Política de Privacidade

Effective date: [06/10/2025]

Data controller: GLOBAL SOLUTION 360 RECURSOS HUMANOS LTDA, CNPJ 33.561.668/0001-67, with its principal place of business at Rua Casa do Ator, No. 1,117, Suite 101, Vila Olímpia, São Paulo, SP, Postal Code 04546-004, Brazil (hereinafter “GS360” or the “Controller”).

Preamble

GS360 acknowledges the importance of privacy and the protection of the personal data of individuals with whom it interacts — including job applicants, corporate clients, suppliers, and visitors to its website. This Privacy Policy sets out, in a clear and accessible manner, the personal data processing activities carried out by GS360 in connection with its recruitment and executive search services, including processing performed via the website gs360.com.br, application platforms, applicant tracking systems (ATS), forms, social networks, and other electronic or physical channels used by the Controller.

GS360 conducts such processing in compliance with Federal Law No. 13,709/2018 (General Personal Data Protection Law — LGPD), observing the principles of purpose, necessity, transparency, minimization, security, data quality, and accountability. Where applicable, GS360 also implements internationally recognized best practices in the recruitment and selection industry while preserving the confidentiality inherent to executive search processes.

1. Introduction — Scope and Principles

1.1. Scope. This Policy applies to all processing of personal data carried out by GS360 within the national territory of Brazil and to operations involving international data transfers when performed by the Controller. It covers data collected from: (i) applicants; (ii) representatives of corporate clients; (iii) website visitors; (iv) suppliers and service providers; and (v) other data subjects with whom GS360 interacts. It applies to data collected directly (forms, applications, email) and indirectly (cookies, logs, analytics tools), as well as to data received from third parties (for example, clients who forward candidate profiles).

1.2. General Purposes: This Policy applies to all processing of personal data carried out by GS360 within the national territory of Brazil and to operations involving international data transfers when performed by the Controller. It covers data collected from: (i) applicants; (ii) representatives of corporate clients; (iii) website visitors; (iv) suppliers and service providers; and (v) other data subjects with whom GS360 interacts. It applies to data collected directly (forms, applications, email) and indirectly (cookies, logs, analytics tools), as well as to data received from third parties (for example, clients who forward candidate profiles).

1.3. Categories of Data Collected: Depending on the purpose, GS360 collects and processes the following categories of personal data, without prejudice to other information voluntarily provided by the data subject during the relationship:

• Candidate Data: full name, email address, telephone number, address, resume/CV, professional history, qualifications, salary expectations, and other information voluntarily provided during selection processes.

• Corporate Client Data: name, job title, email and telephone number of representatives, information regarding positions to be filled, and other data necessary to conduct the recruitment process.

• Browsing Data: IP address, browser type, device, pages visited, cookies and similar technologies.

* GS360 expressly states that it does not sell personal data. Disclosures are limited and carried out only when necessary for the purposes described and in accordance with the LGPD (for example: sharing a candidate’s resume with clients for recruitment purposes).

1.4. Legal Bases and Principles: The processing operations described in this Policy rely on the legal bases provided for in the LGPD, including: performance of a contract or pre-contractual measures; compliance with a legal or regulatory obligation; legitimate interest (where applicable and following an appropriate balancing test); and consent, in cases provided by law or when required for certain processing activities, particularly for sensitive personal data or marketing purposes. GS360 will observe, in all cases, the principles set forth in the LGPD and will inform data subjects of the applicable legal bases.

1.5. Contact Channel and Exercise of Rights: Data subjects who wish to obtain information about the processing of their personal data, exercise their rights, or submit questions or complaints may contact the data protection officer (DPO) by email at dpo@gs360.com.br or by telephone at +55 11 93235-5165. If GS360 maintains a fixed-line phone number, it will be provided in this Policy and in official contact channels. Operational procedures for recording, analyzing and responding to data subject requests are described in the corresponding sections of this Policy.

1.6. Cookies and Tracking Technologies: The website gs360.com.br uses cookies and similar technologies to ensure technical functionality, enhance user experience, collect performance metrics and, where applicable, support marketing purposes. Information about cookie categories, purposes, retention periods and means to opt out will be available in the Cookies section of this Policy and in the consent banner/panel displayed to visitors.

