Privacy Notice - CPFL Energia | Investor Relations

For over a century, we have been dedicated to the energy sector, providing generation, transmission, distribution, and a range of services and solutions to our valued clients. Your trust is of utmost importance to us.

Our commitment to security is non-negotiable, and we are guided by transparency, ethical conduct, integrity, and responsibility in all our actions.

As we carry out activities to achieve the corporate purposes of the companies within the CPFL Energia Group, we utilize numerous pieces of information, which may include personal data.

The treatment of this information is conducted with the utmost care and responsibility, ensuring compliance with all applicable laws and regulations on personal data privacy and protection.

We strongly encourage you to read this Privacy Notice, as it explains (i) how personal data is collected, shared, and processed by the CPFL Energia Group (see the list of companies in the Glossary); and (ii) how you can exercise your rights over your personal data, as provided by the Brazilian General Data Protection Law - LGPD (Federal Law 13,709/18).

In the Glossary (section 13 of this document), we clarify certain terms used in this notice that may not be familiar to you.

We welcome your feedback, questions, and suggestions for improvements or corrections to this Privacy Notice. Please feel free to contact us through the available channel. We will review your inquiries, respond to questions as needed, and if any corrections or clarifications are required, our Data Protection Management team will take the necessary steps to update this document.

We hope you find this information helpful!

Index:

This notice applies to any individual who (i) is or has been our client or customer; (ii) has had any form of relationship with us, including participation in events or research conducted by the CPFL Group; (iii) has visited our facilities or is an investor in the CPFL Group.

For clarity, we have categorized the types of data we process and their intended uses by data subject groups.

Identify which data subject category you belong to and learn about the types of data we may process about you, where we collect it, and the specific purposes for its use.

In general, the CPFL Group does not process personal data of individuals under 18 years of age. However, when such processing is necessary, we will also apply the rules outlined in section “2.3. Processing of data of individuals under 18 years old.”

Clients: Individuals who use our products or services.

Consumers: Potential or former users of our products and services.

Category	Data we may process	Most common sources of collection	Purpose
Registration data	Personally identifiable information, such as name, date of birth, email, home address, phone number, profession, occupation, marital status, and other similar details. Information obtained from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others.	Data subject.	Personal identification and authentication in the formalization of contracts. Representation of legal entities. Offer and use of our products and services. Registration of requests and demands in the service channels. Registration for social benefits (e.g., electricity 'Social Tariff').
Business data	Information related to your workplace, such as work phone and email, work address, activity, and role.	Data subject.	Submission of invoices, reading history, reports, newsletters and news.
Financial/transactional data	Data related to power meter readings, payments, bank and income.	Data subject. Company, public or private databases, financial institutions (e.g., payment confirmation) or even data generated by the CPFL Group itself (reading and payment history – electricity bill).	Registration for automatic debit. Payment history. Energy consumption history (consumption unit reading). Credit recovery including protest and negative credit reporting in case of unpaid debts. Assessment of irregularities at consumer units. Accounting activities.
Third party data	Registration and business data, as listed above, pertaining to representatives, counterparties, proxies, employees, partners, or beneficiaries of products and services.	Data subject or the individual/legal entity represented	To allow third parties to represent the data subject in legal actions and transactions, including the ability to perform activities on behalf of and under the direction of the Represented Party (on a corporate or civil capacity).
Electronic records	IP with date and time of access only for Virtual Agency (logged in area). Pages accessed. Subsequent pages accessed after leaving the Platforms. Information about user activities and/or interests, or any search terms entered on the Platforms.	Data subject who browses the websites or applications of the CPFL Group.	Access logs are maintained to comply with legal obligations (Brazilian Internet Civil Framework) and to verify actions performed in logged-in areas. Analysis of platform performance and measurement of audience engagement. This information supports the development, maintenance, and enhancement of website and application features. Statistical analysis of access patterns and use of site/application resources and functionalities.
Service history	Telephone recordings, email content, text messages, and other information shared through customer service channels.	Data subject.	Resolution of disputes and response to the data subject.
Health data	Medical report, medical certificate, disease classification code (ICD), treatment period, physician's license number, and appointment date (e.g., medical report).	Client of the energy bill (who may or may not be the data subject).	Exclusively for energy consumer units whose premises require essential medical equipment for human survival, as defined by ANEEL Resolution 414/2016 (e.g., energy supply for subjects with home-based intensive care units).

