Privacy and Cookies Policy

CORIUM QUÍMICA, a private legal entity headquartered in Novo Hamburgo/RS, hereby establishes this Privacy Policy regarding personal data and sensitive data as defined by the Brazilian General Data Protection Law (LGPD) provided by you (“User”) when using our company’s websites and services (both offline and online). This Privacy Policy serves to establish which data are necessary to provide for the faithful fulfillment of its purpose, as well as to define the moment when such data may be used.

This Policy covers all products offered by the company and complies with the principles of purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability in the processing of personal data.

DATA PROCESSING AGENTS:

Whenever CORIUM has decision-making authority over how data will be processed, it will act as the data controller and will only share data with third parties upon the User’s authorization, except when such sharing is required by judicial order, legal obligation, or for the provision of contracted services.

The Controller is responsible for decisions regarding data processing, including the appointment of the Operator responsible for data processing.

HOW DATA IS COLLECTED:

CORIUM may process data entered by the User when filling out registration forms (voluntarily provided data). It may also process data collected automatically during the use of its web pages and network (IP address, connection date and time, etc.).

Automatically collected data: The company also collects certain information automatically, such as device characteristics, browser type, IP address (with date and time), IP origin, among others. CORIUM uses standard technologies such as cookies to improve the User’s browsing experience.

Regarding cookies, Users can disable automatic data collection through their browser settings or via our website. However, by disabling cookies and/or other technologies, the User is aware that some site features may not function properly.

Whenever data processing is intended for advertising (marketing) purposes, SPECIFIC CONSENT will be required to authorize the processing.

Collected data may be shared with: (i) partner companies to ensure proper service delivery; (ii) to protect CORIUM’s interests in any conflicts; (iii) upon judicial order; (iv) as required by regulatory authorities or other competent entities.

Data may also be shared to serve CORIUM’s legitimate interests to ensure proper service provision, including but not limited to technology infrastructure providers, payment intermediaries, and legal departments (internal and external).

PURPOSE OF DATA PROCESSING:

Data processing aims to enable the correct and adequate provision of services contracted by the User. It also seeks to preserve CORIUM’s legitimate interests related to its technical, civil, and criminal responsibilities arising from service provision. Requested data are closely related to the contracted service/product and will be used for execution, business improvement, security, personalization of services or products, marketing, advertising, or any purpose contributing to service delivery.

Users will be informed of any significant changes to this policy and will be required to provide renewed consent (opt-in). If the User disagrees with the new terms, an opt-out option will be provided in the same communication.

For transparency and data quality verification, the following personal data are required:

Name
CPF (Brazilian individual taxpayer registry)
Residential address
RG (Identity card)
Email
Business address

OTHER DATA MAY BE REQUIRED. THE ABOVE LIST IS NOT EXCLUSIVE OR LIMITING REGARDING ADDITIONAL DATA THAT MAY BE REQUESTED.

Users declare that the personal data provided are voluntary, accurate, complete, and up-to-date, and CORIUM commits to their preservation and protection.

Data will not be used for purposes other than those described herein, except with User consent or legal authorization. CORIUM’s legitimate interest may also serve as a legal basis for processing data differently from the original purpose.

HOW DATA WILL BE USED:

Data will be used to provide contracted services, improve services when necessary, and for marketing purposes aimed at promoting the company’s products and services.

If personal data of minors are collected, specific consent from at least one parent or legal guardian is required. Under no circumstances will personal data of children be shared with third parties without such consent.

CONSENT:

Consent is one of the legal bases for processing personal data, along with the following:

Compliance with legal/regulatory obligations
Execution of public policies
Research by authorized bodies
Contract execution/pre-contractual diligence
Regular exercise of rights
Protection of life
Health care
Legitimate interest
Credit protection

No consent is required when data processing relates to criminal investigations, public safety, national defense, regulatory guidelines, or other situations listed above.

SPECIFIC CONSENT:

BY THIS SPECIFIC CONSENT, THE USER AUTHORIZES THE PROCESSING OF THEIR PERSONAL DATA FOR DIRECT MARKETING PURPOSES. THE USER ALSO AUTHORIZES RECEIPT OF COMMUNICATIONS ABOUT NEW PRODUCTS OR SERVICES OFFERED BY THE COMPANY.

