Privacy Policy

Introduction

UTUA aims to share information and commercial proposals of interest to its Users, raising awareness about products and services that best suit their reality, according to their needs and preferences.

UTUA follows international and national security rules and standards for data storage, protection, privacy, and transmission.

By using UTUA’s services, the user confirms they have read, understood, and accepted the Terms and Policies applicable to the service provided by UTUA, including this Privacy Policy, and agrees to be bound by them, being aware that the controller of their personal data, that is, the company responsible for making decisions about the processing of their personal data, will be BE GROWTH BRASIL INTERNET S.A, a business company registered in the CNPJ/MF under No. 36.563.402/0001-41 established at Av. Afonso Pena, nº 3351, Serra, Belo Horizonte – MG, CEP: 30.130-008.

After reading this Privacy Policy, if you have any questions, complaints, wish to exercise your rights regarding your personal data, or communicate with UTUA about this matter, you can contact us through our customer service channels or contact our Data Protection Officer (DPO), Gabriel Machado Delgado, by e-mail compliance@begrowth.com.br

1. Application

This Privacy Policy applies to all UTUA users and anyone who, in any way, uses the services provided by this tool. We collect your personal data whenever you:

• Fill out the registration form available on the company’s website;
• Participate in surveys or promotions offered by UTUA;
• Report a problem to UTUA, requesting a solution from the company;
• Browse the UTUA website – https://utua.com.br/
• Contact us through our customer service channels;
• Subscribe to “Clube Utua” to participate in sweepstakes and specific promotions, as described in the specific Privacy Policy of this program.

This Privacy Policy is also applicable to other forms of personal data collection by UTUA, which allow the provision or improvement of our services. For example, we may collect information through partners or regarding our technologies, or even for participation in duly regulated sweepstakes, as in the case of Clube Utua.

The practices described in this Privacy Policy are subject to applicable local laws, highlighting Law No. 13.709/2018 (General Personal Data Protection Law, or “LGPD”).

2. What personal data is collected by UTUA

By using UTUA’s services, you provide us, and we collect, certain personal data related to you. From the moment you interact with UTUA, we collect your personal data. In some cases, you directly provide your personal data to UTUA, but we may also collect your data automatically when you browse the Utua website.

Furthermore, we also receive some personal data sent by partners we hire for specific purposes, so that we can comply with legal obligations or applicable regulations and others that will be detailed later.

By accepting the terms of this Privacy Policy, you expressly agree to provide only true, current, and accurate personal data and not to alter your identity or your personal data in any way when accessing and using our products or services. You will be solely responsible for the false, outdated, or inaccurate information you directly provide to UTUA.

These are your personal data processed by UTUA, divided by categories:

Personal data that may be requested and provided by the data subject:

• (i) Registration data: full name, telephone, e-mail, CPF, date of birth, address, gender, RG (number and issuing body), full name of the father and mother;
• (ii) Data about the intended negotiation: information related to the financial product or credit modality you wish to hire;
• (iii) Data on professional situation and banking information: information related to the user’s current or previous occupation, as well as possible transactions or balances in accounts linked to the FGTS and banking data provided to receive funds.
• (iv) Social security benefit data: profile (retiree, pensioner, civil servant, member of the armed forces, etc.); type of benefit received (retirement, pension, etc.); benefit amount; registration number; state, bank, account, and receiving branch;
• (v) Data about possible loan guarantees: if you own a vehicle or property in your name; value and address of the property to be used as a guarantee; and negative credit situation, if applicable;
• (vi) Data from information systems: SCR, Positive Registry, and Open Finance data, respecting applicable legal and regulatory limits.

Personal data we collect from third parties:

• Registration data, such as: name, date of birth, CPF, telephone number, and address;
• Data on financial restrictions, such as: negative credit records, amounts owed, and due dates;
• Information on credit history;
• Score generated by credit bureaus;
• Information on debts due or overdue, co-obligations, and guarantees;

Browsing and device data:

• IP address of the mobile device used to access UTUA services or products;
• Interactions performed and usage profile of the UTUA website;
• Technical data, such as URL information, network connection, provider, and device information;
• Cookies;
• Device attributes, such as ID, operating system, browser, and model;
• Device geolocation data if you authorize collection from your device;
• Application access logs;
• Date and time of application use;
• Browsing data, reflecting visited areas;

Personal data originating from the use of our services:

• Data on the contracting of our services;
• Data on the contracting of credit operations with partners, such as personal loans, negotiation of amounts owed, and debt installments;
• Credit history;
• Customer service history;

“UTUA does not collect or process sensitive data, such as racial or ethnic origin, religious or political conviction, union affiliation, or genetic or biometric data, unless strictly necessary and with a valid legal basis.”