When we host events, we process the personal data of attendees. Below is a list of the types of data we may process:

Category	Data we may process	Most common sources of collection	Purpose
Registration data	Personally identifiable information, such as name, date of birth, email, home address, phone number, profession, occupation, marital status, and other similar details. Information obtained from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others.	Data subject.	Participant identification and authentication. To ensure security, conduct satisfaction surveys, send news, reports, updates, and materials related to the event, among other purposes.
Images and videos	Event photos and recordings.	CPFL Group	We typically document events as evidence of their occurrence and to share them through our corporate materials and channels. If an event is recorded, participants are always notified in advance. Depending on the nature of the event, CPFL may share recordings and photos of participants.

Category

Data we may process

Most common sources of collection

Purpose

Registration data

Personally identifiable information, such as name, date of birth, email, home address, phone number, profession, occupation, marital status, and other similar details.

Information obtained from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others.

Data subject.

Participant identification and authentication. To ensure security, conduct satisfaction surveys, send news, reports, updates, and materials related to the event, among other purposes.

Images and videos

Event photos and recordings.

CPFL Group

We typically document events as evidence of their occurrence and to share them through our corporate materials and channels. If an event is recorded, participants are always notified in advance. Depending on the nature of the event, CPFL may share recordings and photos of participants.

The CPFL Group, as a participant in Energy Efficiency Research and Technological Development Programs governed by Law 9,991 (July 24, 2000) and resolutions of the Brazilian Electricity Regulatory Agency (ANEEL), may collect and process personal data from administrators of educational institutions, educators, and students who take part in these research projects.

Category	Data we may process	Sources	Purpose
Registration data	Personally identifiable information, such as name, date of birth, email, home address, phone number, profession, marital status, and other similar details. Information obtained from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others.	Data subject.	Identification and authentication of project participants, including but not limited to university officials, directors, faculty, and students.
Images and videos	Photos and videos.	CPFL, in connection with the event.	Monitoring, sharing and presentation of the project's results.

We process personal data of individuals who visit our facilities or interact with us on our social media platforms, such as YouTube, Facebook, Twitter, Instagram, and LinkedIn.

Category	Data we may process	Most common sources of collection	Purpose
Registration data (on-site visits)	Name, data from identification documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others.	Data subject.	Visitor identification for access control and on-site security.
Business data	Information related to the visitor's workplace, such as the company's legal or trade name, phone number and professional email, business address, job role, and responsibilities.	Data subject.
Social media data	Name, email, data subject's account on the selected social network, and phone number.	Official electronic channels and social media platforms of the CPFL Group.	Address and respond to requests and inquiries submitted through these channels.

We may process personal data of individuals who hold securities issued by the CPFL Group.

Category	Data we may process	Most common source of collection	Purpose
Registration data	Personally identifiable information, such as name, date of birth, email, home address, phone number, profession, occupation, marital status, and other similar details. Information obtained from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others. Investor identification.	Data subject. Financial institutions engaged by the data subject.	Asset management. Support provided through the channels made available by the CPFL Group. Investor relations. Registration for external events.
Business data	Information related to your workplace, such as company name, business phone and email, work address, job activity, and position.	Typically provided by the data subject during registration.
Financial/transactional data	Stock activity history. Banking data. Investment information.	Data subject. Financial institutions.	Asset management. Accounting.

We process personal data of job applicants, starting from resume screening for participation in selection processes (including direct registration of individuals in CPFL Group or third-party resume databases), through pre-selection, selection, and acceptance of employment offers.

Once an applicant becomes an employee, data processing rules are communicated directly through CPFL Group’s internal documents.

Below is a list of data we may process:

Category	Data we may process	Most common source of collection	Purpose
Registration data	Personally identifiable information, such as name, date of birth, email, home address, phone number, profession, occupation, marital status, and other similar details. Information obtained from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others. Investor identification.	Data subject. Financial institutions engaged by the data subject.	Asset management. Support provided through the channels made available by the CPFL Group. Investor relations. Registration for external events.
Registration data	Information obtained from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), PIS (Social Integration Program number), SUS (public health program) card, photo, among others.	Data subject (approved for hiring in a selection process)	Arrangements for execution of employment contract.
Information on educational background, credentials, and training	Educational background, professional training, and relevant certifications.		Determine eligibility and qualifications for the role.
Professional data	Record of past and present jobs.
Financial information	Information regarding fixed and variable compensation, as well as benefits.	Data subject.	Understand the applicant's present circumstances and their expectations for salary and benefits to evaluate if they meet the financial criteria established for the role.
Data sourced from public or private information repositories	Verification of personal data and criminal record (only when required by law, the nature of the position, or a special level of trust associated with the role).	Third-party databases	Identify and authenticate candidates. Verify qualifications for the position. Ensure the safety of other employees, third parties, and the organization itself.
Health data	Occupational Health Certificate (ASO). Identification of any disability.	Occupational health physician Occupational health company Data subject	Confirm whether the employee is fit to perform the professional duties of the specified position. Ensure compliance with legal requirements for hiring individuals with disabilities. Provide appropriate accommodations to support job performance.

