Privacy Policy

Data Protection Policy applicable to external service providers, suppliers, and partners.

1

Purpose

This Data Protection Policy for External Service Providers sets forth the principles, requirements, and obligations governing the processing of personal data by suppliers, external service providers, business partners, and other third parties that maintain a contractual relationship with 5C Company LLC.

This Policy has been prepared in compliance with:

  • General Data Protection Law – LGPD (Lei nº 13.709/2018 – Brazil);
  • Federal Trade Commission Act (FTC Act – USA);
  • California Consumer Privacy Act / CPRA (CCPA/CPRA – USA), as applicable;
  • Texas Data Privacy and Security Act (TDPSA – Texas);
  • Other applicable data protection and privacy laws and regulations.
2

Scope

This Policy applies to all third parties that process personal data on behalf of 5C Company LLC or that, by virtue of their contractual relationship with 5C Company LLC, have access to:

  • Customer data;
  • Model and content creator data;
  • Employee and internal contractor data;
  • Business partner data;
  • Data stored in the company's systems, platforms, or documents.
3

Definitions

For the purposes of this Policy:

Personal data: any information relating to an identified or identifiable natural person.

Sensitive personal data: personal data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, union membership, health or sexual orientation, biometric data, or any other categories of data deemed sensitive under applicable law.

Data processing: any operation or set of operations performed on personal data, whether or not by automated means, including collection, access, use, storage, disclosure, transmission, dissemination, transfer, anonymization, blocking, and deletion.

Data subject: the natural person to whom the personal data relates.

External service providers: companies, independent contractors, consultants, suppliers, and business partners that are not part of the company's internal organization.

4

Principles Applicable to Data Processing

External service providers shall comply with the following data protection principles:

  • Purpose limitation and lawfulness;
  • Data minimization and necessity;
  • Transparency and good faith;
  • Non-discrimination;
  • Accountability and auditability;
  • Confidentiality and integrity.
5

Instructions for Processing by Third Parties

External service providers shall only process personal data:

  • In accordance with the documented instructions of 5C Company LLC;
  • To the extent necessary to perform the contract or business arrangement with 5C Company LLC;
  • Using appropriate technical and organizational measures to protect personal data;
  • By personnel who have a demonstrable need to access such data;
  • In compliance with applicable data protection laws and contractual obligations.

Personal data shall not be used for any purpose other than those expressly authorized by 5C Company LLC; this prohibition includes use for the provider's own commercial purposes.

6

Lawful Bases for Processing

External service providers shall ensure that the processing of personal data is supported by an appropriate lawful basis under applicable law, including:

6.1 Under the LGPD:

  • Contract execution;
  • Compliance with a legal or regulatory obligation;
  • Legitimate interests of the company;
  • Consent of the data subject, where required;
  • The regular exercise of rights in judicial, administrative or arbitration proceedings.

6.2 Under applicable U.S. Law:

  • Legitimate Business Interest;
  • Contractual Necessity;
  • Legal Compliance;
  • Consumer Protection and Fraud Prevention.
7

Confidentiality

External service providers shall maintain the confidentiality of all personal data and other confidential information to which they are given access.

Providers shall not:

  • Disclose personal data to unauthorized third parties;
  • Use personal data for their own benefit;
  • Reproduce or store personal data outside authorized systems;
  • Share corporate credentials or access.

The confidentiality obligations set forth herein shall survive termination of the relevant agreement.

8

Security Information

External service providers shall implement and maintain appropriate technical, administrative, and organizational security measures, including, without limitation:

  • Protection of systems and devices used to process personal data;
  • Access controls and secure authentication;
  • Use of updated and secure software;
  • Secure storage of physical and electronic records;
  • Internal policies and procedures consistent with this Policy.
9

Subprocessing

External service providers shall not engage subprocessors to process personal data without the prior written consent of 5C Company LLC. Where such consent is granted, the provider shall ensure that each subprocessor is bound by written terms no less protective than those outlined in this Policy and applicable law.

10

Data Sharing

Personal data may be shared by external service providers only when:

  • Necessary for the performance of the contract;
  • Authorized by 5C Company LLC;
  • Required by law or ordered by a competent authority.

Sharing of personal data via informal channels, unauthorized platforms or personal devices is prohibited unless expressly authorized.

11

Security Incidents and Notification

External service providers shall promptly notify 5C Company LLC upon becoming aware of any actual or suspected security incident affecting personal data, including:

  • Data breaches or suspected breaches;
  • Unauthorized access;
  • Loss or theft of devices;
  • Misuse or unauthorized disclosure of personal data;
  • Cyberattacks or security failures.

Notification shall be immediate and shall include sufficient information to enable the company to assess, contain and remediate the incident.

12

Data Subject Requests

External service providers are not permitted to respond directly to requests from data subjects. Any data subject request received by a provider shall be immediately forwarded to 5C Company LLC for handling.

Data subjects may exercise rights such as:

  • Access and processing confirmation;
  • Data correction;
  • Deletion of unnecessary data;
  • Withdrawal of consent where applicable;
  • Processing objection where permitted by law.
13

International Data Transfers

Given the company's international operations, personal data may be transferred across borders. In such cases, external service providers shall ensure:

  • Implementation of adequate contractual safeguards;
  • Compliance with LGPD requirements;
  • Compliance with applicable U.S. laws;
  • Application of appropriate security and governance measures.
14

Provider Responsibilities

External service providers shall:

  • Comply with this Policy and applicable data protection laws;
  • Ensure the confidentiality, integrity, and security of personal data;
  • Limit processing activities to the contractual scope;
  • Report security incidents without undue delay;
  • Cooperate with audits, inspections, and investigations;
  • Maintain records of processing activities where required by law.
15

Audit and Compliance

5C Company LLC reserves the right to conduct audits or request evidence of compliance with data protection obligations. External service providers shall cooperate and provide relevant documentation and information upon request.

16

Breaches and Sanctions

Non-compliance with this Policy or applicable law may result in:

  • Suspension or restriction of access to data;
  • Termination of contractual relationships;
  • Civil liability and indemnification obligations;
  • Contractual penalties;
  • Notification to regulatory authorities when required by law.
17

Training and Awareness

Where applicable, external service providers may be required to participate in training or receive guidance on data protection, information security, and compliance matters.

18

Contact and Data Protection Channel

For communications concerning data protection, security incidents, or questions regarding this Policy, external service providers shall contact:

5C Company LLC – Compliance & Data Protection
E-mail: [email protected]

19

Final Provisions

Ignorance of this Policy does not relieve external service providers of their legal and contractual obligations with respect to personal data protection.

All external service providers processing personal data on behalf of 5C Company LLC shall formally adhere to this Policy and undertake to comply with its principles, requirements, and obligations.