LGPD

Brasil Refinarias Ltda, registered under CNPJ nº 08.839.018/0001-93, with headquarters at Via Periférica I, 98999, Cia Sul, Simões Filho, Bahia, establishes this Personal Data Protection Policy in compliance with Law nº 13.709/2018 (General Data Protection Law – LGPD) and related regulations, with the objective of guiding, clearly and transparently, the principles, guidelines, and practices adopted in the processing of personal data in our corporate activities and in the digital environments under our management.

This Policy applies to candidates, employees, and interns, service providers and suppliers, visitors to the facilities, clients and potential clients, representatives of public bodies, and other data subjects who interact with us through physical or digital means; it covers operations such as recruitment and selection, management of contracts and partnerships, property and process security (including access control and video surveillance), response to sectoral and environmental regulatory demands, institutional communications, and administrative, financial, legal, and compliance support activities. We adopt and publicize the LGPD principles as the basis of our operations: determined and legitimate purpose for each processing; adequacy of use to the informed purpose; necessity (data minimization); free access and transparency for the data subject to know how their data is processed; data quality and accuracy; security and prevention against incidents; non-discrimination; accountability and reporting with governance, controls, and evidence.

The processing of personal data observes legal hypotheses provided for in the LGPD, as applicable:

  • Execution of contracts or preliminary procedures at the request of the data subject;

  • Compliance with a legal or regulatory obligation (including before ANP, environmental and fiscal authorities);

  • Regular exercise of rights in judicial, administrative, or arbitration proceedings;

  • Protection of the life or physical integrity of the data subject or a third party;

  • Health protection in procedures carried out by health professionals and services;

  • Legitimate interests of the controller or third parties, respecting the legitimate purpose, the data subject’s expectation, and risk minimization;

  • Free, informed, and unambiguous consent of the data subject, when required.

Any processing of sensitive data (for example, health information related to occupational medicine, biometric data for access control, union affiliation when necessary for labor obligations) will occur only in applicable legal hypotheses and with additional security safeguards and restricted access. We collect data through forms and internal systems, digital channels (websites, landing pages, career pages), integrations with technology providers, and plant operational records; the data processed, depending on the interaction, may include: identification and contact, professional and academic data, attendance and access records, surveillance camera images in signaled areas, device and navigation data as described in our Cookies Policy, banking and fiscal data for contractual execution, and metadata generated by operational security and integrity systems.

We use data for specific purposes, such as: managing relationships with candidates, employees, suppliers, and clients; qualifying and approving third parties; complying with legal, regulatory, and contractual obligations; ensuring the safety of people, assets, and operations; conducting audits, internal investigations, risk management, and fraud prevention; improving processes and services based on indicators and statistics; conducting institutional communications and relationship actions when appropriate and permitted; responding to requests from data subjects and authorities; and supporting legitimate business decisions with aggregated and anonymized data when possible. We share personal data strictly to the extent necessary and with adequate guarantees with: service providers acting as data processors on our behalf (e.g., hosting and cloud, HR management, occupational health and safety, access control and CCTV, email and customer service providers, analytics tools), companies of the same economic group for governance and administration purposes, financial institutions and insurers when necessary, technical partners involved in projects and licenses, and public authorities as required by law or official order; in corporate transactions (mergers, acquisitions, or restructurings), data may be shared with involved third parties, observing the duty of confidentiality and the continuity of the level of protection.

In case of international transfer, we will adopt legally valid mechanisms, such as specific contractual clauses, assessment of the protection level of the destination country, or data subject consent when applicable. We retain data for the period strictly necessary to fulfill the stated purposes, comply with legal and regulatory obligations, preserve rights, and for accountability; once the purposes and deadlines are exhausted, we will proceed with elimination or anonymization, except in cases of legal retention. We implement technical and administrative measures capable of protecting data against unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication, or dissemination, including profile-based access controls, encryption in transit and/or at rest when applicable, infrastructure hardening, vulnerability management, backup and recovery, log recording, environment segregation, and periodic training; we maintain an incident response plan and, in the event of an occurrence that may cause significant risk or damage, we will communicate with the ANPD and the affected data subjects, under the terms of art. 48 of the LGPD.

We adopt privacy governance practices, such as:

  • Appointment of a Data Protection Officer (DPO) as a communication channel with data subjects and the ANPD;

  • Data Protection Impact Assessment (DPIA) when relevant;

  • Privacy by design and by default in projects and systems;

  • Information classification and retention policy;

  • Contracts with processors and specific data protection clauses;

  • Records of processing operations, especially when based on legitimate interest;

  • Audits and compliance monitoring with evidence generation.

The data subject possesses, under the terms of art. 18 of the LGPD and other applicable provisions, rights of confirmation of the existence of processing, access, correction of incomplete, inaccurate, or outdated data, anonymization, blocking or elimination of unnecessary, excessive, or non-compliant data, portability, information about sharing, and about the possibility of not providing consent and its consequences, revocation of consent, and review of decisions made solely based on automated processing that affect their interests, observing trade and industrial secrets and technical and legal limits; requests can be made through our channels and will receive a response within a reasonable timeframe, observing, when applicable, the timeframe of up to 15 (fifteen) days for a complete declaration as provided in art. 19 of the LGPD. Regarding children and adolescents, we do not intentionally collect data without the due authorization and participation of their guardians, when required; in physical facilities, areas with video surveillance are signaled. The use of cookies and similar technologies is governed by our Cookies Policy, where you can manage preferences and consents; this Policy should be read in conjunction with our Privacy Policy, which details categories of data collected through digital channels, legal bases, and ways to exercise rights. To exercise rights, clarify doubts, report a security incident, send feedback, or contact the Data Protection Officer (DPO), use the email [ti@brasilrefino.com.br] or the address indicated at the beginning of this Policy; when communicating, describe your request clearly, attach documents proving your identity, and inform, when applicable, dates, contexts, and systems involved in the questioned processing; the data subject is free to petition the ANPD regarding their data.

This Policy may be updated to reflect legislative, regulatory, technological, organizational, or process changes; the new version will take effect on the publication date and will indicate the “update date”; should relevant changes require new consent, we will inform you appropriately. The continued use of our physical and digital environments after the publication of the new version will constitute acknowledgment of the modifications, without prejudice to the rights guaranteed by the LGPD.

Update date: August 29, 2025.