We, at Cruzeiro do Sul Educacional (“CSED”), believe in building relationships based on trust. Therefore, we are committed to acting with integrity and ethics in all our activities. This commitment includes the conscious and responsible use of personal data of our students, employees, and other individuals with whom we interact.
We place great importance on your privacy, which is why we adopt all necessary measures to protect it. In order to ensure safe and responsible handling of your personal data, we have developed this Privacy Policy (“Policy”), which clarifies how and which data is processed by the Institutions of Cruzeiro do Sul Educacional, and what measures we take to protect and ensure your privacy.
The application of this Policy covers all activities conducted by Cruzeiro do Sul Educacional involving online or offline processing of personal data, including access to and/or use of services, virtual learning platforms, social media (Twitter, Facebook, Instagram, LinkedIn, YouTube, etc.), websites, apps, products, and other resources offered by the Company.
If you have any questions or concerns about this Privacy Policy or the operations involving your personal data, or if you suspect or become aware that your data has been misused, you can contact us through our Privacy Channel (www.contatoseguro.com.br/privacidadecruzeiroeducacional) or by email at dpo@cruzeirodosul.edu.br.
1. Terms and Definitions
Below are some definitions and abbreviations to facilitate understanding of this Policy:
Adolescent: A natural person between 12 (twelve) and 18 (eighteen) years of age, according to the Statute of Children and Adolescents (“ECA”);
Student: An individual enrolled at one of the institutions of Cruzeiro do Sul Educacional;
Applicant: An individual interested in enrolling at one of the institutions of Cruzeiro do Sul Educacional;
Sharing: Any communication, dissemination, international transfer, interconnection of personal data, or shared processing of personal data banks by public bodies and entities in compliance with their legal duties, or between public and private entities, with specific authorization for one or more types of processing permitted by these public entities, or between private entities;
Consent of the data subject: A free, informed, and unequivocal expression through which the data subject agrees to the processing of their personal data for a specific purpose;
Controller: A natural or legal person, public or private, responsible for making decisions regarding the processing of personal data;
Cookies: Text files that track user activities. Their purpose is to make browsing easier, faster, and more convenient, automatically configuring certain information. The goal is to avoid entering the same information repeatedly and also to analyze data regarding user behavior in the browser.
Child: A natural person up to 12 (twelve) years old, according to the Statute of Children and Adolescents (“ECA”);
Personal data: Any information that can identify a person, directly or indirectly, such as name, ID number, CPF, date of birth, photo, phone number, geolocation, among others;
Sensitive personal data: Personal data regarding racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or religious, philosophical, or political organization, data regarding health or sexual life, genetic or biometric data, when linked to a natural person;
Data deletion: The exclusion of a data or data set stored in a data repository, regardless of the procedure used;
Data Protection Officer (DPO): A person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD);
Parents/Guardians: A person responsible for the custody of a child or adolescent;
Processor: A natural or legal person, public or private, who processes personal data on behalf of the controller;
Third parties: A natural or legal person who provides services or acts on behalf of Cruzeiro do Sul Educacional to assist in performing its activities. Third parties may include business partners, suppliers, consultants, outsourced or service providers in general.
Personal data subject: An individual to whom personal data refers, and who is subject to processing;
International data transfer: The transfer of personal data to a foreign country or international organization of which the country is a member;
Personal data processing: Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
2. Who is responsible for processing your personal data (Controller)?
Cruzeiro do Sul Educacional S.A., a publicly traded corporation registered under CNPJ/MF no. 62.984.091/0001-02, located at Rua Cubatão, 320, 3rd, 8th, and 9th floors, Vila Mariana, ZIP code 04.012-911, and other companies in the Cruzeiro do Sul Educacional group (as indicated in Annex I), is the legal entity responsible for decisions regarding the processing of your personal data.
To support compliance with its obligations and privacy program management, Cruzeiro do Sul Educacional appointed Mrs. Cibelle Cristine de Souza Pengo as the Data Protection Officer, who can be contacted at dpo@cruzeirodosul.edu.br.
We clarify that, under the General Data Protection Law (Law No. 13.709/18 or “LGPD”), Cruzeiro do Sul Educacional is responsible for personal data processing activities that it carries out and/or delegates in the context of its operations and Institutions, but not for processing activities directly carried out by our network of Partner Poles.
