1. GOAL

Heinz Brasil S.A. ("Kraft Heinz") respects your privacy and is committed to protecting your Personal Data. This Privacy and Data Protection Policy ("Policy") is intended to inform you about our practices and clarify how we handle your Personal Data ("Personal Data"), the privacy rights you have, and how the law protects them. For more details on how Kraft Heinz handles personal data, please contact the Privacy and Data Protection Team.

2. APPLICATION

This Policy is applicable exclusively to the LATAM Business Unit's BRAZIL market and covers our online and offline data collection activities, including the Personal Data we collect from our customers, through our various channels, such as websites, applications, third-party social networks, Customer Service, points of sale and events.

3. REFERENCE

This Policy is in line with the global policies of KRAFT HEINZ COMPANY "(KHC)" and with the local policies of KHC (KH-LATAM-BR-F-LEG-01 – Internal Privacy Notice Policy and KH-LATAM-BR-F-LEG- 03 – Cookie Policy).

4. INFORMATION

Data ControllerKraft Heinz is made up of different legal entities, the details of which can be found here. This Notice is intended to cover the entire Kraft Heinz Group, so when we say "Kraft Heinz", "we", "us" or "our" in this Notice, we are referring to the Kraft Heinz Group company S.A. responsible for processing your data. Heinz Brasil S.A. is the controller and responsible for this website.

4.2 Privacy & Data Protection Team

We have appointed a Privacy and Data Protection team responsible for overseeing questions related to this Policy. Our Privacy and Data Protection team is led by our Data Protection Officer, Ms. Santini Aguiar. If you have any questions about this Policy, including requests to exercise your rights, please contact the Privacy and Data Protection team using the details below: Brasil.privacidade@kraftheinz.com.

4.3 Contact Details

Full name of the legal entity: Heinz Brasil S.A. Contact: Privacy and Data Protection Team Email address: brasil.privacidade@kraftheinz.com

Postal address: HEINZ BRASIL S.A.com headquarters in the city of São Paulo, State of São Paulo, at Avenida Rebouças, 3970, 13th floor, Ed. Eldorado Business Towers, CEP 05.402-918

We welcome the opportunity to address your concerns and make any necessary adjustments to clarify your rights. Therefore, we ask you to contact us if you have any questions about the use of your data. If you still have concerns following our assistance, you have the right to make a complaint at any time to the regulatory authority, details of which can be found here.

4.4 Helping us keep your personal data up to date

It is important that the Personal Data we hold about you is accurate and up-to-date. Please keep us informed if your Personal Data changes from time to time.

4.5 Third-Party Links

This website may include links to third-party websites, plug-ins and applications. By clicking on these links or enabling these connections, you may allow third parties to collect or share data about you.

Once you allow third parties that we do not control to access your data, any use of the information you provide will be subject to those third parties' privacy statements. We advise you to review these privacy statements for third-party websites you visit and be aware of how they will handle your personal data.

4.6 Children and this site

This website is not intended for children under the age of 12.

5. PERSONAL DATA WE COLLECT

The General Personal Data Protection Law No. 13,709/2018 ("LGPD"), defines the rules of what can and cannot be done with your Personal Data and also your rights as a data subject.

"Personal data" is any information that can be identified or associated with you, such as name, telephone number, address, email, documents, bank details, IP address, among others.

This information may be collected through cookies and similar applications, see below for more details:

We may collect, use, store and transfer different types of personal data, which may include:

Identity data, such as first name, last name, title, marital status, date of birth, and gender.

Contact data, such as home address, billing address, email address, and phone numbers.

Account data, such as account password, saved credit card information, wishlist, and loyalty program history.

Financial data, such as bank account and payment card details, if you order goods from us and, for Kraft Heinz investors, details relating to your investments.

Transaction data, such as details of purchases you have made from us.

Technical data, such as Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access this website.

Profile data, such as website username and password, purchases or orders made by you, and information about your interests, preferences, comments, and survey responses.

Usage data, such as information about how you use our website, products, and services.

Marketing and communications data, such as your preferences in relation to receiving marketing from us and third parties and the ways in which we communicate with you.

