Policy
Privacy and Security

In order for us to offer an excellent service both from the point of view of the effectiveness of the treatment and the quality of care, we need to collect, store and process some types of data. Therefore, our primary aspect is the privacy and protection of personal data, so that we effectively preserve them in all our business processes by all our employees, as well as in the relationship with all our customers, suppliers, third parties, service providers and business partners. In order to present to data subjects how we treat and protect their personal data and how we guarantee their rights related to privacy and data protection, as we understand how great the trust of our customers and future customers is, we have developed this Privacy Statement. But not just that. I'M FREE  maintains an internal governance program in Information Security and Data Protection that includes the continuous development and maintenance of an Information Security Policy and a Data Protection Policy.

We always ask you to accept our policies  by registering on the Site;  when you submit information to us for the first time; and/or  every time we update them. Furthermore, we ask that you accept our provisions regarding cookies when accessing the Site through a new device. Thus, by accessing or subscribing to any activity through the Site and agreeing to proceed, you declare that you have read, understood and agree to be bound by this Privacy Policy, the Terms and Conditions of Use, the Delivery Policy, the Privacy Policy Exchanges and Returns, as well as any additional terms related to the Site

IF YOU DO NOT FULLY AGREE WITH ALL AGREEMENTS, DO NOT USE THE SITE OR PURCHASE ANY PRODUCT THROUGH THE SITE.

​

1. GENERAL INFORMATION AND PRINCIPLES
In this Privacy Statement we emphasize the privacy and data protection requirements defined in Law n.13.709 of August 14, 2018 – General Data Protection Law. Therefore, the concepts, terms and definitions that we apply in this Declaration are defined in article 5 of the referred law.
For the privacy and protection of personal data, I'm free  emphasizes in this Declaration, as well as in its internal governance program in Information Security and Data Protection, the following principles, in accordance with Law n.13.709 of August 14 2018 - General Data Protection Law:

1.      Purpose: the processing of personal data can only occur after a clear purpose has been defined, duly registered in the purpose map and with a defined legal basis.

2.      Adequacy: the treatment must be restricted to the defined purpose and must not occur in a way that is incompatible with that purpose.

3.      Necessity: the information obtained must be restricted to the minimum necessary for the achievement of the previously defined purpose, covering only the relevant data for that purpose.

4.      Free Access: holders of personal data must have a service channel that allows them to consult on the form, treatment and security of their personal data.

5.      Data Quality: the processed data must be clear, accurate, relevant and updated in relation to their respective specific purposes.

6.      Transparency: holders of personal data must have a service channel that allows them to obtain clear and precise information about the treatment carried out with their data, including in relation to the treatment agents involved.

7.      Security: i'm free must plan, implement, maintain, critically analyze and continuously improve technical and administrative information security management measures.

8.      Prevention: technical and administrative information security management measures must also act to prevent incidents from occurring.

9.      Non-Discrimination: Under no circumstances will the processing of personal data be used in discriminatory, illegal or abusive situations.

10.  Responsibility and Accountability: i'm free must have controls and mechanisms to demonstrate the effectiveness of its information security and data protection measures.

2. FOR WHAT PURPOSES AND LEGAL BASIS DO WE PROCESS PERSONAL DATA?
i'm free only processes personal data after defining a specific purpose and legal basis for it.
In our internal governance program in Information Security and Data Protection, we have a detailed mapping of all the legal purposes and bases that we use for the processing of personal data, through our Personal Data Processing Operations Registry (RoPA-Record of Processing Activities), including definitions of categories of data used, resources involved (for example, information systems used), transfers abroad and sharing with other companies.
In short, we process personal data in the following cases and on the following legal bases:

Case of Purpose and Legal Basis

1.      Administrative and operational processes for the fulfillment of contracts signed with our clients.
Personal data

2.      Administrative and operational processes, when requested by customers explicitly through consent.
Personal data
Sensitive Personal Data

3.      Internal procedures of legitimate interest that enable customer service, at their request via contract or consent, always with the legitimate objective of better serving the customer’s interests.
Personal data

4.      Internal procedures for complying with legal obligations, in accordance with the cases and needs provided for by law.
Personal data
Sensitive Personal Data

