PRIVACY POLICY

DATE OF THE LAST UPDATE: 08/19/2024

We at Companhia Brasileira de Distribuição (“Pão de Açúcar Group”, “GPA” or “we”), with Tax Id. (CNPJ/ME) No. 47.508.411/0001-56 and headquartered at Avenida Brigadeiro Luís Antônio 3142, in Sao Paulo, State of Sao Paulo, Brazil, are one of the largest retail groups in Brazil, having operations with some of the major brands in the country, and we are committed to safeguarding your privacy and protecting your personal data.

Why does GPA process my personal data?

GPA is committed to always offering the best products and services, believing in the customer’s power of choice as part of our purpose. When we talk about personal data, this involves not only respecting and committing to the security and privacy of our customers, but also our commitment that this same power of choice extends to their personal data.

When we carry out a sale, it is common for us to collect some personal data from customers to finalize the transaction – for example, credit card data. Likewise, some of our services involve registering, either to take part in loyalty programs or to receive purchases at your home. We also use security cameras in our physical stores to ensure your safety and collect certain personal data to better understand your profile and provide you with more attractive, tailored ads.

These are just a few examples that show how we need to use personal data in our activities, legitimately and within your expectations. We are very serious about complying with the laws that protect your privacy, and this Privacy Policy (“Policy”) describes how your information and personal data may be collected, used, shared, and stored. If you still have questions after reading this Policy, please feel free to contact us through our service channels.

Important: this Policy applies to our brands, businesses, and services in general. However, other Privacy Policies and Notices may also apply specifically to certain services. In this case, you will find such documents, if applicable, in the service environment you access. In the event of a conflict between this Policy and any of the Privacy Policies and Notices, we ask you to consider the provisions set forth in the Privacy Policy or Notice specifically applicable to the service you are using.

BASIC CONCEPTS: WHAT DO I NEED TO KNOW TO UNDERSTAND THIS POLICY?

In order to make your reading easier, we provide you with some useful definitions for your interpretation:

“Legal Bases” are the legal grounds that allow GPA to Process Personal Data. The Processing of Personal Data is considered valid if it is grounded on a legal basis.

“Personal Data” is any data relating to an identified or identifiable individual, including identifying numbers, location data, electronic identifiers, or any data that, when combined with other information, can identify someone, make them identifiable, or even individualize them.

“Digital Platforms” or “Platforms” are the websites and applications owned by GPA.

“Process” or “Processing” are the uses GPA makes of Personal Data, including for example the following activities: collection, recording, storage, organization, consultation, use, disclosure, sharing, transmission, classification, reproduction, processing, and evaluation.

“you” or “Data Subject” is the person to whom the Personal Data relates.

HOW DOES GPA COLLECT YOUR PERSONAL DATA AND WHAT TYPES OF PERSONAL DATA ARE COLLECTED?

The types of Personal Data and how GPA collects them depend on how you relate to GPA and why. For example, the Personal Data collected are different if you use our delivery app or make a purchase at any of our physical stores.

Without prejudice to other information provided for in specific Privacy Policies or Notices, we may foresee some situations that occur more frequently in the relationship between GPA and its customers, which we explain briefly below:

| Data Source | Types of Data Collected | Purpose |
| --- | --- | --- |
| Navigation on Digital Platforms | Browsing data: data collected through cookies or device IDs, including IP, date and time of access, geographic location, browser model, duration of visit, and pages visited. Access device data: model, manufacturer, operating system, telephone carrier, browser model, connection type, and connection speed. | Website operation: activate essential features such as antivirus software, responsiveness of the website/application to the desktop/mobile, among other functions. Analytics: understand your browsing behavior and how the website/app is being used, in order to improve your experience as a user. The data collected is aggregated and, whenever possible, anonymized. Marketing: targeting of content and advertising from us and our partners, according to your profile and preferences. |
| Registration Forms | Registration data: email, name, telephone, address, and other information (depending on the contracted service). | Services provision: delivery, registration in loyalty programs, among others. Marketing: targeting of content and advertising from us and our partners, according to your profile and preferences. |
| Ombudsman and Customer Service | Registration data: email, name, telephone, and other information (depending on the contracted service). | Handling requests: processing return requests, exchanges, direct customer complaints and inquiries, among others. |
| Physical Stores | Payment Data: credit and debit card information. Registration Data (forms): email, name, telephone, address, and other information (depending on the contracted service). Other data: image capture by security cameras (CCTV). | Provision of Services: processing of purchases, division in installments, delivery, and registration in loyalty programs, among others. Answering requests: make return requests, exchanges, direct customer complaints and requests, among others. Credit Protection: confirmation of credit card limit, analysis of credit restrictions for division in installments, among others. Security: physical and logical security of store environments. |

HOW DOES GPA USE COOKIES?

