Privacy Policy
1. Introduction and Legal Framework
1.1 Cladtek Group (“Cladtek”) is committed to protecting the personal data of individuals whose information we process in the course of our global operations. We incorporate data protection principles into our business practices in line with the concept of ‘privacy by design’. This Privacy Policy (the “Policy”) includes personal data related to employees, customers, contractors, suppliers, and business partners.
1.2 This Policy:
- Outlines the principles, responsibilities, and practices adopted by Cladtek to ensure the appropriate handling of personal data across all business units and jurisdictions. It is designed to promote transparency, accountability, and alignment with applicable recognized data protection standards when they apply to the jurisdictions within which we operate.
- Serves as the primary reference for all Cladtek employees and contractors regarding our data protection practices. It is essential that all personnel familiarize themselves with this document and adhere to its guidelines in their day-to-day operations.
- Aligns, as required, with the data protection regulation(s) applicable to the relevant jurisdiction where Cladtek operates; some examples include:
– The European Union General Data Protection Regulation (GDPR – Regulation EU 2016/679)
– The Brazilian General Data Protection Law (LGPD – Law No. 13.709/2018)
– Singapore’s Personal Data Protection Act (PDPA)
– Indonesia’s Personal Data Protection Law (PDPL – Law No. 27/2022)
– The Saudi Personal Data Protection Law (PDPL – Royal Decree No. M/19 dated 09/02/1443H)
1.3 By establishing clear rules and responsibilities for the processing of personal data, Cladtek reinforces its commitment to ethical conduct, legal compliance and the protection of data subject rights in accordance with the applicable legal requirements in each jurisdiction within which we operate.
2. Internal Responsibility & Compliance
2.1 All Cladtek employees, contractors, and authorized third parties processing data on our behalf are responsible for adhering to this Policy. Non-compliance may result in appropriate corrective action, up to and including termination of employment or contract.
2.2 Department heads and team leaders are responsible for ensuring their teams understand and follow this Policy. They should consult with the Data Protection Officer (DPO), Local Privacy Officer, or other designated data protection authority.
3. Definitions
For the purposes of this Policy, the following terms are defined as follows:
- Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to name, contact details, identification numbers, location data, and online identifiers.
- Sensitive Personal Data: A subset of personal data that includes information such as racial or ethnic origin, religious or philosophical beliefs, political opinions, health or biometric data, sexual orientation, or other data defined as sensitive under applicable law.
- Processing: Any operation performed on personal data, whether automated or manual, including collection, use, storage, disclosure, sharing, alteration, or deletion.
- Data Subject: An individual whose personal data is processed by or on behalf of Cladtek.
- Controller: The natural or legal person (in this case, Cladtek) who determines the purposes and means of the processing of personal data.
- Processor: A third party who processes personal data on behalf of the Controller, in accordance with a written agreement (e.g., external service providers, consultants, or software platforms).
- Data Protection Officer (DPO): The appointed individual within Cladtek responsible for overseeing compliance with data protection laws and this Policy.
- Local Privacy Office: A designated function within each Cladtek branch responsible for coordinating privacy-related matters locally, including approvals and incident escalation.
- Data Subject Rights: The set of rights granted to individuals under data protection laws, including but not limited to access, correction, deletion, objection, and data portability, subject to the conditions and limitations established by applicable law.
4. Scope, Applicability and Validity
4.1 This Policy applies to all personal data processed by Cladtek across relevant jurisdictions, business units, systems, and operations — whether physical or digital. It governs the collection, use, sharing, storage, retention, and disposal of personal data relating to employees, contractors, customers, suppliers, and business partners whose data may be processed by Cladtek.
4.2 This Policy is binding on all Cladtek employees, contractors, and authorized third parties processing data on our behalf. It applies to all internal systems, tools, and processes, as well as to external-facing operations that involve personal data processing.
4.3 This Policy covers processing activities performed via internal systems, external websites, mobile applications, third-party platforms, and during physical interactions such as site visits or onboarding processes. It also extends to any personal data processed through Cladtek-authorized tools, devices, or messaging environments.
