as long as it is essential, and the customer may request access or update by email forwarded to lgpd@noone.is. Customer data will be deleted when it is unnecessary, keeping only what is imperative for compliance with legal obligations, resolving differences, maintaining security, preventing fraud or abuse, and ensuring compliance with contracts. Any and all documents and information relating to No One customers are confidential and are exclusively accessible to our employees and representatives in accordance with current legislation.

Data from Third Parties and/or Collaborators

Third parties and/or collaborators (service providers for carrying out the surveys) are carefully chosen because we are concerned about our reputation in the market and following good privacy and data protection practices. Just as customer data is collected, so is the case with our partners. This data is necessary for communication maintenance, for compliance with legal obligations, contractual execution or regular exercise of rights. This data will remain archived as long as it is essential, and the third party may request access or update by e-mail forwarded to lgpd@noone.is. The data will be deleted when it is unnecessary, keeping only what is imperative for compliance with legal obligations, resolving differences, maintaining security, preventing fraud or abuse, and ensuring compliance with contracts.

Research Participant Data

No One collects personal and sensitive data from data subjects who are part of the target audience of the research it carries out, with the collaboration of the participants to carry out their activities. The participant's personal and sensitive data are treated in such a way as to guarantee privacy and data protection, subject to the purpose of preparing the study, the interests of the clients and of No One, and the principles provided for in current legislation. Examples of data that make up the collection of information are: name, address, contact, behavioral and consumer profile, race or ethnicity, image and sound of voice captured in photos, videos and possible transcription of these, as well as any information necessary for the preparation of research, respecting the principle of limiting collection only to essential data. Personal identification data (full name, address, ID, CPF) will not be shared with No One customers, unless there is a regulatory or contractual provision to the contrary. Once the research has been carried out, the data of the holder will undergo anonymization or fragmentation processes to mitigate the risk of identifying the participant, keeping only what is necessary for the purposes set out in this Privacy Policy, in accordance with what was agreed in the contract. Third parties and service providers are not authorized to disclose and market research participants' data. In case of non-compliance, they will be responsible for such violations.

If you have witnessed something unrelated to what is contained in this Policy, please let us know through the channel lgpd@noone.is to take appropriate action.

Data processing actions

Access Policies

No One adopts as its access policy the Principle of Least Privilege methodology for greater protection of the data of all users that circulate through the company, which means that access is released gradually and employees only have access to essential data and for specific purposes. We understand that transparency with the data subject is important so that they have control over which of their data were collected and how they will be treated, in accordance with the rights referred to in current legislation.

COLLECTION

The data is received by No One in two ways:

  • Typeform: search form, and the No One team is responsible for configuring the form and forwarding it for a response from the data subject. The response is stored with viewing and editing permissions only for people who are necessary to finalize the project and, when it is necessary to keep it, anonymization is performed at an appropriate time.
  • Sending a list by the customer: the customer forwards the contact list so that No One can carry out the contracted activity.
  • Google Workspace: No One has Google Workspace as a tool to guarantee the security of the data that travels through its network. Thus, the data that is necessary for the execution of the project is meticulously mapped and tracked by the platform itself, ensuring efficiency from the start until the end of its cycle. No One applies access controls and the Principle of Least Privilege, stressing that project managers and collaborators cannot access confidential information without the explicit authorization of the owner.
  • Recording of interviews: No One records the interviews to improve the quality of the research, collecting consent for this purpose through appropriate documentation, and confirmation of the participants' consent is reiterated in an interview with the data subjects.

Information storage

All information, files, and data collected during the research process are stored on the No One drive on Google Workspace within the specific project folder, so that no file is kept in a local environment or removable media.

Sharing

Data is shared with third parties and/or collaborators through a drive in Google Workspace and through ClickUp. Only the files necessary for the purpose described in this Policy are shared, and access is revoked after the completion of the activity. No One provides access to Google Workspace to all its employees, in order to enable file communication and storage and especially security. We use the Principle of Least Privilege as a methodology. After authorized access, the use of any data or information is intended exclusively for the services performed at No One.

Customer Reports

The reports are delivered through Google Workspace through a folder shared with the No One client, keeping only the files being transferred at that time. The permission to access the folder is revoked upon receipt of the files by the client and its files are deleted, except as otherwise provided in a contract.

Anonymization

The personal data of the participants, which make up the deliverables to the client, are treated and anonymized, using currently available technologies, removing the link between the holder and the data collected, so that identification is not possible, except when the participant is a specialist in a certain topic, thus considered professionals with notorious recognition in their field of activity. Thus, since no terms or contracts provide for the identification of data and opinions, they will be anonymized so that they can no longer identify the data subject, such as: CPF, ID, telephone number, address details (building number, apartment), workplace details, etc.

Disposal and deletion of data

After the completion of the project, the collected/generated personal data will be discarded. If there is an agreement providing for the maintenance of any type of personal data, these are delivered to the client by the No One project manager upon formalization. No One will make sure that all file shares held outside have been removed by the project manager.

International data transfer

No One signs contracts that authorize and establish rules for carrying out international transfers, whether by third parties, collaborators, research participants, or clients. The transfer only takes place by ensuring that the place of destination, the means of transfer and the processing agent observe the same level of guarantee provided for in the applicable data protection legislation. No One data is stored through Google Drive, and there is a possible international transfer of personal data when there is absolute unavailability of the server at the storage location, in order to ensure the safety of the stored data.

Security incident

No One is always aware of full compliance with the LGPD and any laws on data protection, so in the event of a security incident, the following measures will be adopted:

  • Adoption of internal measures already passed on to all employees;
  • Reporting the incident to the controllers; and
  • When No One understands that there is a risk of material damage, notifying the ANPD and the data subject, informing them of the plan to restore the security of their data.

We also count on you to report a possible incident that you are aware of, informing us as soon as possible by contacting lgpd@noone.is.

Revision and update of this Policy

In order to provide greater security and convenience to interested parties, No One will update this Policy whenever its content changes, or to comply with applicable legislation.

Rest assured, you will be notified! Before protecting the data of third parties, we are all data subjects and we want our privacy to also be respected, so that, when viewed and consented to, it is for mutual, legitimate and transparent benefit.

Data protection in internal departments

Financial

Data retention by the finance department only occurs when there is a remunerated contractual relationship. If a specific Term has been signed, the information will be collected to make the payment. Thus, the data of clients, collaborators, third parties and research participants are necessary for contractual execution, as well as compliance with current legislation regarding the issuance of notes, declarations and the like. The data will be kept as long as there is a valid and current contract, and the owner, customer, collaborator or third party may request access or update of their data by means of an e-mail sent to lgpd@noone.is. The data will be deleted when they are unnecessary or when the contractual relationship ceases, keeping only what is strictly essential to comply with legal obligations, resolve differences, maintain security, prevent fraud or abuse, and ensure compliance with contracts.

Contracts

No One contracts are reviewed and negotiated on a continuous and periodic basis for the best agreement and transparency in the relations it maintains with third parties, collaborators, clients and research participants, always in accordance with current legislation and observing, especially, the LGPD. The relationship maintained with the research participants is transparent and objective, establishing a Consent Form, confidentiality, and assignment of image rights, in addition to confirmation of signature of the Term at the time of the interview.

Still have questions?

Send your request to our Data Protection Officer.