3. How UTUA uses your personal data

UTUA uses your personal data to be able to offer you the best products and, additionally, in the case of Clube Utua, to allow you to participate in sweepstakes promoted under the terms of the respective Regulations.

UTUA is committed to continuously implementing physical, technical, and administrative information security measures in the processing of your personal data, in compliance with the best market practices. We seek, thus, to protect your data against unauthorized access, accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing.

We detail below the purposes for which we use your personal data:

Personal data provided by the data subject

Purposes:

• The correct and accurate identification of the user, ensuring greater security and protection for the users themselves;
• Access to the services and products made available by UTUA;
• The analysis of users’ profiles with the aim of indicating the best products and information according to their real need and reality;
• Identification, authentication, and verification of requirements for using UTUA’s services;
• Sending articles and texts related to partners’ products, which, in the case of Clube Utua, enables the accumulation of points for the User’s participation in sweepstakes regularly promoted by UTUA;
• Fulfillment of requests and answering questions;
• Contact by telephone, e-mail, SMS, WhatsApp, or other means of communication, including sending notifications or pushes regarding the use of UTUA’s services;
• Improvement of the services provided by UTUA, including the cross-referencing of information about contracted products to offer new products and services;
• Marketing, prospecting, market research, opinion polls, and promotion of products and services of our partners, including facilitating offers and sending information about products, services, news, features, content, news, and other relevant events to maintain the relationship with you;
• Credit protection, including credit granting and limit increase;
• Prevention and resolution of technical or security problems;
• Investigations and measures to prevent and combat illicit acts, fraud, financial crimes, and to ensure the security of UTUA clients and the financial system;
• Collaboration or compliance with a judicial order, competent authority, or regulatory body;
• Compliance with legal or regulatory obligations;
• Solving questions based on the collected information, to clear doubts, correct problems, and improve the system, enhancing the UTUA User experience.

Personal data we collect from third parties

Purposes:

• Improvement of our products and services;
• Marketing, prospecting, market and opinion research;
• Credit protection, including credit granting and limit increase;
• Prevention and resolution of technical or security problems;
• Investigations and measures to prevent and combat illicit acts, fraud, financial crimes, and to ensure the security of UTUA clients and the financial system;
• Compliance with legal or regulatory obligations, keeping your registration up to date, or fulfilling legal and/or regulatory obligations imposed on UTUA.

Browsing and device data

Purposes:

• Provision of services, offering contracted products, and improving the use and experience with the UTUA website;
• Operationalization of new products and services;
• Recommendation of new services, products, or features, including services from other partners that may interest you;
• Display of advertising, whether on our website, social networks, or third-party websites;
• Generation of statistics, studies, research, and surveys relevant to activities and behavior in the use of products or services;
• Credit protection, including credit granting and limit increase;
• Prevention and resolution of technical or security problems;
• Investigations and measures to prevent and combat illicit acts, fraud, financial crimes, and to ensure the security of UTUA clients and the financial system;
• Compliance with a judicial order, competent authority, or regulatory body;
• Compliance with legal or regulatory obligations;

Personal data originating from the use of our partners’ products and services

Purposes:

• Provision of services and offering of contracted products;
• Improvement of the services provided by UTUA, including the cross-referencing of information about contracted products to offer new products and services;
• Development of new products and services to be offered by UTUA partner companies and generation of knowledge for innovation or development of new products;
• Tests to improve UTUA’s models, services, and products;
• Marketing, prospecting, market research, opinion polls, and promotion of our partners’ products and services, including facilitating offers and sending information about products, services, news, features, content, news, and other relevant events to maintain the relationship with you;
• Credit protection, including credit granting and limit increase;
• Prevention and resolution of technical or security problems and monitoring the use and performance of UTUA services and products;
• Investigations and measures to prevent and combat illicit acts, fraud, financial crimes, and to ensure the security of UTUA clients and the financial system;
• Collaboration or compliance with a judicial order, competent authority, or regulatory body;
• Compliance with legal or regulatory obligations.

Public data

Purposes:

• Disclosure of products and services provided by UTUA on social networks, websites, applications, or institutional and advertising materials;
• Credit protection, including credit granting and limit increase;
• Investigations and measures to prevent and combat illicit acts, fraud, financial crimes, and to ensure the security of UTUA clients and the financial system;
• Regular exercise of UTUA’s rights;
• Compliance with legal and/or regulatory obligations imposed on UTUA.

