Last updated: May 2026
PRIVACY POLICY
This Privacy Policy was prepared by VOLKSWAGEN CAMINHÕES E ÔNIBUS LTDA ("VWCO" or "We") and reinforces the company’s commitment to the Brazilian General Data Protection Law (LGPD), highlighting its ethical, transparent and accountable approach to the processing of personal data.
The purpose of this Policy is to clearly and transparently explain, how personal data is collected, used, shared and protected, as well as to inform the rights of the holders and provide contact channels for questions.
VWCO processes personal data only where necessary and for specific purposes, such as enabling services or products, providing support, improving quality, managing the relationship, developing new products, complying with legal or contractual obligations, and improving processes and security.
To make the reading of this Privacy Policy clearer, we provide at the end of the document, in item 10, a set of essential definitions for consultation.
1. What data we collect and for what purposes we use it
We collect personal data based on our relationship with You. Therefore, the data we may collect varies according to your profile and the way You interact with us.
This can happen, for example, when You:
• You are our customer or user of our products and services;
• use our digital channels or contact us through the service channels;
• work within our dealer or service network; or
• act as a third party (e.g., supplier, service provider or visitor)
In general, we use your data only when necessary and for specific purposes, such as: enabling the provision of services, improving our processes and security, developing and improving products and services, and complying with legal obligations, as detailed in this Policy.
We emphasize that, in interactions with dealerships and authorized repair shops in our Network, these partners may process personal data as independent controllers, for their own purposes and in accordance with their respective privacy policies, when applicable. In such cases, VWCO does not determine the purposes and means of this processing. We encourage You to review the privacy policies of these partners for more information about how your data is handled and how to exercise your rights.
The categories of personal data we process and the respective purposes of processing will be detailed at the end of this Policy, attached, according to your relationship with us.
2. How We Collect Your Data
The collection of your personal data may vary depending on the context of your interaction with us. In general, we collect personal data in the following ways:
- Directly with You, in face-to-face interactions or through service channels and digital forms;
- Through your interactions with our website, social media, and other digital platforms;
- Through dealerships and authorized workshops in our Network, when applicable. In these cases, dealers and authorized companies may act as independent controllers and share data with us for specific purposes, for example, service, support, and product/service-related matters;
- Through ACAV – the Brazilian Association of Volkswagen Truck & Bus Dealers, when applicable, for example in institutional actions, communications and initiatives aimed at the Network. In these cases, ACAV and/or associated dealers may process data according to their purposes and responsibilities, and may share data with us when necessary for specific purposes, according to the legal basis and applicable rules;
- During interactions related to the vehicle and services, when You allow;
- In our units, through images from security cameras (CCTV) and other access and security controls;
- Through business partners, contractors and service providers;
- From publicly available sources and third-party databases, when necessary for activities to comply with legal obligations, on a proportionate basis, limited to what is necessary and when permitted by law;
- In connection with companies of the Traton Group, where applicable and in accordance with this Policy; and
- In other specific situations, when You use services, attend events, request information or interact with VWCO through other channels.
3. Who do we share your Data with?
VWCO may share your personal data with third parties when this is necessary. Such sharing is carried out in accordance with the purposes described in this Policy, the limits established by the General Data Protection Law (LGPD), limited to the personal data strictly necessary for each purpose and, when applicable, we adopt contractual, organizational and technical measures to protect the information.
The following are examples of third parties with whom we may share personal data and the most common purposes for which we share it:
- Carriers and logistics processors: to enable the delivery of products, we may share data with carriers and logistics partners.
- Service providers, representative entities and business partners: to carry out administrative and operational activities, support, security, marketing, process standardization, service and improvement of products and services.
- Financial institutions: to enable financing, when You request it.
- Technology partners and processors: for services such as hosting, cloud storage, management software (e.g., CRM) and other services necessary for the operation.
- Payment gateways and service providers: for processing, authorisation and management of financial transactions and means of payment.
- Traton Group companies: where necessary, we may share personal data between Traton Group companies for operational, administrative, support and/or fulfillment purposes.
- Dealerships, authorized workshops and service network: when necessary to enable sales, support, warranty, technical campaigns, recalls and operational processes. Dealers and authorized companies may act as independent controllers, according to their own purposes and privacy policies, when applicable.
- Public authorities: judicial, administrative or governmental authorities, when there is a legal/regulatory obligation, determination or specific order.
