1. Personal Data Processing
Milênio understands the importance of the privacy of a User’s Personal Data, the trust they have shown by sharing their Personal Data and their responsibility regarding this process and its transparency. Thus, Personal Data Processing shall be performed only in the cases allowed by the LGPD, with special mention to Milênio fulfilling legal or regulatory obligation, or the need for Consent to be given by the Holder of the Personal Data.
Other possibilities that may give rise to Personal Data Processing by Milênio relate to executing contracts or preliminary procedures related to contracts to which the Data Holder is a party, regular exercising of rights in judicial, administrative or arbitration proceedings, protecting the life or physical safety of the Holder or third parties, to meet the legitimate interests of the Controller or third parties, except in the case of the Holder’s fundamental rights and freedoms that require protecting their Personal Data, in addition to relating to credit protection, prevail. Furthermore, Milênio may use Personal Data to analyze the performance of its Website, measure the number of visits, verify Users’ browsing habits, improve Users’ browsing experiences on the Website, allow and facilitate communication with Users, including sending and receiving emails, sending marketing communications through previously authorized means, such as email and social media, or, in the case of investors or business partners, by sending regular reports on the investment vehicles managed by Milênio.
The Processing Agents shall keep records regarding the Personal Data Processing they perform.
2. Data Holder’s Consent for Processing
Under the terms of the LGPD, it is important to point out that, in the case of Sensitive Personal Data, Personal Data of children, as well as international Data transfer operations, the Consent requirements are treated more strictly, so that the Holder’s manifestation is requested in a specific and prominent way, for specific purposes and, in the case of children, the Consent of a parent or guardian shall be obtained.
For cases in which User Consent is required for Data collection to occur, the request shall be made via email or Website, including: (i) specific Data Processing purpose, form and duration; (ii) the Controller’s identification and contact information, which in this case is Milênio; (iii) entities and respective responsibilities with whom the Data will be shared, if applicable; and (iv) rights of Data Holders, as provided for in the relevant legislation.
In the event of any change regarding the purpose of Processing the collected Personal Data, its form and/or duration, Milênio shall inform the Data Holder, who must assess whether or not to maintain their Consent.
Additionally, it should be noted that the Data Holder shall always have the option to revoke their Consent so that their Personal Data are no longer processed, at any time, through their clear expression under the terms set forth herein, by means of a free procedure and ensuring that their Processed Personal Data is deleted, unless the said Data are duly anonymized.
3. Personal Data Collection
Milênio shall collect the Personal Data entered or forwarded when, for example, the User: (i) accesses Milênio channels (Website or social media), as well as makes contact through the Website or through the contact email provided therein; (ii) sends their resume for participating in a recruitment process; (iii) has a contractual, labor or corporate relationship with Milênio; or (iv) completes registrations, proposals, simulations, contracts, expressions of interest in Milênio products or services, and others.
Personal Data Provided Directly by the User
It is important to clarify, initially, that Milênio collects Personal Data from 4 (four) sources, namely: (i) Data provided by the User; (ii) Data provided by third parties; (iii) those that are operational in scope, collected during the use of any product or service offered by Milênio; and (iv) those that are publicly available or made public by the User.
Personal Data Provided by Third Parties
Milênio may receive Personal Data through third parties, whether partners or service providers, who have some relationship with the User, such as, but not limited to, the following cases: (i) receipt of necessary documentation for analyzing investments from managed vehicles, such as corporate information of partners, service providers, as well as debtors and related parties of invested operations, and Data of its employees, such as directors, board members, partners, employees, and interns; (ii) receipt of information from investors, with the respective steps, as the case may be, for internal registration: and (iii) individual drawees/debtors of credit rights acquired by investment funds under management by Milênio.
Personal Data Under the Operational Scope
Milênio shall Process the Personal Data collected as a result of provision of services or its products, as well as from User interaction via the Website, social media, or other service channels.
Public Personal Data
It is also possible that Milênio collects Data from public databases, made available by authorities or bodies (such as the CVM, Boards of Trade or Federal Revenue, for example) or by third parties, or even Data made public on websites or social media, always respecting privacy and confidentiality.
4. Personal Data Sharing
Milênio shall not share User’s Personal Data with third parties, except: (i) to comply with necessary measures under the terms of applicable laws, rules, regulations or self-regulations; (ii) in view of the existence of a disclosure obligation; (iii) for legitimate interest that requires disclosure; or (iv) at the User’s request, upon their express Consent.
In the case of data sharing, Milênio shall make every effort to ensure that third parties, which have access to the User’s Personal Data, are aware of the criticality of their activity and the individual privacy rights of the Holder and, also, that they comply with all relevant data protection laws.
The third parties considered here, who may have access to Users’ Personal Data are: (i) specialized service providers, such as consultants, auditors, legal services, debt collection companies, and others; (ii) courts, controlling bodies, regulatory authorities and self-regulatory entities; (iii) payment service providers and/or banking institutions, for generating and controlling payments; (iv) any person or company, provided they have the Owner’s consent; and/or (v) agents involved in activities related to managing investment funds, such as administrator, custodian, investment advisor distributor, and others.
