PRIVACY POLICY.

This Policy applies to all personal data processed by our engineering services company — including business clients who commission engineering consulting or technical services, individual project contacts at those businesses, website visitors and anyone whose data is processed in connection with our engineering activities. Our services are primarily B2B — we work with companies, facility operators and project developers, not directly with end consumers.

In connection with our engineering services activities, we process the following categories of data:

• Client identification data: Company name, CNPJ and the name, role, phone number and email of the responsible contact or project manager at the commissioning business — collected when clients engage our services or request quotations.
• Project and site data: Facility or project site address, project description, technical scope and applicable regulatory requirements — collected to assess, quote and execute the commissioned engineering service. Site addresses are project locations, not necessarily the personal address of any data subject.
• Billing data: Company name and CNPJ for NF-e issuance — in compliance with SEFAZ-SP and ISS/Prefeitura de São Paulo requirements.
• ART and CREA data: For engineering activities requiring an ART (Anotação de Responsabilidade Técnica) — the technical data and responsible engineer information required for filing with CREA-SP under Lei 6.496/1977.
• Contact and enquiry data: Messages via WhatsApp, telephone or online form.
• Technical website data: IP address, browser type, pages visited and access times.

• SEFAZ-SP / Receita Federal: Tax data for NF-e issuance and applicable federal and state tax compliance.
• Prefeitura de São Paulo (ISS): For ISS/ISSQN obligations on engineering service activities.
• CREA-SP / CONFEA: ART data required for the legal filing of engineering responsibility annotations under Lei 6.496/1977 for all applicable engineering activities.
• Regulatory authorities (project-specific): Where an engineering project requires submission of technical reports or compliance documentation to AVCB, CETESB, INMETRO, Vigilância Sanitária or other regulatory bodies — client and project data is shared only to the extent required for the specific regulatory submission, as instructed by the client.
• PROCON-SP: When required in a consumer dispute mediation under the CDC.
• Legal authorities: When required by a competent judicial or administrative order.

Our engineering services operate primarily within Brazil. Primary storage of client and project data is in Brazil. Any technology platforms used for communication or document management that operate on international servers do so only under the guarantees of Art. 33 of the LGPD or recognised adequacy mechanisms.

• NF-e and fiscal records: Minimum 5 years under federal and state tax legislation (CTN, Art. 174; SEFAZ-SP).
• ART records: ART filings and associated technical documentation are retained for a minimum of 5 years — in alignment with CREA-SP and CONFEA guidance on engineering responsibility documentation. For projects with structural, safety or environmental implications, longer retention may be appropriate under applicable technical standards.
• Engineering project records: Technical reports, inspection records, calculations and project documentation retained for 5 years — to support any regulatory enquiry, liability claim or technical dispute arising from the engineering work.
• Client account records: Duration of the client relationship plus 5 years for contractual, fiscal and dispute documentation.
• Contact and enquiry data: Up to 1 year from last interaction if no project was commissioned.
• Website analytics: Aggregated and anonymised after 12 months.

• Access to client project records, technical documentation and site data restricted to the engineering principals and authorised project staff directly involved;
• Technical project data and engineering reports treated as commercially and technically confidential — not disclosed externally without client authorisation;
• WhatsApp and email communications handled with discretion — project technical details not shared beyond those involved in delivery;
• Encryption in transit (HTTPS) for website and digital communications;
• PCI-DSS certified payment platforms — card data never retained by the company;
• As a Ltda, formal internal data handling and access control protocols are maintained;
• Incident response procedures and breach notification in accordance with LGPD Art. 48.

• Confirmation and Access (Art. 18, I–II): Confirm whether we hold your data and receive a copy — including project records and ART documentation.
• Correction (Art. 18, III): Request correction of inaccurate data.
• Anonymisation / Blocking / Deletion (Art. 18, IV): Request restriction or deletion — subject to ART, fiscal and engineering project record retention obligations.
• Portability (Art. 18, V): Receive your data in a structured format.
• Deletion of consent-based data (Art. 18, VI): Request deletion of data processed by consent.
• Information on sharing (Art. 18, VII): Find out which entities your data has been shared with.
• Withdrawal of Consent (Art. 8º, §5º): Withdraw consent at any time.
• Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.

We respond within 15 business days. Deletions of engineering project records and ART documentation are subject to mandatory regulatory retention requirements that override deletion requests during the applicable retention period.

Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking cookies for advertising without prior consent. Preferences can be managed through browser settings.

Our engineering services are engaged by businesses — adults acting in a professional and corporate capacity. We do not intentionally collect personal data from children under 13. All contracts and service engagements are with adults legally authorised to represent the commissioning organisation.

In the ordinary course of engineering services, we do not collect or process sensitive personal data as defined in LGPD Art. 5º, II (race, health, biometrics, religion, political affiliation, etc.). The data we hold relates to business contacts and project technical information.

Where engineering projects involve facilities with security implications — industrial plants, critical infrastructure or classified environments — we apply additional access controls to project data as required by the client's security protocols and any applicable regulatory requirements.

This Policy may be updated to reflect changes in our activities, the LGPD, ANPD guidance, CREA-SP/CONFEA regulations or applicable tax legislation. Material changes will be communicated via our website or directly to active clients by email or WhatsApp.

All privacy requests, questions and complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):