As detailed in this Privacy Policy, your personal data may be shared between Cruzeiro do Sul Educacional and its Partner Poles for purposes related to the marketing of our products, service provision, customer service, and operation of online or offline applications related to our educational services, where the parties may act in joint or individual control.
Cruzeiro do Sul Educacional shares and disseminates best practices regarding the processing of personal data with its entire network of Partner Poles. However, we highlight that Partner Poles, as independent controllers, may process your personal data autonomously and for purposes different from those described above. In such circumstances, Cruzeiro do Sul Educacional is not responsible and does not have any involvement or participation in the processing activities performed.
3. How and what data we collect about you
We collect information about you through various interactions with us or with third parties acting on our behalf, through documents, forms, platforms, and communication channels, whether online or offline, as described below:
3.1. Visit/Navigation Data: When accessing our websites and applications, we may collect, in addition to your registration data, navigation data through the use of cookies and/or similar technologies that allow us to recognize your browser or device and inform us where (geolocation), how, and when our pages and features are visited and how many people access them.
Cruzeiro do Sul Educacional uses cookies and/or similar technologies to authenticate users, remember user preferences and settings, determine the popularity of content, disclose and measure the effectiveness of marketing campaigns, and analyze trends and interests of people interacting with our services and platforms.
You have the autonomy to restrict, refuse, or disable the use of cookies through your browser settings. However, doing so may cause certain areas of our website to not function properly, which could prevent you from benefiting from some of our features.
For more detailed information on the subject, visit our Cookie Policy available in the footer of our institutional pages.
3.2. Marketing and Advertising Data: When accessing our platforms, websites, and applications and interacting with our materials and content, we may collect information that you choose to share with us, such as full name, CPF, phone number, email address, education level, state, city, and educational interests.
Such data is collected through registration forms, information requests, comments, promotions, searches, among others. Data may also be collected through social media pages linked to our brands, physical forms, or other formats from registrations and interest surveys conducted at events, public places, or private institutions that authorize the disclosure of our services.
The data collected may be cross-analyzed to better understand your profile and direct content, products, and services that are of interest to you. However, we assure you that this cross-analysis is not done for discriminatory purposes, and all individual rights and freedoms will be guaranteed.
When creating an account on our websites, please be mindful as you are responsible for maintaining the confidentiality of your account data and password, and you should keep them under your control, including, but not limited to, restricting access to your computer, phone, mobile device, and/or account. In the case of a confidentiality breach, access our Privacy Channel (www.contatoseguro.com.br/privacidadecruzeiroeducacional).
3.3. Data Related to Selection Processes: To facilitate enrollment and participation in selection processes conducted by our Institutions (e.g., entrance exams, scholarships, research grants, extension programs, and monitoring positions), it will be necessary to collect personal data from applicants, such as: Name, CPF, RG, RGM, email, and phone number.
This data is collected through registration forms, which may be physical or electronic, and its collection and use follow the terms outlined in the respective public notices for each selection process.
We may also collect your data through application forms for selection processes for professional positions at the Institutions of Cruzeiro do Sul Educacional, such as: Full name, CPF, date of birth, email, and phone, education level, and professional history.
3.4. Data for Enrollment and Provision of Educational Services: To acquire our products, we need to collect some personal data necessary for contract execution, appropriate service provision, and compliance with applicable laws and regulations, such as: identification data (full name, date of birth, gender, CPF, RG, parentage); contact data (email and phone); document copies; location data (country, state, city, residential address); professional data (position and company name where you work); educational data (education level, course name, educational institution name); billing data (name, CPF, address, credit card), among others.
We may also collect sensitive data, such as religion, ethnic/racial origin, medical data, physical or cognitive disabilities, to comply with legal or regulatory obligations and/or ensure your access to rights and the proper provision of contracted services, by either party.
When accessing the systems, platforms, and learning environments provided for proper service delivery, such as the Student Area and Blackboard, data will be collected as: name, RGM, date, time, access IP, and user content (e.g., comments, voice interactions, and images).