4. Sharing of personal data

UTUA may share your data in some situations. The sharing of your data may be done with companies within UTUA’s economic group, service providers, and with authorities and regulatory bodies for different purposes, when necessary. Whenever performed, data sharing will be carried out within the limits and purposes of our business and in accordance with what is authorized by applicable legislation.

Additionally, personal data may be shared with Assertiva Tecnologia da Informação LTDA, always respecting the applicable legal basis, LGPD principles, and the legitimate chain of data processing, with due commitment to confidentiality, security, and compliance. At any time, the User will have free access to their personal data, either through Be Growth’s or Assertiva Tecnologia da Informação LTDA’s customer service channel, and may exercise all their rights provided for in this Policy and in applicable legislation, especially the General Data Protection Law (LGPD).

Below we have prepared a summary divided by categories with the types of suppliers with whom we share your personal data:

Business partners, service providers, and other third parties

Sharing purposes:

• Improvement of our services and website, as well as operationalization of new products or services;
• Contact by telephone, e-mail, SMS, WhatsApp, push notification, or other means of communication;
• Assistance in the development and offering of our services and the sweepstakes promoted by Clube Utua;
• Marketing, prospecting, market research, opinion polls, and promotion of our products and services;
• Credit protection, including credit granting and limit increase;
• Prevention and resolution of technical or security problems;
• Investigations and measures to prevent and combat illicit acts, fraud, financial crimes, and to ensure the security of UTUA clients and the financial system;
• Regular exercise of UTUA’s rights;
• Compliance with a judicial order, competent authority, or regulatory body;
• Compliance with legal or regulatory obligations;
• Verification and improvement of the UTUA client’s credit line, through the cross-referencing of information and analysis with data obtained from partners and credit bureaus;

Authorities and regulatory bodies

Sharing purposes:

• Investigations and measures to prevent and combat illicit acts, fraud, financial crimes, and to ensure the security of UTUA clients and the financial system;
• Regular exercise of UTUA’s rights, including presenting documents in judicial and administrative proceedings, if necessary;
• Compliance with a judicial order, fulfilling a request from a competent authority or regulatory body;
• Compliance with legal or regulatory obligations.

Furthermore, when browsing our website, you may be redirected to third-party websites or applications. Once you are redirected to a third-party website or application, privacy practices will be governed by the privacy policies and terms of use of those third parties. We cannot control or be held responsible for the privacy practices and content of third parties. Please read the applicable privacy policies carefully to understand how they collect and process your data.

All third parties with whom UTUA shares personal data must sign contracts containing data protection clauses compatible with the LGPD.”

5. Retention and deletion of your personal data

As long as you are a Client or Prospect of UTUA, during the use of our services and for the entire period in which UTUA stores your personal data, they will be kept in a secure and controlled environment.

When applicable, and even after the termination of the use of UTUA’s or its partners’ services, we may store your personal data for an additional period for auditing purposes, compliance with legal or regulatory obligations, for the regular exercise of UTUA’s rights, or also for the necessary term according to the legal basis justifying the retention of the data. In the absence of a legal basis justifying data retention, they will be deleted from the UTUA database after a period of 5 (five) years, counting from the termination of your relationship with UTUA.

6. Your rights as a personal data subject

Since the entry into force of the LGPD, you, as a personal data subject, can exercise your rights against the controllers of your personal data, such as UTUA.

We provide the mechanisms detailed below so that you can clearly and transparently understand how to exercise your rights, and our team will be ready to fulfill any requests.

Confirmation of the existence of personal data processing

The fact that you are a user of UTUA’s services already means that we process your personal data, even if this processing is, among others, the storage of personal data in a secure and controlled environment. In this sense, you can request UTUA to confirm if it processes your personal data.

Access to personal data

You can request UTUA to inform and provide the personal data it holds regarding you.

Correction of incomplete, inaccurate, or outdated personal data

If you verify that your personal data is incomplete, inaccurate, or outdated, you can request UTUA to correct or supplement it. For this, you will need to send a document that proves the correct and current form of the personal data.

Anonymization, blocking, or deletion of unnecessary, excessive data, or data processed in noncompliance with the LGPD

If, eventually, any personal data is processed unnecessarily, excessively for its intended purpose, or in noncompliance with the LGPD, you can request UTUA to anonymize, block, or delete this data, provided that the excess, lack of necessity, or noncompliance with the law is effectively proven.

Deletion of personal data processed with consent

If you have given consent for the processing of your personal data for specific purposes, you may, at any time, request the deletion of this personal data.