Like many companies, we use cookies on our Platforms to collect information that helps us improve your experience with us. In this section, we will explain what cookies are, the types of cookies we use, the information we collect using cookies, and the purposes for which this information is used.

What are Cookies? Cookies are small files that we transfer to your browser or device (such as a mobile phone or tablet) that allow us to recognize your browser or device and understand how and when GPA’s websites, products, and services are used. They can be useful, for example, in adapting the size of the website to your screen, better understanding your preferences, and providing you with a more efficient service.

What types of cookies does GPA use? On our Platforms, we use the following categories of cookies:

(i) Strictly Necessary Cookies: These are cookies necessary to provide our services and for our Platforms to function correctly, ensuring secure browsing, content scaling, and compliance with GPA’s legal obligations.

(ii) Advertising Cookies: These cookies are used for content targeting and advertising based on your profile and preferences. They aim to show you more relevant and interesting ads during your browsing.

(iii) Statistical Cookies: Provide information about your browsing behavior and how the Platform is being used. The collected data is aggregated, and our goal is to better understand our audience so that we can offer more interesting content, services, and products to those who access our platforms.

What is the storage time for cookies? Cookies generally have an expiration date. On our Platforms, cookies can be:

(i) Session Cookies: These cookies are automatically deleted when you close the browser.

(ii) Persistent Cookies: These cookies remain stored on your device even when you end your navigation on the Platform. We use these types of cookies to remember your browsing preferences.

How can I remove or block cookies? If you want to know which cookies are installed on your device, or if you want to delete or restrict them, you can use your browser settings for this purpose. For information related to other browsers, visit the browser developer’s website.

Please remember that the use of cookies allows us to offer you a better experience with our products and services. If you block cookies on our Platforms or decide not to allow the operation of some of them, we cannot guarantee the correct functioning of all Platform features, and you may not be able to access certain areas of our products. Additionally, certain functions and pages may not work properly.

WITH WHOM DOES GPA SHARE YOUR PERSONAL DATA?

Like any large company, GPA operates in partnership with several other companies to offer its products and services. In this sense, we may share your Personal Data with these GPA partner companies, always seeking to preserve your privacy to the maximum extent and, whenever possible, anonymously. Below we describe situations in which we may share Personal Data and for what purposes:

Our suppliers. We have a series of suppliers that we need to hire to operate our services, and some of them may Process Personal Data that we collect, such as companies that provide data hosting, property security, registration authentication and validation services, advertising companies, payment methods, among others. To the extent possible, we always strive to carefully assess our suppliers and enter into contractual obligations with them regarding information security and the protection of Personal Data, aiming to minimize risks for the Data Subjects.

Social media. Some of our Digital Platforms allow you to register by signing into your account through a third-party service, such as your Facebook or Google profile. When this occurs, certain Personal Data may be shared with those third parties. It is always the choice of the Data Subject to decide whether or not they wish to integrate this information. We remind you that we do not control the policies and practices of any other third-party website or service.

Data Companies. Some of our business partners are data companies, popularly known as bureaus, with whom we may share Personal Data for some important purposes, such as validating a certain profile to prevent fraud, supporting credit approval, enabling the sale in installments, or facilitating other commercial and business transactions that involve financial risk.

Business Partners. In addition to our suppliers, we may occasionally share Personal Data with GPA’s business partners in order to enable a particular product or service or special condition for our customers. For example, we need to share Personal Data for delivery services, or so that the Data Subject can enjoy a certain reward in a loyalty program. In the same way as we do with our suppliers, we use our best efforts to carefully assess our business partners and establish contractual obligations with them regarding information security and the protection of Personal Data, with the goal of minimizing risks for the Data Subjects.

Public Authorities. We must comply with the law. Therefore, if a judge or an authority with competent jurisdiction requires GPA to share certain Personal Data for purposes of, for example, an investigation, we will comply. We are against any abuse of authority and, if GPA deems a particular order is abusive, we will always defend the privacy of the Data Subjects.

Companies affiliated with GPA. Some Personal Data may be shared among the companies and business units of GPA. We do this to meet GPA’s legitimate interests, support the development of new products and businesses, exchange experiences and best practices, analyze data, among other situations.

Furthermore, we reserve the right to share any Personal Data that we believe to be necessary to comply with a legal obligation, enforce or apply our policies, or protect the rights, property, or safety of GPA, our employees, and customers.

DOES GPA TRANSFER PERSONAL DATA TO OTHER COUNTRIES?

Yes. Although GPA is headquartered in Brazil and its products and services are intended for people located in Brazil, thereby subject to Brazilian laws related to the protection of Personal Data, the Personal Data we collect may be transferred to countries located in the European Union and the USA. Such transfer is due to certain suppliers and business partners of GPA, who may be located in these areas.