3.5. Data for use of services open to the community: If you are interested in using any of our services open to the community, such as legal and/or accounting advice, medical and psychological assistance, it will be necessary to collect some personal data directly from the individual or responsible party to provide the chosen service.
The data collected will depend on the contracted service and may include registration data (Name, CPF, RG, Date of birth, address, phone) and sensitive health data, such as: exams and medical history. These data will be processed solely for providing the offered services and for the academic practice and development of our students.
3.6. Monitoring systems and access control: When visiting and accessing the premises of our Institutions, we may record your image through our internal monitoring system. Personal data may also be collected to provide your visitor registration and/or access credentials, to maintain a safe academic and work environment.
3.7. Participation in events organized or supported by Cruzeiro do Sul Educacional: If you participate in any event organized or supported by the Institutions of Cruzeiro do Sul Educacional, the necessary data will be collected to confirm your registration (such as name, email, phone number, geolocation data, and educational interests) and/or to register your attendance.
Your contact data collected at our events may be used by our commercial and marketing teams to send you content and news related to topics covered in the event or that might interest you. We may also share such data with event sponsors or supporters, upon obtaining your consent.
3.8. Through third parties: Some of your personal data may also be collected through publicly available sources, service providers, government agencies, and business partners, such as, for example, partner distance learning hubs, recruitment platforms, resume banks, marketing and acquisition companies, information bureaus, discount websites, and/or Ministry of Education educational programs (PROUNI and FIES).
CSED, through third parties, may use data cleansing and enrichment measures to ensure access to correct and updated data, allowing for the proper provision of services and/or execution of the contractual relationship with the individual, such as for confirming enrollment data, receiving required documents, or collecting outstanding debts.
Some of the ways personal data is collected as indicated in the items above may be based on your consent, situations where Cruzeiro do Sul Educacional has no other legal grounds to process the data. In such cases, refusal of consent may result in the inability to access services offered by the company, in whole or in part.
We highlight that you can obtain information about the processing activities for which you have provided consent, as well as request its revocation through the channels indicated in item 7 of this Policy.
4. For what purpose do we process your data?
All personal data processing carried out by the Institutions of Cruzeiro do Sul Educacional is based on the legal grounds provided in Law 13.709/2018 (LGPD), mainly regarding contractual execution, compliance with legal/regulatory obligations, exercise of rights, legitimate interest, and consent.
Your data is processed to enable:
4.1. The execution of preliminary activities for the execution of the contract and/or formalization and execution of the contract for providing our services, covering the specifics of commercial agreements;
4.2. The provision of services offered to the community, primarily through our clinics-schools and legal or accounting practice centers;
4.3. Registration and selection in academic and professional selection processes, including compliance with legal/regulatory obligations and/or internal policies related to diversity and inclusion, times when automated decision-making tools may be used;
4.4. Proper registration of users in the systems and platforms used to provide the contracted services;
4.5. Billing, payment processing and management, and debt collection;
4.6. Conducting analyses and procedures to (i) update and improve user records, ensuring data quality, and (ii) prevent fraud in the contracting and billing of our services, based on our legitimate interest;
4.7. The promotion and offering of services, promotions, and special conditions that may be of interest to you and customization of advertising actions;
4.8. Conducting research and statistical analyses to enable, for example, proper evaluation of supply vs. demand by geographical region, identifying and correcting flaws in our services, and continuously improving our services;
4.9. Sending communications about relevant topics related to the provision of our services, such as changes in the academic calendar, internal events, alerts on deadlines or risks, among others;
4.10. Sending marketing and advertising communications related to our products and services, as well as commercial conditions, such as tuition fees, discount campaigns, new course offerings, among others;
4.11. Compliance with legal, judicial, regulatory, or administrative obligations, and requests from competent authorities;
4.12. Monitoring activities and usage trends, as well as measuring interaction and engagement levels regarding our services and platforms, to improve user experience;
4.13. Enabling physical and logical access control, as well as video surveillance of some of our spaces, to ensure the security of our systems and assets, as well as the physical integrity of the individuals in our premises.
We emphasize that, for some of the purposes indicated above, CSED may rely on partners and service providers, with whom it will share strictly necessary data to achieve the intended purpose, taking the necessary precautions as indicated in item 8 of this Policy.
