1. WHAT IS THE PERSONAL DATA PROTECTION AND PRIVACY POLICY
Through the Personal Data Protection and Privacy Policy (the “Policy”), we explain how we process your personal data, the purposes of such processing, for how long, the security criteria observed, and what your rights are as a data subject, as well as how they can be exercised, all in accordance with legal provisions regarding the protection of personal data, especially Law 13.709/18 (General Data Protection Law – LGPD).
2. DEFINITIONS
Some definitions are important for a better understanding of this Policy:
- GENERAL DATA PROTECTION LAW (LGPD)
- Law No. 13.709, of August 14, 2018, which regulates the processing of personal data, including digital means, by natural or legal persons, public or private, aiming to protect fundamental rights of freedom, privacy, and the free development of the individual.
- CONTROLLER
- Natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data.
- PROCESSOR
- Natural or legal person, public or private, who processes personal data on behalf of the controller.
- PERSONAL DATA
- Any information related to an identified (e.g., name, ID, address, phone) or identifiable natural person (e.g., by combining information).
- SENSITIVE PERSONAL DATA
- According to Art. 5, II, of the LGPD, these are data that reveal intimate aspects of the subject and require enhanced protection, such as personal data on racial or ethnic origin, religious belief, political opinion, union membership or membership in an organization of a religious, philosophical, or political nature, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
- REGISTRATION PERSONAL DATA
- Information that identifies or directly describes a natural person, including identification, contact, and document data, among others.
- FINANCIAL PERSONAL DATA
- Information linked to the individual’s financial condition, referring to accounts, operations, and financial profile, such as: income, credit score, bank account number, branch, credit card number, among others.
- BEHAVIORAL PERSONAL DATA
- Information about habits, preferences, behaviors, and usage patterns of individuals, related to profiling or behavior tracking, such as: browsing and usage habits (cookies, page history), consumption and purchasing profile, performance, among others.
- PROCESSING
- Any operation carried out with personal data, including but not limited to, collection, storage, consultation, use, sharing, transmission, classification, reproduction, deletion, and evaluation.
- DATA SUBJECT(S)
- The natural person to whom the personal data refers.
- COOKIES
- Small files that websites store on a computer through the browser to identify the visitor and customize the page according to their preferences.
3. HOW WE PROCESS PERSONAL DATA
ING processes personal data with specific, determined, and legitimate purposes, necessary for carrying out its commercial activities, such as those listed in this Policy, respecting the principles of the LGPD. The availability of personal data, as well as confirmation of its processing, may be requested through the official channels provided in this Policy.
Access data may include information such as registration data for contact, as well as data like the IP address of the Subject’s device, browser type and version. Behavioral data refers to navigation (pages visited, date and time of visit, time spent), as well as professional data and history when provided for recruitment and selection purposes.
4. USE OF COOKIES AND PLUG-INS
ING’s institutional website uses necessary, performance, and targeting cookies, respectively to: store access records composed of IP, date, and time; assess usage and distinguish subjects when accessing the site; and allow the collection of information about preferences to link to advertisements, for example. Necessary cookies will be used regardless of acceptance. At any time, it is possible to activate in your browser (or mobile device) mechanisms to notify you when cookies are enabled or to prevent them from being enabled. Your device or browser has functions to remove them at any time. Performance cookies will depend on your acceptance to be enabled.
4.2. Necessary cookies
Intended to enable navigation and platform operation, such as: (i) activating essential functionalities; (ii) displaying content appropriately according to your screen size, connection speed, and browser type; (iii) remembering your login; and (iv) understanding your browsing behavior and how the platform is being used.
| Cookie name |
Maximum duration |
Purpose |
| PHPSESSID |
During the session |
General-purpose identifier to maintain user session variables (e.g., keeping login status across pages). |
4.4. Performance cookies
Used to collect anonymous data about users’ interaction with the website/application in order to assess performance (number of visits, most accessed pages, error occurrences, etc.) and optimize the experience.
| Cookie name |
Maximum duration |
Purpose |
| _ga_2BWYJMHLK7 |
1 year and 1 month |
Track and analyze visitor behavior, allowing understanding of how users interact with the software and website when applicable. |
| _ga |
1 year and 1 month |
Associated with Google Universal Analytics to distinguish unique users via a randomly generated client identifier; used to calculate visitor, session, and campaign data in analytics reports. |
4.5. Targeting cookies
Collect data on users’ online behavior and preferences (pages visited, clicks, browsing history), for the purpose of creating profiles/segments to display personalized ads.
| Cookie name |
Maximum duration |
Purpose |
| _gcl_au |
No expiration |
Used by Google AdSense to test ad effectiveness on websites that use its services. |
| _fbp |
2 months and 4 weeks |
Used by Meta to deliver a range of advertising products, such as real-time bidding from third-party advertisers. |
You can manage cookies through your browser (Chrome or other). We recommend reading the guidelines provided in the website’s cookie banner.
Any links to third-party websites provided on the site do not constitute endorsement or sponsorship by ING. Such websites are subject to their own terms of use and privacy policies. It is recommended to read those documents.
5. SHARING AND LIFECYCLE OF PERSONAL DATA
ING will not sell personal data to third parties.
Your personal data will only be shared with third parties when strictly necessary to meet the indicated purposes, observing contractual and legal needs. Any sharing will observe the principle of necessity and purpose, with prior compliance review and in line with the Subject’s expectations.
Personal data will have a lifecycle linked to current legislation and to contract fulfillment, observing the legal bases applicable to each case. They will remain processed for as long as necessary to fulfill the purpose for which they were collected, as well as to comply with legal, regulatory, and contractual obligations.
6. INTERNATIONAL DATA TRANSFER
ING may carry out international transfer of personal data if it chooses to contract business partners that provide cloud storage services on servers located outside Brazil.
In such cases, ING will only contract service providers with technical, organizational, and administrative structures that ensure the security and integrity of personal data, in accordance with the principles and obligations of the LGPD and other applicable laws.
7. DATA SUBJECT RIGHTS
You have always been the holder of your personal data and have always had rights regarding them. The LGPD, through Art. 18, expanded your rights, which may be exercised at any time:
- a) confirmation of the existence of processing;
- b) access to the data;
- c) correction of incomplete, inaccurate, or outdated data;
- d) anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;
- e) portability of data to another service or product provider, upon express request, subject to trade and industrial secrets and the regulation of the national authority;
- f) deletion of personal data processed with the subject’s consent, except in the cases provided for in the LGPD;
- g) information about the public and private entities with which the controller shared data;
- h) information about the possibility of not providing consent and the consequences of refusal;
- i) withdrawal of consent.
To exercise your rights, ING provides a channel for clarifying questions about the processing of personal data and for exercising data subject rights. Contact: dpo.ingguindastes@fdlaw.adv.br.
8. SECURITY OF YOUR PERSONAL DATA
While your personal data is processed by ING, it will be responsible for protecting it, according to the declared purposes. All personal data is safeguarded by information security technologies and procedures in accordance with legislation and technical standards, including but not limited to backup security, authentication and authorization factors, and compliance with the need to know principle (least privilege) for access to personal data — ensuring that only necessary and authorized persons access the data.
Although high standards of information security are adopted, no system is absolutely invulnerable. ING follows the guidelines of the National Data Protection Authority (ANPD) for responding to incidents involving personal data, and you will be immediately informed if any incident occurs involving your personal data that poses risks to civil liberties and fundamental rights.