Information of the companies with which UTUA shared or from which it received your personal data

You can request UTUA to inform you with which third parties it shared or from whom it received your personal data.

Information about the possibility of not providing consent and about the consequences of denial

If your consent is necessary to access or use a certain product or service, you can ask UTUA to clarify if it is possible to provide this product or service without your consent for the processing of your personal data, or what are the consequences of not providing consent for this case.

Revocation of consent

If you have given your consent for the processing of your personal data, you can request the revocation of this authorization. Revoking consent may result in the impossibility of using some features provided by UTUA, or even in the termination of the services provided, but it does not prevent the use of (i) anonymized data; and (ii) data whose processing is based on another legal hypothesis provided for in the LGPD.

Automated decisions

You can request the review of decisions made solely based on automated processing of personal data that affect your interests and the indication of the criteria used for these decisions. For reasons of trade secrets, protection of confidential information, and preservation of competition, UTUA does not inform how these automated systems work.

7. Activity log / Collected Data

We may log the activities you perform when using our website, creating, when possible and applicable, logs (records of activities carried out on the websites and applications and services) that will contain: the IP address, access, and actions performed by you on the service provided, date and time of each action performed, and information about the device used, such as the operating system version, browser, and geolocation.

We may also use certain technologies, our own or from third parties, to monitor the activities performed while you access our website, such as:

Cookies: are internet files that temporarily store what you are visiting on the network. UTUA has cookies on its website and also receives information from partners regarding cookies inserted on their respective websites. Cookies can be used for various purposes, including remembering you and your preferences, persisting information related to your activities on the visited site, or collecting information that can be used to offer content in a personalized way.

The user may, at any time, change the acceptance or not of cookies in their browser settings, noting that by disabling navigation cookies, some of UTUA’s features may be impaired.

We have third-party cookies enabled on our website. Privacy practices will be governed by the privacy policies and terms of use of these third parties, so we cannot control or be held responsible for the privacy practices and content of third parties. Therefore, we emphasize that you can, at any time, block the use of cookies by activating a setting in your internet browser, and your ability to limit cookies will be subject to your browser’s settings and limitations. You can also delete existing cookies through the same settings of your internet browser. If you choose to disable cookies, you may continue browsing the sites, but some features may stop working.

Web beacon: A web beacon is a technique that allows mapping who is visiting a specific web page, identifying their behavior with different websites or web servers.

Google Adsense DART Cookie: UTUA displays ads served by the GOOGLE ADSENSE Network. Google uses Cookies to display ads on the sites that publish its ads. The DART Cookie allows ads to be displayed based on the user’s preferences and browsing habits. Users may opt to disable the DART Cookie on the page containing the privacy policy of the Google ad and content network. If the user does not agree with Google’s Cookies and wishes to disable them, simply access the official Google page to control how Google uses the Cookies collected in its ad network: http://www.google.com/ads/preferences/

Analytics tools: These tools can collect information such as how you visit a website, including which pages and when you visit such pages, in addition to other websites that were visited before, among others.

All technologies used by us will always respect the terms of this Privacy Policy.

The activity logs will be stored for at least 6 months, according to article 15 of the Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet), and may be kept for a longer period for auditing or security purposes.

8. International transfer of personal data

Some of your personal data, or all of it, may be transferred abroad, for example when it is stored by UTUA and Assertiva Tecnologia da Informação LTDA on cloud computing servers located outside Brazil. For this, both observe all the requirements established by current legislation and adopt the best security and privacy practices to guarantee the integrity and confidentiality of your personal data.

9. Security measures

UTUA uses various types of security measures to ensure the integrity of your personal data, such as information security standards practiced by the industry when collecting and storing personal data.

We treat the security of your personal data with the utmost care, using standards and best practices adopted in the market. We have a highly qualified team responsible for ensuring that UTUA adopts the best security practices, among them:

• Multi-factor authentication for access to information;
• Security as code, in order to enable automations and fast and efficient responses to security events in the technological environment;
• Encryption for data at rest, in transit, and in use, to guarantee the integrity of information;
• Continuous environment monitoring;
• Continuous information security analysis and testing in our systems, done by internal and external teams;
• Periodic audits.

“In addition to internal analyses, UTUA may hire specialized external audits to verify the effectiveness of its security controls.”

10. Consent

Throughout this Privacy Policy, we inform you that some personal data will only be collected by UTUA with your consent. Likewise, this personal data may only be processed with authorization and for the described purposes.

By reading this Privacy Policy and clicking, at the end, on “I have read, am aware of the processing conditions of my personal data and provide my consent, as described in this Privacy Policy.”, you consent to the processing of personal data in the ways indicated here.