We also collect, use, and share Aggregated Data, such as statistical or demographic data.

Aggregated data may be derived from your personal data, but it is not personal data because it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data with the usage of all other users to find out how many people access a particular feature of the site. If we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we will treat the combined data as Personal Data and process it as set out in this Notice.

Generally, we do not collect Sensitive Personal Data as defined by the LGPD. If we need to collect information that includes your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data, we will specifically inform you about this collection, and ask for your consent to use this information. We will only ask for the information we deem necessary in connection with problems related to our products or other reasons timely disclosed to you at the time of data collection.

Account Creation and Use

Some of our websites may require you to create an account ("Account") if you wish to take advantage of certain features of the website, such as participating in our referral or loyalty programs, saving items to your wish list, saving financial data for later use, or viewing certain Transaction Data. You also have the option to create or access your account using your email address and password or Facebook login. If you choose to use Facebook Login, Facebook will authenticate your identity and you may be asked to share additional information associated with your Facebook account. You can choose not to grant permission for this additional information sharing, but please be aware that we will still continue to receive authentication information, such as your name and unique ID provided by Facebook, as long as you use Facebook login to access your account. Please review Facebook's privacy notice and privacy settings on your Facebook account for more information about how Facebook uses and shares your personal data in connection with its Facebook login tool.

5.2 Failure to provide personal data when requested

There are situations where we need to collect Personal Data by law and you do not provide it when requested. In this situation, we may not be able to provide you with the products or services for which that Personal Data is required. Similarly, where we need to collect Personal Data under the terms of a contract we have with you, and you fail to provide it when requested. In this situation we may not be able to perform the contract we have or are trying to enter into with you (e.g. your address, to deliver goods or services). In such cases, it may be necessary to cancel the contract you have with us.

6. HOW YOUR PERSONAL DATA IS COLLECTED

We use a variety of methods to collect your personal data, including:

Directly from you – i.e. when you provide us with Personal Data, such as your Identity, Contact and Marketing Data, by filling in forms or by corresponding with us by post, telephone, email or otherwise. This includes the personal data you provide when:

request to receive our products or services;

create an account on our website;

subscribe to our service or publications;

requests that marketing be sent to you;

participates in a competition, promotion, or survey;

contact us on social media (such as Instagram, Facebook, or Twitter);

give us any feedback or raise a concern or complaint.

In addition, if you contact us by phone, email, or otherwise, we may keep a record of that correspondence. Regardless of the information you provide to us, we will only use your data as necessary to achieve specific purposes related to the actions set out in this Policy.

By automated means – when you interact with our website, we may automatically collect technical data about your equipment, actions, and browsing patterns. We collect this Personal Data using cookies and other similar technologies, which use small pieces of computer code to help us understand how consumers interact with our website and communications. We may also receive Technical Data about you if you visit other websites that use our cookies.

You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see the Kraft Heinz Cookie Notice.

Our cookies are divided into four categories: (a) necessary for your navigation, (b) important for the performance of the website, (c) functional, and (d) marketing. Please see our Cookie Notice for more details, or see instructions on how to enable/disable cookies in your browser: Internet Explorer, Mozilla Firefox(opens in a new window), Google Chrome(opens in a new window), Safari(opens in a new window).(opens in a new window)

From third parties and publicly available sources. We may receive Personal Data about you from various third parties and publicly available sources, where relevant, as set out below:

Technical data from analytics providers;

Contact, financial and transaction data from providers of technical, payment and delivery services;

Identity and contact data from data brokers or aggregators, and

Identity and contact data from publicly available sources, such as the Electoral Registry based in Brazil.

7. HOW WE USE YOUR PERSONAL DATA

We will use your Personal Data only and when it is necessary, and for the specific purpose stated at the time of collection. The data shall be collected only for the purpose for which it is intended, for as long as necessary to meet the purpose for which it was collected, to comply with a legal standard or requirement, or in situations of legitimate interest of Kraft Heinz. Generally, we will use your personal data in the following circumstances:

In accordance with a contract we are about to enter into with you.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights are not overridden by them.