- Audits and consultancies: accounting, legal and compliance services, when necessary, through confidentiality agreements and other applicable safeguards.
- Commercial and service partners (events and joint initiatives): to enable events and actions carried out jointly by VWCO and partners.
4. International transfers
In some cases, VWCO may transfer your personal data to Traton Group companies, business partners and service providers located outside of Brazil. Such transfers may occur only when necessary to provide, offering, and improvement of products and services, as well as the storage, support, and secure operation of our systems and databases, where applicable.
In these cases, the transfer will occur with the adoption of technical and organizational security measures, in accordance with the applicable legislation.
Where applicable, VWCO adopts the safeguards provided for in Article 33 of the LGPD and in the International Data Transfer Regulation (e.g., Standard Contractual Clauses approved by the ANPD, pursuant to Resolution CD/ANPD No. 19/2024).
In addition, where applicable, VWCO may provide information on international transfers made and the safeguards adopted, upon request through the channels indicated in this Policy.
5. How we protect your data
During the processing of your data, we adopt technical and organizational measures to protect your personal data and reduce risks, maintaining compliance with the LGPD and other applicable laws. Among these measures, we can mention:
- Access control: to ensure that only authorized users have access to your data, as needed for use;
- Encryption of data;
- Registration and monitoring of systems: to prevent and detect improper access and incidents;
- Internal security policies and procedures;
- Periodic tests and evaluations: to verify and improve the effectiveness of controls;
- Supplier assessment and management: to ensure adequate levels of data protection;
- Training and awareness of employees on privacy and security;
- Backups and data recovery procedures to protect against loss and unavailability; e
- Incident prevention and response procedures, including investigation, containment and mitigation measures, where applicable.
Despite these measures, no environment is completely risk-free. Therefore, we recommend that You also adopt security measures and good practices when using our channels and services, such as protecting your passwords, not sharing credentials, and being suspicious of unusual requests.
If You notice any suspicious activity, we ask that You immediately report it to us through the service channels indicated in this Policy, so that we can assess the situation and take appropriate action.
When sharing occurs with processors (providers who process data on our behalf), it will be carried out with appropriate security measures, in order to protect the privacy of your personal data. When sharing occurs with other controllers, each organization will be responsible for its own processing of personal data, in accordance with its purposes and privacy policies.
6. Retention and disposal
We keep your personal data only for as long as necessary to fulfill the purposes of the Policy and legal, regulatory or contractual obligations. We use internal criteria to define retention periods, considering the type of data, purpose and relationship with the holder. In some cases, data may be kept in backups for security and integrity reasons, and may be deleted at the end of these cycles. After the retention period, the data is securely deleted or anonymized, according to the legislation.
7. Rights of Data Subjects
As a data subject, You have rights that can be exercised before VWCO at any time and free of charge, under the terms of the LGPD. Your rights include:
- Confirmation of the existence of processing.
- Access to your personal data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking or deletion of data that is unnecessary, excessive or processed in violation of the law.
- Portability of your personal data, where applicable and subject to legal requirements.
- Deletion of personal data processed on the basis of consent, where applicable (e.g. after revocation of consent for certain purposes, such as marketing cookies).
- Information about the public and private entities with which we share data.
- Information on the possibility of not providing consent and on the consequences of refusal, when the processing is based on consent.
- Revocation of consent, where applicable.
- Objection to processing carried out based on legal grounds other than consent, where there is non-compliance with the LGPD.
- Review of decisions made solely on the basis of automated processing of personal data that affect your interests, including decisions aimed at defining your personal, professional, consumer and credit profile or aspects of your personality.
To exercise any of these rights, please send a message to the Data Protection Officer (DPO) using the contact details indicated below. In some cases, to protect You from fraud, we may ask You for additional information to confirm your identity, where applicable.
Where VWCO has legal obligations to comply with or where the exercise of the right depends on requirements provided for by law, some of these rights may not be fully available or may only be partially fulfilled. In these cases, we will explain the reasons and, when possible, indicate the measures that can be adopted to make the service viable.
8. Use of AI
VWCO may use artificial intelligence systems, automated tools and other digital technologies to support activities related to the employment relationship management relationship, such as information organization, document analysis, support for internal processes, improvement of operational efficiency, information security, fraud prevention, response to requests and generation of internal metrics and insights. The use of these tools will comply with the purposes set forth in this Policy, the applicable legal bases, the principles of necessity, transparency, security and non-discrimination, as well as internal controls to limit access to and processing of personal data to what is strictly necessary.