5. How we process sensitive data and data of minors:
Sensitive personal data is processed by Cruzeiro do Sul Educacional exclusively for the purposes for which such data is strictly necessary. In these cases, as provided by Law 13.709, we adopt more restrictive access measures and apply sufficient security controls to protect the data.
Similarly, we understand the importance of protecting the personal data of minors. Therefore, all data collected related to such individuals is obtained and processed with the goal of serving the best interest of the minor and with restricted access to professionals and partners who genuinely need access to it for the execution of their activities.
In the case of teenagers over the age of 16 (sixteen), the data may be provided directly by the individual, except for processing activities that require the authorization of a legal representative (e.g., contract execution). Data of children and minors under the age of 16 (sixteen) must be provided directly by their respective legal representatives/guardians.
Therefore, we request that minors under the age of 16 (sixteen) do not use our platforms without the supervision or consent of their parents or guardians.
Legal representatives will also be fully responsible in the case of access to Cruzeiro do Sul Educacional’s sites and platforms by children and minors without prior authorization. They bear full responsibility for monitoring the activities and conduct of the minors under their care, as well as understanding the full extent of these Terms.
6. How we process personal data of employees:
We adopt the same level of care in processing the personal data of our employees, collecting and processing only the minimal necessary data for specific purposes that have legitimate legal grounds.
If you are one of our employees, you can obtain more details about how we process your data by accessing our Administrative Privacy Policy, available on the Cruzeiro Network, our Intranet.
7. How you can manage and monitor your data:
We acknowledge and respect all the rights of the data subjects we interact with, which can be exercised preferably through the Privacy Channel, available at: https://contatoseguro.com.br/pt/privacidadecruzeiroeducacional or via email: dpo@cruzeirodosul.edu.br.
We inform you that, for exercising some of the rights described below, Cruzeiro do Sul Educacional may request identity authentication, to ensure that no information is shared with unauthorized persons and that no actions are taken without your knowledge and authorization.
Through the channels indicated above, you can:
7.1. Consult your data: You may request, through our service channels, the list of your personal data that we process.
7.2. Correct data: You may, at any time, request correction/modification of your personal data when it is incomplete, incorrect, or outdated. If you are a student or former student, you can also perform some corrections and updates independently in the Student Area, or request such adjustments with the Central Student Service (CAA and CAA Online), Academic Secretariat, or relevant Corporate Areas, in the case of employees or third parties.
7.3. Opposition: You can oppose certain data processing operations involving your data or restrict its use for certain purposes, as well as request a review of automated decisions.
7.4. Unsubscribe or cancel the sending of communications and advertisements: You can request the removal of your contact information from all our distribution lists or specific lists to cease receiving communications that do not interest you.
We emphasize that if you fill out any form and express your interest in contacting or receiving information and materials from Cruzeiro do Sul Educacional, your contact will be reintegrated into our databases. Therefore, the request for cancellation must be registered again, if desired, whenever there is new interaction with us.
7.5. Manage or revoke consent: For cases where the processing of your data is based on your consent, you can manage the consent you provided or request the revocation of the consent given.
7.6. Data deletion: You can, at any time, request the deletion, in whole or in part, of your personal data by canceling your enrollment or other registrations you have made.
However, we highlight that, even after the deletion request, the Institutions of Cruzeiro do Sul Educacional may retain some of your personal data to fulfill the following purposes: (a) judicial, administrative, and arbitration processes (for the necessary period), (b) compliance with legal and/or regulatory obligations, or (c) regular exercise of rights, such as enforcing the rights of the Institutions of Cruzeiro do Sul Educacional based on the service contract.
We emphasize that there may be situations where Cruzeiro do Sul Educacional, for legitimate reasons, may refuse to meet a rights exercise request, such as (i) when providing information and documents could violate trade secrets or intellectual property rights of Cruzeiro do Sul Educacional; (ii) when there is another legal basis that requires or legitimizes the retention of data by Cruzeiro do Sul, such as compliance with legal/regulatory obligations and defense of the Company in legal, administrative, or arbitration processes; or (iii) when the request falls outside the scope of Cruzeiro do Sul Educacional’s responsibilities.
