Privacy and Data Protection Policy

This Privacy Policy applies to all research participants, employees, clients, business partners, and users in general who have a relationship with Quantas.

This policy applies to all personal data processed by QUANTAS, including data collected through research, websites, groups, apps, services, and digital platforms, and direct interactions with our representatives.

The personal data are collected, processed, and stored according to a rigorous process designed to guarantee the privacy and security of information, from the time it is collected to when it is excluded.

Quantas is determined to protect the security and privacy of research participants. In this context, Quantas has created this Privacy Policy to reaffirm its commitment and respect towards the rules of privacy and protection of personal data.

Quantas needs to collect and treat the personal data of participants to provide market research services. In this regard, the Privacy and Personal Data Policy of Quantas (hereinafter “Privacy Policy”) aims to help our participants understand what personal data we collect, how and why we use it, to whom we disclose it, and how we protect their privacy when using our services.

Quantas aims to respect the best practices when it comes to the security and protection of personal data by promoting and raising awareness of the best practices in this context. We also aim to improve the systems we use to manage the protection of personal data shared by participants in the strictest observance of the law. By filling out forms, participating in interviews, and directly or indirectly providing data, you agree that you have read and understood this Policy and all other specific terms and conditions and policies concerning the provided services.

Personal Data

Personal data refers to any information related to an individual, identified or identifiable (data subject), such as name, address, e-mail, phone number, behavior, and preference information, among others.

Sensitive personal data

Sensitive personal data is information that requires more protection due to its nature – i.e. race or ethnicity, political views, religious or philosophical beliefs, union membership, genetic information, biometrics, health, sexual habits or orientation, and history of criminal convictions or infractions.

1. Consent of data holder – It is a free, specific, informed, and clear expression of will, through which the data holder agrees, by a statement or clear positive action, that their personal data can be processed;
   
2. Controller: An individual or legal entity, public or private, who is in charge of decisions regarding the processing of the personal data;
   
3. Operator: An individual or legal entity, public or private, who processes personal data on behalf of the controller; 
4. Data protection office (DPO) – a person appointed to ensure, in an organization, that the processing of personal data is in compliance with the LGPD, thus guaranteeing efficient communication with data holders and cooperation with control authorities and connecting the different departments within Quantas. The DPO does not receive instructions regarding the performance of their duties and reports directly to the management of the entity that appointed them. 
5. Data holder – a unique an identified or identifiable natural person to whom the personal data relates; 
6. Treatment – an operation or set of operations conducted over personal data or group of personal data, through automated or non-automated means, such as collection, recording, organization, structuring, preserving, adapting or altering, recovering, consulting, using, transmitting, diffusing, or any other action to make it available, comparing or interconnecting, limiting, erasing, or destroying; 
7. Violation of personal data – a security violation that accidentally or illegally causes the non-authorized destruction, loss, alteration, disclosure, or access to personal data that has been transmitted, preserved, or subject to any other type of treatment;
    
8. Anonymization – a technique that is the result of the treatment of personal data to remove enough elements from the data as to make it irreversibly impossible to identify the data holder. More specifically, the data must be processed so that it can no longer be used to identify an individual through any means that could reasonably be applied, either by the data controller or by third parties. 
9. The Brazilian National Data Protection Authority (ANPD) – A public administration body in Brazil who is responsible for overseeing, implementing, and enforcing compliance with the law.

QUANTAS is responsible for the treatment of personal data and defines the purpose and means of treatment according to data protection legislation. 

This Privacy Policy aims to inform participants about the terms of the treatment of their personal data that is used by QUANTAS by determining the purpose and means used in the context of service provisions. In this context, in the terms used by the LGPD, QUANTAS should be considered the Controller. When an independent third party is contacted by and at the request of QUANTAS, this third party will be considered an Operator as per the LGPD.

If any questions should arise regarding the data privacy of a participant, the third party shall be referred to for the purpose of determining a possible violation, intent, negligence, recklessness, or incompetence.

The information received through reports, interviews, videos, experiences, testimonials, among other methods of information collection for research is treated by Quantas and reported to contracting parties. The contracting parties may not use or share any personal data received beyond the results established in the research and participant interviews, which are usually sent in an anonymized form, i.e. without personal identification.

In the terms of this Policy, the contracting parties that hire Quantas are aware of the responsibility included in the handling of the personal data and sensitive personal data of the participants that they receive from Quantas for the provided services of elaborating market research reports.

We collect data such as name, e-mail, telephone number; demographic, behavioral, and browsing data; opinions; and evaluations. These data are collected through questionnaires, online forms, interactions on social media, website visits, interviews, and other forms of direct interaction. 

Quantas collects personal information given by the participants and this information may identify them. This collected information may vary according to the needs of the research and the kind of information the participant chooses to share with us.

All personal data of the participant may be collected, treated, and stored for the purpose of the services provided by Quantas, including those data presented during interview sessions or groups, such as:

• Identification Data: Name, e-mail, phone number, address.
• Demographic Data: Age, gender, location, social classification.
• Behavioral Data: Preferences, shopping and consumption habits.
• Attitudinal Data: Opinions, Motivations, Expectations.
• Browsing Data: Browsing history and online interactions.

The personal data of the participants is treated so it can offer content and materials that interest the entities that hire Quantas’s services. In order for that to happen, it is often necessary to cross reference the collected data so that marketing actions can be directed to meet the expectations those contracting entities have of Quantas.

