Global Data Privacy Policy
Policy Name: Global Data Privacy Policy (GDPP)
Purpose: To define how Nextracker Inc. collects, uses, protects, and shares personal data in compliance with GDPR, CCPA, LGPD, EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and other applicable laws.
Effective Date: June 1, 2025
Policy Owner: Bruce Ledesma, General Counsel, Chief Compliance and Ethics Officer, and Data Privacy Officer
Policy Contact: Maria Casablanca, Senior Compliance Counsel, and Data Privacy Coordinator
Executive Sponsor: Pranab Sinha, Chief Information Officer
Applicability: Management is responsible for establishing processes that ensure compliance with all applicable data protection and privacy laws. All employees must adhere to these principles when handling personal data in the course of their work. This responsibility also extends to external business partners who process personal data on behalf of Nextracker.
Release Date: Q1 2026
Version History: Version 1.0
Approved by: Audit Committee
Approved Date: May 23, 2025
Table of Contents
Section | Title
1 | Introduction
2 | Data Protection Principles
3 | Data Controller Information
4 | Collection of Personal Information
5 | Use of Your Data
6 | Legal Basis for Processing
7 | Data Sharing
8 | International Transfer of Personal Information
9 | Data Retention
10 | Your Rights Under GDPR
11 | Minors
11.1 | Children’s Privacy (COPPA Compliance)
12 | Links to Other Websites
13 | E-mail Communication
14 | Data Security
15 | Cookies and Tracking Technologies
16 | Policy Updates
17 | Breach
18 | Additional Privacy Commitments
18.1 | Sensitive Personal Information (SPI)
18.2 | Third-Party Processors and Contractual Safeguards
18.3 | Automated Decision Making and Profiling
18.4 | Employee Training and Awareness
18.5 | Record of Processing Activities (RoPA)
18.6 | Contact and Escalation for Privacy Complaints
Appendix A | Country-Specific
I | California Residents
II | EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)
III | Brazilian Residents (LGPD)
Appendix B | Glossary of Key Terms
INTRODUCTION
Nextracker Inc., including its subsidiaries (collectively, “Nextracker” or the “Nextracker Group”)1, a global leader in solar tracking solutions, is committed to protecting your privacy and ensuring the security of your personal data. This Global Data Protection Policy (GDPP) outlines how we collect, use, and safeguard your information in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
The relevant Nextracker entity that is responsible for your personal information will be the Nextracker entity to which you provided your personal information. However, as we may share your personal information within the Nextracker Group, other Nextracker Group entities may also use your personal information in accordance with this GDPP.
Please read this GDPP carefully to understand our policies and practices regarding your personal information and how we will use such information. If you do not agree with these policies and practices, please do not use the Websites2. By accessing or using the Websites and our services, you agree to our collection, use and disclosure of your personal information.
1 The term “Nextracker,” the “Company,” “we,” “us,” and “our,” may refer to Nextracker Inc. or one or more of the Nextracker Inc. subsidiaries or to all these entities taken as a whole. All these terms are used for convenience only and are not intended as a precise description of any of the separate companies.
2 Website(s) include but are not limited to: Corporate website, Investor Relations website, and Customer facing software tools, including third party tools.
DATA PROTECTION PRINCIPLES
Nextracker is not in the business of selling your information. We consider this information to be a vital part of our relationship with you. Any use of your information by Nextracker must be justified in accordance with the following legal grounds:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by regulations in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
DATA CONTROLLER INFORMATION
Nextracker Inc. is the data controller responsible for processing your personal data. If you have any questions about this policy, you can contact us at:
- Email: dpo@nextracker.com
- Address: 6200 Paseo Padre Parkway, Fremont, CA 94555
COLLECTION OF PERSONAL INFORMATION
Nextracker collects personal data that you provide to us directly or through interactions with our website, products, and services. You may also provide Nextracker with personal information in other ways, such as if you communicate with us through social media or participate in our promotions.
Personal Data: We collect Personal Data from you when you voluntarily provide such information, such as when you contact us with inquiries, respond to one of our surveys, register for access to areas of our website, or use our products and services. Whenever and wherever Nextracker collects Personal Data, you should see a link to this Privacy Policy.