5.      Situations related to credit protection when so identified, applicable and always in accordance with the law.
Personal data

6.      Situations related to our regular exercise of rights, when identified, applicable and always in accordance with the law.
Personal data
Sensitive Personal Data

7.      Compliance with requirements for public policies, when so identified, applicable and always in accordance with the law.
Personal data
Sensitive Personal Data

8.      Fulfillment of requirements for research bodies, when so identified, applicable and always in accordance with the law.
Personal data
Sensitive Personal Data

9.      Situations related to the protection of life, when so identified, applicable and always in accordance with the law.
Personal data
Sensitive Personal Data

10.  Situations related to health protection, when so identified, applicable and always in accordance with the law.
Personal data
Sensitive Personal Data

11.  Situations related to the prevention of fraud and security of the holder, always observing the fundamental rights and freedoms of the holder.
Sensitive Personal Data

If you would like to receive detailed information about the purposes and legal bases specifically related to the processing of your personal data, please consult section 12 of this Privacy Statement.

3. HOW, WHEN AND WHAT PERSONAL DATA DO WE COLLECT?
Your data is collected considering the principle of minimization, that is, we only collect what is necessary and if we have a specific purpose for it. Also, your data is only collected through our information systems and corporate channels duly approved by our data protection officer, that is, i'm free does not collect personal data through any type of personal resources of its employees, suppliers, service providers or business partners.
It is also important that information such as the type of browser you are using, IP address, device type, language preference, operating system and mobile network information be collected so that we can analyze problems that are found and correct errors more efficiently. appropriate.
At the time we collect your data, we already have the definition of the specific purpose and legal basis for data processing, duly defined in our Personal Data Processing Operations Registry (RoPA), as mentioned in section 2 of this Privacy Statement . As mentioned, we collect only the data that is strictly necessary to carry out the specific purpose defined in the Operations Log.
The categories of data that can be collected according to the need for each specific purpose are:

1.      Registration – category that involves basic information on individuals. Examples: Name, RG, CPF, telephone, address, etc.

2.      Administrative – category involving administrative information produced from registration data. Examples: Contracts, forms, reports, etc.

3.      Financial – category of data involving financial information when related to individuals. Examples: collection slip, financial history, payments, etc.

4      Multimedia – in this category, data involves the treatment of photos, videos, audios, image, voice, geolocation and the like.

5.      Digital Logs – category of data that includes cookies, IP addresses and system logs that denote user behavior. Example: navigation logs.

6.      Anonymized – category used to indicate the existence of data that does not personally identify

7.  Others – category to represent exceptional data that did not fit into the previous categories, in this case the specific type of data will be mentioned in the Registry of Personal Data Processing Operations (RoPA).

4. HOW DO WE STORE AND ACCESS PERSONAL DATA?
i'm free stores and accesses personal data only through duly approved corporate resources and only after defining the specific purpose and legal basis in our Registry of Personal Data Processing Operations (RoPA).

The personal information collected will be stored using cloud service providers who are concerned about privacy and data protection. This information is stored for the minimum period necessary to deliver the resources proposed by the BLiP platform, taking into account the data retention period determined by the applicable legislation. If you decide to delete your account and erase your data, they will be anonymized or permanently deleted. It is important to emphasize that the data will be erased to comply with a legal obligation or to regularly exercise rights in judicial or extrajudicial proceedings.
For the protection of storage and access to personal data, we use technical and administrative controls of Information Security which are defined in our Information Security Policy and are maintained through our internal program of governance in information security and data protection .
Personal data are stored strictly for the time necessary to fulfill the purpose and legal basis, and after this time, the data may be deleted, anonymized or maintained by defining a new purpose and its respective legal basis, always in compliance with the current legislation.



5. HOW LONG DO WE RETAIN AND HOW DO WE DELETE PERSONAL DATA?
Personal data is retained only for the time necessary to perform the purpose for which it was collected. After performing this purpose, personal data may be:

1.      Anonymized: in this case, personal data are kept in such a way as not to identify the holder and in order to guarantee the irreversibility of the data, that is, they cannot be again associated with data that identify the holder;

2.      Kept for another purpose: after the end of a purpose, the data may be kept when associated with another purpose and its respective legal basis. For example, at the end of a contract or consent, data may still be kept for the fulfillment of a legal obligation or for the regular exercise of i'm free's rights, always observing compliance with current legislation;

3.      Deleted: in this case the data is deleted.

When we delete personal data, we will do so in such a way that the data can no longer be retrieved.
Some of our purposes, due to their specific characteristics, may have a specific retention period for personal data. In this case, such definition will appear in our Registry of Personal Data Processing Operations (RoPA).

