SPACE PLAN SERVICES, PLANNING AND PROJECT MANAGEMENT LTD. (“Space Plan”, located at Rua Olimpíadas, 242 – 6th floor, suite 61 – 04551-000 – Vila Olimpia – São Paulo – SP, CNPJ 00.963.994/0001-41, values the protection of privacy and guarantees that personal data processed by it will only be used in accordance with this Privacy Notice and with the applicable privacy and data protection legislation, specifically Law 13.709/2018 – General Data Protection Law (LGPD).

This Privacy Notice will be available for consultation, in digital format, in the section “Privacy Notice” at the end of the website https://www.spaceplan.com.br.

So, it is fundamental for us, through this Privacy Notice, to explain clearly and transparently how, when, and where we process our users' data during and after their relationship with us.

Furthermore, this Privacy Notice aims to inform users of their rights and clarify when and how they can exercise them. We suggest you read our Privacy Notice, and if you have any remaining questions, feel free to clarify them by contacting our Data Protection Officer identified at the end of this document.

What is personal data according to the General Data Protection Law?

These are those that allow the identification of a natural person, such as: name, date of birth, CPF (Brazilian taxpayer registry ID), email, RG (Brazilian national identity card), location data, and others.

2. Data We May Collect About You:

In our interactions with you, we may collect certain types of personal data, among which we highlight the following scenarios:

2.1. Information you may provide directly to us:

• Full name, email address, address, phone numbers, date of birth, age;
• In exceptional situations, you may provide some data related to documents, such as RG or CPF numbers;
• In some situations, you may need to provide your vehicle's license plate number, such as in cases of lost parking tickets or if your vehicle needs to stay overnight in our parking lot.;
• Other types of personal data that have not been exemplified, but which you may freely, expressly, and with consent share with us;

2.2. Automatically Collected Data:

There is still personal data that we can collect using systems that will process the data automatically and which may occur due to your experience at our establishment, among which we can highlight:

• When you register for our Wi-Fi, we may collect your device data during registration and Wi-Fi usage, limited to your IP address, operating system, in some cases, geolocation data, and if applicable, the identification of your registered internet access device.;
• The footage recorded by the CCTV system (Closed-Circuit Television – Security Cameras), which is confidential and protected under current law;

2.3. What is the purpose of using your personal data?

We may use your personal data for the following purposes:

• Registration of suggestions, complaints, or compliments in our Customer Service or CONTACT US system;
• Participation in commercial promotions;
• Response to a request for information;
• Fraud prevention and operational security – Confirm identity, prevent fraud, document forgery, or scam attempts;
• Use of the Wi-Fi system;
• Establishment of a commercial partnership;
• Sign up to work with us;
• Marketing communications about products and services, as well as promotions and events that may be of interest to you.

2.4. Sensitive Data

As a rule, sensitive data from our users will not be collected.

Therefore, there will be no processing of data on racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or organization of a religious, philosophical or political nature, data concerning health or sexual life, genetic or biometric data, when linked to a natural person.

3. Cookies

Cookies are small text files that are automatically downloaded to your device when you access and browse a website. They basically serve to identify users' devices, activities, and preferences. Cookies do not allow any files or information to be extracted from the user's hard drive, nor do they allow personal information that did not originate from the user or from how they use the website's resources to be accessed.

1. Site cookies

Website cookies are those sent to the user’s computer or device and managed exclusively by the website. The information collected through these cookies is used to improve and personalize the user experience; for example, some cookies may be used to remember the user’s preferences and choices, as well as to provide personalized content.

1. Cookie Management

Users may opt out of the use of cookies on this website by disabling this feature in their browser. For more information on how to do this in some of the most popular browsers currently in use, please visit the following links:

Disabling cookies, however, may affect the availability of some site tools and functionalities, compromising their correct and expected operation. Another possible consequence is the removal of user preferences that may have been saved, negatively impacting their experience.

4. Collection of data not expressly foreseen

Eventually, other types of data not expressly provided for in this Privacy Policy may be collected, provided that they are provided with the user's consent, or, still, that the collection is permitted on the basis of another legal ground provided by law. In any case, the data collection and the processing activities resulting from it will be communicated to the website users.

5. Sharing of personal data with third parties

We share some of the personal data mentioned in this section with third parties.