Also, some requests may not be answered immediately. In such cases, the data subject may follow the progress of their request through the channels indicated at the beginning of this item, with the commitment of Cruzeiro do Sul Educacional to provide feedback within a reasonable time frame and in accordance with applicable legislation.
8. With whom we share your data:
Your data is shared in certain situations, respecting your privacy and data protection, as well as the principles and guidelines set forth in the LGPD.
Below are some situations in which your data may be shared:
8.1. Between the Institutions of the Cruzeiro do Sul Educacional group, within the limits of the purposes described in this Policy;
8.2. With judicial, administrative, and governmental authorities: For compliance with legal and regulatory obligations, inspections and evaluations, granting scholarships and student financing, among others. Or for the defense of the Company’s rights in legal or administrative proceedings;
8.3. With our Partner Network Hubs: To enable the promotion of our products and services, execution of pre-contractual activities, registration completion, and provision of contracted educational services, including the handling of administrative and academic demands;
8.4. With financial institutions, payment service providers, payment integrators, and credit card companies: To process payment for the educational and administrative services purchased;
8.5.With business partners to enable commercial partnerships or agreements that provide access to differentiated products or the execution of academic activities necessary for the training of our students (e.g., mandatory internships, exchanges, graduation ceremonies, and commencement).
8.6. With service providers that process personal data on behalf of Cruzeiro do Sul Educacional, in order to perform certain functions such as: supply/licensing of learning platforms and educational technology; billing and financial debt negotiation; provision of life and health insurance; recruitment of professionals; marketing and communication actions; physical access management and control; cloud storage services; external audits; among others.
Cruzeiro do Sul Educacional only uses services and technologies provided by trusted Third Parties that demonstrate compliance with adequate and sufficient security standards. Therefore, all Third Parties with whom we share personal data are subject to an evaluation process and the signing of confidentiality and privacy clauses and agreements.
Under no circumstances will Cruzeiro do Sul Educacional sell or transfer personal data to any Third Party for financial gain or in violation of this Policy or the General Data Protection Law (LGPD).
9. International Data Transfers
Cruzeiro do Sul Educacional is based in Brazil. However, in some cases, we may share your personal data with Third Parties located outside of Brazil, such as cloud storage service providers or international universities and commercial partners, who may act as Operators or under a joint control regime.
We emphasize that regardless of the location of data processing/storage, we adopt the necessary technical and administrative measures to ensure the security, confidentiality, and privacy of your data, such as conducting privacy and information security assessments, as well as implementing specific contractual clauses to ensure compliance with the LGPD or equivalent legislation.
10. Data Retention Period
Your personal data will be kept by Cruzeiro do Sul Educacional only for as long as necessary to fulfill the purposes for which they were collected, always respecting the data retention period stipulated by applicable law.
We also emphasize that if the deletion or anonymization of personal data is requested, this will only be possible for data whose storage is not required by law, regulatory authority, contract execution, or other justifiable reasons for data retention.
11. Security Measures We Adopt
In order to preserve your privacy and protect your personal data, Cruzeiro do Sul Educacional adopts best information security practices and implements continuous improvements to ensure the protection of the data we collect. Among these measures, we adopt access controls, permission levels, multi-factor authentication, encryption techniques for data in transit and at rest, and incident monitoring.
We expect that the entire value chain shares the same level of security that we seek, which is why we evaluate third parties who process personal data on behalf of Cruzeiro do Sul Educacional.
Furthermore, we periodically train our employees on cybersecurity and privacy best practices and have specific teams prepared to detect and respond appropriately if an incident compromising the security of your data is identified.
Despite the precautions and efforts mentioned, it is not possible to guarantee that our services and systems are invulnerable. Therefore, we also count on your cooperation to adequately protect your access passwords and limit third-party access to your devices, accounts, and personal data. Cruzeiro do Sul Educacional will not be held responsible for the illegal or unauthorized use of your personal data resulting from misuse or diversion of your access credentials.
12. Updates to This Policy
We are always looking to improve our services and policies, so this Privacy Policy may be updated. Therefore, before accessing any of our platforms or using our services, please review our Policy on the websites of our Institutions, where you will find the date of its most recent update.