Aegea seeks to ensure the highest level of transparency and ethics in its activities, and its commitment also extends to the processing of personal data.
If you are one of our customers, suppliers, service providers, business partners, job applicants, administrators, or employees of Aegea, or if your personal data is processed by Aegea in any way, this Privacy and Personal Data Protection Policy (“Privacy Policy”) contains information about the collection, use, retention, transfer, storage, disposal, and processing of your personal data. It also explains how and for what purposes Aegea collects, uses, retains, transfers, stores, processes, and disposes of personal data, how it protects personal data, and what your rights are regarding such data.
Your personal data is processed in compliance with applicable privacy and data protection laws, including, but not limited to, Law No. 13.709/2018 (General Data Protection Law – LGPD) and the Brazilian Internet Civil Framework (Marco Civil da Internet). Aegea considers the controls recommended by ISO 27701 – Privacy Information Management System.
What is Personal Data?
Personal data is any information related to an identified or identifiable natural person. This means that, for example, your name, CPF (taxpayer ID), RG (identity card), address, phone number, date of birth, as well as cookies and other types of electronic identifiers, are considered personal data insofar as they can be linked to a natural person, in this case, you.
What is Personal Data Processing?
Personal data processing is any operation or set of operations performed with your personal data or sets of personal data, such as collection, recording, organization, storage, consultation, use, sharing, deletion, destruction, or disposal.
Which Personal Data is Processed?
Aegea may collect and process your personal data when you provide it to us or authorize us to do so, when sent by one of our business partners, or when available in public databases.
In general, Aegea may collect and process your full name/company name; CPF; RG; mother’s name; date of birth; age; gender; address; marital status; phone number; IP address; and email address, among others.
If you are our customer, in addition to the data above, Aegea may collect and process more specific data related to the provision of our services, such as account/hydrometer number; consumption; billed amount; negotiations, renegotiations and outstanding balances; default data; credit bureau score; property purchase and sale agreement; property tax (IPTU); lease agreement; visit history; and photograph.
If you are a business partner or third party, the personal data collected and processed about you may also include, for example, information regarding corporate shareholdings; establishment information; bank account; payment information; and articles of association of legal entities.
If you are a job applicant for a position on our team, Aegea may also collect and process, in addition to the above, your profession, education level, and other data relevant to the recruitment process.
In addition to the cases mentioned above, in specific situations, Aegea may process data related to family income; family structure; government social program registration; biometric data; health data; race/color; political opinions; union or political organization affiliation; work address; event schedules; incident data, among others.
What are the Purposes for the Processing of Personal Data?
Aegea may, through its various areas and units, collect and process your personal data for, among other purposes, depending on your relationship with us:
i. Remittance of mailings and communications;
ii. Integrity assessments, investigations, and other measures related to complaints in the ethics channel, evaluation of requests for donations and sponsorship;
iii. Preparation, analysis, and validation of legal documents, participation in legal proceedings, interaction with regulatory agencies, among other legal activities;
iv. Stakeholder management to design relationship strategies and respond to requests from the granting public authority;
v. Development and monitoring of social projects and provision of benefits to the community;
vi. Control of visitors to our premises;
vii. Training and development of people, in line with our guidelines;
viii. Fraud prevention, revenue control, and auditing;
ix. Management, enrichment, and cleansing of registration data;
x. Management of the collection rule, including collection via telephone, WhatsApp, and/or SMS, reporting of defaulters, and management of service cuts;
xi. Treasury and collection management, including activities with banks, payment processing, write-offs, reviews, refunds, among other financial activities;
xii. Recruitment and selection of candidates, union negotiations, compensation studies, job positions and salaries, among other activities related to human resources;
xiii. Insurance contracting and claims management involving Aegea;
xiv. Performance of purchases for Aegea, including receiving internal requests, negotiating with suppliers, purchasing processes, registering suppliers in SAP, among other related activities;
xv. Operationalization of our systems, ensuring the availability of data for use by our various areas;
xvi. Provision of services and supplies to customers and customer service in our service stores and call center, including receiving, registering, and executing customer requests;
xvii. Conduction of visits to buildings/water meters and re-registering customers;
xviii. Assurance of access to our websites and/or applications, as well as ensuring the functioning of all available features, which may be used to improve our services;
xix. Development, maintenance, and improvement of the features and functionalities of our websites and/or applications;
xx. Analysis of the performance and audience of our websites and/or applications;
xxi. Analysis of users’ browsing habits on our websites and/or applications, how they arrived at the website and/or application page (e.g., through links from other websites, search engines, or directly through the address), evaluation of statistics related to the number of visits and use of the websites and/or applications, their resources and features;
xxii. Analysis of the security of our websites and/or applications;
xxiii. Improvement of users’ browsing experiences on our websites and/or applications;
xxiv. Provision of services that are more personalized and tailored to the needs of users of our websites and/or applications;
xxv. Communication between us and users of our websites and/or applications, including through the sending and receiving of emails and mailings; and
xxvi. Continuous improvement of the services we provide.
