Investor Relations
  • -
  • -
  • -
  • -
Institutional
enpt

Privacy Notice*

Almeida Junior Shopping Centers values the protection of privacy and ensures that the personal data it processes will only be used in accordance with this Privacy Notice and the applicable privacy and data protection legislation, specifically Law No. 13,709/2018 – the Brazilian General Data Protection Law (LGPD).

Almeida Junior Shopping Centers, headquartered in the capital of the State of São Paulo, at Avenida Brigadeiro Faria Lima, No. 2277, 16th floor, suite 1604, Edifício Plaza Iguatemi, Jardim Paulistano, ZIP Code 01452-000, registered with the CNPJ/MF under No. 82.120.676/0001-83, together with its subsidiaries, companies or entities it manages (in particular AJ Realty Desenvolvimento Imobiliário Ltda., CNPJ: 35.312.187/0001-43) and shopping centers in which it holds ownership or participation, is the controller of the personal data processed for the purposes of this Privacy Policy.

This Privacy Notice will be available for consultation, in digital format, in the “Privacy Notice” section at the bottom of the website www.almeidajunior.com.br.

It is essential for us, through this Privacy Notice, to explain clearly and transparently how, when, and where we process our users’ data during and after their relationship with us.

In addition, this Privacy Notice aims to inform users of their rights and explain when and how they may exercise them.
We suggest that you read our Privacy Notice, and if you have any questions, feel free to clarify them through our Data Protection Officer’s contact information provided at the end of this document.

1. What are personal data according to the Brazilian General Data Protection Law (LGPD)?

These are data that allow the identification of a natural person, such as: name, date of birth, CPF (Taxpayer Identification Number), email, RG (General Registry ID), location data, and others.

2. Data we may collect about you:

In your interaction with us, we may collect certain types of personal data, among which we highlight the following scenarios:

2.1. Data you may provide directly to us:

• Full name, email address, home address, telephone numbers, date of birth, age;

• In exceptional situations, you may provide certain document-related data such as, for example, your RG or CPF number;

• In some situations, you may provide your vehicle license plate number, such as in cases of lost parking tickets or the need to leave your vehicle overnight in our parking lot;

• Other types of personal data not listed here, but which you may freely, expressly, and consensually share with us.

2.2 There are also personal data that we may collect using systems that process data automatically, which may occur due to your experience in some of our shopping centers, among which we highlight:

• When you register for our Shopping Center’s Wi-Fi, during registration and while using the Wi-Fi, we may collect your device data limited to IP (Internet Protocol) address, operating system used, in some cases geolocation data, and, if applicable, the identification of your internet access device;

• Images recorded by our CCTV (Closed-Circuit Television – security cameras) system, which are confidential and protected under current legislation, and, in some cases, your vehicle license plate through our license plate recognition system located at our parking gates;

2.3. What is the purpose of using your personal data?

We may use your personal data for the following purposes:

• Registering suggestions, complaints, or compliments in our Customer Service or “Contact Us” system;

• Loaning items such as wheelchairs or baby strollers;

• Issuing and recording your CPF in the electronic invoice system, as well as charging for parking;

• Participation in commercial promotions;

• Ensuring the physical and property security of our customers, store tenants, and service providers;

• Responding to information requests – receiving and answering questions, providing informational materials (floor plans, brochures, descriptive reports), scheduling visits or simulations;

• Preparing a commercial proposal or financing simulation – using data to simulate payment conditions, prepare a personalized proposal, or initiate preliminary contractual negotiations;

• Fraud prevention and operational security – confirming identity, preventing fraud in credit simulations, document forgery, or scam attempts;

• Sharing with accredited brokers – sending data to brokers or real estate agencies linked to the developer to continue the service;

• Controlling access to the property outside business hours;

• Improving your experience during visits or while using our shopping centers by providing information about products and services;

• Use of the Wi-Fi system;

• Registration in our on-site clinic or pre-hospital care system, as well as in nursery or family spaces;

• Recording any incident involving you, such as a vehicle collision;

• Establishing a commercial partnership;

• Registration to receive information about real estate sales;

• Controlling vehicle entry and exit in our properties;

• Registration to apply for a job with us;

• Participation in events organized by Almeida Junior and ensuring your ability to participate if you are interested; enabling communication with you, including sending and receiving emails and text messages (SMS). This may include, but is not limited to, marketing communications about products and services available in our properties, as well as promotions and events that may be of interest to you.

2.4 Sensitive Data.

As a rule, we do not collect sensitive data from our users.

Thus, there will be no processing of data regarding racial or ethnic origin, religious belief, political opinion, union membership or membership in an organization of a religious, philosophical, or political nature, data concerning health or sex life, genetic or biometric data, when linked to a natural person.

The only circumstance in which sensitive personal data may be processed is in relation to pre-hospital care in cases of an incident involving such care provided by one of our employees or by a company contracted by the Shopping Center. We guarantee that such processing is carried out in accordance with the Brazilian General Data Protection Law (LGPD) and solely for the specific purpose of providing pre-hospital care, in which case the following sensitive personal data may be processed: blood pressure, body temperature, or the collection of medical history/special needs information for the purpose of treatment.

