Privacy Policy

We, at Cruzeiro do Sul Educacional (“CSED”), believe in building relationships based on trust. Therefore, we are committed to acting with integrity and ethics in all our activities. This commitment extends to the conscious and responsible use of the personal data of our students, employees, and other stakeholders with whom we interact.

We place great importance on your privacy, so we have adopted all necessary measures to preserve it. To ensure the safe and responsible handling of your personal data, we have developed this Privacy Policy (“Policy”), through which we explain how and which data are processed by the institutions of Cruzeiro do Sul Educacional and what measures we take to protect them and ensure your privacy.

This Policy applies to all activities carried out by Cruzeiro do Sul Educacional that involve the online or offline processing of personal data, including access to and/or use of services, virtual learning platforms, social networks (Twitter, Facebook, Instagram, LinkedIn, YouTube, etc.), websites, applications, products, and other resources offered by the Company.

If you have any questions or concerns about this Privacy Policy or about the processing operations involving your personal data, or if you are aware of or suspect that your data has been misused, you can contact us through our Privacy Channel (www.contatoseguro.com.br/privacidadecruzeiroeducacional) or by email at: dpo@cruzeirodosul.edu.br.

1.Terms and conditions

Below, we list some definitions and acronyms to facilitate understanding of this Policy:

  • Adolescent: Any individual between 12 (twelve) and 18 (eighteen) years of age, according to the Child and Adolescent Statute (“ECA”).
  • Student: An individual enrolled in any of the Cruzeiro do Sul Educacional institutions.
  • Applicant: An individual who is interested in enrolling in any of the Cruzeiro do Sul Educacional institutions.
  • Sharing: Any communication, dissemination, international transfer, interconnection of personal data, or shared processing of personal data databases by public agencies and entities in the fulfillment of their legal duties, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities permitted by these public entities, or between private entities.
  • Consent of the Data Subject: The free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose.
  • Controller: A natural or legal person, of public or private law, who is responsible for decisions regarding the processing of personal data.
  • Cookies: Text files that record the user’s activities. Their purpose is to make browsing easier, faster, and more practical by automatically configuring certain information. The idea is to avoid the need to repeatedly input the same information; additionally, cookies have an analytical function, saving data on the user’s behavior in the browser.
  • Child: Any individual under the age of 12 (twelve) years, according to the Child and Adolescent Statute (“ECA”).
  • Personal Data: Any information that can identify a person, directly or indirectly, such as name, ID number, CPF, date of birth, photo, telephone, geolocation, among others.
  • Sensitive Personal Data: Personal data concerning racial or ethnic origin, religious beliefs, political opinions, union membership, or membership in a religious, philosophical, or political organization, data concerning health or sexual life, genetic or biometric data when linked to a natural person.
  • Data Deletion: The exclusion of data or a set of data stored in a data repository, regardless of the procedure used.
  • Data Protection Officer (DPO): The person designated by the controller and operator to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).
  • Parents/Guardians: The person responsible for the custody of a child or adolescent.
  • Operator: A natural or legal person, of public or private law, who processes personal data on behalf of the controller.
  • Third Parties: A natural or legal person who provides services or acts on behalf of Cruzeiro do Sul Educacional to assist in carrying out its activities. A Third Party can be a business partner, supplier, consultant, contractor, or service provider in general.
  • Data Subject: The individual to whom personal data refers and who is the subject of processing.
  • International Data Transfer: The transfer of personal data to a foreign country or an international organization of which the country is a member.
  • Processing of Personal Data: Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

2.Who is Responsible for Processing Your Personal Data (Controller)?

Cruzeiro do Sul Educacional S.A., a publicly-held corporation registered under CNPJ/MF nº 62.984.091/0001-02, with headquarters at Rua Cubatão, 320, 3rd, 8th, and 9th floors, Vila Mariana, ZIP Code 04.012-911, and other companies in the Cruzeiro do Sul Educacional group (as listed in Annex I), is the legal entity responsible for decisions regarding the processing of your personal data.

To support the fulfillment of its obligations and the management of its privacy program, Cruzeiro do Sul Educacional has appointed Ms. Andréia Silva Flores as the Data Protection Officer, who can be contacted via email at dpo@cruzeirodosul.edu.br.