Where third-party vendors or solutions are used, VWCO will adopt appropriate contractual, technical and organisational measures to protect the personal data processed. Whenever decisions that may significantly affect the interests of employees are supported by automated technologies, the applicable safeguards will be observed, including the possibility of human intervention, review and exercise of the rights provided for in the LGPD, when applicable.
9. DPO
If You have any questions or wish to exercise your rights as a Data Subject, You can contact our Data Protection Officer (DPO), Giovanna Bonucci, through the Portal:
Form or by email: dpvwco@volkswagen.com.br
10. Updates to this Policy
We may update this Policy to reflect legal, regulatory, or operational changes and users will be notified in the event of material changes.
11. Definitions
To make this Privacy Policy easier to understand, we have gathered below some important definitions:
| Term | Meaning |
|---|---|
| Personal Data | Information related to an identified or identifiable natural person, which allows the identification of the person directly (e.g., name, CPF) or indirectly (e.g., e-mail, telephone, address, electronic identifiers). |
| Data Subjects | The identified or identifiable natural person(s) to whom the Personal Data belongs or relates. |
| Data processing | Any operation performed on Personal Data, such as collection, use, access, storage, organization, sharing and deletion. |
| Controller | Natural or legal person, under public or private law, who is responsible for decisions regarding the Processing of Personal Data, especially as to its purposes and means. In general, VWCO acts as a controller in the activities described in this Policy. |
| Processors | Natural or legal person, under public or private law, who carries out the Processing of Personal Data on behalf of the Controller, upon documented instructions from the Controller. |
| Data Protection Officer (DPO) | Person appointed to act as a communication channel between VWCO, data subjects and the National Data Protection Agency (ANPD), under the terms of the LGPD. |
| Data sharing | Provision or transfer of Personal Data to third parties, when necessary and for legitimate purposes, subject to the LGPD. |
CUSTOMER DATA
If You are one of our Customers of Products and Services, we may use your personal data for purposes related to the provision of services, fraud prevention, compliance with legal obligations and others.
The following are the types of personal data that may be used and their purposes:
| Types of personal data used | Purpose of use |
|---|---|
| Identification and registration data: name, CPF, RG, date of birth, corporate name and, when applicable, data of the company's legal representative or attorney-in-fact | Identify the customer, create and maintain registration in our databases, confirmation of identity, product offering, facilitate purchases, service and provision of services, comply with legal and regulatory obligations and for fraud prevention. |
| Contact data and address: email, phone, address, city, state, contact preferences | Fulfillment of requests, sending operational communications, sending promotional offers, sending important notices such as technical campaigns/recalls when applicable, relationship management, support and feedback on requests made by You. |
| Network relationship data: dealers for service, service history, protocols, service records | Provide service and support, audit and internal control, resolution of complaints and disputes and legal exercise of rights. |
| Purchase and service contracting data: proposals, orders, quotes, contract, payment method, receipts, billing, invoice, delivery | Process purchases made with us, including billing and delivery of vehicles or services, administrative management of VWCO, comply with tax and accounting obligations, execution of contract and exercise of legal rights. |
| Financing data: registration data for proposal, information needed for credit analysis, insured asset data, policy data | When You request, to enable simulation of financing with banking institutions, submission of proposal and contracting. In general, financial institutions and insurance companies may process data as independent controllers, according to their policies, where applicable. |
| Vehicle data: license plate, RENAVAM, chassis, model, year, version, items and configurations, ownership/possession data, engine number and technical information | Link the Holder to a particular vehicle or identify it, provide support, perform maintenance, warranty maintenance, fraud prevention and compliance with legal/regulatory obligations. |
| Vehicle technical data, aftermarket and services: service orders, warranty history, services performed, technical diagnostics, schedules, dealership checklists, technical claims log, component status, fault/diagnostic codes, software version, technical logs, performance information, system integrity/safety | Diagnosis and maintenance, fault update, technical analysis, provide repair or warranty-related services, maintain safety and quality, perform improvements, comply with regulatory and safety obligations. |
| Data from the use of digital channels: registrations and forms on the website, downloads, event registration, preferences, access logs, session identifiers, cookies and similar technologies | Operate and protect the website, measure performance and improve the Holder's experience on our platforms, respond to requests, personalize content and communications, where applicable. |
| Marketing data and preferences: interests, commercial targeting, campaign history, purchases, consents/opt-in and opt-out, communication preferences | Send communications about our products, services, events and content, allow the management of preferences, measure the effectiveness of our campaigns, avoid unwanted contacts, conduct surveys, offer shopping incentives, comply with consent rules when applicable. |
| Data required for legal obligations and advocacy: documents, transaction records, evidence of compliance, consent records, communications | Comply with legal/regulatory obligations, respond to authorities, exercise rights in administrative/judicial proceedings, prevention and investigation of fraud/irregularities, audits and compliance. |
| Participation data in VWCO programs, events and actions: registration for training, relationship campaigns, satisfaction surveys, technical/operational events | Carry out the relevant activity, measure satisfaction and quality, improve products and services and maintain a relationship with You. |
| Compliance, integrity and due diligence data: information for integrity verification and evidence | Compliance with internal policies and compliance requirements, compliance with legal or regulatory obligations.