We process data as required to fulfill legal or regulatory obligations related to terminated employment contracts. Data processing policies are communicated directly through CPFL Group’s internal documentation.

Specific retention period. If your application process is not successful, CPFL Group may retain your personal data listed in the table above for a period of two (2) years from the conclusion of the selection process, for audit purposes and to protect the rights of CPFL Group.

For former employees, after the termination of the employment contract, personal data will continue to be processed for the period established in law, to fulfill legal or employment-related obligations (such as retirement, proof of FGTS and income tax payments, or occupational health and safety requirements), to exercise rights in legal proceedings (defending CPFL Group’s interests in court), or to pursue the legitimate interests of the company or third parties.

If you wish to keep your personal data in our database to be considered for future job opportunities that match your profile, you must provide your consent when completing the registration on the CPFL – Careers page.

If your application process is successful, all personal information collected up to that point will be retained, even after the end of your employment contract, to comply with legal or regulatory obligations (such as retirement, proof of FGTS payments, occupational health and safety requirements, among others) and to defend CPFL Group's interests in accordance with applicable legal retention periods.

The suppliers and service providers (mostly legally established companies) that the CPFL Group engages with for its business operations are always the Controllers of the personal data of their legal representatives, partners, and employees.

In certain situations, the CPFL Group may need to process the personal information of these individuals, but only within the context of the legal relationship established with the service provider, supplier, or partner.

For this group, we may process the following data:

Category	Data we may process	Most common sources of collection	Purpose
Registration data	Personally identifiable information, such as name, email, address, phone number, profession, occupation, photograph, educational background, marital status, and other similar details. Information derived from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others.	Public documents provided by suppliers, service providers, or partners, including bylaws, minutes of board election meeting, and powers of attorney.	Registration and verification of powers of representation.
Business data	Information related to your workplace, such as company name, business phone and email, work address, job activity, and position.	This information is typically provided by the supplier or service provider.	Registration and confirmation of powers to sign legal documents, as well as validation and payment of invoices.

For this group, we may process the following personal data:

Category	Data we may process	Most common sources of collection	Purpose
Registration data	Personally identifiable information, such as name, email, address, phone number, profession, occupation, marital status and other similar details. Information derived from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), CTPS (employment record book), among others.	Supplier or contractor Data subject	Identification of the data subject performing the service. Security and risk prevention. Granting access to facilities, remote access, systems, tools, and information databases of the CPFL Group. Prevention of labor and tax risks related to outsourcing. Management of the service provision contract.
Business data	Information related to your workplace, such as company name, business phone and email, work address, job activity, position, and employee ID number.	Typically provided by the supplier, service provider, or the data subject.
Electronic records	Equipment or tools belonging to the CPFL Group: messages exchanged through official communication channels (such as email, electronic messages on Skype, Teams, and others), records of access to websites, applications, and tools (always within the context of business activities and the use of CPFL Group equipment and tools).	CPFL Group	Monitoring, control, and security activities conducted through internal policies (including audits, internal controls, information security, labor relations, and related areas).
Employment, social security, and tax data	Employment contract. Control of working hours. Benefits. Declared dependents for income tax filing. Records of the provision of uniforms and personal protective equipment (PPE). Proof of completed training sessions. Vacation and payment receipt. Termination agreement and corresponding proof of payment for severance and tax-related amounts. Occupational Health Certificate (ASO).	Suppliers and service providers	Monitor payments of labor, tax, and social security amounts under legal and regulatory requirements (outsourcing risk management).
Biometric data	Digital	Data subject.	Exclusive to employees with access to the CPFL Group data center, meeting security requirements based on international frameworks such as NIST and ISO.

We may process the data of family members of CPFL Group employees to collect information required by law or specific regulations, as well as in the context of CPFL Group internal marketing initiatives or events aimed at internal audiences.

Below is a list of data we may process:

Category	Data we may process	Most common sources of collection	Purpose
Registration data	Personally identifiable information, such as name, date of birth, email, personal and business phone numbers, home address, occupation/position, marital status, among others. Information derived from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), among others.	Employee or data subject Financial institutions engaged by the data subject	Management of benefits extended to family members. Mandatory information employers must provide about their employees. Registration for events. Institutional activities of the CPFL Group.
Images and videos	Photos and recordings.	Employee or data subject	Recording of events as evidence of their occurrence and to share them through our corporate materials and channels.
Health data	Medical history, medical treatment, medical diagnosis.	Data subject Employee of the CPFL Group	Provide special assistance to employees.