4.4 Cladtek integrates privacy considerations into the design of its business operations, with a particular focus on the clear communication of privacy notices. These notices inform individuals about how their data is collected, used, retained, transferred, and protected — and serve as formal instruments to demonstrate Cladtek’s commitment to ethical data handling and legal compliance.
4.5 Access to personal data is strictly limited to authorized Cladtek employees and service providers, in accordance with their roles and responsibilities. Requests for access, sharing, or disclosure of personal or sensitive data beyond routine operations must follow the approval flow described in this Policy — including review by the Local Privacy Office and, when required, escalation to the DPO.
4.6 Where specific privacy policies or contractual data protection provisions apply (e.g., customer-specific terms, local legal obligations, or sectoral rules), such provisions supplement — and, where appropriate, take precedence over — this Policy.
4.7 Cladtek encourages all employees, business partners, and data subjects to read this Policy in conjunction with relevant product/service terms, internal procedures, and security policies. These complementary documents may contain additional privacy requirements tailored to specific legal, contractual, or operational contexts.
5. Use of Personal Devices and Messaging Applications
5.1 This Policy also applies when personal data is accessed, processed, or transmitted via personally owned devices (such as laptops or smartphones) or third-party messaging applications (e.g., WhatsApp, Signal, email clients).
5.2 In such cases, Cladtek applies the same security and privacy safeguards as it does in fully managed corporate environments.
5.3 The governance of personal device usage is addressed in detail in Cladtek’s Information Security Policy, which includes requirements for secure access, data segregation, and responsible use.
5.4 All individuals who process Cladtek data via personal tools are expected to comply with these requirements and report any incidents without delay.
6. Roles and Responsibilities
The protection of personal data is a shared responsibility across all entities within Cladtek. This section outlines the key roles and responsibilities for data protection within Cladtek. All employees are expected to understand their role in safeguarding personal data.
6.1 Data Subjects
This refers to individuals whose personal data is collected, stored, or processed by Cladtek, including, but not limited to:
- Employees and former employees
- Job applicants
- Customers and customer representatives
- Suppliers, partners, and service providers
- Visitors to Cladtek premises or digital platforms
Responsibilities:
- Provide accurate and updated personal information
- Exercise data protection rights responsibly
- Use official Cladtek channels to submit requests, questions, or complaints
6.2 Local Privacy Coordinators / Local Privacy Offices
Each Cladtek branch is required to establish a Local Privacy Office, coordinated by a designated staff member:
Responsibilities:
- Serve as the local focal point for privacy matters
- Review and authorize data access or sharing requests
- Conduct privacy training and awareness initiatives
- Support internal investigations and risk assessments
- Escalate cases to the Group DPO that involve sensitive data, materiality, international transfers, or cross-jurisdictional processing
6.3 Group Data Protection Officer (DPO)
The Group DPO is responsible for overseeing the implementation of this Policy across all jurisdictions and ensuring compliance with applicable data protection regulations.
Responsibilities:
- Advise business units on legal and regulatory obligations related to data privacy
- Review and approve data sharing requests involving sensitive data, where required
- Act as the contact point for applicable data protection authorities
- Support responses to personal data incidents or breaches
- Lead periodic reviews of this Policy and conduct Privacy Impact Assessments (PIAs)
- Identify and mitigate privacy risks across the organization through training, internal audits and integration with Cladtek’s business framework
For internal inquiries about this Policy, or to report potential data protection issues, please contact our Data Protection Officer (DPO): Irina Bergman Moreira – irina.bergman@cladtek.com.
6.4 Business Units and Departments
All business and support functions (e.g., HR, Legal, IT, Commercial, Operations) are responsible for ensuring that personal data under their management is processed in accordance with this Policy.
Responsibilities:
- Integrate privacy considerations into the design of processes, systems, products, or contracts
- Notify the Local Privacy Office of any incidents or data subject requests
- Ensure that vendors or partners have appropriate contractual clauses in place addressing data protection
6.5 Third Parties and Data Processors
Vendors, contractors, and service providers that process personal data on behalf of Cladtek act as data processors and must comply with legal and contractual obligations plus the applicable requirements of this Policy.
