Privacy Notice

PURPOSE

This Policy establishes the Personal Data Protection principles that all departments of Ibitu Energia S/A, enrolled in the CNPJ/MF under n. 31.908.280/0001-64, and its invested companies, directly or indirectly controlled, wholly-owned subsidiaries and affiliates (hereinafter jointly just “Company”), will implement and exercise to ensure compliance with applicable data protection requirements, especially Law 13.709/2018 – General Data Protection Law (LGPD) and best corporate practices for the collection, processing, storage and disclosure of Personal Data (defined below).

COVERAGE

This Policy applies to all departments of the Company, as well as its managers, agents, employees, interns or apprentices, contractors, customers, suppliers, partners and/or external consultants who work for and/or on behalf of the Company.

TERMS AND DEFINITIONS

Processing Activities: Activities carried out within the scope of the Company’s business operations, carried out by its employees, representatives, agents and/or computer systems of the Company, carried out with the use of Personal Data, such as: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation, information control, communication, transfer, dissemination or extraction.

National Authority for Data Protection – ANPD: This is the national regulatory and supervisory body on compliance with obligations and respect for the rights provided for in the LGPD.
Legal Basis (for the Processing of Personal Data): Legal provision, arising from a normative instrument accepted in Law, which authorizes the Processing of Personal Data. Among the various legal bases provided for by law, each treatment activity carried out by the company must have a respective legal basis that justifies it, duly assigned by the Company.

Personal Data: Any information that can be linked to an identified or identifiable person. This includes, but is not limited to, name, contact information (home address, telephone and email address), date of birth, insurance numbers, nationality, copies of passport, copies of birth and marriage certificates, credit card details, military status, marital status, number of children, photograph, mileage card (airline) details, countries visited and vaccination records, location, job/title, job contact details (phone and fax numbers and e-mail address), salary, educational level and any other categories of Personal Data that Ibitu Energia comes to process.
Sensitive Personal Data: Under the terms of the LGPD, all personal data referring to an individual that identifies or allows identifying their racial or ethnic origin, religious conviction, political opinion, affiliation to a union or to an organization of a religious, philosophical or political nature, as well as data relating to health or sex life and genetic or biometric data.

Holder: Natural person (individual) to whom the Personal Data that are subject to treatment refer, such as, for example: consumers when applicable, employees in general, representatives, website users, etc. The Company processes data from people who are or were its collaborators, representatives and employees of contracted companies or in negotiations, customers and users when applicable, third parties who frequent its establishments in the country or exchange communication and website users on the internet. Such data may be obtained directly from the holder, through digital platforms used by the Company, through contracted third parties, public bodies or even in an automated way, when the holder browses the website or uses technological applications made available by the Company.

PRINCIPLES AND GUIDELINES

4.1 Transparency/Notification: The Company will always keep available its policies and details on practices related to activities that process Personal Data, through privacy notices and/or equivalent documents that allow the holder to understand, in an objective, transparent and easily accessible way, which data is collected, how long the Personal Data is processed and retained, how it will be used, shared and disposed of, as well as contact information for submitting inquiries, complaints and any rights available to individuals in relation to Personal Data under the control of the Company.

4.2 Purposes and Legal Bases: Personal Data are handled by the Company exclusively for planning, managing and executing its core activities, in accordance with its social objectives, whether in the selection and hiring of a workforce for this purpose, the acquisition of products and services for the same purpose, or fulfillment of signed contracts. The Company also processes Personal Data to comply with legal and regulatory requirements for the activities described above.
Therefore, the Legal Bases, set out in detail in the process registration documentation and risk analysis of the treatment activities, are predominantly those provided for contract compliance/execution, legal or regulatory obligation and legitimate interest.

4.3 Sensitive Personal Data: These are data processed only when essential for the purposes of the activity, such as, for example and not limited to, due to the use of the corporate health plan, compliance with legal or regulatory obligations (such as, for example, information on ethnicity for e-Social and admission medical examination) and work safety applicable to the Company itself or to customers/suppliers, also duly detailed and substantiated in the documents that record the Personal Data Processing processes and risk analysis, when applicable.