3. Cookies.

Cookies are small text files automatically downloaded to your device when you access and browse a website. They serve mainly to enable the identification of devices, activities, and user preferences.

Cookies do not allow any file or information to be extracted from the user’s hard drive, nor do they provide access to personal information that has not originated from the user or from the way the user utilizes the website’s features.

a. Website Cookies.

Website cookies are those sent to the user’s computer or device and managed exclusively by the website.

The information collected through these cookies is used to improve and personalize the user’s experience. Some cookies, for example, may be used to remember user preferences and choices, as well as to offer personalized content.

b. Cookie Management.

The user may refuse the registration of cookies by the website by disabling this option in their own browser. More information on how to do this in some of today’s most widely used browsers can be found at the following links:

Internet Explorer:

https://support.microsoft.com/pt-br/help/17442/windows-internet-explorer-delete

– manage-cookies

Safari: https://support.apple.com/pt-br/guide/safari/sfri11471/mac

Google Chrome:

https://support.google.com/chrome/answer/95647?hl=pt-BR&hlrm=pt

Mozila Firefox:

https://support.mozilla.org/pt-BR/kb/ative-e-desative-os-cookies-que-os-sites-

usam

Opera: https://www.opera.com/help/tutorials/security/privacy/

Disabling cookies, however, may affect the availability of some tools and functionalities of the website, impairing its proper and expected functioning. Another possible consequence is the deletion of user preferences that may have been saved, negatively affecting the user experience.

4. Collection of Data Not Expressly Provided For.

From time to time, other types of data not expressly provided for in this Privacy Policy may be collected, provided that they are supplied with the user’s consent or that the collection is permitted based on another legal ground provided for by law.

In any case, the collection of such data and the processing activities resulting from it will be informed to the website’s users.

5. Sharing of Personal Data with Third Parties.

We share some of the personal data mentioned in this section with third parties.

• Companies within the Almeida Junior Group: Group companies, if any, may share among themselves the personal data processed from the provision of Services in order to operate, perform, improve, understand, personalize, support, develop strategies, exercise rights, and prevent fraud.

• Third-party service providers: We work with third-party service providers to help us operate, perform, improve, understand, personalize, and support our Services. When we share data with third-party service providers, we require them to use your data in accordance with our instructions and terms or with your express consent, where applicable.

• Business partners: In such cases, we will ensure that you are aware of the sharing and, when necessary, we will obtain your consent for it.

• Regulatory bodies, judicial or administrative authorities: We may share your personal data to provide competent authorities with all information requested regarding the Data Subject. In addition, we may share your personal data with public authorities or private entities to combat fraud and abuse in the use of the Services, to investigate suspected violations of the law, to defend our rights, or to address any other suspected breach of our policies and contracts.

• With your authorization: In other cases not provided for above, if there is an intention to share personal data and information, we will send you a notification with information regarding such sharing to request your consent for a specific purpose.

In any case, the sharing of personal data will comply with all applicable laws and regulations, always seeking to ensure the security of our users’ data in accordance with the technical standards employed in the market.

6. How long your personal data will be stored.

We store and keep your information: (i) for the specific period required by law; (ii) until the end of the processing of personal data; or (iii) for the time necessary to preserve the legitimate interests of the Shopping Center (such as, for example, during applicable statutory limitation periods or to comply with legal or regulatory obligations).

The end of personal data processing will occur when it is verified that:

• The purpose for which the data was collected has been achieved, and the collected personal data is no longer necessary or relevant for the specific intended purpose;

• The Data Subject expresses such intention, upon termination of the relationship between the Shopping Center and the Data Subject; or

• There is a legal requirement to do so.

In the case of consent withdrawal or a request for deletion of your personal data, some information may still be retained as necessary to comply with legal obligations, for the regular exercise of rights, to serve legitimate interests, and for fraud detection and prevention.

In these cases of termination of personal data processing, except for situations established by applicable law or this Privacy Notice, the personal data will be deleted.

7. Legal bases for processing personal data.

A legal basis for the processing of personal data is a legal justification, provided for by law, that authorizes such processing. Each personal data processing activity must have a corresponding legal basis.

We process our users’ personal data in the following situations:

– with the consent of the personal data subject;

– for compliance with a legal or regulatory obligation by the controller;

– for the execution of a contract or preliminary procedures;

– for the protection of life or physical safety of the data subject or a third party;

– for the regular exercise of rights in judicial, administrative, or arbitration proceedings;

– When necessary to serve the legitimate interests of the controller;

7.1 Consent.

Certain personal data processing activities carried out on our website will depend on the user’s prior agreement, which must be expressed freely, informed, and unequivocally.

The user may withdraw their consent at any time, and in the absence of a legal basis that allows or requires the retention of the data, the data provided under consent will be deleted.