Responsibilities:
- Comply with the terms of this Policy and their applicable laws in respect of personal data protection
- Implement technical and organizational safeguards equivalent to Cladtek’s standards
- Notify Cladtek immediately in case of a personal data breach or related incident
All Cladtek personnel who handle personal data — regardless of function or seniority — share the responsibility to act in accordance with this Policy, the applicable laws, and the ethical handling of personal information.
The organizational roles defined above form the foundation for Cladtek’s data governance model. The sections that follow detail how these responsibilities are operationalized across our data processing lifecycle.
7. Method Acquisition and Processing of Personal Data by Cladtek Group
7.1 In the course of its operations, Cladtek acts as the Data Controller for personal data processed across its global business units. The company collects and processes personal data based on legitimate, clearly defined legal grounds, and in accordance with applicable data protection laws and regulations.
7.2 Cladtek only initiates personal data processing when a valid legal basis is established. These may include, but are not limited to:
- The data subject’s informed consent.
- The necessity of processing to perform or enter into a contract;
- Compliance with legal or regulatory obligations;
- The pursuit of Cladtek’s legitimate interests, provided these are balanced against the data subject’s rights and freedoms.
7.3 The appropriate legal basis for each processing activity is determined during internal data mapping and Privacy Impact Assessments (PIAs). This process is led by the relevant business function in collaboration with the Local Privacy Office and validated by the Group DPO, where applicable. All assessments are formally documented in Cladtek’s Data Processing Inventory, which is reviewed periodically to ensure ongoing compliance.
7.4 Processing activities require a legal basis to be confirmed and the supporting documentation (such as signed consent forms, contractual clauses, or regulatory citations) to be available and retained in accordance with Cladtek’s record-keeping obligations.
7.5 Furthermore, Cladtek:
- Ensures all data is collected lawfully, fairly, and transparently.
- Limits the processing to specific, explicit, and legitimate purposes;
- Applies the principle of data minimization, collecting only what is necessary for the identified purpose;
- Implements technical and organizational measures to protect data integrity and confidentiality throughout its lifecycle;
- Periodically reviews processing activities to validate their continued necessity and lawfulness.
8. Personal Data Collection Activities
Cladtek collects personal data through a range of operational, digital and administrative channels, including the following typical activities:
- Collaborate with Cladtek, such as during due diligence activities, registering your company in procurement and/or accounting and billing systems, correspondence, or registering your company to become a business partner of Cladtek.
- Utilize Cladtek’s network, products, and services.
- Visit facilities provided by us, such as office buildings and/or customer service centers.
- Inquire as a customer, register for information or other services.
- Respond to communications from Cladtek (such as SMS, email, questionnaires, or surveys).
- Interact with Cladtek’s websites to learn about Cladtek’s products and services, submit application forms, fill out surveys, or use online services. (If your browser enables internet cookies, this may help Cladtek track personal preferences, visited pages, etc.).
- Participate in Cladtek’s social media pages.
- Participate in promotional events or loyalty programs organized by Cladtek.
- Contact the Cladtek-related call center physically, by phone, or electronically to submit complaints or other services.
9. Categories of Personal Data
The details of personal data able to be collected might include, but are not limited to:
- Contact information (such as full name, address, email address, and telephone number).
- Identification information (such as date of birth, jurisdictional identity cards and other such documents (i.e., tax identification numbers, social security numbers, driving license details, visas, etc.), passport, or any other government-issued identification).
- Demographic information (such as age range, marital status, gender, nationality, religion, race, and ethnicity).
- Photos and video recordings, such as photos and/or video recordings for documentation purposes, photos you submit for contests, reporting requirements of agreements and recordings from CCTV cameras.
- Specific information related to user preferences, membership in closed user groups, and family-related details (e.g., dependents, emergency contacts).
- Banking information (such as account numbers, credit card information, billing payment history)
- Geographic location information, such as location obtained from your IP address or GPS, Base Stations, Bluetooth or Wi-Fi signals.