We clarify that, under the terms of the General Data Protection Law (Law No. 13.709/18 or “LGPD”), Cruzeiro do Sul Educacional is responsible for the personal data processing activities it carries out and/or delegates in the context of its operations and institutions, but not for the processing activities conducted directly by our network of Partner Centers.

As detailed in this Privacy Policy, your personal data may be shared between Cruzeiro do Sul Educacional and its Partner Centers for purposes related to the commercialization of our products, the provision of services, and the operation of online or offline applications related to our educational services. In such cases, the Parties may act under a joint or singular controllership arrangement.

Cruzeiro do Sul Educacional shares and promotes best practices related to personal data processing throughout its network of Partner Centers. However, we emphasize that the Partner Centers, as independent controllers, may process your personal data autonomously and for purposes different from those described above. In such circumstances, Cruzeiro do Sul Educacional is not responsible for and has no influence or participation in the processing activities carried out.

3.How and What Data We Collect About You

We collect information about you through various interactions with us or with third parties acting on our behalf, through documents, forms, platforms, and communication channels, whether online or offline, as described below:

3.1. Visitation/Browsing Data: When accessing our websites and applications, we may collect your browsing data through the use of cookies and/or similar technologies that allow us to recognize your browser or device and inform us where (geolocation), how, and when our pages and resources are visited and how many people access them.

Cruzeiro do Sul Educacional uses cookies and/or similar technologies to authenticate users; remember user preferences and settings; determine the popularity of content; publicize and measure the effectiveness of marketing campaigns; and analyze trends and interests of people interacting with our services and platforms.

You have the autonomy to restrict, refuse, or disable the use of cookies through your browser settings. However, by doing so, some areas of our website may not function correctly, which may prevent you from benefiting from some of our features. For more detailed information on this topic, please refer to our Cookie Policy available in the footer of our institutional pages.

3.2. Marketing and Advertising Data: When accessing our platforms and interacting with our materials and content, we may collect information that you choose to share with us, such as full name, CPF, phone number, email address, education level, state, city, and educational interests.

Such data is collected through the completion of registration forms, requests for information and quotes, comments, registration for promotions, searches, among others, carried out on our websites and social media pages associated with our brands. Data may also be collected through physical forms or other formats, resulting from registrations and interest surveys conducted at events, public places, or private institutions that authorize the promotion of our services.

The collected data may be cross-analyzed to better understand your profile and direct content, products, and services that may be of interest to you. However, we assure you that this cross-analysis is not done for discriminatory purposes and that all individual rights and freedoms will be guaranteed.

When creating an account on our websites, please be aware that you are responsible for maintaining the confidentiality of your account data and password and should keep them under your guard and control, including, but not limited to, restricting access to your computer, mobile phone, mobile device, and/or account. In the event of a breach of your confidentiality, please access our Privacy Channel (www.contatoseguro.com.br/privacidadecruzeiroeducacional).

3.3. Data Related to Selection Processes: To enable registration and participation in selection processes conducted by our Institutions (e.g., entrance exams, scholarships and discounts, research grants, extension and monitoring, among others), it will be necessary to collect personal data from candidates, such as: Name, CPF, RG, RGM, email, and phone number.

These data are collected through the completion of registration forms, which can be physical or electronic, and follow the terms provided in the respective public notices of each selection process.

We may also collect your data through application forms for selection processes for professional roles at Cruzeiro do Sul Educacional institutions, such as: Full name, CPF, date of birth, email and phone number, education level, and professional history.

3.4. Data for Enrollment and Provision of Educational Services: To purchase our products, we will need to collect some personal data necessary for the execution of the contract, proper provision of services, and compliance with applicable laws and regulations, such as: identification data (full name, date of birth, gender, CPF, RG, parentage); contact data (email and phone number); copies of documents; location data (country, state, city, residential address); professional data (position and name of the company you work for); educational data (education level, course name, name of the educational institution); billing data (name, CPF, address, credit card), among others.

We may also collect sensitive data, such as religion, ethnic/racial origin, medical data, physical or cognitive disabilities, in order to comply with legal or regulatory obligations, and/or to ensure your access to rights and the proper provision of services contracted by either party.

When accessing systems, platforms, and learning environments made available for the proper provision of services, such as the Student Area and Blackboard, data such as: name, RGM, date, time, IP of access, and user content (e.g., comments, voice, and image interactions) will be collected.

