1. Introduction

​

Grigoletto Advogados (“Firm” or “Grigoletto Advogados”) maintains a privacy and data protection program establishing standards for the processing of personal data, in compliance with applicable laws and regulations, particularly the Brazilian General Data Protection Law – LGPD (Law No. 13,709/2018).

 

By law, the protection of personal data is founded on:

 

(i) ​Respect for privacy;

(ii) Informational self-determination;

(iii) Freedom of expression, information, communication, and opinion;

(iv) Inviolability of intimacy, honor, and image;

(v) Economic and technological development and innovation;

(vi) Free enterprise, free competition, and consumer protection; and

(vii) Human rights, free development of personality, dignity, and the exercise of citizenship by natural persons.

 

This Privacy and Personal Data Protection Policy (“Privacy Policy”) establishes rules for the processing of personal data collected when a user (“User”) accesses the Firm’s website, https://www.grigolettoadvogados.com.br (“Website”) and any subsites, when the Firm provides legal services (“Services”) to clients or potential clients (“Clients”), whether on-site or electronically, or when the Firm enters into contracts or maintains business relationships with suppliers, correspondents, and other service providers (“Business Partners”).

​

2. Definitions

​

(i) Personal Data: Any information relating to an identified or identifiable natural person, including name, address, phone number, CPF, driver’s license number, etc;

(ii) Sensitive Personal Data: Personal data revealing racial or ethnic origin, religious beliefs, political opinions, union or organizational affiliations, health, sexual life, genetic or biometric data linked to a natural person;

(iii) Data Subject: The natural person to whom the personal data relates. This includes Clients, Business Partners (natural persons), legal representatives of legal entities, employees representing a company, and Website Users;

(iv) Controller: The natural or legal person, public or private, responsible for decisions regarding personal data processing (“Firm”).

(v) Data Protection Officer (DPO): The person appointed by the Firm as a liaison between the Firm, data subjects, and the National Data Protection Authority (“ANPD”);

(vi) Security Incident: Unauthorized access, accidental or unlawful destruction, loss, alteration, communication, or any inappropriate or unlawful processing of personal data;

(vii) Processing: Any operation performed on personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, elimination, evaluation, modification, communication, transfer, dissemination, or extraction.

 

3. Personal Data Processing

​

To provide our Services, it is often necessary to access, collect, store, share, or otherwise process Personal Data.

Data may be obtained:

​

(i) Directly from the Data Subject or related persons (e.g., employer when the subject is a legal representative);

(ii) Incidentally during legal services or contract execution, accessing data from other parties;

(iii) From publicly available sources;

(iv) Automatically from Website Users (e.g., cookies);

(v) From Clients or Business Partners visiting the Firm’s premises (e.g., security cameras).

 

The Firm is not responsible for data collection or use by the platform hosting the Website.

​

4. Personal Data Collected

​

Subject to applicable law and only when necessary, the Firm may process:

​

(i) Identification and contact data: Full name, address, date of birth, nationality, ID numbers (RG, CPF, CNH, OAB, etc.), email, phone;

(ii) Academic and professional information: Employer, occupation, position, education;

(iii) Financial information: Bank details, income, transaction history, credits, assets, debts, loans;

(iv) Family information: Marital status, family structure, data of relatives or close associates;

(v) Message content: Emails or electronic communications regarding cases, negotiations, strategies, or facts;

(vi) Images: CCTV footage captured on Firm premises;

(vii) Technical navigation data: Browser, device, IP address, location, referring website, and usage patterns via cookies, web beacons, or similar technologies.

 

The Website does not intentionally collect sensitive personal data or data from minors under 18, except when necessary to provide Services, in compliance with applicable law and client consent.