6. DO WE USE COOKIES OR OTHER TYPES OF DIGITAL TRACES?
The website,   may make use of cookies and other types of digital traces. Digital footprints can be of the following types:

·         Essential or Necessary: these are cookies and digital traces required for the basic functioning of websites, systems, portals and applications. In this case, the tracks will be used strictly for the operation of the respective systems;

·         Optional: these are cookies and digital traces that are optional for the functioning of websites, systems, portals and applications. Examples are marketing trails, statistics, and personalized experience. In these cases, consent will be requested for the use of cookies and digital traces for their specific purposes.

In our Registry of Personal Data Processing Operations (RoPA), all the purposes and legal bases that make use of cookies and digital traces are defined.

7. HOW DO WE PROTECT PERSONAL DATA THROUGH INFORMATION SECURITY MANAGEMENT?
i'm free is always committed to the planning, execution and monitoring of actions, as well as critical analysis and continuous improvement in an Information Security Management System.
For this purpose, the precepts defined in ABNT NBR ISO/IEC 27001 – ISMS-Information Security Management System are used as a basis, together with the information security management methodologies of Tracker Security of Information.
We maintain an Information Security Policy (internal document) with the necessary and adequate controls to guarantee the confidentiality, integrity and availability of the information under our control.
We also act more specifically in the management of privacy and data protection, in this case, based on the precepts defined in ABNT NBR ISO/IEC 27701 - SGPI-Information Privacy Management System, together with the privacy management and data protection methodologies data from Tracker Security of Information.
We also maintain administrative, technical and physical safeguards to support the protection of the personal information you share with us. These actions are associated with efforts to prevent loss, misuse and unauthorized access, disclosure, alteration and destruction. We know that no transmission over the internet is 100% secure, so it's important that you protect data such as your email and password used for authentication. In this way, we prevent other people from being able to access your resources.
However, we have a Data Protection Policy (internal document) with the necessary and adequate controls to guarantee the privacy and protection of personal data under our control.
The Information Security Policy and the Data Protection Policy, together with their derivative documents (specific policies, standards and procedures) form our internal Information Security and Data Protection program, constantly maintained and updated in our company.

8. WHAT RIGHTS DO THE HOLDER OF PERSONAL DATA HAVE AND HOW TO EXERCISE THEM?
The following rights of holders of personal data are observed and duly made available by i'm free:

1.      Confirmation: confirm the existence of processing of your personal data.

2.      Access: access your personal data.

3.      Correction: request that incomplete, outdated or incorrect data be corrected.

4.      Anonymization, blocking or deletion: request anonymization, blocking or deletion in the case of unnecessary, excessive or processed personal data in breach of the LGPD. This includes deletion even after consent.

5.      Revocation of Consent: revoke your consent to the use of your processed personal data at any time.

6.      Automated decision review: request review and information on what criteria and processes were used in automated decision making, where applicable.

If you wish to exercise your rights, whether those mentioned above or any others related to privacy and protection of personal data, please contact our Data Protection Officer in accordance with section 12 of this Privacy Statement.

9. TALK TO OUR DATA PROTECTION OFFICER
The activities of the person in charge consist of: accepting complaints and communications from holders, providing clarifications and adopting measures; receive communications from the national authority and take action; guide employees, contracted companies regarding the practices to be taken in relation to the protection of personal data and monitor compliance with data protection through the implementation of administrative and technical controls for data protection.   Therefore, if you wish to exercise any of your rights or receive detailed information specifically about the processing of your personal data, please contact our call center

10. ABOUT UPDATES TO THIS PRIVACY STATEMENT
i'm free is always improving privacy and personal data protection. Accordingly, this Privacy Statement may be updated at any time with immediate effect. We recommend that you periodically check this section to stay up-to-date with the latest version available. This Privacy Statement is at version 1 made available on December 28, 2022.