3.5. Data for Use of Services Open to the Community: If you are interested in using any of our community services, such as legal and/or accounting advice, medical and psychological assistance, it will be necessary to collect, directly from the holder or guardian, some personal data necessary for the provision of the chosen service.

The data collected will depend on the contracted service and may include registration data (Name, CPF, RG, Date of birth, address, phone number) and sensitive health data, such as: exams and medical history. These data will be processed solely to provide the offered services and for academic practice and development purposes.

3.6. Monitoring and Access Control Systems: When visiting and attending the premises of our Institutions, we may record your image through our internal monitoring system. Personal data may also be collected to provide your access credentials, in order to maintain a safe academic and work environment.

3.7. Participation in Events Organized or Supported by Cruzeiro do Sul Educacional: If you participate in any event organized or supported by the Institutions of Cruzeiro do Sul Educacional, the necessary data will be collected to confirm your registration (such as name, email, phone number, geolocation data, and educational interests) and/or to register your attendance.

Your contact data collected at our events may be used by our commercial and marketing teams to send you content and updates about topics related to the event or that may be of interest to you. We may also share such data with sponsors or supporters of the event, with prior notice or upon collecting your consent.

3.8. Through Third Parties: Some of your personal data may also be collected from publicly available sources, service providers, government agencies, and business partners, such as Partner Centers for distance learning, recruitment platforms and resume banks, marketing and recruitment companies, information bureaus, discount and/or scholarship sites, and educational programs of the Ministry of Education (PROUNI and FIES).

CSED, through Third Parties, may use data cleaning and enrichment measures to ensure access to correct and updated data that allow the proper provision of services and/or execution of the contractual relationship established with the holder, such as, for example, for the receipt of mandatory documents or collection of debts.

Part of the personal data collection methods indicated above may be carried out based on your consent, in cases where Cruzeiro do Sul Educacional does not have another legal basis for processing. In such cases, the refusal of consent may result in the inability to fully or partially access the services offered by the Company.

We emphasize that you can obtain information about the processing activities for which you have provided consent, as well as request its revocation, through the channels indicated in item 7 of this Policy.

4.Purpose of Processing Your Data

All personal data processing carried out by Cruzeiro do Sul Educacional institutions is supported by the legal bases provided in Law 13.709/2018 (LGPD), particularly concerning contract execution, compliance with legal/regulatory obligations, regular exercise of rights, legitimate interest, and consent.

Your data is processed to enable:

4.1. The execution of preliminary activities for the execution of the contract and/or the formalization and execution of the contract for the provision of our services, including the specificities of commercial agreements;

4.2. The provision of services offered to the community, mainly through our teaching clinics and legal or accounting practice centers;

4.3. Registration and selection in academic and professional selection processes, including compliance with legal/regulatory obligations and/or internal policies related to diversity and inclusion, during which tools that perform automated decisions may be adopted;

4.4. The proper registration of users in the systems and platforms used for the provision of contracted services;

4.5. Billing, payment processing and management, and debt collection;

4.6. Conducting analyses and procedures aimed at (i) updating and improving user registration, thus ensuring data quality, and (ii) enabling fraud prevention in the contracting and billing of our services, according to our legitimate interest;

4.7. The dissemination and offering of services, promotions, and special conditions that may be of interest to you and the customization of advertising actions;

4.8. Conducting research and statistical analyses that allow, for example, the proper evaluation of supply versus demand by geographic region, the identification and correction of flaws in our services, and the continuous improvement of our services;

4.9. Sending communications about relevant topics related to the provision of our services, such as changes in the academic calendar, internal events, alerts about deadlines or relevant risks, among others;

4.10. Sending marketing and advertising communications related to our products and services and commercial conditions, such as tuition fees, discount campaigns, offering new courses, among others;

4.11. Compliance with legal, judicial, regulatory, or administrative obligations and orders from competent authorities;

4.12. Monitoring activities and usage trends, as well as measuring the level of interaction and engagement with our services and platforms, with the aim of improving the user experience;

4.13. Enabling the control and management of physical and logical access, as well as video surveillance of some of our spaces, in order to ensure the security of our systems and assets, property security, and the protection of the physical integrity of people who circulate within our premises.

