CMA Consulting, Methods, Advisory, and Mercantile S/A (“CMA”),
registered under CNPJ No. 43.819.978/0001-92, with its headquarters in
the City of São Paulo, State of São Paulo, at Rua Prof. Filadelfo
Azevedo, No. 712, Bairro Vl. Nova Conceição, CEP 04508-011, and its
business units, “TROM,” “Agência Safras News,” and “Safras &
Mercado,” cares about the privacy and protection of your personal
data. For this reason, we have developed this Privacy Policy to inform
you about the collection, use, sharing, and generally how we process
your personal data under the General Data Protection Law (Law No.
13.709/18, “LGPD”).
We encourage you to read this document in full, as by
expressing your acceptance of this Policy, you agree and adhere to its
terms.
We encourage you to read this document in full, as by
expressing your acceptance of this Policy, you agree and adhere to its
terms.
1. TERMS AND DEFINITIONS
Every time you read a term starting with a capital letter in this
Policy, it means that it is a term with a specifically defined
meaning.
This Privacy Policy does not limit itself to individuals who
receive/use our services, that is, it extends to clients, legal
representatives, service providers, third parties, and any other
individuals who in some way relate to the company, when they, referred
to as the "Data Subject," provide their information and personal data
to CMA.
This Privacy Policy sets forth terms for the collection,
processing, and use of sensitive data from clients and other
individuals who access TROM websites (
www.cma.com.br
), Agência CMA (
www.agenciacma.com.br
) and SAFRAS & Mercado (
www.safras.com.br
) or any other digital communication channel, including their
respective social networks and landing pages.
Every time we
refer to the terms “CMA,” “we,” or “our,” we are referring to the
entire CMA group; similarly, every time we refer to the terms “you,”
“your,” “yours,” we are referring to the Data Subject.
The
practices described in this Privacy Policy apply solely to the
processing of your personal data in Brazil and are subject to local
laws, with a particular emphasis on Law No. 13.709/2018 (General Data
Protection Law, or “LGPD”).
Considering that there are some technical terms from the LGPD,
as well as to help you better understand this policy, we will apply
the same terms and definitions provided in Article 5 of the LGPD. If
you have any doubts about the terms used in this policy, we suggest
you consult the list below:
PERSONAL DATA:
Any information related to an identified or identifiable natural
person.
SENSITIVE PERSONAL DATA:
Special category of personal data related to racial or
ethnic origin, religious conviction, political opinion, union or
organization affiliation, related to health or sexual life, genetic or
biometric data of a natural person.
DATA SUBJECT:
Natural
person to whom the personal data refers, such as former, present, or
potential clients, employees, contractors, commercial partners, and
third parties.
CONTROLLER:
Legal entity, either public or private, responsible for
decisions regarding the processing of personal data.
PROCESSOR:
Legal entity, either public or private, that processes personal data
on behalf of the controller.
DPO (Data Protection Officer):
Person appointed by the Controller and Processor to act as a
communication channel between the Controller, Data Subjects, and the
National Data Protection Authority (ANPD).
CONSENT:
Free, informed, and unequivocal manifestation by which the Data
Subject and/or legal representative agrees to the processing of
personal data for a specified purpose.
PROCESSING:
Any operation carried out with personal data, such as collection,
production, reception, classification, use, access, reproduction,
transmission, distribution, processing, filing, storage, deletion,
evaluation or control of information, modification, communication,
transfer, diffusion or extraction.
ANONYMIZATION:
Process by which the data loses the possibility of being associated,
directly or indirectly, with an individual, considering the reasonable
and available technical means at the time of processing.
2. DATA COLLECTION
I. Browse the TROM website (
www.cma.com.br
);
II. Browse the Agência CMA website (
www.agenciacma.com.br
);
III. Browse the SAFRAS & Mercado website (
www.safras.com.br
);
IV. Hire or use any of our products or services;
V.