• Companies belonging to the Space Plan Group: Group companies, if any, may share the personal data they process with one another for the purposes of operating, executing, improving, understanding, personalizing, providing support, developing strategies, exercising rights, and preventing fraud.
• Third-party service providers: We work with third-party service providers to help us operate, perform, enhance, understand, personalize, and support our Services. When we share data with third-party service providers, we require them to use your data in accordance with our instructions and terms or with your express consent, where applicable.
• Business partners: In these cases, we will ensure you are aware of the sharing and, when necessary, will obtain your consent to do so.
• Regulatory bodies, judicial or administrative authorities: We may share your personal data to provide competent authorities with all requested information concerning the Data Subject. Furthermore, we may share your personal data with public authorities or private entities for the purpose of combating fraud and abuse in the use of the Services, for investigating suspected violations of the law, to defend our rights, or to combat any other suspected breach of our policies and agreements.
• With your authorization: In other cases not provided for above, with the objective of sharing personal data and information, if necessary, we will send you a notification with information regarding such sharing to request your consent for a specific purpose.

In any case, the sharing of personal data will comply with all applicable laws and regulations, always seeking to ensure the security of our users' data, observing the technical standards employed in the market.

6. For how long will your personal data be stored

We store and retain your information: (i) for the specific time required by law; (ii) until the termination of personal data processing; or (iii) for the time necessary to preserve Space Plan's legitimate interest (such as, for example, during applicable statutes of limitations or compliance with legal or regulatory obligations). The termination of personal data processing will occur when it is verified:

• That the purpose for which the data was collected has been achieved, and that the personal data collected is no longer necessary or relevant for achieving the specific purpose intended;
• A declaration by the Holder to this effect, upon the termination of the relationship between Space Plan and the Holder; or
• Legal determination

In the case of withdrawal of consent or request for deletion of your personal data, some information may still be retained as necessary for compliance with legal obligations, regular exercise of rights, legitimate interest fulfillment, fraud detection and prevention.

In these cases of termination of personal data processing, except for the hypotheses established by applicable legislation or by this Privacy Policy, personal data will be eliminated.

7. Legal bases for the processing of personal data

A legal basis for the processing of personal data is a legal foundation, provided by law, that justifies the processing. Therefore, each personal data processing operation must have a corresponding legal basis.

We process our users' personal data in the following situations:

– with the consent of the personal data subject;

– for the fulfillment of a legal or regulatory obligation by the controller;

– execution of contract or preliminary procedures;

– for the protection of the life or physical integrity of the data subject or of a third party;

– for the regular exercise of rights in judicial, administrative, or arbitration proceedings;

– when necessary to meet the legitimate interests of the controller.

7.1 Consent

Certain personal data processing operations carried out on our website will depend on the prior consent of the user, which must be freely, informedly, and unequivocally expressed.

The user may revoke their consent at any time, and if there is no legal hypothesis that permits or requires the storage of the data, the data provided via consent will be deleted.

Furthermore, if desired, the user may disagree with any personal data processing operation based on consent. In such cases, however, it may not be possible to use some website functionality that depends on that operation. The consequences of not consenting to a specific activity are informed prior to processing.

7.2 Fulfillment of legal or regulatory obligation

Some processing of personal data, particularly data storage, will be carried out so that we can comply with obligations provided for by law or other regulatory provisions applicable to our activities.

7.3 Protection of life or physical integrity

In certain situations, we may process personal data based on the legal ground that permits the processing of personal data when necessary for the protection of the life or physical integrity of the data subject or third parties. This hypothesis applies, for example, in cases of medical emergencies, accidents, or any other situation involving an imminent risk to health or safety, in which obtaining prior consent from the data subject is not feasible. In such cases, the processing will be limited to what is strictly necessary, with the aim of preserving the integrity and safety of those involved.

7.4 Contract Execution or Preliminary Procedures

The legal basis “performance of a contract or preliminary procedures” is provided for in Article 7, item V of the LGPD, and allows the processing of personal data without the need for consent, provided that this processing is necessary to fulfill contractual obligations or to take preliminary measures at the request of the data subject.

7.5 Legitimate interest

For certain personal data processing operations, we rely exclusively on our legitimate interest. To learn more about in which specific cases we use this legal basis, or to obtain more information about the tests we conduct to ensure we can use it, please contact our Data Protection Officer through one of the channels provided in this Privacy Policy, in the section “How to Contact Us.”.