In addition, the user may choose not to agree to certain personal data processing activities based on consent. However, in such cases, it is possible that they may not be able to use certain website features that depend on that processing. The consequences of withholding consent for a specific activity are informed before processing begins.

7.2 Compliance with a legal or regulatory obligation by the controller.

Some personal data processing activities, particularly data storage, will be carried out so that we can comply with obligations established by law or other regulatory provisions applicable to our activities.

7.3 Protection of the life or physical safety of the data subject or third parties.

In certain situations, we may process personal data based on the legal basis that allows processing when necessary to protect the life or physical safety of the data subject or third parties. This applies, for example, in cases of medical emergencies, accidents, or any other situation involving imminent risk to health or safety, in which obtaining the data subject’s prior consent is not feasible. In such cases, processing will be limited to what is strictly necessary to preserve the integrity and safety of those involved.

7.4 Execution of a contract or preliminary procedures.

The legal basis “execution of a contract or preliminary procedures” is provided for in Article 7, Item V of the LGPD and allows the processing of personal data without consent, provided such processing is necessary to fulfill contractual obligations or take preliminary measures at the request of the data subject.

7.5 Compliance with a legal or regulatory obligation by the controller.

Some personal data processing activities, particularly data storage, will be carried out so that we can comply with obligations established by law or other regulatory provisions applicable to our activities.

7.6 Legitimate interest.

For certain personal data processing activities, we rely exclusively on our legitimate interest. To learn more about the specific cases in which we rely on this legal basis, or to obtain more information about the assessments we conduct to ensure we can use it, please contact our Data Protection Officer through one of the channels provided in the “How to contact us” section of this Privacy Policy.

8. User rights.

The Brazilian General Data Protection Law (Law No. 13,709/18), in Article 18, lists the rights of personal data subjects, detailed below:

The Data Subject has the right to obtain from the Controller, at any time and upon request, with respect to the data processed:

I – confirmation of the existence of processing; II – access to the data;

III – correction of incomplete, inaccurate, or outdated data; IV – anonymization, blocking, or deletion of unnecessary, excessive data, or data processed in non-compliance with the provisions of Law No. 13,709;

V – portability of the data to another service or product provider, upon express request and subject to commercial and industrial secrets, in accordance with the regulation of the controlling authority;

VI – portability of the data to another service or product provider, upon express request, in accordance with the regulation of the national authority, subject to commercial and industrial secrets;

VII – deletion of personal data processed with the data subject’s consent, except in cases provided for in Article 16 of Law No. 13,709;

VIII – information about public and private entities with which the controller has shared data;

IX – information about the possibility of not providing consent and the consequences of refusal;

X – withdrawal of consent, under the terms of paragraph 5 of Article 8 of Law No.

13,709/2018.

It is important to note that, under the LGPD, there is no right to deletion of data processed under legal bases other than consent, unless the data is unnecessary, excessive, or processed in violation of the law.

9. How the data subject can exercise their rights.

Data subjects whose personal data we process may exercise their rights by sending a message to our Data Protection Officer. The necessary information for this is available in the “How to contact us” section of this Privacy Notice.

To ensure that the user requesting to exercise their rights is, in fact, the data subject of the personal data in question, we may request documents or other information to help with proper identification, in order to safeguard our rights and the rights of third parties. This will only be done if absolutely necessary, and the requester will receive all related information.

10. Security measures in the processing of personal data.

We employ technical and organizational measures to protect personal data from unauthorized access, as well as from destruction, loss, misplacement, or alteration. The measures we use take into account the nature of the data, the context and purpose of processing, the risks that a potential breach could pose to the user’s rights and freedoms, and the standards currently employed in the market by companies similar to ours.

Although we take all reasonable measures to prevent security incidents, it is possible that a problem may occur solely due to third-party actions, such as hacker or cracker attacks, or even due to the user’s exclusive fault, for example, when they themselves share their data with a third party. Thus, although we are generally responsible for

the personal data we process, we disclaim liability in exceptional situations over which we have no control.

In any case, if any security incident occurs that could cause significant risk or damage to any of our users, we will notify the affected parties and the National Data Protection Authority of the incident, in accordance with Article 53 of Law No. 13,709/2018.

11. Complaints to the National Data Protection Authority (ANPD)

Without prejudice to any other administrative or judicial remedies, personal data subjects who feel they have been harmed in any way may lodge a complaint with the National Data Protection Authority.

12. Changes to this policy.

We reserve the right to modify these rules at any time, especially to adapt them to any changes made to our website, whether through the availability of new features or the removal or modification of existing ones.

Whenever there is a change, our users will be notified about it.

13. Children’s data.

As a rule, we do not process children’s data to provide our Services.

14. How to contact us.

To clarify any questions about this Privacy Notice or about the personal data we process, please contact our Data Protection Officer: Name: Bernardi Advogados

E-mail: dpo@brdadvogados.com.br

UPDATED ON JULY 25, 2025.