Brasil Refinarias Ltda, registered under CNPJ nº 08.839.018/0001-93, with headquarters at Via Periférica I, 98999, Cia Sul, Simões Filho, Bahia, presents this Privacy Policy to explain, clearly and transparently, how it collects, uses, shares, and protects personal data within the scope of its institutional website and other digital channels under its management (e.g., contact forms, career pages, newsletters, catalogs, landing pages, and official profiles).

By browsing our environments or providing us with data, you declare awareness and agreement with the practices described herein, in accordance with Law nº 13.709/2018 (General Data Protection Law – “LGPD”) and related regulations. We collect personal data directly provided by you, such as name, email, phone number, company, position, area of interest, and the content of messages sent through website forms, as well as data attached to applications (resume, professional history, education, certifications, salary expectations, and any complementary information), supplier registration data (company name, CNPJ/CPF, address, contacts, and supporting documents), and data related to participation in events, newsletters, and institutional communications. We also automatically collect navigation and device data when you use the website, such as IP address, date and time of access, pages visited, cookie identifiers, traffic source, approximate geolocation, browser type and version, and operating system, as well as performance and interaction metrics, through cookies and similar technologies.

We use your personal data for legitimate and specific purposes, including:

• Responding to requests, queries, and applications submitted through forms;

• Evaluating applications and conducting selection processes;

• Qualifying and approving suppliers;

• Sending institutional communications, technical information, event invitations, and materials about our products, services, and operations (always with an unsubscribe option);

• Complying with legal, regulatory, and sectoral obligations (e.g., before ANP, environmental and fiscal bodies);

• Protecting our rights and preventing fraud, security incidents, and misuse;

• Improving the browsing experience, usability, and website content;

• Conducting statistical and audience analyses to support legitimate business decisions; and

• Executing contracts or preliminary procedures at the data subject’s request.

The legal bases that support the processing include, as applicable, the data subject’s consent; the execution of a contract or preliminary procedures; compliance with a legal or regulatory obligation; the regular exercise of rights; the pursuit of legitimate interests of the controller or third parties, observing the legitimate purpose, necessity, and balance with the data subject’s rights; and credit protection. In specific situations involving sensitive data (e.g., health reports or information voluntarily provided in recruitment processes), we will adopt additional safeguards and will only process such data in legally permitted hypotheses.

The provision of data is voluntary, but necessary for certain functionalities; the absence of information may prevent the proper provision of the requested service, the evaluation of an application, or the sending of communications. We share personal data with service providers acting as data processors on our behalf (e.g., hosting and cloud computing, email delivery, analytics tools, customer and supplier management/service), with companies of the same economic group when necessary for administrative and governance purposes, with public authorities for compliance with legal obligations or official orders, and with third parties in corporate transactions (mergers, acquisitions, or restructurings), always observing LGPD requirements and entering into appropriate contractual instruments. When there is an international transfer of data, we will adopt legally valid mechanisms, such as specific contractual clauses, guarantees of compliance with compatible protection standards, or the data subject’s consent when applicable.

We retain data for the time necessary to fulfill the stated purposes, comply with legal and regulatory obligations, exercise regular rights, or, when applicable, until consent is revoked. Upon expiration of deadlines or achievement of purpose, data will be deleted or anonymized, except in cases of legal retention. We employ technical and organizational security measures to protect personal data against unauthorized access, destruction, loss, alteration, undue communication, or dissemination, such as access controls, encryption at rest and/or in transit when applicable, log records, cloud environment with recognized security standards, vulnerability management, and personnel training. In the event of a security incident that may cause significant risk or damage, we will notify the National Data Protection Authority (ANPD) and the affected data subjects, in accordance with the legislation. We use strictly necessary cookies for the website’s functionality, functional cookies that remember preferences, and performance/analytics cookies that help us understand the use of the environments and improve content and services; when required, we will request your consent through the cookie banner, where you can accept, reject, or customize non-essential categories. You can also manage cookies directly in your browser settings, being aware that disabling certain cookies may affect the browsing experience. Our environments may contain links to third-party websites, applications, and services subject to their respective privacy policies; we are not responsible for the privacy practices of these third parties and recommend careful reading of their documents.

This website is not intended for children and adolescents; we do not intentionally collect personal data from minors under 18 (eighteen) years of age without the proper authorization from parents or guardians, when applicable. In accordance with the LGPD, you, as the data subject, can exercise the following rights through our channels: confirmation of processing, access, correction of incomplete, inaccurate, or outdated data, anonymization, blocking or deletion of unnecessary, excessive, or non-compliant data, portability, information about sharing, and about the possibility of not providing consent and its consequences, revocation of consent, and review of decisions made solely based on automated processing that affect your interests, observing trade and industrial secrets and applicable technical and legal limits. We will provide a response to your request within a reasonable timeframe, observing, when applicable, the deadline of up to 15 (fifteen) days for a complete declaration as provided in art. 19 of the LGPD. To exercise your rights, clarify doubts, report incidents, or speak with the Data Protection Officer (DPO), use the email ti@brasilrefino.com.br or the physical address indicated at the beginning of this Policy; when contacting us, describe your request clearly, attach documents that prove your identity, and inform, when applicable, dates and contexts of the processing. You may also petition the ANPD regarding your data. This Policy may be updated to reflect legislative, regulatory, technological, organizational, or practice changes; the new version will become effective upon its publication on the website, with an indication of the “update date.”

We recommend periodic verification of the document. Should relevant changes require new consent, you will be duly informed. By using our environments after the disclosure of a new version, you agree to the modifications. In case of conflict between this Policy and specific contracts entered into with you, the conditions most favorable to the data subject will prevail, without prejudice to legal requirements. This Policy applies only to digital environments under our control and does not, in itself, alter obligations arising from operational, commercial, supply, recruitment, or other contracts, which may contain their own privacy and confidentiality rules.

Update date: August 29, 2025.