In that sense, Quantas uses personal data to communicate and manage the relationship with the participant. The data collection allows us to contact the participant via mail, e-mail, social media, or text message, for administrative or operational purposes – for example, to send them news that might interest them. We will also use your personal data to fulfill requests, respond to suggestions or messages so that we can improve our services and your experience as a Quantas participant.

The LGPD requires that, for the processing of personal data to be lawful, there must be an appropriate legal basis for each specific processing activity.

We treat personal data on the following bases:

• Data holder consent.
• Execution of contracts.
• Compliance with legal obligations.
• Legitimate interests of QUANTAS.

Regarding Quantas’s treatment of participants’ data to improve our services and meet our administrative and quality goals, the appropriate legal basis will be the pursuit of the legitimate interests of the Controller and the Contractual Compliance, when applicable, and the participant’s consent. This consent means that data holders may oppose the treatment of their data for the abovementioned purposes if they present valid reasons regarding their specific situation. Should that happen, the Controller may present legitimate reasons that justify the continuation of the data treatment, in which case the Controller reserves the right to continue processing your data for these purposes, such as when the processing is necessary for the establishment, exercise, or defense of a right in legal proceedings.

Regarding the data treatment conducted by Quantas in the context of compliance with legal obligations, the appropriate legal basis for data treatment – which consists, in most cases, of sharing the data with external entities – will be the need for said treatment for the Controller to comply with legal obligations.

Personal data are accessed only by trained and authorized employees at QUANTAS, who require this information to perform their duties.

In the context of the treatment of the participant’s personal data, Quantas observes, at all times, the principles of data protection beginning at conception (privacy by design). This commitment means, among other things, that your personal data will be of limited access to the people who need the data to perform their duties, strictly to the extent necessary for the pursuit of the treatment purposes we have listed above.

The participants’ personal data, which may include videos and images, that Quantas collects are treated in strict compliance with the applicable legislation and are stored in a specific database. The data is kept in a format that allows the identification of data holders only during the period when that is necessary for the purposes for which they are treated. There are, however, legal requirements that mandate that the data be kept for a certain period. We use as a reference to determine the appropriate period of storage the several deliberations of the data protection control authorities, appointed by the Brazilian Data Protection National Authority (ANPD) and the Code of Ethics of the Brazilian Association of Research Companies (ABEP).

Under the applicable legislation, the data holder may request, at any time, access to their personal data, the correction of incomplete, inaccurate, or outdated data, the deletion, restriction, and objection to the processing/treatment of their data, directly via e-mail at dpo@quantas.com.br

Quantas is determined to ensure the confidentiality, protection, and safety of the participants’ personal data by implementing the appropriate technical and organizational measures to protect your data from any type of unauthorized or illegitimate treatment and from any accidental loss or destruction. To that end, we have dedicated systems and teams to ensure the security of the treated personal data, which create and update the procedures that prevent non-authorized access, accidental loss and/or destruction of the personal data with a commitment to comply with data protection legislation and to treat the data only to the extent for which they were collected and ensure that the data will be treated with the appropriate security and confidentiality levels.

Quantas may, in some cases, transmit your personal data to third parties. Quantas has defined clear contractual rules regarding the treatment of personal data with its operators and requires that these operators adopt appropriate technical and organizational measures to protect your personal data. However, in some cases, we may be required by law to disclose your personal data to third parties (such as control authorities), over whom we have relatively limited control when it comes to the protection of personal data.

The information database created by Quantas may be made available to strategic business partners to generate mutual benefits and results, such as providing or improving our products, services, and advertising.

Quantas may be required to disclose your personal information if required by law, legal proceedings, litigation, and/or requests from public and governmental authorities within or outside your country of residence. We may also share your information if we determine that sharing the information is necessary or appropriate for national security reasons, law enforcement, or other matters of public interest.

We may also reveal your information should we determine that it is reasonably necessary to do so in order to impose our terms and conditions or to protect our operations or users. In addition, in the event of a reorganization, merger, or sale, we may transfer any and all personal information we have collected to the relevant third parties.

The personal data may be shared with third parties only under the following circumstances:

• To service providers who work with QUANTAS.
• To fulfill legal obligations or respond to legal proceedings.
• With the consent of the data holder.

Quantas relies on other entities to provide certain services. This may occasionally result in these entities accessing the personal data of participants. This applies to entities that provide support services to Quantas. 

Thus, any entity that is characterized as a Quantas Operator will treat the personal data of our participants on our behalf and at our request, in the strict observance of our instructions. Quantas guarantees that the entities characterized as Operators offer sufficient guarantee of the execution of the appropriate technical and organizational measures so that the data treatment can meet the requirements of the applicable legislation and ensure the security and protection of the rights of the data holders, under the terms of the subcontracting agreement entered into with said Operators. 

Quantas may transmit your personal data to any Public Entity, Court, Solicitor, law-enforcement authorities or the District Attorney’s office when notified to do so or when it is necessary to comply with legal obligations, as legally required. 

In any of the situations mentioned above, Quantas is committed to taking all reasonable measures to ensure the effective protection of the personal data it treats.

You can contact the Data Protection Officer (DPO) of Quantas for further information regarding the treatment of your personal data and any other issues related to the exercise of the rights your are entitled to as per the applicable legislation and, especially, those referred in this Privacy Policy through the following channel:

• e-mail: dpo@quantas.com.br