- Certain services may involve the use of biometric data for identification or authentication purposes, such as fingerprints, signatures, voice, audio, and/or video.
- Related Information from and about various technologies used in a range of our services (SCADA or Internet of Things “IoT”), such as computers, phones, and tablets, as well as interactively with the Cladtek network.
10. Purposes of Personal Data Use
Personal data is processed only as necessary to support Cladtek’s business activities, comply with legal obligations, and enhance user experience. The purposes for which personal data is processed include, but are not limited to:
- To communicate and make contact in relation to business purposes.
- Provide related services and products.
- To deliver products, services, and offers that may be of interest to you.
- To inform about benefits and changes to our products or services.
- To provide you with our latest offers, advertisements, and promotions.
- To address and resolve your complaints.
- To provide you with security updates, versions, features, options, and controls related to your system or device
- In everyday business operational activities.
- To process payments or for related financial purposes, such as performing accounting, auditing, reconciliation, and billing activities, including law enforcement and crime prevention, protecting our legal rights and yours, and fulfilling our obligations under contracts to you and our business partners.
- For research and studies related to our business operational activities.
- For functionality, development, and improvement of services.
- To provide network connectivity, measure the level of service usage, diagnose problems, and provide the latest security features.
- To test, modify, enhance, or develop new products, services, and technologies, and to identify existing trends
- For advertising and marketing, as long as your data is relevant for this purpose.
- We may use your device’s physical location, combined with information about the ads you see and other information we obtain, to provide personalized content for you in the range of Cladtek’s services.
- For some purposes, we use personal data to generate automated decision-making (including profiling) that may affect individuals.
- You can choose to allow or refuse these advertising offers. You can also refuse permissions requested through your device. However, if you choose to refuse these offers and/or permissions, we may not be able to provide you with personalized services and content, which may be beneficial to you.
11. Authorized Access to Personal Data
11.1 These authorized users are granted access based on their roles and responsibilities within the organization and are expected to adhere to strict data protection protocols and confidentiality agreements.
11.2 Departments that commonly access personal information may include:
- Human Resources (HR): HR departments often require access to personal information for employee management purposes, such as recruitment, onboarding, payroll processing, performance evaluation, employee benefits administration, and visitor monitoring purposes.
- Finance and Accounting: The finance and accounting departments may access personal information for financial transactions, billing, invoicing, expense management, tax compliance, and auditing purposes.
- Customer Service and Support: The customer service team (Project & QHSE) may access personal information to provide assistance and support to customers, including resolving inquiries, handling complaints, processing orders, and managing customer accounts.
- Legal and Compliance: The legal and compliance departments may access personal information to ensure regulatory compliance, manage legal matters, handle data protection issues, and respond to legal requests or disputes.
- Information Technology (IT): IT departments often manage access to personal information stored in digital systems and databases, ensuring data security, implementing access controls, maintaining system integrity, and providing technical support.
- Marketing and Sales: Marketing and sales teams may access personal information to develop targeted marketing campaigns, analyze customer behavior, generate leads, and manage customer relationships.
- Research and Development (R&D): R&D departments may access personal information for product development, market research, testing, and innovation purposes.
- Operations and Logistics: Operations and logistics departments may access personal information for supply chain management, inventory tracking, order fulfillment, and logistics planning.
11.3 Cladtek implements robust access control measures and regularly reviews and updates access permissions to prevent unauthorized access to personal information. Additionally, there are training and awareness programs in place to ensure that authorized users understand their responsibilities related to sensitive data and adhere to relevant privacy policies and regulations.
12. Data Sharing with Third Parties
12.1 As part of its operational model, Cladtek collaborates with a range of external partners, vendors, and service providers. In doing so, personal data may be shared with these third parties, provided that the sharing is justified by a lawful basis and subject to compliance measures in accordance with this Policy.
