General Privacy and Data Protection Policy

Last Updated: 01/28/2023

1. Purpose

Aquiris Game Studio (“We” or “Aquiris”), in the performance of its activities, carries out personal data
processing operations, either directly or through its collaborators, partners or service providers. This General
Privacy and Data Protection Policy indicates our institutional commitment to respect and transparency with
regard to this matter. It also establishes the guidelines to be followed by Aquiris within the scope of its
personal data processing operations.

2. Guidelines

2.1 Applicability

This General Privacy and Data Protection Policy applies to everyone that somehow carries out any personal data
processing operation on behalf of Aquiris – collaborators, freelance professionals, service providers,
commercial agents, partners and others that may have access to information, data, services, systems and
resources owned by you (“Stakeholders”).

2.2. General operationalization:

2.2.1. Personal Data Processing Operations (OTDs):

Each and every new process, activity or operation carried out by Aquiris involving the processing of personal
data must be previously reported in writing, via the email address dpo@aquiris.com.br, to Aquiris’ Data Protection Officer (“DPO”), who may
formulate compliance adjustment recommendations before an OTD is approved.

2.2.2. Relationship with third parties:

Before entering into agreements with any third parties, Aquiris must demand that all stakeholders involved:

  1. Have mapped out all their data processing operations, thus ensuring that no personal data is processed
    without complying with the applicable legal framework;
  2. Have the appropriate means to receive and respond properly to any requests and/or communications from
    data subjects;
  3. Implement best practices in order to ensure the security of all personal data processed;
  4. Have appointed an Officer dedicated to personal data processing;
  5. Have an Incident Prevention and Response Plan in case of data leaks.

Failure to comply with any of the aforementioned requirements must be documented in any agreement to be signed
so that Aquiris may be exempt from any civil, criminal or administrative liability that may be attributed to a
Third Party.

2.3. Specific operationalization: 

2.3.1. Processing of personal data:

Each and every personal data processing carried out at or on behalf of Aquiris must have a legitimate and
specific reason, and no personal data shall be processed for any purpose other than the one informed to the data
subject.

2.3.2. Notification to data subject:

Efforts must be made so that the data subject is appropriately aware of how its personal data is processed. In
cases where personal data must be shared with other companies, Aquiris shall guarantee the availability,
whenever requested by data subjects, of clear and ostensible information regarding this sharing, including its
purpose.

2.3.3. Excessive processing of personal data:

Excessive processing of personal data is prohibited; on that note: (i.) each and every personal data processing
operation must be guided by the principle of necessity and carried out in the least invasive way possible for
the data subject; (ii.) a retention period must be established for each personal data processing operation; and
(iii.) a specific technical procedure on the retention and deletion of personal data must be created.

2.3.4. Privacy by design and by default:

Respect for privacy must be expressed “by design” and “by default”, so that every new product or service is,
from its conception, carefully analyzed in order to reduce risks to the protection of personal data, and the
granting of any right by the data subject cannot be presumed.

2.3.5. Processing data from children and teenagers:

Personal data from children and teenagers must always be processed in their best interest. When data from
children and teenagers are processed, there shall be an indication to that effect, informing the purpose of such
operation. Parental consent shall be required when processing data that are known to be from children. Such
processing may also take place as a result of a legal or regulatory obligation, in which case Aquiris shall
directly follow the provisions set forth in specific legislation.

2.3.6. Information technology and security:

Aquiris shall constantly seek to adopt best practices in terms of information technology and security, aiming
to guarantee the protection of personal data, including technical and organizational security measures to
protect personal data against unauthorized access, accidental or intentional manipulation, loss or destruction. 

2.3.7. Access management:

Access to all personal data collected shall be restricted to authorized collaborators that must process these
data in order to carry out their activities in the company. Collaborators that make undue or inappropriate use
of the data collected, in violation of this Policy, shall be subject to the consequences of a disciplinary
proceeding. If, in order to make compliance with legal or contractual obligations feasible, there is a need for
third parties (“Operators”) to process personal data, they shall be required to employ the same strictness
employed by Aquiris in its personal data processing operations.

2.3.8. Collection and storage of personal data:

The storage of information collected from users, whether such information was provided by the users themselves
or obtained automatically from Aquiris’s electronic systems, must comply with all security standards deemed
necessary for the preservation of confidentiality and integrity of personal data. 

2.3.9. Secure and centralized tools:

Every transmission of personal data through electronic systems must be carried out using secure connections and
the appropriate tools for this purpose. Data referring to users’ passwords and electronic signatures must be
stored in Aquiris’ databases and encrypted by algorithms that guarantee a high level of security. 

2.3.10. Right of access

Subject to legal exceptions, any employee, partner or service provider may obtain, upon request, information on
their own personal data. Additionally, they are entitled to revoke the consent previously provided for data
processing, subject to the exceptions provided for by law.

2.3.11. Processing data from collaborators and other persons:

Personal data from collaborators, partners and service providers shall only be used in order to provide support
to the company’s operations and to manage compensation programs, benefits and human resources, or whenever
necessary in order to comply with legal requirements. On an exceptional basis, it shall be necessary to obtain
consent from said data subjects in order to process data for purposes that differ from those described in this
Policy.

3. Roles and Responsibilities

Aquiris shall inform on its official website the name and contact details of the Officer in charge of personal
data processing, who shall be responsible for:

  1. Receiving requests, complaints and communications in general from data subjects, managing their referral;
  2. Acting as point of contact with inspection authorities;
  3. Coordinating the preparation and update of the Data Processing Operations Registry (ROPA) in order to assess
    risks in the use of personal data and the company’s regulatory compliance, especially with regard to the
    development of new products, services and practices;
  4. Carrying out internal audits and proactively establishing strategies in terms of compliance and the prevention
    of risks involving personal data;
  5. Mentoring and organizing training sessions for the company’s collaborators regarding best practices for
    protecting personal data;
  6. Coordinating incident response measures involving data leaks or theft of personal data, including reporting
    to the authorities or respective holders;
  7. Performing any other duties as determined by the controller or as established in complementary regulations,
    prioritizing the monitoring and adaptation of the company to legal compliance and requirements;
  8. Monitoring the development process of new products and services so that the Privacy by design (“PbD”) model
    may be ensured at all levels of innovation design in the company;
  9. Coordinating the review and update of the data privacy policies applicable to Aquiris’s data processing
    processes.

4. Monitoring and Control

In order to ensure effective compliance with this General Privacy Policy, Aquiris reserves the right to
monitor, inspect or audit any information that is stored in computers owned by Aquiris or information
transmitted through the company’s network. 

5. Final Provisions

This Policy shall be reviewed every 12 months. The decision to review it can be based on the company’s own
criteria or based on one of the following events:

  1. Data leak incidents deemed significant;
  2. New vulnerabilities identified in the compan
  3. Changes in the company’s technical or organizational structure;
  4. Risk impact reports.

For your convenience, this Policy is available in Portuguese and in English. Should there be questions
regarding the interpretation of these two versions, the Portuguese version shall prevail for all intents and
purposes.

The General Privacy Policy is a controlled document. Version control must be carefully observed. 

Date | Description | Person responsible | Version
01/28/2023 | First Version of the General Privacy Policy | Raphael Baldi | 1