Where we need to comply with a legal or regulatory obligation.

Where we need this information pursuant to a legal claim.

Generally, we do not use consent as a legal basis for processing your Personal Data, although we do so before sending direct marketing communications to you, by email, text message or targeted advertising to you on social media platforms.

You have the right to withdraw consent to marketing at any time by contacting the Privacy and Data Protection team.

In more detail, we may use your Personal Data for or in connection with the following purposes:

Where necessary, to establish and perform your contract with us, such as where you purchase products directly from us;

Where necessary to comply with a legal obligation:

In connection with any potential or actual corporate transaction or employment transfer arising out of a business transfer or change of service provider, in which case Personal Data may only be processed to the extent permitted by applicable law;

Compliance with applicable procedures, laws, or regulations, including in relation to the retention of records of business activities and payment of taxes;

disclosures to law enforcement agencies or in connection with legal claims, health and safety compliance, regulatory, investigative, and disciplinary purposes (including disclosure of such information in connection with legal proceedings or proceedings)

Where it is necessary for Kraft Heinz's legitimate interests in connection with the purposes listed below and where our interests are not overridden by your data protection rights:

The proper conduct and development of Kraft Heinz's business and operations;

Research including consumer and market preferences to assist in the operation and development of Kraft Heinz's business;

Assist in the development of existing products and the creation of new Kraft Heinz products and services;

Manufacture of Kraft Heinz products and supply of these products to Kraft Heinz customers;

Marketing and promotional activities (including racing competitions and sweepstakes) in connection with Kraft Heinz's business and products;

Other disclosures required in connection with the promotion or marketing of Kraft Heinz, its products or services;

Financial forecasting and modeling, among others;

Operation, maintenance and development of Kraft Heinz systems, networks and equipment associated with or connected to such systems and networks;

Development of Kraft Heinz's business through mergers, acquisitions, divestitures and other corporate actions;

Dealing with actual and potential shareholders, investors, and other stakeholders in Kraft Heinz's business;

Maintenance and protection of Kraft Heinz's physical and intellectual property and assets;

Protect corporate and personal security (which may include the use of CCTV and other visual or audio monitoring);

Record, respond to, deal with, and resolve issues that arise in relation to Kraft Heinz products or employees;

Register, respond to, deal with, and resolve actual or potential customer and consumer complaints;

Investigations to ensure compliance or identify/confirm potential violations of any applicable procedures, laws, or regulations;

Establish, exercise or defend legal rights;

Working with suppliers to whom Kraft Heinz has outsourced business or other services;

In connection with the acquisition, divestiture, or reorganization of businesses, except where information is exchanged in connection with a legal obligation as set forth above; and

Processing necessary for the purposes of other legitimate interests pursued by Kraft Heinz.

Information used as Aggregated Data or Anonymized Data is not subject to this privacy notice.

7.1 Brazil Promotional Offers

We may use your identity, contact, technical, account usage and profile data to form a view of what we think you may want or need, or what may be of interest to you. This is how we decide which products, services, and offers might be relevant to you (we call this marketing).

Combining data from multiple sources in this way is commonly known as "data enrichment" or "profiling." This is how we decide which products, services and offers to include in the marketing messages we send. This process may involve automated decision-making to determine which marketing messages will be most meaningful to you. If you do not want us to use data from brokers and data aggregators to enrich the data we collect from you, or if you would like to object to automated decision-making, please contact the Data Privacy Team. We will not use the Special Category data to create a profile about you unless you give us your consent to do so.

You can request that we stop sending you marketing messages at any time by clicking on the "unsubscribe" link in our marketing messages or by contacting the Privacy and Data Protection team.

We may also use your identity, technical, usage, account, and profile data to help us understand the types of products and services that may be of interest to other consumers like you. To do this, we partner with social media companies like Facebook and Instagram to identify and deliver marketing messages to audiences of their consumers who share their characteristics, known as "lookalike audiences." We will not use any Special Category data we collect from you to create lookalike audiences unless you give us your consent to do so. Delivering advertising to you through lookalike audiences involves using automated decision-making to create lookalike audiences and deliver marketing messages to them. If you would like to object to our use of automated decision-making, please contact the data privacy team.

