Terms of Use and Privacy Policy

LEGAL

INTRODUCTION

NAGASE DO BRASIL COMÉRCIO DE PRODUTOS QUÍMICOS LTDA.- CNPJ 15.775.831/0001-02, in its capacity as Controller, is committed to the lawful and secure use of personal data and information that our customers, employees, and partners share with us, in accordance with the definitions below.

This Policy is a fundamental pillar of our Privacy Governance Program (PGP) and establishes guidelines for all personal data processing operations under our responsibility, in strict compliance with the General Data Protection Law (LGPD), Law No. 13.709/2018.

The purpose of this document is to transparently demonstrate how Nagase collects, uses, stores, shares, and protects Personal Data, regulating both internal operations and international data transfers within the Nagase Group. This policy is binding on all company employees and directors.

This policy will always be accessible to all who have or wish to have a relationship with Nagase.

If you have any comments, questions, suggestions, or concerns, please contact the individuals listed at the end of this policy.

DEFINITIONS

PERSONAL DATA: Any information that makes it possible to identify an individual among others, such as name, ID number, image or photograph, and location. Personal data may also include sensitive data.

SENSITIVE PERSONAL DATA: In addition to identifying a person, personal data may be sensitive when it involves intimate and exclusive information that could impact certain civil or fundamental rights. Sensitive data includes racial or ethnic origin, religious beliefs, political or philosophical opinions, union membership, or membership in NGOs and religious organizations. It also includes information about health, genetic or biometric data, and sexual life.

USER(S) or DATA SUBJECTS: Individuals who have any relationship with Nagase and who, in some way, have provided their personal data to us. They may be customers, website or social media users, employees, or partners.

COOKIES: When a user visits a website or certain social media platforms, some information files may be stored on their computer or mobile device. These files store user preferences such as display mode, language, or location. Cookies may remain stored even after the session ends, until deleted.

CONSENT FORM: A physical or digital document that records the data subject’s consent, allowing data processing for specific purposes.

PARTNERS: Public or private organizations, national or international, and individuals that maintain some form of relationship with Nagase to support our activities.

COLLECTION OF PERSONAL DATA

Nagase collects only the personal data necessary to provide services and products with quality and excellence.

When personal or sensitive data is required, the user will be asked to complete a Consent Form following our company’s values, mission, and applicable legislation.

Browsing Nagase’s website or social media pages does not mean personal data is being collected.

Data will only be requested when necessary, through electronic forms or by phone.

Data from individuals under 18 will only be collected with express consent from a parent or legal guardian.

For phone services, data collection will be conducted by a Nagase employee or partner. Calls may be recorded, and the request will be logged in an electronic system. The data subject will then be asked to confirm consent via email, website form, or another authorized communication method.

Only after receiving consent, as described above, will we proceed with registering and handling the request.

DATA PROCESSING PURPOSES

When the data subject voluntarily enters or submits their personal data or sensitive personal data through Nagase’s service channels, the data will be used as follows:

 

01) REGISTRATION DATA: Full name, email address, date of birth, identification document number, Individual Taxpayer Registry (CPF) number, phone number, full address, the name of the company where they work, the company’s website URL, the type of business the company operates, their position in the company, and the country where the company is located — for the following purposes:

  • Transfer registration data to another Controller in the same field of activity when requested by the data subject

  • Fulfill legal and regulatory obligations related to Nagase products used by data subjects

  • Inform about product updates, news, events, alerts, and other important information in relation to the data subject

  • Promote products, send samples, prices, and product information

  • Send newsletters, promotional materials, surveys, updates, and offers

  • Send emails and physical mail containing information about the Nagase brand and Nagase Group companies

  • Develop and deliver advertising tailored to the data subject’s interests

  • Personalize their experience on our webpages by presenting materials based on their preferences

  • Evaluate and manage Nagase Group products and services

  • Measure trends based on data subject usage—identifying the most popular products and services

  • Respond to data subject requests

     

02) DIGITAL DATA: IP address logs; history of the data subject’s interactions with Nagase’s website and the pages accessed; interaction and identification with mobile devices (phones, tablets, etc.) that use geolocation systems; app usage, if installed by the data subject; session records (Session ID); cookies — for the following purposes:

  • Fulfill obligations established in Law No. 12.965/2014 (Brazilian Internet Civil Framework)

  • Identify the data subject

  • Periodically evaluate the use, efficiency, and quality of services provided through Nagase’s digital platforms