5. International Transfer of Personal Data
Users’ Personal Data may be transferred and processed in other countries, in accordance with the cases provided for in the LGPD and applicable legislation, for the purposes provided for in this Policy. Any transaction that involves physically or virtually transmitting or sending Personal Data to a company or individual that is located in a place other than the Brazilian territory shall be considered an International Data Transfer.
As an example, Data may be transferred: (i) when stored on cloud computing servers located outside Brazil; (ii) to comply with legal and regulatory obligations; (iii) for regularly exercising rights in administrative, judicial or arbitration proceedings; and (iv) for investigating crimes and other illicit acts.
To this end, the requirements set forth by current legislation are observed, and leading security and privacy practices are adopted, thus ensuring integrity and confidentiality of Users’ Personal Data.
6. Security Measures
Milênio adopts security, technical and administrative measures to ensure protection of Personal Data confidentiality and integrity from unauthorized access and from accidental or unlawful occurrences of destruction, loss, alteration, communication or any other form of inappropriate or illicit Processing. Information security is also one of the pillars to be respected and ensured by Personal Data Processing Agents.
7. Personal Data Storage
Milênio shall keep Personal Data for the period in which it is required for meeting the specific purposes for which it was collected, in compliance with LGPD principles. Without prejudice, Milênio shall store Personal Data in a Database for possible legal and regulatory compliance, for 5 (five) years after the end of the contractual or commercial relationship.
From time to time, Milênio technically analyzes the appropriate retention period for each type of collected Personal Data, considering its nature, need for collection and the purpose for which it will be Processed.
Cookies are small text files stored in the User’s browser or device. Cookies have different functions. They particularly enable the User to easily navigate through the pages and store their preferences, optimizing the experience. These cookies may be stored on the User’s machine for identifying their preferences and settings.
If a User wishes to refuse the installation of these cookies on their device and/or opts for removing the cookies, that User may do by configuring their browser. These cookies can be “temporary” or “persistent”, where a temporary cookie is automatically deleted when the User closes the browser, while a persistent cookie is stored on the User’s terminal for a certain period of time.
9. Users’ Rights
As defined by the LGPD, every individual is guaranteed the ownership of their Personal Data and guaranteed the fundamental rights of freedom, intimacy and privacy.
Additionally, Users, as Holders of Personal Data, have the right to obtain the following from the Controller, regarding their Processed Personal Data, at any time and upon express request:
- Access to and confirmation of the existence of Personal Data Processing;
- Updating and correcting incomplete, inaccurate or outdated Data;
- Anonymizing, blocking or eliminating unnecessary, excessive Data that has been Processed in violation of the provisions of the legislation;
- Data Portability, subject to applicable rules and commercial and industrial secrets;
- Information regarding the public and private entities with which the Controller performed Data usage sharing;
- Information about the possibility of not providing Consent and about the consequences of denial;
- Revoke the Consent for Personal Data Processing, which may be done at any time and free of charge, upon express request;
- Request deletion of Personal Data Processed with Consent, except in cases where keeping the Data is necessary or permitted by law;
- Opposition to Processing based on other legal grounds, in the event of non-compliance with the legislation, noting that there may be situations in which the Processing shall continue and the request for opposition is refused; and,
- Request a review of decisions made solely on the basis of Automated Processing of Personal Data that affect them, such as credit decisions.
It is important to note that in certain situations, Personal Data Processing shall be maintained, even in the event of a Holder requesting Data deletion, opposition, blocking or anonymization. This occurs: (i) to comply with legal, contractual and regulatory obligations; (ii) to protect and exercise Milênio’s and Users’ rights; and/or (iii) for preventing illegal acts and in judicial, administrative and arbitration proceedings, including the questioning of third parties about their activities, and in other cases provided for in the legislation.
Data Protection Officer – DPO
In case of doubts, comments and suggestions related to this Policy or, even for exercising any of the rights listed above or suspicion of improper use of their Personal Data, Users should contact Milênio through the firstname.lastname@example.org email. For exercising rights, Milênio may request additional information and documents, in order to avoid fraud, as well as to follow the applicable legal provisions and ANPD guidelines.
Thus, Milênio may fail to comply with a User’s request regarding exercising the rights listed above if there are legitimate reasons for doing so. Examples of legitimate reasons are: (i) if the disclosure of information violates Milênio’s or third party’s business secrets; (ii) if the request for Data anonymizing, blocking or deletion is contrary to the legal, regulatory or self-regulatory obligation applicable to Milênio or makes it impossible to fully and unrestrictedly defend Milênio’s or third parties’ rights, including in disputes of any kind. Also, it should be noted that some requests may require a longer response period, due to their complexity or impacts.
Policy’s Term and Updates