Privacy Policy (English)

1.0 Purpose

This Privacy Policy is designed to demonstrate our commitment to safeguarding your privacy and protecting your Personal Data, establishing the rules on the treatment of Personal Data, as well as explaining what your rights are and how to exercise them.

Please read this Policy carefully and, if you still have any questions, feel free to contact us through the Service Channels provided below.

If you do not agree with the provisions of this Policy, we kindly ask you to discontinue your access or use of our website.

2.0 Terms and definitions

  • Personal Data: any information referring to an identified or identifiable natural person, such as, for example, name, identity number, address, and tax ID number.
  • Sensitive Personal Data: personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or religious, philosophical, or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
  • Processing: any operation carried out with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of the information, modification, communication, transfer, dissemination, or extraction.
  • Data Subject: you, the natural person to whom the Personal Data refer, whether in the capacity of consumer, site user, investor, service provider, collaborator.
  • Controller: the company or individual that determines the purposes and means used for processing personal data. Gomes da Costa is the controller of its Users’ personal data.
  • Operator: a company or individual who processes the Data in accordance with the Controller’s instructions.
  • Officer or “DPO”: the person appointed to act as a communication channel between Gomes da Costa, the Users, and the National Data Protection Authority (“ANPD”).
  • Cookies: Small files sent by the Gomes da Costa site, saved on the devices and which store the preferences and a few other pieces of information, with the purpose of personalising browsing according to the User’s profile.
  • Our sites: designates the e-mail address and its subdomains.
  • Applicable legislation: all legislation on privacy and protection of Personal Data, especially Law No. 13,709/2018 (General Law on Personal Data Protection– LGPD).

3.0 Collection of personal data

The collection of Personal Data is necessary to provide services tailored to the needs of our consumers and website users. If you choose not to provide some of the Personal Data listed below, it may make it impossible to provide the service – either totally or partially.

For example:

Data collectedWhy do we collect these personal data?
Contact details (Talk to us)
NameInteraction with the users of our website, including answering questions and possible requests.  
Recruitment data (Work with us)
NameIdentification and authentication.Account registration so that the candidate can give us access to their CV.Evaluation of applications for vacancies and opportunities at Gomes da Costa.
Professional details
Details for complaints (Ethics line)
NameReception and verification of conducts that violate our Code of Ethics, good company practices or even the legislation in force.
Digital identification data
CookiesIdentification and authentication.Compliance with legal obligations of record-keeping established by the Civil Internet Procedure – Law nº 12.965/2014.Content customization and browsing matters (for further information, please, refer to our Cookies Policy).

Therefore, depending on the type of interaction you have with Gomes da Costa, your data may be used in the following ways:

  • With our recruitment and selection area, when you access the “Work with us” area of the website and send your CV.
  • With the Compliance area for the investigation of complaints made through the Ethics Channel.
  • With the Marketing area, regarding the records of surveys, queries, consumer complaints and reward programmes.
  • Automatically, in the event of corporate movements, such as mergers, acquisitions, and incorporations.

3.1. Social Networks

We have pages hosted on social networks such as Facebook, Instagram, LinkedIn and YouTube for the dissemination of our products and events, as well as for interaction with users.

These social networks have their own privacy policies, which may be different from the way we treat Personal Data. Therefore, it is up to you to consult the documents on each of these companies’ websites.

Updating and veracity of Personal Data

You are solely responsible for the accuracy, veracity or updating of the Personal Data you provide us. We are not obliged to process your Personal Data if there are reasons to believe that such processing could impute to us the infringement of any applicable law, or if you are using our environments for any purpose that is illegal, illicit, or immoral.


The database formed through the collection of Personal Data is our property and is under our responsibility, and its use, access and sharing, when necessary, will be done within the limits and business purposes described in this Policy.

Technologies used

We use cookies on our websites, but you can set your browser to block cookies. In this case, some of the functionalities we offer may be limited. For more information, please see our Cookie Policy.

3.2. Data Sharing

Personal Data collected and activities recorded may be shared:

  • With third parties, for the supply of products or services essential to the provision of services.
  • With companies belonging to the Calvo Group.
  • With competent judicial, administrative, or governmental authorities, whenever there is a legal requirement, request, requisition, or judicial order.
  • Other third parties in limited circumstances, such as reporting suspected criminal activity, complying with legal requirements, preventing fraud, and protecting the security of our users.

If you have any questions about with whom we share your Personal Data, please contact us through the Service Channels provided in this Policy.

Please note that for the purposes of market intelligence research, dissemination of data to the press and advertising, the data provided by you will be shared on an anonymous basis, so as not to allow your identification.