  • Generate statistics

  • Improve the security of digital channels and platforms

  • Fulfill legal and regulatory obligations related to the use of Nagase products by data subjects

     

03) DATA THAT WILL NOT BE COLLECTED: Nagase will not collect the following types of data from data subjects unless express consent is given and a specific purpose is defined:

  • Data regarding race, creed, social condition, medical history, or criminal information as defendant or victim

  • Information about disability status

  • Medical test results or other examinations

  • Medical treatment information or medications used by the data subject, unless expressly authorized and required for legal compliance, collective bargaining agreements, or court orders

OUR PRIVACY GOVERNANCE STRUCTURE

01. DATA PROTECTION PRINCIPLES

All processing of personal data at NSAS is guided by the following principles:

Purpose: We process data for legitimate, specific, explicit purposes that are informed to the data subject.

Adequacy: The processing is compatible with the purposes that were communicated.

Necessity: We limit processing to the minimum necessary to achieve its intended purposes.

Free Access, Data Quality, and Transparency: We ensure that data subjects can easily consult how and for how long their data is processed, as well as the accuracy and updating of their data.

Security and Prevention: We use technical and administrative measures to protect personal data.

Non-Discrimination: We do not process data for unlawful or abusive discriminatory purposes.

Accountability: We demonstrate the adoption of effective measures capable of proving compliance with data protection regulations.

02. The Controller and the Data Protection Officer (DPO)

NAGASE DO BRASIL COMÉRCIO DE PRODUTOS QUÍMICOS LTDA – CNPJ 15.775.831/0001-02 is the Controller of personal data under this policy.

To serve as the communication channel between the Controller, data subjects, and the ANPD, the following Data Protection Officer (DPO) has been appointed:

PROCESSING AND FLOW OF PERSONAL DATA

NSAS processes personal data strictly to fulfill its operational purposes and legal obligations, as detailed below.

01. Personal Data Flow Map

Data Subjects: Employees, Directors, Candidates, and Former Employees:

  •  
  • Purposes: Complete management of the employment lifecycle, including recruitment, hiring, payroll and benefits administration, time and attendance control, performance evaluations, training, workplace safety, compliance with legal obligations (labor, tax, social security), and global career management.
  • Types of Data: Identity data (name, personal documents), employment data (work card, position, salary), contact data, financial data (banking information), and sensitive data such as health information (occupational health exams, medical certificates), biometric data (access control), and labor-union membership (when applicable).
  • Legal Bases: Execution of the Employment Contract, Compliance with Legal or Regulatory Obligations, Legitimate Interest, and in specific cases, the Data Subject’s Consent.

Data Subjects: Customers and Suppliers (Individuals or Representatives)

  • Purposes: Commercial relationship management, contract preparation and execution, invoicing, billing, and payments.
  • Types of Data: Identity data, contact data, financial data, and transaction data.
  • Legal Bases: Contract Execution, Legitimate Interest, Credit Protection, and Compliance with Legal Obligations.

 

02. Sharing of Personal Data

Data sharing occurs in a restricted manner and for legitimate purposes, including:

  • Service Providers: Such as benefits operators, IT services, and consultants (legal, audit), always under contractual obligations of security and confidentiality.

  • Public Agencies and Authorities: To comply with legal obligations or court orders.

  • Nagase Group Companies: As detailed in the section on International Transfers.

     

03. Important Information

3.1 Controller and Person Responsible for Personal Data Protection

When we use the terms “Nagase,” “affiliates,” “Company,” “we,” or “our” in this Privacy and Personal Data Protection Policy, we are referring to the Controller of your Personal Data under applicable law. The Controller is primarily responsible for processing and ensuring adequate protection of your data.

The Data Protection Officer (DPO) is responsible for:

a) receiving complaints and communications from Data Subjects, providing clarifications, and taking appropriate measures;
b) guiding employees on practices to be adopted regarding personal data protection; and
c) performing other duties determined by the company and applicable law.

3.2 Response Timeframe

We strive to respond to all reasonable requests within 15 (fifteen) days. Occasionally, responses may take longer if the request is particularly complex or if the employee has made several submissions.

Responses will preferably be provided electronically, unless you request a printed or commonly accessible digital format.

 

04. Right to Petition the ANPD

If the data subject does not receive a response within the established timeframe or is not satisfied with the proposed solution, they have the right to submit a formal complaint directly to the National Data Protection Authority (ANPD).

 

05. Duty to Inform About Changes to Personal Data

It is important that the Personal Data provided to the company is accurate, truthful, and up to date.

