PRIVACY NOTICE - DIGAÍ Public Version - January 2026

IMPORTANT NOTICE REGARDING SCOPE


This document establishes two distinct personal data processing regimes depending on the context of use of the DigAÍ platform, in compliance with Law No. 13.709/2018 (General Data Protection Law - LGPD). The application of each regime depends solely on how the service is contracted and used.


SECTION 1 - CORPORATE USE (B2B) DigAÍ as DATA PROCESSOR


1.1 Scope of Application

This section applies when DigAÍ is used by client companies to conduct their own selection processes, with DigAÍ acting as a technology provider. In this context:

  1. the client company acts as the Personal Data Controller;
  2. DigAÍ acts as the Processor, pursuant to Art. 5, VII, of the LGPD.

1.2 Role of DigAÍ

In the B2B context, DigAÍ commits to:

  1. processing personal data exclusively in accordance with the documented instructions of the Controller Client;
  2. not defining its own processing purposes;
  3. not sharing data with other DigAÍ clients in the context of providing the service to the Controller Client, except when there is specific consent from the data subject for independent processing, as per item 1.8 of this policy. All processing occurs strictly to execute the contract signed with the Controller Client.

1.3 Processing Purposes

Personal data is processed exclusively to:

  1. support the selection process conducted by the Controller Client;
  2. process interviews and evaluations requested by the Controller Client;
  3. operate authorized integrations (e.g., WhatsApp, ATS);
  4. ensure information security, auditing, and fraud prevention.

1.4 Algorithmic Transparency and Absence of Automated Decision-Making

DigAÍ provides artificial intelligence tools aimed at optimizing screening, acting strictly under the parameters defined by the Controller Client, who exercises the role of Data Controller, without producing legal effects or definitive decisions automatically.


1.4.1 Definition of Criteria by the Controller Client

The analysis performed by the AI tool is based exclusively on criteria previously configured by the Controller Client, including but not limited to:

  1. technical and behavioral competencies;
  2. keywords;
  3. weights and evaluation parameters;
  4. requirements defined by the Controller Client's Recruitment and Selection team. DigAÍ does not define, alter, or impose its own evaluation criteria.

1.4.2 Advisory Nature of Automated Analysis

The results generated by the tool, including scores, rankings, or suggestions, are merely advisory and recommendatory in nature, not producing, by themselves, any decision-making effect. The tool does not have the autonomy to eliminate, fail, or pass candidates automatically.


1.4.3 Mandatory Human Decision (Human-in-the-loop)

The final decision of approval, rejection, or advancement to the next stage lies entirely with the human recruiters of the Controller Client, who have access to the candidates' original responses (audio, text, or video) to validate the analysis suggested by the tool.


1.4.4 Compliance with LGPD

Due to the non-decisional nature of the tool:

  1. there is no exclusive automated decision, nor production of legal or significantly relevant effects automatically, pursuant to Art. 20 of the LGPD;
  2. the possibility of human review is ensured;
  3. data subjects' rights are preserved;
  4. decision-making responsibility remains entirely with the Controller Client.

1.5 Data Sharing

In corporate use, personal data may be shared exclusively with:

  1. contracted subprocessors (e.g., AWS, OpenAI, Meta/WhatsApp);
  2. always under contracts containing data protection, confidentiality, and security clauses. Data is not shared with other DigAÍ clients, except as provided in item 1.8.

1.6 Rights of Data Subjects

The exercise of rights provided in Arts. 18 and 20 of the LGPD must be performed directly before the Controller Client. DigAÍ will provide technical and operational support as provided in the contract and any Data Processing Agreement (DPA).


1.7 Contractual Hierarchy

In case of conflict between this policy and the contract signed with the Controller Client, the contractual provisions and the Data Processing Agreement (DPA) shall prevail.