12.2 Any sharing of personal data is conducted in accordance with this Policy and applicable data protection laws. It is contingent upon the following safeguards:
- A clear and legitimate purpose for the data sharing;
- A valid legal basis, such as contractual necessity, legal obligation, risk assessment(s) or legitimate interest;
- Execution of formal Data Processing Agreements (DPAs) or contractual clauses defining the scope, purpose, and limitations of the processing in relation to same;
- Verification that the recipient has implemented adequate technical and organizational security measures, including encryption, access controls, and incident response protocols;
- Ongoing compliance monitoring, including privacy audits and vendor assessments conducted by the Local Privacy Office and, where applicable, the Group DPO.
12.3 Cladtek maintains a third-party risk management framework, which includes privacy-specific due diligence during vendor onboarding and periodic reassessment of vendors handling personal data. Any third party that fails to meet contractual privacy obligations may be subject to remediation measures or contract termination.
12.4 Additionally, Cladtek may be required to share personal data to comply with legal obligations, respond to regulatory inquiries, or support legitimate interests that are balanced against the rights and freedoms of data subjects.
13. Cross-Border Data Transfers
13.1 Where personal data is transferred across national borders, Cladtek seeks to ensure compliance with applicable cross-border transfer regulations. Such transfers are supported by appropriate safeguards, including Standard Contract Clauses (SCCs) or other lawful mechanisms, in accordance with the relevant data protection laws in the applicable jurisdictions.
Typical use cases include:
- Centralized cloud infrastructure and data hosting;
- Regional HR and payroll processing;
- Multinational business services (e.g., compliance, audit, risk analysis, technical support, etc.).
13.2 To support accountability and oversight, Cladtek will utilize an internal Data Transfer Register to be reviewed periodically by the Privacy Office. Certain new or exceptional transfer arrangements may be subject to review by the Group Data Protection Officer (DPO).
14. Sensitive Data Release Workflow
14.1 This section translates the governance responsibilities outlined in Section 5 into a structured operational process for approving and documenting non-routine access to, or sharing of, personal or sensitive data.
14.2 Whenever personal or sensitive data must be accessed or disclosed outside the scope of standard business operations, a formal approval workflow must be followed. This process ensures consistency with applicable data protection laws and strengthens Cladtek’s internal data governance framework.
14.3 The approval workflow consists of the following sequential steps:

*The DPO may consult with appropriate Cladtek business units before rendering a decision.
15. Detail Storage of Personal Data (Retention)
15.1 The personal data collected will be retained for the period necessary to fulfill the purposes mentioned above. We may store your personal data to provide the business-related, or for other legitimate purposes, such as complying with our legal obligations based on laws and regulations and obligations from government authorities, resolving legal issues, and conducting our business operational activities. The retention period of personal data is based on applicable legal requirements. However, if there are no relevant laws and regulations, your personal data will be stored for as long as necessary. Furthermore, this personal data may be stored in printed or electronic copies.
15.2 We may store your data in data centers or archive storage spaces managed by us or by data storage service providers, for and on our behalf. All storage locations, systems, and products have been equipped with the necessary security controls to ensure the protection of personal data.
15.3 The retention period may vary depending on the type of information and the legally mandated storage periods, the progress of legal proceedings, the business implementation needs, the execution of intellectual property rights, agreements, operational needs, and archiving. In the event your personal data is deleted from our systems, it will be erased or destroyed using appropriate security protocols to prevent reconstruction or re-reading by unauthorized parties.
15.4 For operational details on data retention periods by category, refer to the Retention Schedule Annex (Document REF-009).
16. Security
16.1 We endeavor to process your information in a secure environment by preventing unauthorized access or unlawful processing. We also safeguard your personal data from loss or damage. We have implemented various types of physical, technical, and administrative security measures to protect your Personal Data and our networks from unauthorized access. These measures include:
- Proper measures to ensure data protection.
- Ongoing compliance with privacy and security practices.
- Ongoing ISO 27001 Information Security Management Systems (ISMS) certification.
- Planned audits to enhance our operational standards.
- Limiting access to Personal Data only to personnel with a legitimate need to know the data.
16.2 We request our suppliers and vendors to implement similar protections when they access or use the Personal Data we share with them. We also continually encourage you and all of Cladtek’s service users to protect the data, systems, networks, and services they use. However, no technology, data transmission, or system can be guaranteed to be secure.