Category

Data we may process

Most common sources of collection

Purpose

Registration data

Personally identifiable information, such as name, date of birth, email, personal and business phone numbers, home address, occupation/position, marital status, among others. Information derived from documents issued by official government agencies, such as RG (ID number), CPF (individual taxpayer number), CNH (driver’s license), among others.

Employee or data subject

Financial institutions engaged by the data subject

Management of benefits extended to family members. Mandatory information employers must provide about their employees. Registration for events. Institutional activities of the CPFL Group.

Images and videos

Photos and recordings.

Employee or data subject

Recording of events as evidence of their occurrence and to share them through our corporate materials and channels.

Health data

Medical history, medical treatment, medical diagnosis.

Data subject

Employee of the CPFL Group

Provide special assistance to employees.

As a general rule, we do not process personal data of individuals under the age of 18, except when required to fulfill legal or regulatory obligations (e.g., registration for Social Tariff programs, compliance with court orders in child support cases), for participation in educational or research projects, exercising rights in administrative or legal proceedings, involvement in internal events, or hiring of young apprentices, among others.

When we do process such data, we ensure that only the minimum necessary personal information is collected for a clearly defined purpose, always prioritizing the best interests of the minor and complying with all legal requirements for processing this data, including obtaining explicit consent from legal guardians when required by law.

Confirmation of data processing.
Verify whether we hold any of your personal data in our records.
Comprehensive personal data statement.
Obtain all the information the CPFL Group has about you, as well as its origin and intended use.
Anonymization, blocking, or deletion of personal data.
To halt the processing of personal data that may be excessive, unnecessary or in violation of the Brazilian General Data Protection Law (LGPD).
Deletion/anonymization are rights that will only be exercised when there is no longer a legal or regulatory purpose for retaining such data within the CPFL Group.
Objection to data processing.
You may disagree and state your reasons for believing that your data should not be processed.
This right is applicable when the Controller processes your data under a legal basis other than consent (a separate right applies to consent-based processing).
If your data has been processed under a legal basis other than consent, you can still exercise your right by notifying us of your objection to the processing of your data and providing the reasons for your disagreement. We will review your request and respond accordingly.
Revocation and suspension of consent.
If your data is processed based on your authorization (consent), you may withdraw (revoke) or suspend your consent at any time.
Deletion of data processed without consent.
If your data is being processed based on consent and such consent was not properly obtained in accordance with the LGPD, you have the right to request that your data be deleted from the CPFL Group’s database.
For more information about consent, please refer to item 13 in the Glossary, under the topic “Legal Permission for Processing Personal Data.”
Review of automated decisions
If decisions are made by the CPFL Group solely based on electronic analysis of personal data, you have the right to request a review of the decision.
Right to an explanation regarding automated decisions.
Request information about the criteria and procedures used in automated decisions, except for information protected as trade secrets.
Reports/inquiries related to the Brazilian General Data Protection Law (LGPD)
Protecting your data is extremely important to us, and your involvement is essential in fostering a culture of data protection within our organization. We welcome your questions and concerns regarding this privacy notice, and we use your feedback to enhance transparency and monitor data processing activities carried out by the CPFL Group.
Please note that we will only address inquiries related to the topics covered in this notice or the LGPD, provided a specific event involving the data subject is indicated.
Any other matters will not be addressed here and should be directed to the appropriate customer service channels.
Data portability
Submission of personal data, at the data subject's request, to another provider. We are awaiting guidance from the National Data Protection Agency (ANPD) to enable the exercise of this right.

The CPFL Group does not extract biometric data (such as facial features and/or fingerprints) from official document photos collected from data subjects or voice biometrics from recordings made through customer service channels or during events it organizes.

Please see below the rights of data subjects under the LGPD, which you can request from the CPFL Group.

Canais para requisições dos titulares
Clients and costumers in general	0800 010 10 10 - CPFL Paulista 0800 010 25 70 - CPFL Piratininga 0800 772 21 96 - CPFL Santa Cruz 0800 970 0900 - RGE In-Person Service Center. Website
Events participants	Website
Participants in educational and research projects	Website
Visitors	Website
Investors	Website
Applicants and former employees	Website
Legal representatives of suppliers and service providers	Website
Family members of employees	Website

Data Subject Rights

What can you request?

What is it for?

Ensuring the secure exercise of the rights of data subject.
We recognize that malicious actors may attempt to impersonate you through such requests to gain unauthorized access to your data. Therefore, to process your request, we will implement procedures to verify your identity, which may include requesting additional information and/or documents to ensure a secure response.

Response timeframe.
Once your identity is verified, your request will be processed within fifteen (15) days, preferably via email, except in cases where you are exercising your right to confirmation of data processing (in which case the response will always be "yes" or "no"), and this information will be provided immediately, whenever possible.