8. User Rights

The General Data Protection Law (Law No. 13.709/18), in Article 18, lists the rights of personal data subjects, which we will detail below:

Holder's Rights: The Data Subject has the right to obtain from the Controller, with respect to the data processed by it, at any time and upon request:

I – confirmation of the existence of treatment;

II – access to data;

III – correction of incomplete, inaccurate, or outdated data;

IV – anonymization, blocking or deletion of unnecessary, excessive, or unlawfully processed data in accordance with Law No. 13,709;

V - data portability to another service or product provider, upon express request and subject to commercial and industrial secrets, in accordance with the regulations of the controlling body;

VI – elimination of personal data processed with the data subject's consent, except in the cases provided for in art. 16 of Law No. 13.709;

VII – information of public and private entities with which the controller has shared data;

VIII – information on the possibility of not providing consent and the consequences of refusal;

IX – revocation of consent, pursuant to § 5 of art. 8 of Law No. 13,709/2018.

It is important to highlight that, under the terms of the LGPD, there is no right to data deletion for data processed based on legal grounds other than consent, unless the data is unnecessary, excessive, or processed in violation of the law.

9. How the holder can exercise their rights

Data subjects whose personal data is processed by us may exercise their rights by sending a message to our Data Protection Officer. The information necessary for this is in the “How to Contact Us” section of this Privacy Notice.

To ensure that the user intending to exercise their rights is indeed the data subject of the request, we may request documents or other information that can assist in their correct identification, in order to protect our rights and the rights of third parties. This will only be done, however, if absolutely necessary, and the requester will receive all related information.

10. Security measures for personal data processing

We employ technical and organizational measures suitable for protecting personal data from unauthorized access and from situations of destruction, loss, accidental loss, or alteration of this data.

The measures we use take into account the nature of the data, the context and purpose of its processing, the risks that any breach would generate for the user's rights and freedoms, and the standards currently employed in the market by companies similar to ours.

Even though we take every possible measure to prevent security incidents, it's possible for a problem to occur solely due to a third party, such as in cases of hacker or cracker attacks, or even in cases of exclusive user fault, which occurs, for example, when a user transfers their data to a third party. Therefore, while we are generally responsible for the personal data we process, we disclaim any responsibility in exceptional situations like these, over which we have no control.

In any event, should any type of security incident occur that may generate a relevant risk or damage to any of our users, we will communicate with those affected and the National Data Protection Authority concerning what happened, in accordance with the provisions of Article 53 of the General Law for the Protection of Personal Data, Law no. 13,709/2018.

11. Complaint to the National Data Protection Authority – ANPD

Without prejudice to any other administrative or judicial remedy, data subjects who feel aggrieved in any way may lodge a complaint with the National Data Protection Authority.

12. Changes to this Policy

We reserve the right to modify these terms and conditions at any time, especially to adapt them to any changes made to our website, whether through the introduction of new functionalities or the deletion or modification of existing ones.

Whenever there is a modification, our users will be notified about the change.

13. Children's Data

As a rule, we do not process children's data to provide our Services.

14. International Transfer

In certain situations, the personal data processed may be transferred to other countries, especially when we use third-party services that operate outside national territory, such as technology providers, cloud storage, marketing tools, and data analysis.

These transfers are carried out in compliance with applicable legislation, including the General Data Protection Law (Law No. 13.709/2018 – LGPD), and we strive to ensure that recipient countries offer an adequate level of personal data protection.

A Space Plan adopts technical and administrative measures to ensure that these transfers occur in compliance with Brazilian legislation, including:

• Adoption of standard contractual clauses approved by the National Data Protection Authority (ANPD);
• Assessment of the recipient country's data protection adequacy;
• Implementation of global corporate standards, where applicable;
• Provision of clear information to the data subject regarding the purpose of the transfer and the protection mechanisms adopted.

The data subject may request additional information about the mechanisms used for international transfer, as well as exercise their rights under the LGPD through the contact channels provided in this Notice.

15. How to contact us

To clarify any doubts regarding this Privacy Notice or the personal data we process, please contact our Data Protection Officer:

Name: Information Technology Department

Email: suporte.ti@spaceplan.com.br

UPDATED 05/19/2026