16.3 In the event of a suspected or confirmed personal data breach, Cladtek will respond in accordance with its internal Data Incident Response Plan. All such incidents must be reported to the Local Privacy Office or the Group DPO immediately upon discovery.
17. Data Subject Rights
17.1 Cladtek is committed to upholding the rights of individuals whose personal data we process. These rights may vary depending on the applicable data protection laws (e.g., GDPR, LGPD, PDPA, etc.), but generally include the following:
- Right of Access: The right to obtain confirmation as to whether your personal data is being processed, and to access a copy of such data.
- Right to Rectification: The right to request correction or completion of inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): The right to request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to Restriction of Processing: The right to request that Cladtek temporarily or permanently limit the processing of your data under certain conditions.
- Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to Object: The right to object to the processing of your personal data on grounds relating to your particular situation, including direct marketing activities.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Right to Lodge a Complaint: You have the right to file a complaint with the relevant data protection authority in your jurisdiction if you believe that your rights have been violated.
17.2 How to Exercise Your Rights
Data subjects can submit requests or inquiries regarding their rights by contacting the Local Privacy Office or the Group DPO via the contact details provided in this Policy.
17.3 Response Timelines
The exercise of data subject rights — such as access, rectification, erasure, objection, or portability — is subject to response deadlines defined by applicable law. Each jurisdiction in which Cladtek operates may impose different timelines for fulfilling such requests (e.g., 15 days under Brazil’s LGPD, 30 days under the GDPR). Data subjects are encouraged to consult with the Local Privacy Office for specific guidance on applicable deadlines and documentation requirements in their country or region.
18. Consent to Personal Data Processing Terms
By providing your personal data to Cladtek, you acknowledge and agree to the following:
- You have read and understood this Policy and consent to the collection, use, and processing of your personal data as described herein.
- If you provide Cladtek with personal data relating to another individual (such as a spouse, family member, emergency contact, or other third party), you confirm that such disclosure is lawful and appropriate under applicable data protection laws.
- You are responsible for informing the individual concerned about the contents of this Policy and, where legally required, for obtaining their explicit consent or ensuring that an alternative valid legal basis justifies the sharing of their data with Cladtek.
- Cladtek does not accept personal data from third parties without a lawful justification and reserves the right to request evidence that the data subject is aware of, or has consented to, the disclosure.
- All information you provide is accurate and complete to the best of your knowledge, and you confirm that you have not knowingly withheld any material information.
- Your consent is provided freely and without coercion from any party. If you believe that your consent was obtained under duress, through misleading information, or in circumstances that impaired your ability to make a voluntary decision, you have the right to raise this concern. You may report such concerns confidentially to the Local Privacy Office or the Group Data Protection Officer (DPO), who will review the matter and take appropriate corrective action in accordance with Cladtek’s internal data protection protocols.
- You may withdraw your consent at any time, without affecting the lawfulness of any processing conducted prior to the withdrawal.
19. Jurisdictional Addenda
Cladtek may publish jurisdiction-specific addenda to this Policy should this be relevant to meet the requirements of local data protection laws. These addenda would supplement the global policy and take precedence where local requirements impose additional obligations, if applicable.
20. Policy Review and Updates
This Policy is subject to review at least once per year, or earlier if triggered by significant changes in applicable laws, internal processes, organizational structure, or enabling technologies. Such review will not necessarily trigger an amendment of this Policy.
To maintain relevance and flexibility, Cladtek may update or supplement this Policy through referenced documents or annexes, such as procedural guidelines, addenda, or compliance tools, without amending the core policy text, provided that such updates are legally compliant and approved by the Data Protection Officer (DPO).
Periodic reviews are conducted to ensure continued alignment with evolving data protection standards and best practices. Any material changes will be communicated through official channels, and the most current version will be made available on Cladtek’s internal platforms.
21. Policy References and Related Documents
- Data Release Request Form Template (under development)
- ISMS Documentation (ISO/IEC 27007 Framework).
- Information Security Policy.