1.8 Optional Inclusion in DigAÍ Talent Pool (Data Subject Consent)

When the candidate participates in a selection process conducted by a Controller Client through the DigAÍ platform, they may be offered, optionally and subsequent to the selection process, the possibility of including their professional profile in the DigAÍ Talent Pool, for the purpose of disclosing new professional opportunities. Inclusion in the Talent Pool:

  1. is not part of the scope of the contract signed between DigAÍ and the Controller Client;
  2. is not automatic, depending on the free, informed, specific, and unequivocal manifestation of the candidate;
  3. occurs exclusively upon explicit consent, collected through a highlighted action (e.g., unselected checkbox);
  4. constitutes independent data processing, distinct from that carried out in the context of the Controller Client's selection process. Upon granting consent, DigAÍ will act as the Data Controller for this specific purpose, being able to share the candidate's profile with companies interested in compatible opportunities, under the terms of SECTION 2 - INDIVIDUAL USE / TALENT POOL (B2C) of this policy. Consent may be revoked at any time, without any prejudice to the candidate or impact on previous selection processes, not applying retroactively to data processed in the context of the selection process conducted by the Controller Client.

SECTION 2 - INDIVIDUAL USE / TALENT POOL (B2C) DigAÍ as DATA CONTROLLER


2.1 Scope of Application

This section applies when DigAÍ offers, independently, services of:

  1. professional connection;
  2. talent pool;
  3. expansion of recruitment opportunities; without a direct link to a specific corporate client.

2.2 Collected Personal Data

The following may be collected:

  1. name, email, and phone;
  2. audio, video, text, and messages sent voluntarily;
  3. technical data, such as IP address, browser, operating system, and access logs.

2.3 Processing Purposes

Personal data may be used for:

  1. evaluation of professional profiles;
  2. connection with interested companies;
  3. continuous improvement of DigAÍ services;
  4. security, auditing, and fraud prevention.

2.4 Data Sharing

Personal data may be shared with:

  1. companies interested in the data subject's professional profile;
  2. technology suppliers and partners;
  3. legal authorities, when required by law. Sharing occurs upon free, informed, and unequivocal consent of the data subject.

2.5 Legal Basis

Data processing in the B2C context is based on consent, pursuant to Art. 7, I, of the LGPD. Consent may be revoked at any time, without prejudice to previously performed processing.


2.6 Use of Artificial Intelligence and Algorithmic Transparency

DigAÍ uses artificial intelligence tools to support the organization, analysis, and recommendation of professional profiles.


2.6.1 Nature of Automated Analysis

The analysis may generate scores, rankings, or recommendations with exclusively informative and guiding purposes, not producing, by itself, legal effects or definitive decisions automatically.


2.6.2 Absence of Exclusive Automated Decision-Making

DigAÍ does not use exclusive automated decisions to eliminate, fail, or prevent the data subject's access to professional opportunities without human intervention.


2.6.3 Rights of the Data Subject

The data subject may, pursuant to Art. 20 of the LGPD:

  1. request information about the general criteria used by the AI;
  2. request clarification on automated decisions;
  3. request human review when applicable.

2.7 Rights of Data Subjects

The data subject may request:

  1. access to personal data;
  2. correction or update;
  3. anonymization, blocking, or deletion;
  4. revocation of consent. Requests should be sent to: contato@digai.ai.

SECTION 3 - SECURITY, GOVERNANCE, AND CONTACT Applicable to B2B and B2C Contexts


3.1 Information Security

DigAÍ adopts adequate technical and organizational measures, including:

  1. encryption of data in transit and at rest;
  2. role-based access control;
  3. continuous monitoring and audit logs;
  4. Privacy by Design and Security by Design principles.

3.2 Updates to this Policy

This policy may be updated periodically. Relevant changes will be communicated through the DigAÍ platform.


3.3 Data Protection Officer (DPO)

Officer: Christian Pedrosa. Substitute: José Melendez. Contact: contato@digai.ai


3.4 Applicable Legislation

This document is governed by the General Personal Data Protection Law (Law No. 13.709/2018).


Copyright © 2026 DigAÍ. All rights reserved.