​

5. Purpose of Processing

​

Personal Data is processed to:

​

(i) Formalize and execute contracts with Clients and Business Partners;

(ii) Analyze conflicts of interest;

(iii) Identify Clients and Business Partners and grant access to Firm premises;

(iv) Communicate regarding commercial relationships;

(v) Draft, review, or negotiate contracts; file legal actions, defenses, and appeals; manage judicial, administrative, or arbitral processes; conduct investigations and inquiries; draft legal opinions and memoranda; hold meetings and conferences;

(vi) Invoice and collect payments from Clients;

(vii) Pay Business Partners;

(viii) Monitor physical premises for safety;

(ix) Facilitate client references for legal publications;

(x) Conduct satisfaction surveys and feedback;

(xi) Send institutional communications, newsletters, and event invitations;

(xii) Respond to requests or obtain consent from Data Subjects;

(xiii) Maintain central Client and Partner databases;

(xiv) Optimize or personalize the Website experience.

 

Additionally, processing may occur to:

​

(i) Comply with legal or regulatory obligations;

(ii) Follow judicial, regulatory, or competent authority orders;

(iii) Protect Firm interests, members, Clients, and Business Partners;

(iv) Detect and prevent fraud;

(v) Exercise legal rights in judicial, administrative, or arbitral proceedings;

(vi) Other lawful purposes.

 

6. Cookies

​

The Website uses cookies and similar technologies to collect information about usage, including browser type, pages visited, and preferences. Cookies are categorized as:

​

1. Essential cookies: Required to access secure areas and provide services.

2. Analytical cookies: Used to analyze Website usage and performance, improve user experience, and generate anonymous statistical data.

3. Functional cookies: Store user preferences, such as language selection, to improve Website usability.

​

Users can manage cookies through browser settings, though disabling cookies may affect Website functionality. The Firm is not responsible for the hosting platform’s data collection or use.

​

7. Sharing of Personal Data

​

Data may be shared as necessary with:

(i) System service providers: Software and IT providers supporting data management and administration;

(ii) Legal and administrative service providers: Correspondent lawyers, experts, partner law firms (domestic and international), auditors, accountants, translators, and financial institutions;

(iii) Legal rankings: Data may be shared to allow clients to evaluate the Firm for rankings publications;

(iv) Authorities: To comply with legal or regulatory obligations, judicial or administrative processes, audits, or investigations.

 

All third parties and temporary service providers with access to data must comply with LGPD and this Privacy Policy, under penalty of contract termination.

​

8. International Data Transfers

​

The Firm may transfer Personal Data to service providers or partner firms abroad. Appropriate measures will be adopted to ensure adequate protection in compliance with national and international data protection laws, selecting third parties with high security standards.

​

9. Data Subject Rights

​

Data Subjects may request, in writing via the Website form:

(i) Confirmation of data processing;

(ii) Access to Personal Data;

(iii) Correction of incomplete or inaccurate data;

(iv) Anonymization, blocking, or deletion of unnecessary or unlawful data;

(v) Portability to another service provider;

(vi) Deletion of data processed with consent;

(vii) Information about data sharing;

(viii) Information on consequences of refusing consent;

(ix) Revocation of consent.

 

Exceptions apply, e.g., data may be retained for legal obligations or legitimate purposes, and access may be restricted to protect other Data Subjects or trade secrets. Verification of identity may be required.

​

10. Security

​

The Firm adopts technical, physical, and organizational measures to safeguard data, including access controls, encryption, firewalls, intrusion detection, and network monitoring. All members and third parties are required to maintain confidentiality and comply with security policies, under penalty of contract termination.

​

11. Data Retention and Termination of Processing

​

Data processing ends when:

(i) The purpose is achieved or data is no longer needed;

(ii) The retention period expires;

(iii) Data Subject requests termination or revokes consent;

(iv) Ordered by the national authority.

 

Data may be retained to:

​

(i) Comply with legal or regulatory obligations;

(ii) Retain anonymized data for internal use.

 

12. Changes to the Privacy Policy

​

This Privacy Policy may be updated periodically to reflect changes in practices or law. The last revision date is indicated at the top. Significant changes will be communicated to Users. We recommend reviewing the Policy regularly to stay informed.