The processing of your personal data is only processed when there is a legal basis for doing so. Legal bases include: (i) consent (i.e., when you give us your consent), (ii) contract (i.e., when processing is necessary to enter into or perform a contract); (iii) compliance with a legal or regulatory obligation; (iv) the exercise of our rights; (v) the protection of your life or physical safety or the life and physical safety of third parties; (vi) execution of public policies provided for in laws and regulations or supported by contracts, agreements, or similar instruments; (vii) health protection; (viii) our legitimate interests; and (ix) credit protection.
In cases where the processing of your personal data is based on your consent, you have the right to withdraw it at any time, which does not affect (i) the lawfulness of the processing of your personal data based on your consent prior to revocation; or (ii) the lawfulness of the processing of your personal data based on other legal grounds.
Aegea may process your personal data based on legitimate interests, provided that your fundamental rights and freedoms prevail. If and when applicable, your personal data is processed based on legitimate interests to ensure the provision of services that benefit you, perform internal analyses, as well as to support, carry out, and promote our activities.
Processing of Sensitive Data
Depending on your relationship, Aegea may process sensitive personal data such as, for example, biometric registration for access to its physical premises; health data or other sensitive personal data involved in insurance management; in cases of relationships with public figures or public agents (e.g., community leaders, city councilors, deputies, secretaries), especially with regard to political/party orientation data; in the case of social programs and projects and for the creation and management of such projects, such as data related to ethnic origin/color; sensitive personal data that may be included in legal proceedings, contracts, or investigations of complaints to the ethics channel, among other purposes.
The processing of sensitive personal data is restricted and only carried out in one or more of the following legal cases:
i. Compliance with legal and/or regulatory obligations;
ii. Implementation of public policies provided for in laws or regulations;
iii. Regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings;
iv. Protection of your life or physical safety or the life and physical safety of third parties;
v. Health protection, exclusively in procedures performed by health professionals, health services, or health authorities; or
vi. assurance of the prevention of fraud or of the safety in the processes of identification and authentication of registration in electronic systems, safeguarding the rights mentioned in the applicable legislation and in this Policy, except in cases where your fundamental rights and freedoms that require the protection of personal data prevail.
Aegea may also process sensitive personal data based on your consent. You have the right to withdraw your consent at any time, which does not affect (i) the lawfulness of the processing of sensitive personal data based on your consent prior to withdrawal; or (ii) the lawfulness of the processing of sensitive personal data based on other legal grounds.
Children and Adolescents
Aegea does not process personal data of children (under 12 years of age) or adolescents (between 12 and 18 years of age), with the exception of employees’ children; in the context of legal or arbitration proceedings involving children or adolescents; for the recruitment of new talent for our team (in the case of young apprentices or interns) or, for example, to offer specific courses and activities to this audience.
Cookies and Other Tracking Technologies
Cookies are small files that may or may not be added to your computer or device when you use Aegea’s websites and/or applications and that allow us to store and recognize your browsing data.
Aegea’s websites and/or applications may use four (4) types of cookies:
i. Authentication Cookies: used to recognize a specific user, enabling access to and use of our websites and/or applications with restricted content and/or services and providing more personalized browsing experiences.
ii. Security Cookies: used to activate security features on our websites and/or applications, with the purpose of assisting in the monitoring and/or detection of malicious activities or activities prohibited by the applicable terms of use, as well as protecting your information from access by unauthorized third parties.
iii. Research, Analysis, and Performance Cookies: the purpose of this type of cookie is to help us understand the performance of our websites and/or applications, measure their audience, check the browsing habits of users on our websites and/or applications, as well as how they arrived at the website and/or application page (for example, through links from other websites, search engines, or directly through the address).
iv. Advertising Cookies: used to present relevant advertising to users of our websites and/or applications, both inside and outside our websites and/or applications or those of partners, as well as to find out whether users who viewed the advertising visited the websites and/or applications after seeing the advertising. Advertising Cookies may also be used to remember any searches performed by users on our websites and/or applications and, based on the searches performed by users on our websites and/or applications, to present users with advertisements related to their interests.
For the purposes described above, Aegea may collect, store, process, and use the following information regarding your browsing on our websites and/or applications, which are part of the “Browsing Records”:
i. Geographic location;
ii. Operating system used by the user;
iii. Browser and its respective versions;
iv. Screen resolution;
v. Java (programming language);
vi. Flash player installed;
vii. IP address;
viii. ID code (IMEI) of the mobile device through which the user accessed our websites and/or applications;
ix. Information regarding the date and time of use of our websites and/or applications by a given user, from a given IP address;
x. Information regarding the number of clicks and attempts to use our websites and/or applications, as well as pages accessed by the user.
