Privacy Policy

1. General Information

H Bergamo Administração e Empreendimentos Ltda, registered under Tax ID No. 50.717.000/0001-85, headquartered at R Demosthenes Madureira Pinho, 415 - Ap T 302, Recreio dos Bandeirantes, Rio de Janeiro - RJ, ZIP 22795-090, is committed to protecting the personal data of its clients, partners, and website visitors, in compliance with the Brazilian General Data Protection Law (LGPD - Law No. 13.709/2018).

This Privacy Policy describes how we collect, use, store, and protect your personal and business information in the context of holding company management and strategic business services.

2. Data Collected

We may collect the following information:

• Identification data: Full name, Tax ID (CPF), Company Tax ID (CNPJ), date of birth, nationality
• Contact data: Email, phone number, business address, residential address
• Business data: Company information, corporate structure, ownership details, board composition
• Financial data: Portfolio information, investment data, asset valuation, financial statements
• Strategic data: Business plans, growth strategies, merger and acquisition information
• Governance data: Board meeting minutes, corporate policies, compliance records
• Legal documentation: Shareholder agreements, partnership contracts, corporate bylaws
• Professional data: Executive profiles, credentials, professional experience
• Transaction data: Investment transactions, asset transfers, corporate restructuring
• Browsing data: IP address, browser type, pages visited

3. Purpose of Data Processing

The collected data is used to:

• Provide holding company management services
• Conduct portfolio oversight and monitoring
• Perform corporate governance activities
• Manage strategic planning and execution
• Facilitate mergers, acquisitions, and partnerships
• Provide financial planning and analysis
• Conduct due diligence and valuation
• Ensure regulatory compliance and reporting
• Manage stakeholder relations
• Process service payments and fees
• Provide advisory and consulting services
• Maintain corporate records and documentation
• Comply with legal and regulatory obligations

4. Legal Basis for Processing

Data processing is performed based on:

• Consent: When you expressly authorize the use of your data
• Contract execution: To fulfill holding management and advisory contracts
• Legal obligation: To comply with corporate law, securities regulations, and tax obligations
• Legitimate interest: For portfolio management, strategic planning, and business development

5. Data Sharing

H Bergamo does not sell or commercialize personal or business data. We may share data only with:

• Portfolio companies: For governance and oversight purposes
• Regulatory authorities: Securities and Exchange Commission (CVM), tax authorities
• Financial institutions: Banks, investment firms for transaction processing
• Legal advisors: For legal counsel and corporate structuring
• Auditors: For financial audits and compliance reviews
• Business partners: For strategic partnerships and joint ventures (with consent)
• M&A advisors: For transaction advisory services
• Service providers: Secure data management, IT infrastructure
• Insurance providers: For director and officer liability insurance
• Legal authorities: When required by law or court order

6. Data Security

We implement rigorous technical and organizational measures to protect your sensitive business data:

• End-to-end encryption of strategic and financial data
• Secure data centers with enterprise-grade security
• Multi-factor authentication for all system access
• Access controls limited to authorized personnel
• Confidentiality agreements with all staff and partners
• Secure communication channels for sensitive information
• Regular security audits and penetration testing
• Incident response and data breach protocols
• Physical security for corporate documents
• Professional indemnity insurance
• Compliance with corporate governance best practices

7. Your Rights as Data Subject

Under LGPD, you have the following rights:

• Confirmation and access: Confirm the existence of processing and access your data
• Correction: Request correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion: Request removal of unnecessary data (subject to legal retention requirements)
• Portability: Request data portability in structured format
• Deletion: Request deletion of data processed with consent (subject to legal and contractual obligations)
• Information: Obtain information about data sharing and processing
• Revocation: Revoke consent (subject to contractual and legal obligations)
• Opposition: Object to processing in specific circumstances

8. Cookies and Similar Technologies

We use cookies to improve your browsing experience and website functionality. You can configure your browser to refuse cookies.

9. Data Retention

We retain your data for the time necessary to:

• Fulfill the purposes described in this policy
• Duration of the service relationship
• Corporate records: as required by corporate law (generally 5-10 years)
• Financial records: minimum 5 years as required by tax law
• Shareholder agreements and contracts: duration of agreements plus prescription periods
• Board meeting minutes: permanent retention for corporate governance
• M&A documentation: as required for legal and tax purposes
• Legal prescription periods
• Securities regulations compliance
• Professional liability requirements
• Exercise of legal rights and defense against claims

After these periods, data will be securely deleted or anonymized, except where longer retention is required by law.

10. International Data Transfer

Your data is primarily stored and processed in Brazil. When we use services with international infrastructure, we ensure adequate data protection measures and compliance with LGPD requirements for international transfers.

11. Minors

Our services are intended for business entities and individuals over 18 years of age. We do not intentionally collect data from minors.

12. Changes to This Policy

This Policy may be updated periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated by email or written notice.

13. Data Protection Officer (DPO)

We have appointed a Data Protection Officer responsible for ensuring LGPD compliance and managing data protection inquiries.

14. Contact

To exercise your rights or clarify questions:

We will respond to your requests within 15 calendar days, extendable by another 15 days with justification.

15. Applicable Law and Jurisdiction

This Policy is governed by the laws of the Federative Republic of Brazil, especially Law No. 13.709/2018 (LGPD), corporate law (Law No. 6.404/1976), and securities regulations. The jurisdiction of Rio de Janeiro/RJ is elected to resolve any disputes.

Last updated: December 2025