WITHDRAWAL OF SPECIFIC CONSENT:

Specific consent may be revoked at any time by the User through an express request.

PRINCIPLES OF THIS PRIVACY POLICY:

This Privacy Policy follows these principles:

Purpose: processing serves legitimate, specific, explicit, and informed purposes
Adequacy: processing compatible with the informed purpose
Necessity: processing limited to the minimum required for its purposes
Free Access: Users have free and easy access to their data and processing details
Data Quality: accuracy, clarity, and relevance of data
Transparency: clear, precise, and accessible information about processing and agents
Security: technical and administrative measures to protect data from unauthorized access
Prevention: preventive actions to avoid damage from data processing
Non-discrimination: no processing for discriminatory, abusive, or unlawful purposes

Users may confirm processing, access, correct, anonymize, block, delete data (with consent), request portability, obtain information on data sharing, refuse consent, and revoke consent, in accordance with LGPD Articles 17 to 22. Responses will be provided promptly.

HOW WE KEEP DATA SECURE:

CORIUM stores collected information on its own or contracted servers.

Reasonable and LGPD-authorized methods ensure data privacy, including:

Protection against unauthorized system access
Restricted physical access to data storage locations
Confidentiality agreements for employees and service providers with penalties for breaches
Access logs to identify responsible parties for incidents
Risk management programs and staff training per LGPD requirements
Data access limited to personnel necessary for service delivery
Prohibition on data transport via laptops, pen drives, etc.
All staff aware of the Privacy Policy

While CORIUM makes every effort to preserve User privacy, no site is fully secure. Users are encouraged to protect their information, such as keeping usernames and passwords confidential.

RISK MANAGEMENT:

CORIUM has a risk management policy for incidents involving personal and sensitive data. In case of an incident, the Data Protection Officer (DPO) will notify the User via email, SMS, and WhatsApp about the incident, potential consequences, and measures taken.

IMPOSIBILITY OF DATA DELETION:

Users have the right to request full deletion of their personal data. However, deletion requests may be denied if there is a legal basis preventing it, such as:

Legal/regulatory compliance
Public policies execution
Research purposes
Contract execution/pre-contractual diligence
Regular exercise of rights
Protection of life and health
Legitimate interest
Credit protection

COOKIE USE:

Cookies are small files stored on the User’s browser or device to:
a) ensure session security and confidentiality;
b) collect data for analysis and audience measurement;
c) deliver targeted advertising or content.

We use cookies to enhance User experience and gather site usage data to improve content and services.

Upon User consent, CORIUM will store a cookie on the device to remember consent for future sessions.

Users may revoke consent to cookies at any time. However, refusal may severely affect service quality.

DATA SHARING:

Data sharing occurs internally with employees necessary for service execution and external professionals involved in service delivery. If sharing with others is required, the User will be informed and consent requested.

DATA RETENTION:

Data collected have a specific purpose clearly communicated to the User.

After the purpose is fulfilled, personal and sensitive data will be deleted automatically, respecting legal exceptions.

Data will also be deleted upon User request if processing was authorized by consent.

YOUR RIGHTS:

Users have the right to:
i) confirm data processing;
ii) access their data;
iii) correct incomplete, inaccurate, or outdated data;
iv) anonymize, block, or delete unnecessary or unlawfully processed data;
v) data portability upon express request;
vi) delete data processed with consent;
vii) information about data sharing;
viii) be informed of consent refusal consequences;
ix) revoke consent.

INTERNATIONAL DATA TRANSFER:

CORIUM does not transfer personal data collected in Brazil abroad without User authorization. When international transfer occurs, third parties with adequate privacy standards are used.

By accessing our services, Users agree to data processing and transfer to Brazil and possibly other countries. Users are informed that their data may be subject to foreign laws upon transfer.

APPLICABLE LAW AND JURISDICTION:

This Privacy Policy is based on Brazilian Law No. 13,709/2018 (LGPD) and other applicable privacy regulations. The parties agree to the jurisdiction of the courts of Novo Hamburgo/RS for any disputes arising from this document.

If you have any questions about our Data Protection Policy, please contact us at:
rh@corium.com.br
Attention: Data Privacy Officer

Updated on June 7, 2021.