Those transfers involve only companies that prove to be compliant or in the process of being compliant with applicable laws and maintain a similar or even stricter level of compliance than that provided for in the applicable Brazilian laws.

WHAT ARE YOUR RIGHTS AS A PERSONAL DATA SUBJECT?

The Personal Data is yours, and Brazilian law ensures that you have a series of rights related to them. We are committed to complying with these rights, and in this section we will explain how you can exercise these rights with GPA.

| Right | Explanation |
| --- | --- |
| Anonymization, blocking, or deletion | You can request: (a) anonymization of your Personal Data, so that they can no longer be related to you; (b) blocking of your Personal Data, temporarily suspending the possibility of processing for certain purposes; and (c) deletion of your Personal Data, in which case we must erase all your Personal Data from our database. |
| Access and confirmation | You can request confirmation of the existence of the processing of your Personal Data, and if it is confirmed, you can access them, including by requesting copies of the records we have about you. |
| Correction | You can request the correction of your Personal Data if it is incomplete, inaccurate, or outdated. |
| Information about the possibility of not providing consent | You have the right to receive clear and complete information about the possibility and consequences of not providing consent when it is requested. |
| Information about data sharing | You have the right to know which public and private entities we share your Personal Data with. Depending on the situation, we may limit the information provided to you if its disclosure could violate intellectual property or trade secrets. |
| Object | The law allows the processing of Personal Data even without your consent or a contract with us. In these situations, we will only process your Personal Data if we have legitimate reasons to do so. If you do not agree with any purpose of processing your Personal Data, you may object and request cessation |
| Portability | You can request the provision of your Personal Data in a structured and interoperable format for transfer to a third party, provided that such transfer does not violate intellectual property or trade secrets. |
| Consent withdrawal | If you have consented to any purpose of processing your Personal Data, you can always choose to withdraw your consent. However, this will not affect the legality of any processing carried out before the withdrawal. |

If you wish to exercise any of your rights, simply contact us through the channels indicated in this Policy.

Whenever Data Subjects choose to exercise their rights, GPA may request some additional information for the purpose of proving their identity, in order to prevent fraud. We do this to ensure the security and privacy of our customers.

In some cases, GPA may have legitimate reasons to refrain from fulfilling a request. These situations include, for example, cases where disclosing specific information could violate GPA’s or third parties’ intellectual property rights or trade secrets, as well as cases where requests for anonymization, blocking, or deletion of data cannot be fulfilled due to GPA’s obligation to retain the data, either to comply with legal and regulatory obligations or to enable the defense of GPA’s or third parties’ rights, including in disputes of any nature.

Moreover, some requests may not be answered immediately, but GPA commits to responding to all requests within a reasonable timeframe and always in accordance with applicable law.

HOW LONG WILL PERSONAL DATA BE STORED?

GPA has a Personal Data retention policy aligned with applicable law. Personal Data is stored only for as long as necessary to fulfill the purposes for which they were collected, unless there is any other reason for their maintenance, such as the need to comply with any legal, regulatory or contractual obligations, among others, provided that they are based on a Legal Basis.

WHAT ARE OUR RESPONSIBILITIES AND HOW DOES GPA PROTECT MY PERSONAL DATA?

Our responsibility is to take care of your Personal Data and use them only for the purposes described in this Policy. To ensure your privacy and the protection of your Personal Data, we have adopted appropriate security practices for our market, including the use of encryption techniques and other information security systems.

We strive to protect your privacy and your Personal Data, but unfortunately, we cannot guarantee complete security. Unauthorized third-party access or use of your account, hardware or software failure beyond GPA’s control, and other factors can compromise the security of your Personal Data. Therefore, your cooperation is essential to maintaining a secure environment for everyone. You can help us by adopting good security practices regarding your account and data (for example, not sharing your password with third parties). If you identify or become aware of anything that compromises the security of your data, please contact us through our customer service channels.

HOW CAN I TALK ABOUT PERSONAL DATA WITH GPA?

If you believe that your Personal Data have been used in a manner incompatible with this Privacy Policy or with your choices, or if you have any questions, comments, or suggestions related to this Policy, please contact us. We have a Data Protection Officer (DPO) who is available at the following contact addresses:

Data Protection Officer (DPO): Baptista Luz Advogados
Responsible person: Fernando Bousso
Mailing Address: Rua Ramos Baptista, 444, 2nd floor, Vila Olímpia, São Paulo/SP, Brazil, ZIP Code 04552-020
Contact channel: dpo@gpabr.com

CHANGES TO THE PRIVACY POLICY

As we are always seeking to improve our products and services, this Privacy Policy may be updated to reflect the improvements made. Therefore, we recommend periodic visits to this page so that you are aware of the modifications made.