Please keep us informed if your Personal Data changes during your relationship with us (contact the department responsible).

 

06. Transmission of Personal Data to Third Parties

We will not transmit your Personal Data to any party outside our group of companies unless required by applicable law—especially to fulfill obligations related to our relationship with the employee—or by statutory, legal, and/or contractual obligations, and, when applicable, upon your consent.

Outside of these circumstances, our websites may include links to third-party sites, plug-ins, and applications. Accessing these links or activating these connections may allow third parties to collect or share your data. We do not control these third-party sites and are not responsible for their privacy practices. For this reason, we recommend that employees read the respective Privacy Policy of each site they visit.

 

07. Corporate Email

Nagase provides corporate email to its employees and authorized third parties for professional use. Even though it may occasionally be considered personal data in specific circumstances, all content within these corporate email accounts is considered professional and not personal. Therefore, Nagase may access it at any time to ensure proper execution and continuity of its activities.

Nagase instructs its employees not to use corporate email for personal purposes and to delete any personal data that is not part of the data processing activities controlled by NSAS.

RESPONSIBILITY FOR THE CONTENT OF THE DATA

Nagase is not responsible for the completeness, accuracy, or absence of data provided by the data subject through our service channels, nor is it responsible for outdated information when its provision or updating is the responsibility of the data subject.

HOW WE USE PERSONAL DATA

Nagase is a global organization founded in 1832, with values reflected in the quality and diversity of our products, including functional, advanced, and processing materials for industry; products for electronic manufacturing and energy transmission; and inputs for the pharmaceutical, medical, cosmetic, and food sectors.

All personal data collected by Nagase is connected to its mission and values, especially those dedicated to caring for people and fostering a better, more modern society.

Basic Principles

1. What data may we collect?

“Personal Data” means any information relating to an individual that identifies them or makes them identifiable, excluding information in which the identity has been removed or cannot be associated with an individual (“Anonymized Data”). We may collect, use, store, process, and transfer different categories of Personal Data about an employee, obtained over the course of any relationship between us. Such Personal Data may include, but is not limited to, the following types of information:

a. Identity Data: Documents and/or personal information of the data subject and/or their children or spouse, including: first and last name, gender, nationality, date of birth, marital status, username, employee ID or similar identifier, and personal documents (RG, CPF, Voter Registration Card);

b. Employment Data: Work card number, social security number, degree of disability (if applicable), salary and other compensation, job description, work schedule, absences (particularly medical leave, special leave, maternity leave, parental leave), and when applicable, paid leave, as well as any additional data necessary to manage the employment relationship;

c. Contact Data: Address, mailing address, email address, and landline or mobile phone numbers;

d. Financial Data: Bank agency and account number, debit and credit card details, and credit history;

e. Transaction Data: Details regarding payments “to” and “from” the employee, as well as products and services provided and/or acquired;

f. Access Control Data: Access records via badge, and information from electronic monitoring and security systems such as CCTV (video recordings, access information, and time logs);

g. Technical Data: IP address, login information, browser type and version, time zone settings and location, browser plug-in types and versions, operating system and platform, and other technologies used on devices through which the employee accesses any of our websites, applications, or social networks;

h. Profile Data: Username and password, comments, and responses to surveys;

Health-related data may be collected and processed to comply with legal and regulatory obligations, particularly those under labor, social security, or welfare laws, as well as for the purposes of preventive medicine, occupational health, assessing employee fitness for work, and administering health plans and insurance programs; 

Likewise, biometric data required for entry into company facilities, access control, timekeeping, and other internal Company controls may be collected and processed strictly for these specific purposes;

Except where necessary to comply with applicable legal or regulatory requirements and/or to fulfill a specific labor or contractual obligation, we do not collect Sensitive Personal Data such as racial or ethnic origin, religious belief, political opinion, union membership or affiliation with a religious, philosophical, or political organization, health or sexual-life data, genetic data, or biometric data beyond what is required for access and security controls.

SHARING OF PERSONAL DATA

Personal data may be shared among Nagase’s internal departments and business units, with access granted only to identified employees and authorized partners who are able to address requests made by data subjects.

In compliance with applicable laws and regulations, personal data may also be shared with professional associations, national and international research institutions, authorities, public agencies, and health regulatory bodies whenever required by law, formal request, or court order.

Personal data may additionally be shared in the context of corporate transactions, such as acquisitions, mergers, consolidations, or corporate reorganizations.

Personal data may also be shared, as permitted by law, with the National Data Protection Authority (ANPD), when mandated by judicial authorities or any other legally empowered public authority.