4.4 Minimization of Data: Personal Data is collected and used only for legitimate business purposes and in compliance with current regulations. When processed, Personal Data must be limited to the minimum necessary for the purposes of each activity and adequate for the Company’s intended use.

4.5 Collection, Quality and Retention: The Company will only collect Personal Data insofar as it is reasonably related to the uses for which it was obtained, and will only retain Personal Data for as long as necessary for those uses and as necessary for legitimate legal and business purposes. Personal Data will always be maintained in full and in accordance with the characteristics with which it was collected, as applicable, unless updating is necessary and/or requested by the holder to adjust its accuracy.

4.6 Use and Disclosure: The Company will limit the use of Personal Data to those purposes expected by individuals, based on the nature of the relationship or context in which the Personal Data was collected. Disclosures of Personal Data to third parties will be limited to those directly related to the performance of services on behalf of the Company (for example, service providers), as required or permitted by applicable law and, as applicable, where third parties are obligated to the security of data and other legal obligations.
All direct and indirect employees, contractors, suppliers, customers and representatives of third parties should only have access to the Personal Data of holders if and when strictly necessary for the performance of core activities of Ibitu Energia, whose nature, purpose and result depend on the treatment of such data. Also, whenever necessary to process Personal Data, they must make the best efforts to guarantee the privacy, secrecy and protection of Personal Data, acting in a way to prevent any leakage, access or misuse that may occur, causing or not damage to personal data holders.
The sharing and disclosure of Personal Data of the Company’s holders may only occur when legally permitted and when provided for in the internal process that regulates the respective treatment activity. International transfers are applicable for data processed through cloud systems and applications, whose databases are located in another territory – such information is provided in detail and legally supported in the documentation of process registration and risk analysis of treatment activities.

4.7 Non-Discrimination: The Personal Data processed by the Company may never be used or support any act that implies or presumes discriminatory purposes, of any nature, being certain that the Company, in case of non-compliance with the provisions herein, will immediately adopt the appropriate measures so that such acts are immediately ceased, as well as the administrative, disciplinary and/or legal sanctions applicable against violators.

4.8 Security/Safeguards: The Company takes reasonable measures to protect Personal Data from loss, unauthorized access, use, destruction, modification or disclosure, appropriate to the level of risk and sensitivity of the data, as set out in the Company’s Information Security Policy, whose standards and guidelines describe the measures to be taken by all departments of the Company to protect Personal Data.

The Company is committed to always making the best efforts to protect the Personal Data subject to treatment against internal and external security incidents, employing resources in accordance with applicable legislation, regulations and best practices.

RESPONSIBILITIES

5.1 Sharing Personal Data with third parties: Personal Data processing activities involving more than one Processing Agent are a critical point for the Protection of Personal Data. In this sense, it is important to establish guarantees, define responsibilities and adopt measures to be observed when sharing Personal Data with third parties, whether Controllers or Data Operators.

The Company may share Personal Data with third parties in the development of its activities, always following the rules and principles of Personal Data Protection and Information Security. Sharing can be done with:

  • Service providers (example: IT servers and software);
  • Business partners, in the development of the Company’s commercial activities;
  • Public Authorities;
  • In case of protection of Ibitu Energia’s interests in any type of conflict, including lawsuits;
  • By court order;
  • Other cases foreseen and/or authorized by law.

It should be noted that only the data necessary to carry out the respective Treatment must be shared, upon conclusion of a contract with protective clauses for the Holders and that guarantee that the third party will comply with all applicable legal determinations, unless otherwise authorized by the person in charge of the area of Privacy and Data Protection of the Company, but provided that security measures for sharing are met. In any event, sharing must be formally mapped and identified in the Company’s internal controls.

Before sharing Personal Data, it is important to define whether the recipient will act as Controller or Operator in the Processing of Personal Data, with their responsibilities and requirements for sharing reflected in the most appropriate contractual instrument that will govern the relationship.

The Sharing of Personal Data with third parties must occur, as a rule, solely and exclusively: (i) to meet the purpose that justified the Processing of Personal Data, within the limits of the legal basis defined for that purpose; and (ii) in accordance with the activity that underlies the supplier’s and partner’s relationship with the Company. When another type of sharing of Personal Data is necessary that does not meet the conditions established above, it will be necessary to correspond to one of the legal bases established by the LGPD.

