Privacy Policy


This Policy contains information on the processing of personal data carried out by CCR S.A (“we” or “CCR S.A”). Here, you will find information on how your personal data is used, and if you would like more details about its use, you can contact our DPO, who will answer questions not covered by this Policy.


Avenida Chedid Jafet, 222, Block B, 5th floor, Vila Olimpia neighborhood, Municipality of São Paulo, State of São Paulo

Taxpayers Roll under the Treasury Ministry under No. 02.846.056/0001-97


CCR's DPO is:

Fabio Aparecido Odoni


As a condition for accessing and using the exclusive features on, You declare that you have read this Policy completely and carefully, being fully aware, thus granting your free and express agreement with the terms stipulated herein, including the collection of the Data mentioned herein, as well as its use for the purposes specified below. If you do not agree with the provisions of this Policy, you must discontinue your access or use of



Please do not register at if you are under 16 years old.



Although we prohibit the registration of children and adolescents under the age of 16, parents must supervise the online activities of their minor children.

The activities of teenagers over 16 and under 18 must be attended by parents or legal representatives.

What are personal data?

Personal data refers to any information relating to a person that can be used to identify them, either individually or based on an analysis involving various types of information.

How do we collect data?

Data, including Personal Data, may be collected when you submit it or when you interact with



The database formed through the collection of Data is our property and is under our responsibility, and its use, access and sharing, when necessary, will be done within the limits and purposes of the business described in this Policy.

What data do we use?


What do we collect?

  • Name
  • Email
  • Company
  • Subject
  • Message

What do we collect for?

  • Identify you.
  • Fulfill the obligations arising from the use of our services.
  • Expand our relationship, inform you about news, features, content, and other events that we consider relevant to you.
  • Enrich your experience with us and promote our products and services.
  • Comply with our legal and regulatory obligations.



What do we collect?

  • Source IP Address and Logical Port
  • Device (OS version)
  • Geolocation
  • Timestamps every action you take
  • Which screens did you access?
  • Session ID
  • Cookies

What do we collect for?

  • Identify you.
  • Comply with legal record-keeping obligations established by the Civil Rights Framework for the Internet - Law 12,965/2014.
  • Comply with our legal and regulatory obligations.


Many of our services directly depend on some Data reported in the table above, mainly Registration Data. If you choose not to provide some of this Data, we may be unable to provide all or part of our services to you.



You are solely responsible for the accuracy, veracity, or lack thereof in relation to the Data you provide or for its outdatedness. Please note that it is your responsibility to ensure accuracy or keep them up to date.


Likewise, we are not obliged to process or treat any of your Data if there are reasons to believe that such processing or treatment could impute to us any breach of any applicable law, or if you are using br/ for any illegal, illicit, or contrary to morality purposes.

Does CCR share my personal data with third parties?

We do not share your personal data with third parties except in the cases described below:

  • When we have obtained your consent for the sharing of your personal data;
  • With affiliated companies within the CCR group;
  • With service providers and CCR business partners, who process personal data on behalf of CCR;
  • With service providers and CCR business partners, in the context of the concession agreement, in addition to other illegal conduct with a high risk of damage, in the interest of CCR and the protection of third parties.
  • With the Public Administration, in compliance with legal and contractual obligations, including in the context of concession, permission or authorization contracts;
  • With law enforcement authorities as required by law or when reasonably necessary to protect the rights, property and/or safety of the User, third parties and/or CCR; 
  • With competent judicial, administrative or governmental authorities, whenever there is a legal determination, request, requisition or court order;
  • When necessary for commercial activities and services provided by Us through;
  • Automatically, in case of corporate movements, such as mergers, acquisitions, and incorporations.


We have commercial partners who, eventually, can offer services through functionalities or websites that can be accessed from The Data provided by you to these partners will be their responsibility and will therefore be subject to their own data collection and use practices.

If third-party companies carry out the Processing on our behalf of any Personal Data that we collect, they will obligatorily respect the conditions stipulated herein and the information security standards.

For the purposes of market intelligence research, disclosing data to the press and carrying out advertisements, the data provided by you will be shared anonymously, which means, in a way that does not allow your identification.

How we protect your data and how you can protect it too.

It is very important that you protect your Data against unauthorized access to your computer, account, or password, in addition to making sure you always click on “exit” when ending your browsing on a shared computer. It is also very important that you know that we will never send electronic messages requesting confirmation of data or with attachments that can be executed (extensions: .exe, .com, among others) or even links to eventual downloads.