3.3. Security of information

Security and Governance Practices

To safeguard your privacy and protect your Personal Data, we have a governance program containing rules of good practice, internal policies and procedures, which establish organizational conditions, training, educational actions and mechanisms for the supervision and mitigation of risks related to the Processing of Personal Data.

Access to personal data, proportionality and relevance

Internally, the Personal Data collected is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance to the objectives of our business, as well as the commitment to confidentiality and preservation of your privacy under the terms of this Policy.

Adoption of good practices

You are also responsible for the confidentiality of your Personal Data and should always be aware that sharing passwords and access data violates this Policy and may compromise the security of your Data and our environments. If you identify or become aware that the security of your Personal Data has been compromised, please contact us through the Service Channels provided in this Policy.

External links

When you use our websites, you may be taken, via link, to other portals or platforms, which may collect your Personal Data and have their own Privacy Policy. It is up to you to read these policies and it is your responsibility to accept or reject them. We are not responsible for the Privacy Policies of third parties or the content of any websites or services linked to sites or environments other than our own.

Treatment by third parties under our direction

We carefully evaluate those who provide services to us and have contractual information security and personal data protection obligations with them in order to protect you.

3.4. Storage of personal data and recording of activities

Storage site

The Personal Data collected, and the activity records are stored in a safe and controlled environment, which may be in our servers located in Brazil, as well as in an environment of resource use or servers in the cloud, which may require the transfer and/or processing of your Personal Data outside Brazil. These transfers only involve companies that demonstrate compliance with applicable laws, maintaining a level of compliance similar to or more stringent than that provided by Brazilian law.

Storage period

We store Personal Data only for as long as is necessary to fulfil the purposes for which it was collected or to comply with any legal, regulatory obligations or to preserve rights.

Deletion of personal data

Upon expiry of the maintenance period and legal necessity, Personal Data will be deleted using secure disposal methods or used in an anonymised form for statistical purposes.

3.5. Exercising of rights

The Personal Data is yours and the applicable law provides a series of rights related to them, which may be exercised by you through the Service Channel provided in this Policy.

  • (i) Confirmation and access: you may request confirmation as to the existence of Processing and access to your Personal Data, including by requesting copies of records we hold about you.
  • (ii) Correction: you may request the correction of your Personal Data that is incomplete, inaccurate or outdated.
  • (iii) Anonymisation, blocking or elimination: you may request the anonymisation of your Personal Data so that they can no longer be associated with you, the blocking of your Personal Data by temporarily suspending their processing for certain purposes, or the erasure of your Personal Data.
  • (iv) Portability: you may request that we provide your Personal Data in a structured and interoperable format for transfer to a third party, respecting our intellectual property or trade secrets.
  • (v) Information on sharing: you may request information about third parties with whom you share your Personal Data, limiting such disclosure to information that does not infringe our intellectual property or trade secrets.
  • (vi) Revocation of consent: you may choose to withdraw consent for any purpose to which you have consented. Any such withdrawal will not affect the legality of any prior processing. If you withdraw your consent for purposes essential to the smooth operation of our sites and services, they may become unavailable to you.
  • (vii) Opposition: you may object to the Processing of your Personal Data if you do not agree with any purpose.


Before providing the information, we need to confirm that the request has been made by the actual Data Subject.
For this reason, when making the request you must identify yourself appropriately. Eventually, we may request a copy of a document for final validation and delivery of the data. In this way, we guarantee greater security to the analysis process, avoiding access by unauthorized third parties.

Failure to respond to requests.

We may fail to comply with requests to exercise rights if compliance would infringe intellectual property or trade secrets, or where there is a legal or regulatory obligation to retain Personal Data. In addition, we may fail to comply with your request if we need to retain Personal Data to enable our or a third party’s defence in disputes of any nature.

Replies to requests

We undertake to respond to all requests within a reasonable time and always in compliance with applicable law.

3.6. Further information

Amendment of the content and updating

You acknowledge our right to change the content of this Policy at any time, according to the purpose or need, such as for adequacy and legal compliance with the provision of law or standard that has equivalent legal force, being up to you to check it every time you access our environments. If there are updates to this document and if they require new consent collection, you will be notified through the contact channels you inform us of.


Should any part of this Policy be found to be unenforceable by a Data Protection Authority or court, the remaining terms will remain in full force and effect.

Service Channels

If you have any questions regarding the provisions contained in this Policy, including the exercise of your rights, you may contact our Officer, who is available at the following address:

  • (i) Data Protection Officer (DPO): Áudea Seguridad de la Información S.L.
  • (ii) Contact e-mail:

Applicable law and venue

This Policy will be interpreted according to the Brazilian legislation, in the Portuguese language, choosing the jurisdiction of your domicile to settle any controversy involving this document, unless specific personal, territorial, or functional jurisdiction is specifically provided by the applicable legislation.