Non-Identifiable Data: When you interact with Nextracker through our website, products, or services, we receive and store certain personally non-identifiable data. Such data, which is collected passively using various technologies, cannot presently be used to specifically identify you. Nextracker may store such data itself, or such data may be included in databases owned and maintained by Nextracker affiliates, agents or service providers. As part of our products and services, we may pool this data and use it with other information to track, for example, the total number of visitors to our website, the number of visitors to each page of our website, and the domain names of our visitors’ Internet service providers. It is important to note that no Personal Data is available or used in this process.
Aggregated Personal Data: In an ongoing effort to better understand and serve the users of the website and our products and services, Nextracker often conducts research on its customer demographics, interests and behavior based on personal data and other information provided to us. This research may be compiled and analyzed on an aggregate basis, and Nextracker may share this aggregate data with its affiliates, agents and business partners. This aggregate information does not identify you personally. Nextracker may also disclose aggregated user statistics to describe our services to current and prospective business partners, and to other third parties for other laws.
USE OF YOUR DATA
Nextracker processes personal data for purposes including, but not limited to, the following:
- To provide and improve our services: Ensuring optimal functionality of our products and support services.
- To communicate with you: Sending product updates, newsletters, and responding to inquiries.
- To carry out selection processes: Evaluating your profile and candidacy when you apply to work for us.
- To comply with legal obligations: Ensuring regulatory compliance and enforcing contractual agreements.
- For marketing and analytics: Enhancing user experience, analyzing website traffic, and personalizing content.
LEGAL BASIS FOR PROCESSING
Nextracker is not in the business of selling your information. We consider this information to be a vital part of our relationship with you. Any use of your information by Nextracker must be justified in accordance with the following legal grounds:
- Consent: When you opt-in to marketing communications or cookies. We use a double opt-in process to ensure your explicit consent. After signing up, you will receive an email requesting confirmation of your subscription before we send further communications. Evidence of opt-in consent shall be kept with the personal data. The option for you to revoke your consent will be in place to ensure that you can revoke your consent and that the revocation is reflected accurately in Nextracker’s systems.
- Contractual Necessity: When processing is required to fulfil a contract or to take steps at the request of the data subject prior to entering into a contract.
- Legal Obligation: When required by law to retain certain records.
- Legitimate Interest: To improve services and business operations, provided such interests do not override your rights.
DATA SHARING
We do not sell or rent your personal data. However, we may share your data with:
- Service Providers: Vendors assisting with IT, marketing, payroll, benefits, and customer support.
- Affiliates and Partners: For business operations and service enhancements.
- Regulatory Authorities: When required to comply with legal requests.
INTERNATIONAL TRANSFER OF PERSONAL INFORMATION
Due to the global nature of our business, we may transfer personal information to other Nextracker Group entities, suppliers and other recipients located in different countries, including to countries outside of the European Economic Area (“EEA”) or the United Kingdom (“UK”). Where we transfer your personal information to recipients in countries not considered to provide an adequate level of data protection, we will take steps to ensure your personal information is protected and safeguarded. Such steps include entering into EU Standard Contractual Clauses (“SCCs”) with the recipient or seeking assurances from them that they have Binding Corporate Rules (“BCRs”) in place. BCRs are data protection policies adhered to by companies established in the EU and UK for transfers of personal information outside of the EU and UK within a corporate group.
DATA RETENTION
We will retain your personal information for no longer than is necessary for the provision of the products and/or services, internal analytical purposes, recruiting purposes, or to comply with our legal obligations, resolve disputes and enforce agreements (e.g., settlement). The criteria used to determine the retention periods include:
- how long the personal information is needed to provide the products and/or services and operate the business;
- the type of personal information collected; and
- whether we are subject to a legal, contractual or similar obligation to retain the data (e.g., mandatory data retention laws, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation or disputes).
Once no longer needed, data is securely deleted or anonymized.
YOUR RIGHTS UNDER GDPR
As an individual under GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccuracies in your data.