The third party must demonstrate that it has adequate guarantees, considering aspects of Personal Data protection and Information Security. Whenever possible, the third party must demonstrate that it is capable of complying with the Company’s policies and procedures that deal with the protection of Personal Data and Information Security.

The Company will not share Personal Data when there is a legal prohibition, contractual restriction or that results in an offense to the Holder’s rights provided for by law.

Under no circumstances may Personal Data be publicly disclosed, unless such activity is formally mapped and with an adequate legal basis provided for it.

5.2. Person in Charge of Personal Data Processing: The Person in Charge of Personal Data Processing (hereinafter just “Person in Charge” or “DPO”) is primarily responsible for the development and administration of this Policy, must stay informed of legal and regulatory developments and provide related alerts, and must maintain company-wide privacy agreements, notices and training materials. The Person in Charge is responsible for the representation and communication of the Company with the Holders of Personal Data, with the ANPD and other bodies that deal or will deal with this matter.

The Company’s Manager is Alexandre Fonte (Blasquez da Fonte Advogados), based in São Paulo/SP, with e-mail address lgpd@ibituenergia.com.

Exercise of Holders’ Rights and Complaints: The Company undertakes to guarantee the protection of Holders’ rights, under the terms of the applicable rules, which may be exercised upon request addressed to the Person in Charge/DPO through the e-mail lgpd@ibituenergia.com, among them:

  • confirmation of the existence of treatment;
  • access to processed Personal Data;
  • correction of Personal Data that is incomplete, inaccurate or out of date;
  • anonymization, blocking or deletion of data that is unnecessary, excessive or processed in non-compliance with the Law;
  • portability right;
  • right to delete Personal Data processed with the consent of the holder;
  • information on the entities with which your Personal Data was shared;
  • information about the possibility of not providing consent and the consequences of the refusal, as well as the right to revoke consent;
  • right to complain/claim before the competent authorities;
  • right to oppose the treatment carried out based on one of the hypotheses of waiver of consent.

If a request sent by the Holder is denied, the Company will provide the Holder with a reasoned response stating the reasons for the denial.

5.3 Response to Incidents: In case of imminence or occurrence of incidents that could compromise Personal Data, the Company will respond promptly in order to avoid and/or stop the incident and avoid or minimize damages. If the occurrence of an incident that effectively compromises the Personal Data of Holders is confirmed, the Company will notify them, as well as the competent authorities, detailing the affected information, extension and other applicable details.

EXCEPTIONS

The LGPD does not apply to, and this Privacy Policy therefore does not cover, data used exclusively for journalistic and artistic purposes, public safety, national defense, State security, investigation and repression of criminal offenses (i.e. non-economic purposes), and anonymized data.

DISCIPLINARY SANCTIONS

The unrestricted observance of the guidelines, responsibilities and application of this Policy, as well as the rules contained therein and current legislation is a condition for relating and maintaining a relationship with the Company, under penalty of applying disciplinary sanctions.

In case of verification of non-compliance and/or detection of an attitude that violates one or more points set forth in this policy, the facts will be verified by the DPO function, with the support of internal and/or external people and teams at its discretion. If the infringement involves a person from the DPO, the negotiations will be conducted by the company’s top management, and the necessary measures must be taken or determined to verify the facts.

Violators who cause violations and/or fail to comply with the provisions of this Policy may have their relationship with the Company definitively terminated, for good reason, in addition to being civilly and/or criminally liable for the damages caused to the Company and/or third parties, without prejudice to the adoption by the company of other legally and contractually provided for measures.

REFERENCES

  • IBITU-CMP-020.1 – Information Security Booklet
  • IBITU-CMP-020 – Information Security Policy
  • IBITU-CMP-001 – Code of Ethics
  • IBITU-CMP-010 – Cookie Policy
  • IBITU-CMP-016 – IT Policy
  • IBITU-CMP-021 – Access Control Policy
  • IBITU-CMP-022 – Email Policy