We follow the provisions of laws and regulations that govern data privacy and protection in Brazil, in particular the General Data Protection Law (Federal Law 13,709/2018) ("LGPD"). Below, we outline the criteria used for processing personal data:

Existence of legal basis authorizing such activity (see the scenarios provided by the LGPD for data processing in the Glossary under "Legal Permission for Processing Personal Data");
When defining the purpose of data processing, we strive for it to be legitimate and specific, making sure the data subject is aware of what is done with their personal data (which is done in this Privacy Notice or in complementary legal documents), with due transparency;
We use only the minimum data necessary, appropriate for each specific data processing context;
We implement appropriate and feasible security measures to protect personal data from unauthorized third-party access, as well as from accidental or unlawful situations, always tailored to the sensitivity, volume, and methods of data processing involved.
If necessary, we request authorization (consent) from the data subject to fulfill the purpose previously communicated to them (this may be outlined in a contract, terms of use, or a separate document), including information about the consequences if authorization for data processing is not granted. We also provide a channel for data subjects to suspend or withdraw their consent at any time (see the answer to question 13 below – Suspension or withdrawal of consent);
When processing data based on the legitimate interests of the CPFL Group or third parties, our primary focus is to minimize any impact on the data subject’s privacy. We strive to balance the interests of the CPFL Group or third parties with the expectations of the data subject regarding the use of their personal data, carefully assessing whether there could be any negative effects on their fundamental rights and guarantees. Additionally, we provide a straightforward way for individuals to exercise their right to object to the processing of their personal data. This means you can request that your data no longer be processed on the basis of legitimate interest (see the answer to question 13 below – Objection to Data Processing);
We offer a dedicated channel for data subjects to exercise their rights regarding their personal data we process and to address any questions related to the LGPD (see question 13 "What are my rights as a data subject and how can I exercise them?").

CPFL Group generally stores personal data within Brazil. However, to enhance operational efficiency and performance, your personal data may occasionally be transferred to other countries. In this case, the CPFL Group will remain responsible for the personal information and will assure the data subjects, the target audience of this notice, that even with the processing of data in a foreign country, the rights and obligations established for data subjects in this document, in the laws and regulations that govern the protection of personal data, and also in the information security and data protection policies and guidelines of the CPFL Group, will be observed..

We will retain your personal data based on the following criteria:

(i) for as long as necessary to fulfill the purposes for which the data was collected, as outlined in item II below. For example, for as long as the client of the energy bill continues to use the energy distribution services provided by CPFL Group companies. In the case of a legal representative (concerning the electricity bill of a business), data will be retained while the individual remains registered as the representative of the legal entity that maintains a relationship with the CPFL Group;

(ii) for the defense of rights in legal, administrative or arbitration proceedings, such as after the termination of your energy supply contract, CPFL is legally permitted to retain your personal and contract data for up to 10 years from the end of the commercial relationship; and

(iii) if there is a specific law or regulation requiring the retention of personal information for a defined period.

For online access to our website or app, any access logs collected from data subjects will be stored for up to six (6) months, as required by the Brazilian Internet Civil Framework (Federal Law 12,965/2014) and its regulatory decree. If, at the discretion of the CPFL Group, the collected logs are necessary to protect our rights in legal or administrative proceedings, the retention period may be extended to ten (10) years, as permitted by the Brazilian Civil Code.

Your personal data will be securely deleted or rendered non-identifiable (anonymized) when there is no longer a legal or regulatory basis for its retention by CPFL Group.

First and foremost, CPFL Group does not sell your personal data to third parties under any circumstances. However, in the course of its operations, your personal data may be shared with third parties who support business activities, to ensure proper delivery of services, protect the company’s rights, and comply with legal or regulatory obligations, as well as for assessments carried out by consulting firms, use of online services and products, among other legitimate reasons.

Any data sharing will always comply with applicable data protection laws and regulations, as well as internal data protection and information security policies and procedures, with records of the information shared and the intended purposes and respect for the data subject's privacy and rights.

All third parties contracted by the CPFL Group that process personal data are required to: (i) comply with all obligations and rights established by data protection laws and regulations, including the LGPD; (ii) process data confidentially and solely for the purposes defined in the contract; (iii) implement data protection and security measures appropriate to the sensitivity, volume, format, and processing methods involved; (iv) ensure that their practices meet or exceed the standards set forth in this Privacy Notice, CPFL Group’s information security policies and procedures, and any relevant contracts or legal documents providing for personal data processing rules applicable to the contract in question; and (v) ensure that their partners, representatives, employees, and third parties process personal data confidentially and that they fulfill the obligations outlined in the documents mentioned in the previous item.