All data transmissions will be conducted using encrypted digital systems that ensure privacy and security during transfer.

Such processing, use, or handling may occur, for example, for the following purposes:

  • to enable us to effectively and efficiently perform and manage our operational and administrative activities;

  • to ensure a consistent approach to employee management;

  • to maintain compliance with laws, regulations, and internal policies, rules, and procedures; or

  • to contact the employee or their family in case of emergency.

The Company may also process, use, and handle your data based on your explicit consent, when applicable. In cases where processing relies on consent, the employee should be aware that they may withdraw such consent at any time; however, withdrawal shall not affect the lawfulness of processing carried out prior to its revocation.

Data will be made available only to those who need access and/or must process it, primarily including the following areas: Human Resources, Corporate and Institutional Communications, Controlling and Finance, Legal, and Executive Management. In specific circumstances, your data may be shared with additional business areas, depending on the intended purpose.

We may need to share your personal data with certain third parties to fulfill the purpose for which the data was collected, comply with contractual, legal, or regulatory obligations, pursue our legitimate interests or those of third parties (whether engaged by us or not), and/or for credit protection.

In general, data will be shared in anonymized form whenever possible; however, individual (non-anonymized) data may need to be shared in certain situations, most commonly with the following recipients:

a) Service providers acting as data processors who perform essential activities related to our operations, including IT service providers and system administration services for Company websites;
b) Professional consultants and advisors, including attorneys, financial institutions, auditors, and insurers;
c) Public authorities, regulatory bodies, and labor unions, in circumstances established by law or collective labor agreements.

We require all third parties to maintain appropriate security measures and to process your personal data in accordance with applicable laws.

We do not permit our vendors or service providers to use employees’ personal data for any purpose other than those explicitly defined and in accordance with our formal instructions.

When personal data is shared with third parties, the contract shall require compliance with the General Data Protection Law (LGPD) and establish penalties for failure to meet legal and contractual obligations related to the protection of personal data. Contractual clauses will include, at a minimum:

  • an obligation of confidentiality regarding personal data;

  • a commitment to strict adherence to Nagase’s Policies and Procedures and those of its affiliates;

  • compliance with Policies and Procedures related to information technology security; and

  • the return or disposal of personal data at the end of the contract or when the data is no longer necessary for processing.

INTERNATIONAL DATA TRANSFERS

1. Context, Purpose, and Scope

To enable the integrated management of our operations, Nagase transfers personal data to companies within the Nagase Group, specifically to the headquarters NAGASE & CO., LTD., a foreign company duly registered in Brazil under CNPJ/MF No. 15.663.612/0001-31 in Japan, and to the subsidiary NAGASE AMERICA LLC, a foreign company duly registered in Brazil under CNPJ/MF No. 15.663.616/0001-10 in the United States.
The purposes of these transfers are strictly limited to:

  • Global Human Resources management (career development, succession planning, evaluations);

  • Centralized Information Technology (IT) systems support;

  • Preparation of consolidated managerial and financial reports.

     

2. Binding Nature and Safeguards

This Policy and its associated procedures serve as the foundation for Nagase’s Global Corporate Rules (GCR), establishing a binding framework for all group entities that receive personal data.

Nagase ensures that the level of data protection in the destination countries will be no less stringent than the requirements established by the LGPD, adopting robust technical and organizational security measures. This document formalizes the appropriate safeguards for international transfers, which will be submitted to the ANPD for acknowledgment and transparency.

 

3. Legal Bases for Transfer

International data transfers carried out by Nagase are based on the following legal grounds under the LGPD:

  • Execution of a contract, or preliminary procedures related to a contract to which the data subject is a party;

  • Compliance with a legal or regulatory obligation by the controller;

  • When necessary to meet the legitimate interests of the controller or a third party;

  • Upon explicit and highlighted consent provided by the data subject.

THE STORAGE OF PERSONAL DATA

The retention of personal data will occur exclusively for the period established by law or for as long as the data is necessary to fulfill the purposes set forth in this Privacy and Personal Data Protection Policy.

In situations involving administrative inquiries by Government Authorities or in judicial proceedings, the data will be preserved until a final decision is issued and no further administrative or judicial appeals remain available.

Nagase undertakes and affirms that it will always use systems designed to protect against loss, alteration, unauthorized access, unauthorized copying, unlawful use, or the misappropriation of personal data under its custody.

In the event of an incident that exposes, alters, compromises, or results in the unauthorized circulation of personal data under Nagase’s responsibility, users will be notified of the incident and of the measures to be taken as soon as possible.