8. SHARING YOUR DATA WITH THIRD PARTIES

We may share your data with third parties, including other Kraft Heinz companies and with third-party service providers who provide services to us, as further explained below.

When we provide Personal Data to partners and suppliers who provide services, including assistance with the processing activities set out in this notice, we will enter into a contract with the appropriate data protection clause (including the provisions required by the LGPD), with such suppliers, to ensure the same degree of protection as Kraft Heinz itself would.

To comply with our legal and other obligations and in connection with our rights, including the protection of our legitimate interest, we reserve the right to disclose Personal Data (or Special Category Data, as the case may be) to law enforcement agencies, regulatory bodies, government agencies, and other third parties as required by law or for administrative purposes (e.g., National Data Protection Authority in Brazil, ) and to the extent that local law permits and/or requires it.

We may transfer your Personal Data to other Kraft Heinz group companies, partners, suppliers, law enforcement agencies and other organizations located outside of Brazil for the purpose of establishing and performing your contract with us, complying with legal obligations and, where necessary, fulfilling our legitimate interests described above, where our interests are not overridden by your data protection rights.

The laws of some jurisdictions outside of Brazil may not be as protective as the LGPD. In such case, Kraft Heinz will ensure that, for such jurisdictions, appropriate measures are taken for compliance with the LGPD in relation to the transfer of Personal Data to such jurisdictions.

9. DATA RETENTION

We have legal duties to keep multiple records that need to be kept for different periods depending on their content. Therefore, we will keep Personal Data for as long as we reasonably deem necessary in connection with these obligations. In cases where we do not need to keep Personal Data for a period specified by law, we will not keep Personal Data for longer than Data Protection Law allows us to.

For more information about our approach to data retention, please contact the Privacy and Data Protection team.

10. YOUR RIGHTS

In accordance with data protection laws, you have the right to request from Kraft Heinz a copy of your personal data and to request that your information be corrected, redacted or restricted to its processing. In certain situations, you can also ask Kraft Heinz to delete your personal data or transfer some of it to other organizations.

You also have the right to object to some processing of your Personal Data, although Kraft Heinz may continue such processing if it is necessary in connection with legal obligations or other applicable legal grounds.

Your personal data rights may be limited or subject to exceptions in some situations; for example, where Kraft Heinz demonstrates that it has a legal requirement to process your data, such as where tax authorities require us to retain it, or where it is necessary for the proper performance of a contract.

Where Kraft Heinz has requested your consent to process the Personal Data and that consent is withdrawn, we will no longer process the Personal Data, but we may not be able to continue providing the goods or services for which the Personal Data was requested. Where consent is withdrawn, this will not affect the data processing that took place prior to the withdrawal.

Where Kraft Heinz has a legal right or obligation to retain personal data or is able to do so in connection with its legitimate interests, it may preserve the information even if you have withdrawn Kraft Heinz's consent to keep your personal data.

Where Kraft Heinz requires Personal Data to comply with legal or contractual obligations, the provision of such data is mandatory. If this data is not provided, Kraft Heinz will not be able, for example, to manage the employment or employment relationship, perform any contract, or comply with legal obligations imposed on us. In all other cases, the provision of the requested Personal Data is optional.

11. IF YOU ARE CONCERNED ABOUT YOUR PERSONAL DATA

For any questions about how Kraft Heinz processes your Personal Data or any questions regarding your rights in relation to your personal data, please contact the Privacy and Data Protection Team.

At first, you should raise all your concerns related to your personal data with the Privacy and Data Protection Team, but you have the right to complain directly to the data protection authorities at any time. The relevant data protection authority shall be the supervisory authority located in Brazil, the National Data Protection Authority (ANPD).

Check the KHC website for more details of the national data protection authorities.

12. CHANGES TO THIS NOTICE

We may change this Notice at our discretion. If changes are made, we will make the revised Notice available on our websites.

Previous versions of this Notice will be archived in the possession of the Data Privacy team.