Why and with whom we share your personal data:

Recipients	Why we share your personal data:
Partners and suppliers	To develop, maintain, and offer our products and services, such as energy consumption monitoring, project execution, specialized services, and document storage companies.
Service providers	Service providers are typically technology companies that offer business support services such as website and application development, hosting, maintenance, backup, storage, virtual infrastructure, and payment processing.
Specialized professionals	To provide services such as compliance, legal, insurance, accounting, auditing, finance, collections, HR consulting, among others.
Administrative, judicial and governmental authorities	To comply with specific laws or regulations (e.g., anti-money laundering, FATCA), subpoenas or court orders, audits by self-regulatory agencies to which we are subject, to ensure the safety of any individual, to investigate potential crimes or offenses (such as fraud, theft, or burglary), to protect our rights, interests, and those of third parties, as well as in educational research projects as described in item 3, section “c.”
Advertising companies and advertisers	To place ads for data subjects through online advertising on our own or third-party websites, send electronic messages, make telephone calls or even send direct mail to promote our services, products and features.
Researchers	To enhance our products, services, digital platforms, customer support, initiatives, and more.
Public or private information databases	To identify and authenticate data subjects during the contracting and use of digital services, adopt anti-money laundering measures, identify politically exposed persons, comply with FATCA, update records, prevent fraud and socio-environmental crimes, among other purposes.
Parent companies	For the parent company to carry out control and management activities for the CPFL Group in accordance with the laws governing business operations.
Acquisition of companies or assignment of credits	In case of corporate transactions, such as merger, acquisition or incorporation, or in the event of assignment of rights.

The CPFL Group applies security measures—both technical and administrative—tailored to the data sensitivity, volume, format, and processing methods. These measures are based on industry best practices to safeguard personal data against unauthorized access, as well as risks of destruction, loss, alteration, disclosure, or dissemination.

All data processed by the CPFL Group is stored in a secure environment, with strict adherence to internal security protocols, including information security and cybersecurity standards. These security measures are regularly tested to ensure the ongoing privacy and protection of data subjects’ personal data.

Those authorized to process personal data as part of their roles within the CPFL Group are bound by confidentiality agreements and are committed to safeguarding the privacy of data subjects.

A personal data incident occurs when personal data is improperly disclosed or accessed by unauthorized third parties.

Important: No security system is foolproof, whether online or offline (consider how many homes with locks, surveillance cameras, and security measures have still experienced break-ins). Similarly, the CPFL Group is not immune to malicious attempts at unauthorized access and could potentially be targeted by fraud, cybercrime, or other security breaches. Nevertheless, we are fully prepared to address such situations.

Should a personal data exposure occur, the CPFL Group will take all necessary measures to eliminate or minimize the impact on your privacy. This includes activating our incident response plan, which features established procedures and data analysis techniques, including forensic analysis, to help our teams identify, monitor, report, and assess the severity of the event, as well as resolve data breach incidents.

If a data incident results in significant risks or harm to the privacy of the data subject, the CPFL Group will notify both the affected data subject and the National Data Protection Authority (ANPD), providing details about the event, its impacts, and the actions taken to mitigate risks, in accordance with the LGPD, the regulations of the ANPD and, when applicable, other relevant sector regulators.

To communicate with the data subject, the CPFL Group will use the contact channels available at the time, which may include phone, email, or letter, at the CPFL Group's discretion.

For active clients (with active contracts), the preferred method of communication will be the email address registered in CPFL Group’s database. Please ensure your contact information is always up to date.

Cookies are files containing an identifier (a sequence of letters and numbers) that your browser stores when you access websites and applications online.

In general terms, the browser you use maintains a list of internet user identifiers, and when you visit a website or application, the identifier for your device (such as a smartphone, laptop, computer, or tablet) is activated. Your browser then locates this number in its list of identifiers and automatically informs the CPFL Group website or application that this code is browsing. Please note that if you are not logged into our website or application (i.e., you have not accessed it with a username and password), it is very difficult for the CPFL Group to identify you.

The CPFL Group collects cookies required for the operation of our website or app (in other words, to enable the use of its features), with operational analytics purposes to facilitate navigation, better understand and optimize site/session performance, assess the most viewed pages, identify bounce rates, and deliver more relevant content to users browsing our sites and apps.

You may configure your browser to block cookies during your visit; however, some features of the website or app may not function properly. Please refer to your browser’s help section to learn how to disable cookies.

The Data Protection Officer is the individual appointed by the Controller or Operator to serve as the primary point of contact between them, the National Data Protection Authority (ANPD), and data subjects. Denise Ramos de Lima currently serves as our DPO, supported by a dedicated team responsible for assisting data subjects in exercising their rights under the LGPD. This team follows established procedures to ensure your requests are handled securely and efficiently, providing you with high-quality information and support.