|
SUPPLIERS, THIRD PARTIES, BUSINESS AND OPERATIONAL PARTNERS
If You are a supplier, service provider, business or operating partner, your personal data may be used to enable the business relationship and the execution of contracts, comply with security requirements and comply with legal obligations. The following are the types of personal data that may be used and their purposes:
| Types of personal data used | Purpose of use |
|---|---|
| Identification and registration data of the supplier: corporate name, CNPJ card data, business address, legal representative data or | Registration and qualification of suppliers in VWCO's systems, establish commercial relationship, database maintenance, send and formalize contracts, execution of contracts, compliance with legal and tax obligations. |
| Identification data of the Third Party, to organize VWCO units: personal documents such as CPF and RG or address | Issuance of air tickets and transfers for suppliers who need to visit our facilities and access control to our units. |
| Contact/representative identification data: name, title, signature and identification document when required | Identify those responsible for the Company, formalize signatures, register requests and authorizations, prevent fraud and support governance and internal control activities. |
| Contact data: corporate email, telephone, professional address | Establish communication with those responsible for the supplier, support, registration in systems, sending contractual and administrative communications. |
| Compliance, integrity, and due diligence data, where applicable: information for integrity checks, conflicts of interest, sanctions, restrictive lists, statements, and evidence | Compliance with internal policies and compliance requirements, prevention and detection of fraud and legal irregularities, risk management, compliance with legal/regulatory obligations. |
| Technical qualification data and certifications: professional certifications, required training, qualification records, specific authorizations | Verify technical aptitude to perform internal or external work, comply with legal requirements, comply safety and quality requirements, comply regulatory and auditing requirements and release access to carry out activities. |
| Access data to the units and property security: entry/exit registration, badge, visitor's vehicle data, CCTV images when existing | Access control to our premises, security of people and property, traceability, registration of occurrences and internal investigations. |
| Occupational health and safety data, when required for internal access and activity: ASO and information necessary to comply with OSH standards | Comply with health and safety standards, control of access to operational areas, exercise of rights, prevention of accidents, and investigation of internal occurrences and compliance with legal obligations. |
| IT data and access credentials: corporate user, access logs, authentication logs, permissions, identification in systems, VPN when applicable | Grant and administer access to systems, environments, and connection networks, comply with information security requirements, comply auditing requirements, and for incident prevention and response |
| Communication and service records: emails, calls, tickets, recordings when applicable, history of negotiations | Monitor requests made, ensure quality and traceability, contract execution, auditing, conflict resolution and process improvements. |
| Data related to logistics and operation: identification of drivers, delivery people or third parties, record of collections or deliveries, proof of receipt | Enable logistical issues, such as deliveries and withdrawals, contract execution, internal activities, security, traceability, incident management and quality. |
| Data required for legal obligations and advocacy:documents and records linked to contracts, audits, investigations, litigation | Compliance with legal/regulatory obligations, exercise of legal rights, dispute resolution and management, and response to requests from authorities. |
VISITORS AND JOURNALISTS
If You are a visitor to one of our units or maintain institutional contact with us, your personal data may be used to organize and enable the visit, maintain the security of our facilities or maintain the institutional relationship, when applicable.