Contact us through our service channels;
VI. Contact and
navigate our social networks (Instagram, Facebook, YouTube, Twitter,
LinkedIn, Telegram, and other social networks that may eventually
arise).
PERSONAL DATA:
Information - Full name; Email addresses; DDD and phone numbers;
Social media profiles; Profession; Company and market segment in which
you work; Professional interests; Date of birth;
Purpose - Used to identify and confirm the identity for purposes of:
offering news, newsletters, bulletins, market information, and CMA
service demonstrations to interested parties; assisting and answering
questions, notifications, compliance with legal and regulatory
requirements to authorities; marketing; market research; preventing
and resolving technical issues;
DIGITAL PERSONAL DATA:
Information - IP address of the mobile device used to access CMA
services; Interactions and website usage profile; Technical data such
as URL, network connection, provider, and device; Cookies; Device
attributes, such as ID, operating system, browser, and model. I.
Customer service history; Access and use history of products and
services;
Purpose - Used for identification and identity confirmation in order
to optimize and/or personalize service, support, user experience, and
product sales.
Data collection and/or receipt occurs when:
You directly provide us with information through: registrations,
forms, email, and/or phone.
We receive your data from legitimate sources, such as business
partners you already engage with.
3. THE OPTION TO NOT PROVIDE YOUR PERSONAL DATA
CMA emphasizes the importance of providing personal data, as they are
essential for the provision/realization of our services. Personal data
processing is a condition for using our services, but we ensure that
the collection of these data is limited to the minimum necessary.
We highlight our compliance with the General Data Protection
Law – Law 13.709/2018 (“LGPD”) and guarantee that the provision of our
services is based on confidentiality and privacy.
4. THE NEED FOR CONSENT
The LGPD establishes legal bases for data processing, i.e., different
situations in which we are allowed to process personal data without
the need for the Data Subject’s consent.
When you opt for one of our services and/or platforms, we may
collect and process your data without your consent (provided there is
a legal basis under the LGPD authorizing us), for purposes such as:
contract execution, compliance with legal and/or regulatory
obligations, and legitimate interest.
If consent is legally required for processing personal data, we
will request it explicitly, and the Data Subject may withdraw consent
at any time, provided this does not affect the lawfulness of
processing based on prior consent and does not harm the same case
where it is mandatory.
To revoke your consent, you can contact us through our official
communication channel: privacidade@cma.com.br
5. CONSENT FOR THE PROCESSING OF SENSITIVE PERSONAL DATA
Sensitive personal data refers to information about racial or ethnic
origin, religious conviction, political opinion, union affiliation, or
membership in a religious, philosophical, or political organization,
as well as health or sexual life data, genetic or biometric data of an
individual.
When processing sensitive data, in addition to complying with
the other rules provided in this Policy, the consent must:
Occur in a specific manner, directed solely at the processing
of such information;
Be inserted in a manner distinct from other terms and
authorization requests.
6. SHARING OF PERSONAL DATA
CMA does not sell or commercially exploit personal data. The collected
and/or received information may be shared with: internal departments;
partner companies; companies within the same group; judicial,
administrative, and/or government authorities whenever legally
required; auditing companies when the audit is conducted on CMA’s
operations; eventual compliance with legal or regulatory obligations.
7. STORAGE OF PERSONAL DATA
The collected personal data is stored in a secure environment. To do
so, CMA uses local servers as well as cloud environments (cloud
computing) that may require transmission and/or processing outside
Brazil. These transfers occur only with companies that demonstrate
compliance with applicable laws and maintain the level of compliance
required by Brazilian legislation.
8. HOW LONG WILL WE KEEP YOUR DATA.
CMA will keep your data, mainly but not limited to, for the time
necessary to fulfill legal and regulatory obligations, as well as for
the time needed to eventually exercise rights, including before the
Judiciary.
