Privacy Policy

Back

  1. PURPOSE

1.1. This Policy aims to define the principles and guidelines that govern the processing of personal data of individuals with whom Severo da Costa Advogados interacts in the course of its professional activities. This includes, among others, clients and their legal representatives, partners, officers, employees, service providers, witnesses, expert assistants, as well as any other natural persons whose data is processed by the organization (“DATA SUBJECT”).

1.2. Severo da Costa Advogados (“CONTROLLER”) acts as the party responsible for processing the personal data collected and is in charge of deciding the purposes and means of such processing, including the appointment of a data protection officer (“DPO”).

  1. CATEGORIES OF DATA PROCESSED

2.1. In accordance with Law No. 13.709/2018 – the Brazilian General Data Protection Law (“LGPD”), the following data may be subject to processing:

  • Identification and contact information: full name, residential address, date of birth, nationality, official documents (such as ID, CPF, driver’s license, bar association number), email, phone number;
  • Professional and academic data: associated company, profession, job title, education level;
  • Registration information: documents required for employment (such as work and social security documents), biometrics, photographs, political affiliation, disability status, bank details, income reports, among others;
  • Financial data: remuneration, transaction history, assets and properties, debts and certificates, tax declarations;
  • Family information: family composition and relationships;
  • Data used in legal and administrative proceedings: marital status, place of residence, identification documents, languages, nationality, place of birth, among others;
  • Data collected in digital environments: cookies and other identifiers used during navigation on the law firm’s website; information provided through contact forms and subscription to institutional mailing lists.

2.2. This data may be collected directly from the DATA SUBJECT, through related third parties or public sources.

2.3. All collected data will be processed in accordance with the limits established in this Policy.

  1. PURPOSES OF DATA PROCESSING

3.1. Personal data will be used as necessary for the performance of institutional functions and the provision of legal services in their various forms.

3.2. The CONTROLLER may process the data for purposes such as:

  • Drafting and reviewing contracts;
  • Conducting audits;
  • Acting in judicial, administrative, arbitral proceedings and investigations;
  • Preparing legal opinions, consultations, and memoranda;
  • Legal documentation regularization (e.g., property deeds, tax obligations);
  • Representing clients before public authorities;
  • Participation in training sessions, meetings, and institutional events;
  • Execution of complex legal operations, including M&A and capital markets transactions.

3.3. In addition, data may be used for:

  • Issuance of invoices and billing;
  • Institutional communication and informational content delivery;
  • Event organization, including accessibility analysis and special needs;
  • Satisfaction surveys and service evaluations;
  • Internal management of personnel and third parties, including access control and compliance policy enforcement.

  1. DATA SHARING AND INTERNATIONAL TRANSFER

4.1. Personal data may be shared with:

  • Technology providers, cloud storage services, hosting, and digital infrastructure companies;
  • Professional partners (correspondents, auditors, translators, experts, etc.);
  • Public authorities, regulators, courts, and private entities, when necessary for the law firm’s operations;
  • Specialized publications, provided that professional confidentiality is maintained.

4.2. International data transfers may occur, provided they comply with the safeguards set out in the LGPD, including the execution of specific contractual clauses with the recipients.

  1. RETENTION PERIOD

5.1. Personal data will be retained:

  • For the period required by legal or regulatory obligations;
  • While the relationship justifying the processing remains valid;
  • For as long as necessary to protect the CONTROLLER’s legitimate interests or for the defense of rights in administrative or judicial proceedings.

5.2. Once processing has ended and no legal basis for retention remains, the data will be appropriately discarded.

  1. DATA SUBJECT RIGHTS

6.1. The DATA SUBJECT may, by sending a request to the email address dpo@severodacosta.com.br, exercise the following rights:

  • Confirmation and access to processed data;
  • Correction of inaccurate or outdated data;
  • Anonymization, blocking, or deletion of unnecessary or excessive data;
  • Data portability;
  • Information about data sharing with third parties;
  • Withdrawal of consent, when applicable;
  • Complaint to the Brazilian National Data Protection Authority (ANPD).

6.2. Some requests may be subject to limitations under applicable law, especially due to professional confidentiality, legal obligations, or the CONTROLLER’s legitimate interests.

  1. GENERAL PROVISIONS

7.1. This Policy aims to provide clear and transparent guidance on data processing, reducing ambiguous interpretations. In case of doubts, the DATA SUBJECT may contact the DPO or the CONTROLLER’s Compliance Committee.

7.2. The CONTROLLER reserves the right to modify this Policy at any time, based on legislative or institutional changes.

7.3. This Policy is effective for an indefinite period.

São Paulo, July 7, 2025.