1. Introduction

This Privacy Policy defines how the company IYS It works to guarantee the protection and privacy of personal data processed within the scope of its activities. This policy expresses the commitment of... IYS to act in accordance with applicable legislation and internal regulations related to the security and privacy of personal data, such as General Data Protection Law (LGPD), Law No. 13.709. This Privacy Policy uses the terms and definitions provided by the LGPD (Brazilian General Data Protection Law), such as the concept of data subject.

The company IYS It develops and applies technical and organizational measures to protect personal data against unauthorized or unlawful processing, as well as accidental loss, alteration, disclosure, access, destruction, accidental damage, and other situations related to the confidentiality, availability, and integrity of personal data under its control.

In situations where the company IYS Whether our employees act as data processors or not, we operate in accordance with applicable legislation, data privacy best practices, and the instructions provided by the relevant controller. To this end, we conduct training and awareness campaigns to disseminate data privacy best practices to all our employees, in order to promote compliance with applicable legal obligations.

When making purchases at IYS, In other words, by registering, you agree to this Privacy Policy. Therefore, it is very important that, if you have any questions, you contact us via email: sac@iyscosmetics.com

2. Your personal data and how we use it.

2.1 Collection

In general, the personal data processed by the company's employees is collected directly from the data subjects themselves, who have a contractual relationship or have shown interest in developing a relationship with us. With the exception of information required by law and applicable internal policies to ensure compliance with legal obligations and the execution of services provided, the data subject's decision to provide us with their personal data is voluntary. However, it is important to emphasize that failure to provide the data subject's data may prevent the processing of this data, given the nature of the related activities.

In other situations, personal data may be sought from other sources, such as publicly available data or data provided by public authorities, suppliers, contracted parties, other business partners and related sources, always in accordance with the legal basis required for processing this data and its respective applicable legislation.

Data collection can occur directly and indirectly. Directly, when registering to receive information, making business contacts, filling out forms, sending job resumes, participating in recruitment and selection processes, preparing and signing contracts, among other actions related to the execution of our activities. Indirectly, when collected through the technology available on our website and applications, to provide a more positive user experience.

If personal data of third parties is provided, according to the existing relationship between the parties, but also in various cases such as job postings and resume submissions, the person who provided the personal data of this third party is responsible for ensuring that the data subject is aware of the information contained in this Data Privacy Policy. Consequently, the person who provides personal data of a third party must have the express consent of the respective person, the data subject, to share their information with us.

2.2 What data do we collect?

Regarding the personal data processed within the scope of our activities, we highlight:

2.2.1 Registration details: Registrations may include name, email address, address, CPF (Brazilian tax identification number), telephone number, unique device ID, image, photo, audio, among other data related to the purpose of the registration in question and any associated legal or contractual obligations (Employee Profile, Supplier Registration, Customer Portfolio, Selection Process Participants, Visitor Registration, among others).

2.2.2 Contact details: Information obtained through questions, requests, and interactions conducted via our contact forms and communication channels, commercial and relationship activities, among others.

2.2.3 Financial transaction data: Regarding transactions made through our Services, including the purchase of products and/or services. Transaction data may include your address, CPF (Brazilian tax identification number), financial and banking information, and credit card number, among others.

2.2.4 Computing Data refers to data relating to the use of our websites, products, cloud services and applications, and through the use thereof: The use of this data may include your IP address, cookies, geographic location, browser type and version, operating system, time of visit to our websites, number of uses of the Services, date of visit, among others.

The collection of sensitive data occurs for clear purposes and with a legal basis, such as compliance with legal obligations, of which we highlight the Employee Record, and legitimate interest in the operation of our activities, of which we highlight biometric timekeeping and periodic examinations. Other purposes may be applied, provided that a specific term is applied for your knowledge and/or acceptance of the processing in question.

It is important that you are aware of how we process your personal data; in other words, for what purpose your data is collected and on what legal basis, that is, on what grounds your personal data is processed. We highlight the following purposes and legal bases for processing.

Personal data is processed for the purposes and in accordance with the bases mentioned above, including but not limited to, such as any specific term applied for the knowledge and/or acceptance of the processing in question by the data subject in the case of processing sensitive data.

Either electronic or physical acceptance of this Privacy Policy by the data subject implies the data subject's consent to the processing of their personal data, in accordance with legal requirements, as provided by law, and other internal regulations related to data security and privacy.

Personal data will remain under the company's control and will not be used for purposes incompatible with those informed to the data subject, except as provided by law. Should other personal data be collected and processed, this document will be updated and disclosed as required by law.

3. Transfer of data to third parties

We may disclose your personal data to members of our group of partner companies; this means we may share personal data with subsidiaries, controllers, and operators of the company. IYS , in order to process data. The company's partners, with whom we share personal data, are not necessarily physically present in Brazil and may be located in other countries. In the data transfer process, we consider the necessity of transferring personal data for the purpose of processing it, as well as the applicable purposes and legal bases.

We may disclose your personal data to our insurance companies and/or professional advisors to the extent reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or initiating, exercising, or defending administrative, arbitration, and/or legal actions. Furthermore, we may disclose your data to our suppliers and service providers to the extent reasonably necessary to provide you with our products and/or services and to ensure the security of their use and the use of your personal data, such as suppliers, software companies, marketing and customer service providers, network providers, and cloud service providers. Such third parties may be located in other countries or have their servers in different regions.

Financial transactions related to our services and the purchase of our products and/or services are handled by our financial service providers. We share transaction data with our payment service providers only to the extent necessary for processing payments, issuing refunds, and handling complaints and inquiries related to these matters.