1.7. Transparency and Updates: GS360 may update this Policy periodically to reflect legal, regulatory, operational or technological changes. The most recent version will always be made available at https://www.gs360.com.br, together with an indication of its effective date.

2. Detailed Purposes and Applicable Legal Bases

2.1. Screening and Conducting Selection Processes

a) Purposes: receipt of applications, resume/CV review, initial contact, interview scheduling, administration of technical/psychometric assessments, reference-check diligence, and presentation of candidates to clients.

b) Categories of data: full name; email address; telephone number; address; resume/CV; professional history; qualifications; salary expectations; interview records; attachments voluntarily provided.

c) Legal bases: pre-contractual measures and legitimate interest for the management and efficiency of the selection process, provided that a balancing test is completed and documented (Legitimate Interests Assessment — LIA). When processing sensitive personal data, specific consent or another applicable legal basis will be obtained.

d) Operational notes: candidates will be informed, at the time of collection, about the forwarding of their profile to clients and about any retention in a talent database. Disclosure to third parties (clients) will occur only when there is tacit/express authorization from the data subject or when the presentation is essential to the pre-contractual purpose disclosed.

2.2. Provision of Services for Corporate Clients

a) Purposes: preparation of dossiers, assessment reports, mapping, selection recommendations, and coordination of the hiring process.

b) Categories of data: corporate contact details (name, job title, email and telephone), job requirements and descriptions, and relevant contractual documents.

c) Legal bases: performance of a contract and pre-contractual measures; subsidiary lawful basis for activities related to service improvement and communications connected to contractual performance.

d) Operational notes: GS360 may process candidate data in the context of contractual performance with the client, observing the limitations set forth in this Policy and in any co-controller agreement or data-sharing arrangement.

2.3. Resume Database / Talent Pool

a) Purposes: maintenance of a database for future contact about suitable opportunities; professional relationship-building and employer branding activities when authorized.

b) Categories of data: resume/CV, professional history, contact details and consents related to remaining in the database.

c) Legal bases: consent for storage for the purpose of future contact; legitimate interest where documented and in accordance with the LIA.

d) Data subject option: the candidate may revoke consent at any time to remain in the database or may request deletion.

2.4. Communication and Relationship Management

a) Purposes: sending institutional or contractual communications, operational confirmations, notifications about processes, and responses to requests.

b) Categories of data: email address, telephone number, correspondence records.

c) Legal bases: performance of a contract, legitimate interest and/or consent, depending on the nature of the communication.

2.5. Website Operation and User Experience

a) Purposes: site management, security, usage analysis, navigation personalization, and fraud prevention.

b) Categories of data: browsing data (IP address, user agent, device type, pages visited), cookies and technical identifiers.

c) Legal bases: legitimate interest and consent for non-essential cookies; anonymization of data whenever possible for analytical purposes.

2.6. Compliance with Legal, Tax and Accounting Obligations

a) Purposes: compliance with tax, labor, social security and other legal obligations.

b) Categories of data: tax documents, payment receipts, bank details when required for invoicing.

c) Legal basis: compliance with a legal or regulatory obligation.

2.7. Security, Fraud Prevention and Legal Defense

a) Purposes: investigation and mitigation of security incidents, preservation of evidence, defense in litigation and compliance with court orders.

b) Categories of data: log records, communications, evidentiary documents.

c) Legal bases: legitimate interest and compliance with a legal obligation, as applicable.

3. Data Sharing and Limitations

3.1. General principle: GS360 does not sell personal data. Disclosures are made only to the extent strictly necessary to fulfill the purposes described in this Policy and are subject to contractual and technical safeguards.

3.2. With clients (forwarding of profiles)

• Disclosure occurs solely for recruitment and selection purposes and is limited to the minimum necessary (data minimization principle).

• Candidates will be informed at the time of collection about the forwarding of their profile and may request that certain information not be shared.

• Clients sign confidentiality agreements and terms that restrict the use of the data received to the selection process.

3.3. With service providers and processors

• Types: applicant tracking systems (ATS), cloud providers, assessment platforms, analytics tools, email and security providers.

• Contractual conditions: mandatory confidentiality clauses, prohibition on using data for other purposes, obligation to implement security measures, procedures for data return or deletion, and subcontracting only upon authorization.

