Privacy Policy

Personal Data Protection

Scope and Coverage:

Springs Capital is committed to preserving the privacy of personal and sensitive data that is collected or accessed through the use of the website or the performance of its activities, and to complying with applicable laws and regulations.

Therefore, it has established the guidelines, principles, and rules set forth in this Policy, which will serve as a guide for the collection, recording, processing, storage, use, sharing, and deletion of personal data, providing the framework for the correct treatment and protection of personal data in its possession.

These guidelines, principles, and rules apply to all Springs Capital employees and encompass personal data stored in any medium, covering any and all forms of processing that may be employed and are available to Springs Capital.

It is important to note that the scope of personal data protection within Springs Capital is largely limited to the personal data of its employees and individuals and legal entities with whom it has established legal relationships, with particular mention of compliance with regulations applicable to the management of third-party assets. This protection also covers data of job applicants at the Asset Management company, suppliers, and others with whom Springs Capital has maintained contact to address any relevant and specific need.

It is worth noting that all processing of personal data carried out by Springs Capital is based on the requirements of Article 7 of Law 13.709/2018 (“LGPD”), as well as the premises of Article 11 of the same Law, when applicable.

Guiding Principles:

Springs Capital is committed to obtaining personal data in a fair and legal manner, and its actions will be guided by the principle of good faith and the principles listed below, which are outlined in Article 6 of the LGPD (Brazilian General Data Protection Law):

I - Purpose : carrying out the processing for legitimate, specific, explicit purposes, informed to the data subject, without the possibility of subsequent processing in a manner incompatible with those purposes;

II - adequacy : compatibility of the processing with the purposes informed to the data subject, according to the context of the processing;

III - Necessity: limiting the processing to the minimum necessary to achieve its purposes, encompassing relevant, proportionate, and non-excessive data in relation to the purposes of the data processing;

IV - Free access: guaranteeing data subjects easy and free access to information about the form and duration of the processing, as well as the completeness of their personal data;

V - Data quality : guaranteeing data subjects the accuracy, clarity, relevance, and timeliness of their data, in accordance with their needs and for the fulfillment of the purpose of its processing;

VI - Transparency : guaranteeing data subjects clear, accurate, and easily accessible information about the processing and the respective data controllers, while respecting commercial and industrial secrets;

VII - Security: the use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;

VIII - Prevention: adopting measures to prevent the occurrence of harm due to the processing of personal data;

IX – non- discrimination: the impossibility of carrying out treatment for unlawful or abusive discriminatory purposes;

X – Accountability and transparency: demonstration, by the agent, of the adoption of effective measures capable of proving the observance and compliance with personal data protection regulations and, including, the effectiveness of these measures.

Rights:

In accordance with the fundamental rights of freedom, intimacy, and privacy, and also with the provisions of Article 18 of the LGPD (Brazilian General Data Protection Law), the holder of personal data has the right to request from Springs Capital, in relation to their data, at any time and by means of an express request, the following.

a) confirmation of the existence of treatment;

b) access to data;

c) correction of incomplete, inaccurate or outdated data;

d) anonymization, blocking or deletion of unnecessary, excessive or processed data in violation of the provisions of Law 13.709/2018;

(e) portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, respecting commercial and industrial secrets;

f) deletion of personal data processed with the consent of the data subject, except in certain situations and respecting the technical limits of the activities, as determined by law;

(g) Information on the public and private entities with which the controller has shared data;

h) information about the possibility of not providing consent and about the consequences of refusal; and

i) revocation of consent, in accordance with the Law.

Springs Capital provides a communication channel, through the email address compliance@springscapital.com, through which its Data Protection Officer will receive any requests, inquiries, communications and/or statements from data subjects regarding the exercise of the rights stipulated in the General Data Protection Law, in accordance with its Privacy Policy. The Data Protection Officer, also known as the Data Protection Officer (DPO), is responsible for assisting data controllers in complying with their legal obligations regarding privacy. In this way, the DPO acts as a bridge. between Springs Capital, the data subjects (natural persons ) and the ANPD.

Personal Data Storage Period:

Personal data will be stored by Springs Capital for the time necessary to achieve the purposes for which it was collected. In any case, this period may be extended to comply with a legal, regulatory or contractual obligation, in which case the minimum storage period will be 5 (five) years.

Cooperation with Authorities:

The disclosure of personal data for compliance with law, court order, regulatory order, or order from a competent authority to which Springs Capital is subject will only occur strictly within the terms and limits required to fulfill the obligation. Data subjects will be notified of such disclosure to the extent possible, provided it does not constitute an infringement, breach of contract, or cause harm to Springs Capital, so that they can take appropriate action.

Additionally, Springs Capital will cooperate with the ANPD (National Data Protection Authority) on any issue related to data protection, within the limits established by the LGPD (Brazilian General Data Protection Law) and other relevant regulations, without waiving any available defenses and/or remedies.

Governance:

Matters relating to personal data, confidential data, and their processing will be presented by the Data Protection Officer for deliberation by the Risk Management and Compliance Committee.

Reporting Obligation:

Employees are required to immediately report to the Data Protection Officer any suspicion or indication of an event that may have compromised personal data held by Springs Capital for proper investigation. If necessary, the Data Protection Officer will notify the ANPD (National Data Protection Authority), as well as all those who may have been affected by said event, within a timeframe commensurate with the severity of the event .

Event Log:

Reported events that have been investigated and found to have resulted in the compromise of personal data will be recorded in the Internal Controls Report and the Personal Data Protection Impact Assessment Report, including sensitive data, in accordance with Article 38 of the LGPD (Brazilian General Data Protection Law).

Training:

Springs Capital will train its employees on the protection of personal and confidential data in accordance with its Employee Training and Retraining Policy.