The following are the types of personal data that may be used and their purposes:
| Types of personal data | Purposes (what we use it for) |
|---|---|
| Identification and contact data of journalists and press contacts: name, vehicle/company, e-mail, telephone, position, editorial, city/state | Maintain institutional and press relationships; sending communications and materials (mailing); meeting journalistic demands; organization of interviews, agendas and events. |
| Records of communication with journalists: contact history, emails, invitations, confirmations, returns and receipt/opt-out preferences | Manage requests and relationship; prove services and communications; improve contact efficiency; respect communication preferences and avoid unwanted contact. |
| Visitor data: name, identification document and contact data when required, entry/exit record, company/area visited when applicable, vehicle data, CCTV images when existing | Access control and property and people security, carrying out integration activities, organizing and managing visits (including institutional and factory visits), recording occurrences, compliance with internal security requirements. |
NETWORK AND DEALERS
If You work in our commercial network or distribution partners, your personal data may be used to enable communication and operational support, manage access to systems, ensure process traceability, and comply with quality, security, and compliance requirements. The following are the types of personal data that may be used and their purposes:
| Types of personal data | Purposes (what we use it for) |
|---|---|
| Identification and contact details of representatives: name, corporate email, telephone number, job title, company/unit, city/state | Management of the relationship with the Network, operational communication, support and clarifications to dealers. |
| Credentials and system access data: user, permissions, authentication, access logs, audit trails | Grant and manage access to systems and network, information security, traceability, auditing and prevention of security incidents. |
| Sales and after-sales operational records linked to customer service: protocols, referrals, warranty/campaign records, status of requests | Enable support to the end customer and network employees, warranty management and technical campaigns, process standardization, quality control and compliance. |
| Training and enablement data: registration, attendance, certifications, completion records | Technical qualification, employee training, compliance with quality and safety standards, training traceability. |
| Communication and support records: emails, tickets, meetings, minutes and negotiations | Monitor demands, contract execution, maintenance of quality standards, auditing, process improvement, conflict management and compliance. |
| Compliance and integrity data: statements, verifications, audit logs, evidence | Comply with internal policies, risk management, prevention, detection of irregularities, compliance with obligations, audits and compliance and legal obligation. |
| Unit access/property security data: entry/exit registration, badge, visitor vehicle data, CCTV images when existing | Access control, security of people and property, registration of occurrences and internal investigations and compliance with internal security requirements, when applicable. |
| Data required for legal obligations and advocacy: documents and records related to contracts, audits, investigations and litigation | Compliance with legal/regulatory obligations, assistance to authorities, exercise of legal rights. |
SERVICE CHANNEL USERS
If You are a user of our website or other service channels, your personal data may be used to enable and maintain our communications, respond to and follow up on your requests, improve our channels and strengthen the security of these interactions, as applicable.
The following are the types of personal data that may be used and their purposes:
| Types of personal data (suppliers and representatives) | Purposes (what we use it for) |
|---|---|
| Identification and contact data: name, e-mail, telephone number, city, state and other data that You provide during the contact | Attend and return requests made by You, register and monitor protocols, direct your demand to the responsible area, when necessary. |
| Information sent by You on service channels or social networks: messages, requests, attachments and other data entered in forms, chat, email or telephone | Provide support, respond to requests, improve processes and quality of service and maintain a history of dealings. |
| Technical browsing and device data: IP, browser, operating system, logs and session identifiers | Operate, maintain and secure our digital channels, prevent fraud, diagnose failures, improve performance and security. |
| Records of the service performed on our Channels: protocols, date, time, history of interactions and recordings when applicable | Service management, auditing and internal controls, resolution of complaints and disputes, prevention of fraud and abuse, and exercise of legal rights. When there is a recording, it can be used to prove service, quality, training and safety, if necessary. |
| Cookies and similar technologies, where applicable, as You choose. | Ensure the operation of the website, remember preferences, measure audience and improve content, personalize experience and communications when applicable. |
| Preferences and consents: opt-in/opt-out and consent records | Manage communications, respect your choices, manage compliance with the LGPD and avoid unwanted contacts. |
| Data required for legal obligations and advocacy: records and evidence linked to the use of service channels | Comply with legal/regulatory obligations, respond to authorities, exercise rights and defend themselves in administrative or judicial proceedings. |
If the service is carried out with the support of service providers (e.g. service platform or call center), these third parties may process personal data on behalf of VWCO, with security measures and contractual obligations, where applicable.