GENERAL PRIVACY AND DATA PROTECTION POLICY 

1. PURPOSE 

Aquiris Game Studio (“We” or “Aquiris”), in the performance of its activities, carries out personal data processing operations, either directly or through its collaborators, partners or service providers. This General Privacy and Data Protection Policy indicates our institutional commitment to respect and transparency with regard to this matter. It also establishes the guidelines to be followed by Aquiris within the scope of its personal data processing operations.

2. GUIDELINES

2.1. Applicability

This General Privacy and Data Protection Policy applies to everyone that somehow carries out any personal data processing operation on behalf of Aquiris - collaborators, freelance professionals, service providers, commercial agents, partners and others that may have access to information, data, services, systems and resources owned by you (“Stakeholders”).

2.2. General operationalization

2.2.1. Personal Data Processing Operations (OTDs): Each and every new process, activity or operation carried out by Aquiris involving the processing of personal data must be previously reported in writing, via the email address dpo@aquiris.com.br, to Aquiris’ Data Protection Officer (“DPO”), who may formulate compliance adjustment recommendations before an OTD is approved.

2.2.2. Relationship with third parties: Before entering into agreements with any third parties, Aquiris must demand that all stakeholders involved: 

  1. Have mapped out all their data processing operations, thus ensuring that no personal data is processed without complying with the applicable legal framework;
  2. Have the appropriate means to receive and properly respond to any requests and/or communications from data subjects;
  3. Implement best practices in order to ensure the security of all personal data processed;
  4. Have appointed an Officer dedicated to personal data processing;
  5. Have an Incident Prevention and Response Plan in case of data leaks.

Failure to comply with any of the aforementioned requirements must be documented in any agreement to be signed so that Aquiris may be exempt from any civil, criminal or administrative liability that may be attributed to a Third Party. 

 

2.3. Specific operationalization: 

2.3.1. Processing of personal data: Each and every personal data processing carried out at or on behalf of Aquiris must have a legitimate and specific reason, and no personal data shall be processed for any purpose other than the one informed to the data subject.

 

2.3.2. Notification to data subject: Efforts must be made so that data subjects are appropriately aware of how their personal data is processed. In cases where personal data must be shared with other companies, Aquiris shall guarantee the availability, whenever requested by data subjects, of clear and conspicuous information regarding this sharing, including its purpose.

2.3.3. Excessive processing of personal data: Excessive processing of personal data is prohibited; on that note: (i.) each and every personal data processing operation must be guided by the principle of necessity and carried out in the least invasive way possible for the data subject; (ii.) a retention period must be established for each personal data processing operation; and (iii.) a specific technical procedure on the retention and deletion of personal data must be created.

2.3.4. Privacy by design and by default: Respect for privacy must be expressed “by design” and “by default”, so that every new product or service is, from its conception, carefully analyzed in order to reduce risks to the protection of personal data, and the granting of any right by the data subject cannot be presumed.

2.3.5. Processing data from children and teenagers: Personal data from children and teenagers must always be processed in their best interest. When data from children and teenagers are processed, there shall be an indication to that effect, informing the purpose of such operation. Parental consent shall be required when processing data that are known to be from children. Such processing may also take place as a result of a legal or regulatory obligation, in which case Aquiris shall directly follow the provisions set forth in specific legislation.

2.3.6. Information technology and security: Aquiris shall constantly seek to adopt best practices in terms of information technology and security, aiming to guarantee the protection of personal data, including technical and organizational security measures to protect personal data against unauthorized access, accidental or intentional manipulation, loss or destruction. 

2.3.7. Access management: Access to all personal data collected shall be restricted to authorized collaborators that must process these data in order to carry out their activities in the company. Collaborators that make undue or inappropriate use of the data collected, in violation of this Policy, shall be subject to the consequences of a disciplinary proceeding. If, in order to make compliance with legal or contractual obligations feasible, there is a need for third parties (“Operators”) to process personal data, they shall be required to employ the same strictness employed by Aquiris in its personal data processing operations.

2.3.8. Collection and storage of personal data: The storage of information collected from users, whether such information was provided by the users themselves or obtained automatically from Aquiris’s electronic systems, must comply with all security standards deemed necessary for the preservation of confidentiality and integrity of personal data.  

2.3.9. Secure and centralized tools: Every transmission of personal data through electronic systems must be carried out using secure connections and the appropriate tools for this purpose. Data referring to users’ passwords and electronic signatures must be stored in Aquiris’ databases and encrypted by algorithms that guarantee a high level of security.  

 

2.3.10. Right of access: Subject to legal exceptions, any employee, partner or service provider may obtain, upon request, information on their own personal data. Additionally, they are entitled to revoke the consent previously provided for data processing, subject to the exceptions provided for by law. 

2.3.11. Processing data from collaborators and other persons: Personal data from collaborators, partners and service providers shall only be used in order to provide support to the company’s operations and to manage compensation programs, benefits and human resources, or whenever necessary in order to comply with legal requirements. On an exceptional basis, it shall be necessary to obtain consent from said data subjects in order to process data for purposes that differ from those described in this Policy.

 

3. ROLES AND RESPONSIBILITIES 

Aquiris shall inform on its official website the name and contact details of the Officer in charge of personal data processing, who shall be responsible for:

(i) Receiving requests, complaints and communications in general from data subjects, managing their referral;

(ii) Acting as point of contact with inspection authorities;

(iii) Coordinating the preparation and update of the Data Processing Operations Registry (ROPA) in order to assess risks in the use of personal data and the company’s regulatory compliance, especially with regard to the development of new products, services and practices;

(iv) Carrying out internal audits and proactively establishing strategies in terms of compliance and the prevention of risks involving personal data;

(v) Mentoring and organizing training sessions for the company’s collaborators regarding best practices for protecting personal data;

(vi) Coordinating incident response measures involving data leaks or theft of personal data, including reporting to the authorities or respective holders;

(vii) Performing any other duties as determined by the controller or as established in complementary regulations, prioritizing the monitoring and adaptation of the company to legal compliance and requirements;

(viii) Monitoring the development process of new products and services so that the Privacy by design (“PbD”) model may be ensured at all levels of innovation design in the company;

(ix) Coordinating the review and update of the data privacy policies applicable to Aquiris’s data processing processes.

4. MONITORING AND CONTROL

In order to ensure effective compliance with this General Privacy Policy, Aquiris reserves the right to monitor, inspect or audit any information that is stored in computers owned by Aquiris or information transmitted through the company's network. 

5. FINAL PROVISIONS

This Policy shall be reviewed every 12 months. The decision to review it can be based on the company’s own criteria or based on one of the following events:

(i) Data leak incidents deemed significant;

(ii) New vulnerabilities identified in the company;

(iii) Changes in the company’s technical or organizational structure;

(iv) Risk impact reports.

For your convenience, this Policy is available in Portuguese and in English. Should there be questions regarding the interpretation of these two versions, the Portuguese version shall prevail for all intents and purposes.

The General Privacy Policy is a controlled document.

Version control must be carefully observed. 

Date | Description | Person in Charge | Version
01/27/2023 | First Version of the General Privacy Policy. | Raphael Baldi | 1.0