We emphasize that to achieve some of the purposes indicated above, CSED may rely on the support of partners and service providers, with whom it will share the strictly necessary data to achieve the intended purpose, taking the necessary precautions as indicated in item 8 of this Policy.

5. How We Handle Sensitive Data and Minors’ Data

Sensitive personal data is processed by Cruzeiro do Sul Educacional exclusively for purposes for which such data is strictly necessary. In these cases, as provided by Law 13.709, we adopt more restrictive access measures and apply sufficient security controls to protect the data.

Similarly, we understand the importance of protecting the personal data of minors. Therefore, all data collected related to such individuals is obtained and processed with the objective of serving the best interests of the minor and with restricted access to professionals and partners who genuinely need to access it to carry out their activities.

In the case of adolescents over 16 (sixteen) years of age, the data may be provided directly by the data subject, except for processing activities that require the authorization of a legal representative (e.g., contract execution). Data of children and adolescents under 16 (sixteen) years of age must be provided directly by their respective guardians/legal representatives.

Thus, we request that minors under 16 (sixteen) years of age do not use our platforms without the supervision or consent of their parents or guardians.

Legal representatives will also be fully responsible in cases where children and adolescents access the Cruzeiro do Sul Educacional websites and platforms without obtaining prior authorization. It is their full responsibility to supervise the activities and conduct of the minors under their care, as well as to be fully aware of these Terms.

6. How We Handle Employees’ Personal Data

We apply the same level of care in handling the personal data of our employees, collecting and processing only the minimal data necessary for specific purposes and which have legitimate legal bases.

If you are one of our employees, you can obtain more details on how we handle your data by accessing our Administrative Privacy Policy, available on the Rede Cruzeiro.

7. How You Can Manage and Monitor Your Data

We recognize and respect all the rights of personal data subjects with whom we interact, which can be exercised preferably through the Privacy Channel, available at: https://contatoseguro.com.br/pt/privacidadecruzeiroeducacional or by email: dpo@cruzeirodosul.edu.br.

Please note that for the exercise of some of the rights described below, Cruzeiro do Sul Educacional may request authentication of your identity to ensure that no information is shared with unauthorized persons and that no action is taken without your knowledge and authorization.

Through the channels indicated above, you can:

7.1. Data Consultation: You can request, through our service channels, a list of the personal data you own that we process.

7.2. Data Correction: You can, at any time, request the correction/update of your personal data when it is incomplete, incorrect, or outdated. If you are a student or former student, you can also make some corrections and updates independently in the Student Area or request such adjustments from the Student Service Center (CAA and CAA Online), Academic Office, or relevant Corporate Areas, when it concerns employees or third parties.

7.3. Expression of Objection: You can object to certain processing operations involving your data or restrict its use for specific purposes, as well as request the review of automated decisions.

7.4. Unsubscribing or Canceling the Receipt of Communications and Advertisements: You can request the removal of your contacts from all our mailing lists or specific lists to stop receiving communications that are not of interest to you.

Please note that if you fill out any form and again express your interest in being contacted or receiving information and materials from Cruzeiro do Sul Educacional, your contact will be reinserted into our databases. Therefore, the cancellation request must be made again, if desired, whenever there is a new interaction with us.

7.5. Consent Management or Revocation: For cases where the processing of your data occurs based on your consent, you can manage the consent you have provided or even request the revocation of the consents given.

7.6. Data Deletion: You can, at any time, request the total or partial deletion of your personal data by canceling your enrollment or other registrations and subscriptions you have made. However, we emphasize that even after a deletion request, Cruzeiro do Sul Educacional institutions may retain part of your personal data to fulfill the following purposes: (a) judicial, administrative, and arbitration proceedings (for the necessary period), (b) compliance with legal and/or regulatory obligations, or (c) the regular exercise of rights, such as enforcing the rights of Cruzeiro do Sul Educacional institutions based on the service contract.

We highlight that there may be situations in which Cruzeiro do Sul Educacional, for legitimate reasons, may decline to comply with a rights request, such as: (i) when providing information and documents could violate trade secrets or intellectual property rights of Cruzeiro do Sul Educacional; (ii) when there is another legal basis that obliges or legitimizes Cruzeiro do Sul to retain data, such as compliance with legal/regulatory obligations and the defense of the Company in judicial, administrative, or arbitration proceedings; or (iii) when the request falls outside the responsibilities of Cruzeiro do Sul Educacional.