Internally, the Personal Data collected is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance for the purposes of our business, in addition to the commitment to confidentiality and preservation of your privacy under the terms of this Policy.


When you use, you may be led, via link, to other portals or platforms, which may collect your information and have their own Data Processing Policy.


It will be up to you to read the Privacy and Data Processing Policies of such portals or platforms outside our environment, being your responsibility to accept or reject them. We are not responsible for the Privacy Policies and Data Processing of third parties nor for the content of any websites, content or services linked to environments other than ours.

As controllers of your personal data, we have the following responsibilities:

  • Record processing activities;

  • Adopt technical and administrative security measures;

  • Ensuring information security;

  • Comply with the holders' rights; 

  • Cooperate with the National Data Protection Authority;

  • Ensure compliance with the principles and legal bases of the LGPD (GDPR law in Brazil).

How long does CCR keep my personal data?

We keep your data for the period necessary to fulfill the purposes listed in this Privacy Policy, including for the fulfillment of legal and contractual obligations under concession, permission, or authorization contracts. For specific information about data retention periods, you can contact us through our communication channel with the person in charge of the protection of personal data by sending an email to:


Personal Data collected and activity logs are stored in a secure and controlled environment on our local servers.


If you request the deletion of your Personal Data, it may occur that the Data need to be kept for a period longer than the deletion request, pursuant to article 16 of the General Law on the Protection of Personal Data, for (i) compliance with a legal or regulatory obligation, (ii) study by a research body, and (iii) transfer to a third party (respecting the data processing requirements set forth in the same Law). In all cases, through the anonymization of Personal Data, whenever possible.


In addition, some data is stored for longer periods for auditing, security, fraud control, credit protection and preservation of rights purposes, we may keep the registration history of your Data for a longer period in cases that the law or regulatory standard so establish or for the preservation of rights.


At the end of the maintenance period and the legal necessity, Personal Data will be deleted using safe disposal methods, or used in anonymized form for statistical purposes.

Are my personal data transferred to other countries?

The Data collected will be stored on our servers located in Brazil, as well as in an environment using resources or servers in the cloud, which may require a transfer and/or processing of this Data outside Brazil.

How can I exercise my rights as a holder?

The General Data Protection Act grants you rights related to your personal data which are:

  • confirmation of the existence of processing of your personal data;
  • access to your personal data;
  • correction of incomplete, inaccurate or outdated personal data;
  • anonymization, blocking or deletion of unnecessary, excessive data or data treated in non-compliance with the provisions of the LGPD, if applicable;
  • portability of personal data to another provider, subject to regulation by the National Authority (ANPD);
  • request for erasure or anonymization of personal data processed based on your consent, except when the law authorizes the maintenance of these data for another reason;
  • information about the public and private entities with which We have shared use of your personal data;
  • information about the possibility of not consenting to the processing of your personal data and the consequences of such action;
  • revocation of your consent.

Does CCR use cookies?

CCR may use this technology on its website, collecting information automatically, such as navigation data and device IP. This information will be used to improve your experience and so that we can evaluate the good functioning of the portal functionalities. It is up to you to configure your Internet browser if you wish to block them. In this case, some of the functionalities we offer may be limited. All the technologies used will always respect the current legislation and the terms of this Policy.

We do not use any type of decision solely automated that impacts you.

Information about our digital communication

You acknowledge that all communication made by email (to the addresses informed in your registration), SMS, instant communication apps or any other digital form, are also valid, effective and sufficient for the disclosure of any subject that refers to the services that we provide, to your Data, as well as to the conditions of its provision or to any other subject addressed therein, the exception being only what this Policy provides as such.


To optimize and improve our communication, when we send you an email, we may receive a notification when they are opened, provided this possibility is available. It is important that you pay attention, as emails are sent only by the domain:


In case of any doubt regarding the provisions contained in this Privacy and Data Processing Policy, you may contact us through the Communication Channel.



Some information about this policy

To improve its services, CCR may update this Policy, according to the purpose or need, such as for adequacy and legal compliance with a provision of law or rule that has equivalent legal force, and it is up to you to verify it whenever you access to or use our services.


In the event of updates to this document that require a new collection of consent, you will be notified through the contact channels you provide.

This privacy policy is effective as of October 2022.