• Audit and due diligence: critical providers will be assessed prior to engagement and periodically thereafter.

3.4. With public authorities

• GS360 will disclose data only in strict compliance with a court order, tax subpoena, or other demonstrated legal obligation.

3.5. International transfers

• International transfers are exceptional and will only be carried out upon: (i) an adequacy decision; (ii) appropriate contractual safeguards; or (iii) the data subject’s specific consent. Prior to any international transfer, risk assessments and technical measures (e.g., encryption, contractual clauses) will be applied and documented.

3.6. Joint control (co-controller relationships)

• Where GS360 acts jointly with a client as a joint controller, GS360 will formalize responsibilities and contact channels, specifying which party is responsible for which obligations towards data subjects.

4. Retention Periods and Deletion Criteria

4.1. Principle: We retain personal data only for as long as necessary for the purposes described herein, considering legal obligations and evidentiary needs.

4.2. Typical retention periods

• Unselected applications: 24 months from the last interaction.

• Hired candidates (documents with tax effects): in accordance with applicable tax law, usually 5 years or another legally required term.

• Contracts and commercial documents: 5 years or the applicable statute of limitations.

• Operational logs: 90 to 180 days (production logs), except where retention is necessary for incident investigation.

4.3. Secure deletion

• When a retention period expires or upon a valid deletion request, GS360 will delete, anonymize or block the data using appropriate technical methods (logical deletion, cryptographic overwriting, physical destruction when applicable) and will keep records of material deletions for audit purposes when necessary.

5. Rights of Data Subjects and Detailed Operational Procedure

5.1. Rights Guaranteed

• Data subjects have the right to: confirmation of processing; access; rectification; anonymization, blocking or deletion; portability; withdrawal of consent; information regarding disclosures; objection to processing; and information about automated decision-making.

5.2. Official channel and responsibilities

• Primary channel: dpo@gs360.com.br

• Telephone: +55 11 3181-3977

5.3. Approximate internal workflow

a) Receipt and acknowledgment: automatic generation of a protocol/ticket and confirmation to the requester within up to 5 business days.

b) Identity verification: request of minimal documentation to prove data subject status, proportional to the nature of the request.

c) Legal/technical analysis: identification of the applicable legal basis and assessment of any restrictions (for example, the need to retain data due to a legal obligation).

d) Decision and execution: response and execution within approximately 15 to 30 calendar days, indicating clearly the measures taken or the grounds for any partial or full denial. In complex cases, the data subject will be informed of any extension and the reason for it.

e) Recordkeeping and retention of the process: the request, decision and actions taken will be recorded and retained for a period compatible with audit and accountability needs.

f) Internal appeal: possibility of reassessment and escalation to the DPO; the data subject will be informed of the right to lodge a complaint with the National Data Protection Authority (ANPD).

5.4. Fees

• Standard handling is free of charge. Fees will be charged only in exceptional cases if provided for by law and duly justified.

6. Information Security and Incident Response

6.1. GS360 implements reasonable technical and organizational measures to protect personal data against unauthorized access, loss, destruction or improper alteration. The measures applied are commensurate with the nature of the information processed and the risks associated with recruitment and selection activities.

6.2. In the event of a security incident that may result in a risk of significant harm to data subjects, GS360 will assess the severity of the incident, implement containment and remediation measures, and, where applicable, notify affected data subjects and the National Data Protection Authority (ANPD) in accordance with applicable law.

6.3. Any notification will clearly provide essential information about the incident, including the nature of the potentially affected personal data, the measures adopted, guidance for data subjects, and the contact details of GS360’s Data Protection Officer (DPO).

7. Revisions, Amendments and Versioning

7.1. This Policy may be updated periodically for operational, regulatory or technological reasons. The current version will be made available at https://www.gs360.com.br, together with an indication of its effective date.

7.2. Material changes that affect data subjects’ rights will be communicated in a prominent manner (for example, by email to data subjects where applicable).

8. Contact and Business Information

• Website: https://www.gs360.com.br

• Data Protection Officer (DPO) email: dpo@gs360.com.br

• Telephone: +55 11 3181-3977

• Note: GS360 expressly states that it does not sell personal data. Any disclosures are restricted to the purposes described herein and are carried out subject to contractual and technical safeguards.