It is worth remembering that the processing of your personal data is a necessary condition for us to provide our services to you. If you have questions about any of the terms explained here, we are available on our customer service channels to help you.

11. Additional Relevant Information

UTUA does not send e-mails to its Users requesting payments, or confirmation of personal data. Therefore, if you receive any e-mail with this intent, we indicate that it should be immediately disregarded and reported as spam.

UTUA may share your personal data with partner companies in order to be able to indicate products and services that best suit your needs or to provide products and/or services requested by the user.

Articles on the UTUA website may include embedded content from other websites, such as, for example, videos, images, articles, etc. Embedded content from other websites behaves exactly in the same way as if the visitor were visiting the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with this embedded content, including your interaction with the embedded content if you have an account and are logged in to that website.

12. Changes to this Privacy Policy

UTUA may change this Privacy Policy at any time. Whenever any relevant condition of this Privacy Policy is changed, these changes will be valid, effective, and binding after the new version is published on our website or sent to you by e-mail.

We always value transparency: whenever a relevant change is made, we will highlight the information on our main page https://utua.com.br/. By continuing to use our products and services after a change in the Privacy Policy, you will agree to the new conditions, although you can always express your disagreement through our customer service channels, if applicable.

13. Contact with the DPO

According to Law No. 13.709/2018, UTUA is considered the “Controller” of your personal data. If after reading this Privacy Policy you still have any questions, or for any reason need to communicate with us regarding matters involving your personal data, you can contact our data protection officer:

• Data Protection Officer (DPO): Gabriel Machado Delgado
• E-mail: compliance@begrowth.com.br
• Address: Av. Afonso Pena, nº 3351, Serra, Belo Horizonte – MG, CEP: 30.130-008.
• Attributions: Article 41, §2º, of the LGPD

I – accept complaints and communications from data subjects, provide clarifications, and adopt measures;

II – receive communications from the national authority and adopt measures;

III – guide the entity’s employees and contractors regarding the practices to be taken in relation to personal data protection; and

IV – execute the other attributions determined by the controller or established in complementary norms.

14. What are the rights of data subjects?

The General Data Protection Law – LGPD guarantees data subjects certain rights in relation to them, making it possible to exercise them at any time and upon express request made by the data subject, via the e-mail compliance@begrowth.com.br

You can exercise your rights as defined by the LGPD, which are:

• Right of confirmation and access (Art. 18, I and II): You can request at any time, confirmation that your data is being processed in our environments. If yes, you can request access to it, in addition to the possibility of requesting a complete electronic copy of this information, or in a format that allows its use.
• Right to rectification (Art. 18, III): You can also request the correction of your personal data that is incomplete, inaccurate, or outdated.
• Anonymization, blocking, or deletion of your personal data (Art. 18, IV): Allied to the rights listed above, you also have the right to request UTUA to anonymize, block, or delete your personal data, if you consider that they are being processed excessively to the purpose or without observing the General Data Protection Law – LGPD.
• Right to object (Art. 18, § 2º): It is the user’s right to object to data processing at any time and for reasons related to their particular situation, provided it is based on one of the hypotheses of waiver of consent or in case of non-compliance with the provisions of the General Data Protection Law.
• Right to revocation of consent (Art. 18, IX): You can, at any time, revoke the consent you have given to Utua. It is important to remember that revocation of consent will not always be able to occur, since the processing of data and its storage may meet, in their majority, provisions set forth by law.
• Right not to be subject to automated decisions (Art. 20, LGPD): The data subject has the right to request a review of decisions taken solely on the basis of automated processing of personal data affecting their interests, including decisions intended to define their personal, professional, consumer, and credit profile or aspects of their personality.

15. FINAL PROVISIONS

In case of doubt regarding the provisions contained in this Privacy Policy, the User may contact through UTUA’s customer service channels or through our Personal Data Protection Officer, whose details were provided above.

If outsourced companies carry out the processing of any data collected by UTUA, they must respect the conditions stipulated here and the Platform’s information security rules.

If any provision of this Privacy Policy is considered illegal or illegitimate by a local authority, the remaining conditions will remain in full force and effect.

The User acknowledges that all communication carried out by e-mail (to the addresses informed in their registration), SMS, instant communication applications, or any other electronic means, such as digital platforms or instant messaging applications, are also valid, effective, and sufficient for the disclosure of any matter referring to the services provided by the Platform, as well as the conditions of its provision or any other matter addressed therein, except for the expressly different provisions set forth in this Privacy Policy.