The data subject is jointly responsible for the confidentiality of their personal data when they share their passwords or access credentials with other individuals or organizations in connection with Nagase’s service channels. Such conduct constitutes a violation of this Privacy Policy by the data subject.

 

Retention and Disposal of Personal Data

We will retain your Personal Data, in physical and/or electronic form, only for as long as necessary to fulfill the purposes for which it was collected, as well as for the retention periods established by law or required to safeguard rights and obligations.

To determine the appropriate retention period for your Personal Data, we consider the applicable statutory limitation periods, the volume, nature, and sensitivity of the Personal Data, the potential risk of harm arising from unauthorized use or disclosure, the purposes for which we process the data, and the legal requirements that apply.

The employee may withdraw their consent at any time and request the deletion of their data, and we will do so as promptly as possible, except for data necessary to comply with contractual, legal, regulatory, or legitimate interest obligations, which will be retained for as long as such obligations remain in effect.

In certain circumstances, such as for research or statistical purposes, we may anonymize your Personal Data so that it can no longer be associated with you. In such cases, the information is no longer considered Personal Data and may be used indefinitely for these specific purposes.

Examples of Personal Data and Document Retention and Disposal:

a) Human Resources: Data and documents are stored for the duration of the employee’s tenure with the Company and retained after the termination of the Employment Contract in order to comply with statutory retention periods established under labor, tax, and/or social security legislation;

b) Security Records: Images captured in areas monitored by cameras are retained for a predefined period. Badge and biometric data are retained for the duration of the employee’s tenure and, after termination of the Employment Contract, for the period necessary to comply with applicable labor regulations. Visitor data is retained according to a predetermined standard retention timeframe;

c) Audits or Administrative and Judicial Proceedings: Data and documents are archived for the period necessary to comply with applicable statutory limitation and expiration periods and may be retained longer, as a precautionary measure, in the event of administrative or judicial proceedings—until a final judgment is issued.

Physical data and documents that are no longer necessary or whose retention period has expired are destroyed—through shredding or another appropriate and secure method—on a quarterly, semiannual, or annual basis by the responsible managing area or by the Central Archive team, whichever holds custody of such documents.

RESPONSIBILITY FOR DATA CONTENT

Nagase is not responsible for the completeness, accuracy, or absence of data provided by the data subject through our service channels, nor is it responsible for outdated information when the provision or updating of such data is the responsibility of the data subject.

DUTIES OF NAGASE AND RIGHTS OF USERS

Any individual whose data has been collected by Nagase may, at any time, request:

  • Information regarding which personal data Nagase holds;

  • The updating or correction of personal data held by Nagase;

  • The deletion or restriction of the use of personal data held by Nagase;

  • The anonymization of unnecessary personal data;

  • The portability of personal data from Nagase to another public or private organization;

  • Objection to the processing of personal data by Nagase through the withdrawal of consent previously provided by the data subject.

Requests may be denied when justified on the basis of applicable legislation or if the data has already been deleted by Nagase within the legally established timeframe.

All rights described herein may be exercised directly through Nagase’s website, by telephone at (11) 3251-3111, or by email at contato@nagasebrasil.com.br

.

Each data subject may also submit questions or complaints to the National Data Protection Authority (ANPD) as provided by law.

Consumer registration data will be stored for a period of five (5) years after the end of the contractual relationship, in accordance with Articles 12 and 34 of the Consumer Protection Code.

Digital identification data will be stored for six (6) months, in accordance with Article 15 of the Brazilian Internet Civil Framework (Marco Civil da Internet).

 

Infractions

Any violation of this Privacy Policy by our employees may result in the initiation of an internal procedure to determine responsibility.

After due investigation, Nagase’s Executive Management will apply the legal and contractual measures applicable to those involved.

CHANGES TO THE PRIVACY POLICY

Nagase may amend this Personal Data Privacy Policy at any time.

Whenever a change substantially modifies the form, justification, or use of personal data, Nagase will seek to contact users, informing them of the changes and requesting a new consent agreement.

If it is not possible to contact the user/data subject, or if the data subject elects to exercise data portability or choose not to renew consent for the processing of their data, such data will be deleted or transferred according to the data subject’s decision.

 

Questions

All rights and provisions expressed herein may be exercised directly by data subjects through the following contact channels:

Name: Wataru Ishihara
Phone: +55 11 3251-3111
Centralized Contact Channel: contato@nagasebrasil.com.br

Published on: Dec/01/2025