Users can disable cookies through the configuration options of their respective browser. In this case, it is possible that our websites and/or applications will not perform all of their functions.
Links and Third-Party Platforms
Aegea’s websites and/or applications may contain links to third-party websites. The existence of these links does not constitute an endorsement or sponsorship of third-party websites, which are subject to the terms of use and privacy policies of the respective website(s) and are not under Aegea’s responsibility. We recommend that you also read these terms and policies.
If you choose to contact Aegea through third-party platforms (such as, but not limited to, Facebook, Instagram, and WhatsApp), the processing of your data will also be subject to the terms of use and privacy policies of such platforms, and Aegea will not be liable under any circumstances.
Personal Data Retention Period
Personal data may be processed and stored:
i. For the time necessary to fulfill the purposes for which it was collected, limited to what is necessary for the identified purpose;
ii. In accordance with the retention periods required by applicable law; or
iii. Until a request to withdraw the consent for the processing is made, as applicable.
Aegea may retain your personal data to comply with legal or regulatory obligations, to protect the company’s rights, to comply with an order issued by a competent authority, if it is in Aegea’s legitimate interest, provided that it is permitted by applicable law, or also for the necessary period in accordance with the legal basis that justifies the retention of your data.
Sharing, Transfer, and Disclosure of Personal Data
Aegea may share your personal data and other information with other stakeholders to achieve the purposes described in this Policy. Such stakeholders include, but are not limited to, public offices and notaries (including the granting public authority), financial institutions, our business partners, personal data processors, credit bureaus, technology service platforms, service providers (such as collection companies, re-registration and data enrichment/cleaning companies, event promoters/organizers, press offices, law firms, accounting firms, insurance brokers and insurers, companies, consultancies and other specialized services, marketing agencies, and document scanning companies), among others.
Aegea may also transfer your personal data abroad within the scope of the processing purposes described in this Policy, in accordance with applicable law, adopting all appropriate safeguards and security measures to ensure an adequate level of security and protection of personal data. In particular, there may be international transfers of personal data when the software and applications we use are based outside Brazil.
In principle, Aegea transfers personal data (i) to countries that provide a level of personal data protection adequate to that provided for in applicable law; or based on (ii) your consent, (iii) for the preparation and management of contracts, (iv) in compliance with a legal or regulatory obligation, or (v) to protect your life or physical safety.
Methods of Processing Personal Data
Aegea may process your personal data by electronic or automated means and appropriate computerized tools, or manually and in printed copy, exclusively for the purposes for which it was collected, and ensuring the security, confidentiality, availability, and integrity of any processed information, through appropriate measures to prevent unauthorized alteration, cancellation, destruction, access, or unauthorized processing, or any processing that is not in accordance with the purpose of collection and the terms of this Policy.
Security
Aegea adopts technical, physical, and administrative security measures designed to provide reasonable protection of personal data against loss, misuse, unauthorized access, disclosure, and modification. Security measures include, among others, firewalls, encryption, physical and logical access controls, and information access authorization controls. While Aegea protects its systems and services, you are responsible for protecting and maintaining the privacy of your registration information and for verifying that your personal data held by Aegea is accurate, complete, and up to date.
What are Your Rights?
If you are one of Aegea’s customers, business partners, job applicants, administrators, or employees, or if you have or believe that you have personal data processed by Aegea as a personal data controller, you may exercise the rights listed in Article 18 of the LGPD, as of its effective date. These rights are:
i. Request confirmation of the existence of the processing of your personal data;
ii. Access your personal data;
iii. Request the correction of your incomplete, inaccurate, or outdated personal data;
iv. Request the anonymization, blocking, or deletion of your personal data that is unnecessary, excessive, or processed in breach with the provisions of the LGPD;
v. Request the portability of your personal data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;
vi. Request the deletion of your personal data processed with your consent, except in the cases provided for in this Policy and in Article 16 of the LGPD;
vii. Request information from public and private entities with which we share data;
viii. Obtain information about the possibility of not providing consent and the consequences of refusal; and
ix. Withdraw your consent, pursuant to §5 of Article 8 of the LGPD.
The exercise of any of these rights does not affect the legality of any processing of your personal data carried out prior to the exercise of such right. If you have any requests related to your personal data or if you wish to exercise any of your rights, Aegea provides the contact details of the Data Protection Officer on its website and provides a dedicated channel through the website https://canalconfidencial.com.br/lgpdaegeasaneamento for matters related to personal data.
When you make a request to exercise any of your rights, Aegea needs to use your personal data to process the request and provide you with a response.
Other Privacy Policies
Aegea may establish specific privacy policies applicable to certain websites and/or applications, situations, or specific personal data subjects, which may supplement and/or prevail over this Privacy Policy.
Aegea always keeps its Privacy and Personal Data Protection Policy updated on its website.