In the event of absence, unavailability, or vacancy of the Data Protection Officer, the alternate DPO, Nadine Emile Marostegan Prado, will act as the DPO.

All inquiries from data subjects and other interested parties should be directed through the designated data subject communication channel (see the link in question 3 of this document).

The exclusive communication channel for receiving notifications and communications from the ANPD is privacidade@cpfl.com.br.

Note: Data Protection Officers are not authorized to respond to inquiries submitted through channels other than the one officially specified in this privacy notice.
Please note that our employees’ social media profiles are private and must not be used for work-related purposes. Therefore, our Data Protection Officer is not authorized to address questions or fulfill requests made through any channel other than the one specified in item 3 above.

To maintain accuracy and transparency, we reserve the right to update this notice at any time. The most recent version will always be accessible on our institutional website.

CPFL ENERGIA GROUP: All companies governed and directly or indirectly controlled by the CPFL Energia Group:

DISTRIBUTION COMPANIES:

COMPANHIA PAULISTA DE FORÇA E LUZ, CNPJ: 33.050.196/0001-88, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

COMPANHIA PIRATININGA DE FORÇA E LUZ, CNPJ: 04.172.213/0001-51, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

RGE SUL DISTRIBUIDORA DE ENERGIA S.A., CNPJ: 02.016.440/0001-62, Address: Avenida São Borja, nº 2.801, Bairro Fazenda São Borja – CEP: 93032-525, São Leopoldo - Rio Grande do Sul;

COMPANHIA JAGUARI DE ENERGIA ("CPFL SANTA CRUZ") – CNPJ: 53.859.112/0001-69 – Address: Rua Vigato, 1620 - Térreo - CEP: 13820-000 - Jaguariúna/SP.

ELECTRICITY TRADING COMPANIES:

CLION ASSESSORIA E COMERCIALIZAÇÃO DE ENERGIA ELÉTRICA LTDA. (Trade name: CPFL Meridional) – CNPJ: 04.785.914/0001-66, Address: Rua Vigato, 1620 - 1 And, SL 7, Bairro Joao Aldo Nassif, CEP: 13916-070 - Jaguariúna/SP;

CPFL COMERCIALIZAÇÃO BRASIL S.A. – CNPJ: 04.973.790/0001-42, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL BRASIL VAREJISTA DE ENERGIA LTDA. – CNPJ: 22.141.909/0001-00, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

SUL GERADORA PARTICIPAÇÕES S.A., CNPJ: 02.689.862/0001-07, Address: Rod. Engenheiro Miguel Noel Nascentes Burnier, 1755 - Km 2,5 Bloco 06, térreo, Sala 02 - Parque São Quirino - CEP: 13088-140 - Campinas/SP;

CPFL COMERCIALIZAÇÃO DE ENERGIA CONE SUL LTDA., CNPJ: 02.190.883/0001-75, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL PLANALTO LTDA., CNPJ: 02.150.562/0001-47, Address: Rua Vigato, 1620 - 1º andar - sala 07 - João Aldo Nassif - CEP: 13916-070 - Jaguariúna/SP.

ELECTRICITY GENERATION COMPANIES:

CPFL JAGUARI DE GERAÇÃO DE ENERGIA LTDA., CNPJ: 07.137.154/0001-79, Address: Rua Vigato, 1620 - Térreo - Sala 2 - CEP: 13916-070 Jaguariúna/SP;

CPFL TRANSMISSÃO DE ENERGIA PIRACICABA LTDA., CNPJ: 17.079.395/0001-62, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL TRANSMISSÃO DE ENERGIA MORRO AGUDO LTDA., CNPJ: 21.986.001/0001-27, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL TRANSMISSÃO DE ENERGIA MARACANAÚ LTDA., CNPJ: 31.161.310/0001-11, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL TRANSMISSÃO DE ENERGIA SUL I LTDA., CNPJ: 33.062.635/0001-72, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL TRANSMISSÃO DE ENERGIA SUL II LTDA., CNPJ: 33.062.600/0001-33, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL ENERGIAS RENOVÁVEIS S.A., CNPJ: 08.439.659/0001-50, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL TRANSMISSÃO (CEEE-T), CNPJ: 92.715.812/0001-31, Address: Rua Dr. João Inácio, 859, Navegantes, Porto Alegre, Rio Grande do Sul, CEP 90230-181.