Furthermore, we emphasize that some requests may not be responded to immediately. In such cases, the data subject can monitor the progress of their request through the channels indicated at the beginning of this item, with Cruzeiro do Sul Educacional committing to provide feedback within a reasonable timeframe and in compliance with applicable legislation.

8. Sharing Your Data

Your data is shared in certain situations, respecting your privacy and data protection, as well as the principles and guidelines provided in the LGPD.

Below, we list some instances where your data may be shared:

8.1. Among Cruzeiro do Sul Educacional institutions, within the limits of the purposes described in this Policy;

8.2. With judicial, administrative, and governmental authorities: To comply with legal and regulatory determinations or obligations, inspections and evaluations, the granting of scholarships and student financing, among others. Or to defend the Company’s rights in judicial or administrative proceedings;

8.3. With our network of Partner Centers: To facilitate the promotion of our products and services, the execution of pre-contractual activities, the completion of enrollments, and the provision of contracted educational services;

8.4. With financial institutions, payment service providers, payment integrators, and credit card companies: To process payment for acquired educational and administrative services;

8.5. With business partners to enable commercial partnerships or agreements that allow access to specialized products or the execution of academic activities necessary for the training of our students (e.g., mandatory internships, exchanges, graduation ceremonies);

8.6. With service providers who process personal data on behalf of Cruzeiro do Sul Educacional to perform certain functions such as: providing/licensing learning platforms and educational technology; collections and negotiation of financial issues; providing life and health insurance; recruitment of professionals; marketing and communication actions; physical access management and control; cloud storage services; external auditing; among others.

Cruzeiro do Sul Educacional only uses services and technologies offered by trustworthy third parties who demonstrate adherence to adequate and sufficient security standards. Therefore, all third parties with whom we share personal data undergo an evaluation process and a process of signing confidentiality and privacy clauses and agreements.

Under no circumstances does Cruzeiro do Sul Educacional sell or transfer personal data to any third party for financial gain or in a manner contrary to this Policy or the General Data Protection Law (LGPD).

9. International Data Transfer

Cruzeiro do Sul Educacional is headquartered in Brazil; however, in some situations, we may share your personal data with third parties located outside Brazil, such as cloud storage service providers or universities and business partners with international operations, who may act as Operators or in a joint controllership arrangement.

We emphasize that, regardless of the location of processing/storage, we adopt the necessary technical and administrative measures to ensure the security, confidentiality, and privacy of your data, such as conducting privacy and information security assessments, as well as implementing specific contractual clauses to ensure processing in compliance with the LGPD or equivalent legislation.

10. Data Storage Period

Your personal data will be retained by Cruzeiro do Sul Educacional only for the time necessary to fulfill the purposes for which they were collected, always respecting the data retention period provided by applicable law.

We also emphasize that if the deletion or anonymization of personal data is requested, this will only be possible for data whose storage is not required by law, regulatory authority, contractual execution, or other circumstances that justify the data’s retention.

11. Security Measures We Adopt

With the goal of preserving your privacy and protecting your personal data, Cruzeiro do Sul Educacional adopts best practices in information security and continuously implements improvements to protect the data we collect. Among these measures, we have implemented access controls and permission levels, multi-factor authentication, data encoding and encryption techniques both in transit and at rest, and incident monitoring.

We expect our entire value chain to share the same level of security that we strive for, which is why we have adopted a process for evaluating third parties who may process personal data on behalf of or for the benefit of Cruzeiro do Sul Educacional.

Additionally, we periodically train our employees on good cybersecurity and privacy practices, and we have specific teams prepared to detect and respond appropriately in the event of an incident that could compromise the security of your data.

Despite the aforementioned precautions and efforts, it is not possible to guarantee that our services and systems are inviolable. Therefore, we also rely on your collaboration to adequately protect your access passwords and limit third-party access to your devices, accounts, and personal data. Cruzeiro do Sul Educacional will not be responsible for the illegal and unauthorized use of your personal data that results from the misuse or misappropriation of your access credentials.

Policy Updates

We are always striving to improve our services and policies, and therefore, this Privacy Policy may undergo updates. For this reason, before accessing one of our platforms or using our services, please review our Policy on the websites of our Institutions, which will contain the date of its latest revision.

Last updated  08/13/2024