9. HOW WE ENSURE THE SECURITY OF YOUR PERSONAL DATA.
We know it is impossible to guarantee 100% security of information,
but in order to minimize risks and provide greater security, our
actions are aligned with the best practices, techniques, and
administrative measures to protect your Personal Data from
unauthorized access, accidental and illegal destruction, loss,
alteration, communication, or any other form of inappropriate or
illegal processing, from the conception of our platform to its
respective execution. To achieve this, we use and apply
internationally recognized standards and best practices, such as:
Continuous environment monitoring; Continuous security assessments and
tests on our systems, conducted by internal and external teams;
periodic audits, as well as the establishment of a Data Security and
Privacy Committee (CSIPD), and a Governance, Risk, and Compliance
(GRC) team.
10. YOUR RIGHTS RELATED TO YOUR PERSONAL DATA.
With the enactment of the LGPD, you, as the data subject, can exercise
your rights before the controllers of your personal data. Below, we
detail how you can exercise your rights clearly and transparently, and
our team will be ready to address any requests.
I. Confirmation of the existence of personal data processing.
We process your personal data, including the storage of personal data
in a secure and controlled environment. You can ask us to confirm
whether we process your personal data.
II. Access to personal data.
You can ask us to inform you and provide the personal data we hold
regarding you.
III. Correction of incomplete, inaccurate, or outdated personal data.
If you find that your personal data is incomplete, inaccurate, or
outdated, you can request its correction or supplementation. For this,
you will need to provide a document that proves the correct and
updated form of the personal data.
IV. Anonymization, blocking, or deletion of unnecessary, excessive, or
non-compliant data with the LGPD.
If any personal data is processed in an unnecessary, excessive, or
non-compliant manner with the LGPD, you can request that CMA
anonymize, block, or delete such data, provided that the excess, lack
of necessity, or non-compliance with the law is effectively confirmed.
V. Deletion of personal data processed with consent.
If you have given consent for the processing of your personal data for
specific purposes (and not necessary for the provision of our services
or delivery of our products), you can request the deletion of such
personal data.
VI. Information about the companies with which CMA shared or from
which it received your personal data.
You can request information about which third parties we have shared
your personal data with or from whom we have received your personal
data.
VII. Information about the possibility of not providing consent and
the consequences of refusal.
If your consent is required to access or use a specific product or
service, you can ask us to clarify whether it is possible to provide
this product or service without your consent for the processing of
your personal data, or what the consequences are for not providing
consent in this case.
VIII. Revocation of consent.
If you have given your consent for the processing of your personal
data, you can request the revocation of this consent. Revocation of
consent may result in the termination of the provided services, but
does not prevent the use of (i) anonymized data; and (ii) data whose
processing is based on another legal basis under the LGPD.
To exercise any of these rights, please contact us by email at
privacidade@cma.com.br. To effectively carry out your rights, we may
ask for proof of your identity as a security measure, authentication,
and fraud prevention.
11. INCIDENT NOTIFICATION.
Privacy and Data Protection incidents will be communicated through the
company's official website (
www.cma.com.br
).
12. ADDITIONAL INFORMATION.
This document may be changed at any time as per CMA's discretion. To
maintain transparency, every time this document is amended, it will be
validated and will come into full effect upon:
Publication/disclosure in CMA's physical and digital locations.
13. Any questions? Contact Us!
If after reading this Privacy Policy you still have any questions, or
for any reason need to communicate with us regarding your personal
data, you can contact our Data Protection Officer:
Email: privacidade@cma.com.br
13. ACCEPTANCE OF THE PRIVACY POLICY.
By accepting this Privacy Policy, the CLIENT consents to receive
notifications, communications, and alerts regarding the services
provided by CMA. The CLIENT may revoke their consent at any time by
expressing their desire through the email address dpo@cma.com.br.
We hope we have helped you better understand how we handle your data,
and we are available to clarify any doubts and continue our work with
integrity and transparency!
CMA Group