In addition to the specific disclosures of personal data set out in this section, we may disclose your personal data whenever such disclosure is necessary to comply with a legal and/or regulatory obligation to which the company is subject, as well as to protect your vital interests or the vital interests of another data subject. Before sharing, we will take the necessary precautions to ensure that the related personal data will have adequate protection as required by applicable law.

The company IYS We have offices and facilities in various locations, as well as suppliers in other countries (website hosting, cloud services, payment gateways, technical support, development, modeling, customization, among others). Therefore, we may transfer your data outside of Brazil for the purposes indicated above. Furthermore, we adopt appropriate measures and enter into the necessary contracts with our suppliers and offices to ensure that the processing of personal data outside of Brazil is carried out in accordance with the General Data Protection Law (LGPD) and in compliance with internal policies.

By agreeing to this Privacy Policy, the data subject consents to their personal data being transferred to or accessible by operators in other countries, considering the terms of applicable international laws and regulations.

4. Storage and deletion of personal data

We store personal data only for the necessary time, according to specific procedures for record retention and management: During the relationship with the data subject, during the period necessary to comply with our legal and contractual obligations and the regular exercise of rights, as long as the data subject's consent remains in effect.

We retain your personal data in accordance with the appropriate legal bases provided for by law. Given the nature of the business model, in some cases it will not be possible to specify in advance the storage period for your personal data, considering the existing relationship between the parties. In these cases, we will determine the storage time for your personal data based on the following criteria:

a) Existence of a specific law or regulation requiring a defined period for data retention;

b) Existence of judicial, administrative or arbitration proceedings;

c) Requests for information made by government authorities; and

d) Internal policies.

5. How can I exercise my rights?

The data subject may exercise the following rights regarding their personal data:

a) Right of access;

b) Right of rectification;

c) Right to object to data processing;

d) Right to data portability;

(e) Right to litigate before the competent authorities; and

f) Right to withdraw consent.

The data subject may exercise their rights by sending a written notification to the Data Protection Officer (DPO). The DPO's identity and contact information are available on our website at iyscosmetics.com. If you have any questions or require clarification regarding this Privacy Policy, please contact us at the following email address: sac@iyscosmetics.com.

The data subject may confirm the existence of the processing of their personal data; furthermore, the data subject has the right to access their personal data. A copy of their personal data will be provided to the data subject, provided that the rights and freedoms of third parties are not affected in this process. The data subject may request the deletion of their personal data, without undue delay, in the following situations:

a) When your personal data is no longer necessary for the purpose of data processing.

b) When the data subject withdraws their consent for the processing of data that is legally based on consent, such as sensitive data, data of minors, and data transfers, under the terms and definitions provided for by the LGPD;

c) When your personal data is used for marketing purposes; and d) When personal data is processed unlawfully.

It is important to emphasize that there are exceptions regarding the exercise of the data subject's right to object to the processing of their data. These exceptions occur when the processing of personal data is necessary for compliance with legal and/or regulatory obligations, for the exercise of rights in judicial, administrative or arbitration proceedings, and lastly, in the exercise of the legitimate interest of the company. IYS, providing justification regarding the legal basis and purposes under the LGPD (Brazilian General Data Protection Law).

The data subject may file a complaint with the National Data Protection Authority (ANPD), requesting that the company immediately stop the processing in question, if they consider that the processing of their personal information violates the data protection legislation (LGPD).

6. Data on children and adolescents

We do not collect data from children and adolescents, that is, individuals under the age of 18.

7. Cookies, identifiers, trackers and third-party information

We use cookies on our website, insofar as these cookies are strictly necessary for browsing our website and/or providing our services. We will ask you to agree to the use of cookies when you visit our website for the first time. Blocking all cookies will have a negative impact on the usability of many websites. If you block cookies, the features available on our portals and electronic applications may have their functionality compromised.

Cookies typically do not contain personally identifiable information; however, personal information that we store about you may be linked to information obtained from cookies. We use cookies for the following purposes:

the) Authentication : Identifies when a user utilizes our online portals and applications;

b) Status: It helps determine if the user is logged into our online portals and applications;

w) Customization: It stores information about your preferences in order to personalize services for the user;

d) Security : A security element used to protect user accounts, including preventing the fraudulent use of login credentials, to protect our portals, electronic applications, and services in general.

and) Advertising: It helps determine and display ads that will be relevant to the user experience;

f) Analysis: It helps us analyze the usage and performance of our website and services;

g) Cookie consent : stores user preferences regarding the use of cookies.

Our service providers use cookies, which may be stored on your computer when you use our online portals and applications. Most browsers allow you to refuse to accept cookies and to delete them; the methods for doing so vary from browser to browser and from version to version. Blocking all cookies will negatively impact the use of many websites and may compromise their proper functioning.

In addition to identifiers and cookies, we also use web beacons to manage the content of our websites. Web beacons are associated with the sending of emails and other communications that the user receives from the company and our offices. Web beacons help us track user responses and interests in order to provide relevant content and services.

We may use third-party services, such as open search tools and social networks, to obtain information about the user in order to enrich their personal data by obtaining publicly available information about them, such as their job title, employment history, and contact information.

8. Updates to the Data Privacy Policy

The company IYS We may update this Privacy Policy. Updates will be published on our website and other related platforms, and can be checked online at any time. We recommend that you periodically check our communication channels for any changes to this Privacy Policy. In the event of significant changes to this privacy policy, we may notify you of such changes via email and specific messages on our communication platforms.