SERVICES:

CPFL SERVIÇOS, EQUIPAMENTOS, INDÚSTRIA E COMÉRCIO S.A., CNPJ: 58.635.517/0001-37, Address: Avenida dos Braghetta, 364 - CEP: 13720-000 - S. José do Rio Pardo/SP;

CPFL ATENDE CENTRO DE CONTATOS E ATENDIMENTOS LTDA., CNPJ: 09.606.475/0001-09, Address: Rua Antonio Carlos Mori, 677, Sala B - CEP: 19900-080 - Ourinhos/SP;

CPFL EFICIÊNCIA ENERGÉTICA LTDA., CNPJ: 18.710.670/0001-67, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

CPFL GERAÇÃO DISTRIBUÍDA DE ENERGIA LTDA (GD), CNPJ: 23.842.913/0001-50, Address: Rua Jorge de Figueiredo Correa, 1632 - parte - Jardim Professora Tarcilia - CEP: 13087-397 - Campinas/SP;

NECT SERVIÇOS ADMINISTRATIVOS DE INFRAESTRUTURA LTDA. (Trade name: CPFL Infra) – CNPJ: 08.971.542/0001-13, Address: Avenida Presidente Vargas, 2.921, 10º andar, Vila Homero, CEP 13338-705, Indaiatuba/SP;

NECT SERVIÇOS ADMINISTRATIVOS DE RECURSOS HUMANOS LTDA. (Trade name: CPFL Pessoas) – CNPJ: 34.050.376/0001-22, Address: Avenida Presidente Vargas, n° 2.921, 11º andar, Vila Homero, CEP 13338-705 - Indaiatuba/SP;

NECT SERVIÇOS ADMINISTRATIVOS FINANCEIROS LTDA. (Trade name: CPFL Finanças) – CNPJ: 34.047.930/0001-12, Address: Avenida Presidente Vargas, n° 2.921, 13º andar, Vila Homero, CEP 13338-705 - Indaiatuba/SP;

NECT SERVIÇOS ADMINISTRATIVOS DE SUPRIMENTOS E LOGÍSTICA LTDA. (Trade name: CPFL Supri) – CNPJ: 34.049.289/0001-55, Address: Avenida Presidente Vargas, n° 2.921, 9º andar, Vila Homero, CEP 13.338-705 - Indaiatuba/SP.

Biometrics – Physical or behavioral characteristics of an individual, such as fingerprints collected during transactions at ATMs in your financial institution, or unlocking a mobile device using fingerprint or facial recognition.

LGPD (Brazilian General Data Protection Law) – It sets guidelines for how third parties may use your personal data in business activities.

ANPD (National Data Protection Authority) – The highest authority for data protection, responsible for ensuring compliance with personal data protection standards, issuing rules and procedures as established by the LGPD, consolidating interpretations on data protection topics, requesting information from companies regarding data processing, maintaining records and monitoring data subject complaints, as well as overseeing and imposing sanctions on data controllers and operators.

Legal authorization for the processing of personal data – The law specifies the circumstances under which the Controller may process personal data. Below, we highlight the most relevant legal bases for the processing purposes described in this document. Note that no legal basis is inherently more important than the other; rather, the most appropriate basis is determined by the specific purpose of the processing: (i) consent (when authorization is required); (ii) compliance with legal or regulatory obligations (when a law, regulation, or court order authorizes or requires data processing, such as for energy bill information); (iii) steps prior to entering into or performing a contract (for example, when a client requests a new energy connection or a change in an existing connection); (iv) legitimate interests of the controller or third parties (there must be a balance between the legitimate interests of the organization or third parties and the rights and expectations of data subjects; Sensitive Data CANNOT be processed under this basis); (v) credit protection (only for data that is NOT classified as sensitive); (vi) regular exercise of rights in judicial, administrative, or arbitration proceedings (to defend the rights of the Controller or third parties); (vii) protection of life or physical safety of the data subject or others; (viii) health protection, in a procedure carried out by healthcare professionals, health services, or public health authorities; (ix) fraud prevention in identification and authentication processes for electronic system registrations (applicable only to Sensitive Data).

Controller – This is the entity responsible for making decisions regarding the processing of personal data.

Personal data – These are pieces of information related to a data subject that enable their identification. For example, your full name, email, your parents’ names, and your date of birth are all considered personal data.

Sensitive personal data includes information about racial or ethnic origin, religious beliefs, political opinions, union membership, affiliation with religious, philosophical, or political organizations, as well as data related to health, sexual life, genetics, or biometrics. For the purposes of this privacy notice, whenever we refer to personal data, we are referring to both sensitive and non-sensitive personal data.

Data center – A data processing facility that houses a wide range of servers and databases.

Website and applications – Refers to the CPFL Group's websites and applications.

Data subject – The individual, either identified or identifiable, whose personal data is being processed. Therefore, the individual for whom this privacy notice is intended.

Processing – Any and all operations carried out with personal data, which includes the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction. Thus, whenever we use the term "processing" we are referring to any of these activities.?