- Erasure: Request deletion of your data under certain conditions.
- Restriction: Limit processing your data in specific circumstances.
- Portability: Receive your data in a structured format for transfer.
- Objection: Object to data processing for marketing purposes.
- Withdraw Consent: Withdraw consent at any time where applicable.
To exercise your rights, contact us at dpo@nextracker.com.
MINORS
You must be at least 16 years old to use our websites and other digital offerings. We do not knowingly solicit or collect personal information from individuals under the age of 16. If we become aware that we have received such information, or any information in violation of this policy, we will make reasonable efforts to locate and delete it from our records.
Children’s Privacy (COPPA Compliance)
We do not knowingly collect, use, or disclose personal information from children under the age of 13 without verifiable parental consent, as required by the Children’s Online Privacy Protection Act (COPPA). Our websites, products, and services are not directed to children under 13. If we become aware that we have inadvertently collected personal information from a child under 13 without proper consent, we will take steps to delete such information promptly.
If you believe that a child under 13 has provided us with personal information without parental consent, please contact us at dpo@nextracker.com so that we can take appropriate action.
LINKS TO OTHER WEBSITES
Our Websites may contain links to other websites that are not operated or controlled by us. We do not control such third-party websites or their privacy practices. Any personal information you choose to give to third-party websites is not covered by this GDPP. If you have reasons to believe that your interaction with us is no longer secure, please immediately notify us of the problem by contacting us as set out below.
E-MAIL COMMUNICATION
We comply with the requirements of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. All commercial email communications from us will include clear identification of the sender, a valid physical postal address, and a clear and conspicuous way to opt out of receiving future emails.
If you no longer wish to receive marketing or promotional emails from us, you may unsubscribe at any time by following the instructions included in each email. We will honor all opt-out requests promptly and in accordance with the timeframes required by law.
DATA SECURITY
Nextracker maintains electronic, physical and procedural safeguards so that we meet or exceed the applicable privacy regulations for the protection of personal data provided via the products and services from loss, misuse, unauthorized access, disclosure, alteration or destruction.
Our website is scanned on a regular basis for security holes and known vulnerabilities, which include scanning for malware, to make your visit safe. Personal data is contained behind secured networks and is only accessible by a limited number of people who have special access rights to such systems and are required to keep the information confidential. In addition, Nextracker utilizes Transport Layer Security (TLS, which used to be known as SSL) technology across the website.
However, no Internet or email transmission is ever fully secure or error free. Therefore, you should take special care in deciding what information you send to us via email. Please keep this in mind when disclosing any personal data to Nextracker via the Internet.
COOKIES AND TRACKING TECHNOLOGIES
We use cookies to enhance user experience, analyze traffic, and provide targeted advertisements. You can manage your cookie preferences through your browser settings. You can find more details about cookies in our Cookies Policy.
POLICY UPDATES
Our products, services, and business operations may evolve over time. Accordingly, Nextracker reserves the right to update or modify this Global Data Protection Policy (GDPP) at any time, without prior notice. We encourage you to review this policy periodically, particularly before submitting any personal data, to stay informed of any updates. The “Last Updated” date at the top of this document reflects the most recent changes.
By continuing to use our websites, products, or services after any revisions are made, you agree to the terms of the updated GDPP.
If you have any questions or require further information, you may contact us at:
- Address: 6200 Paseo Padre Parkway, Fremont, CA 94555
BREACH
In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Nextracker shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the competent authority.
ADDITIONAL PRIVACY COMMITMENTS
Sensitive Personal Information (SPI)
We recognize that certain categories of personal data, such as financial details, health information, biometric data, precise geolocation, and race or ethnicity, may be classified as Sensitive Personal Information (SPI). Where applicable laws require, we will provide additional safeguards, obtain explicit consent where necessary, and allow individuals to limit the use and disclosure of SPI. SPI is processed only for specific purposes and is subject to heightened access controls and retention limitations.
Third-Party Processors and Contractual Safeguards
All third-party vendors that process personal data on behalf of Nextracker are required to enter into Data Processing Agreements (DPAs) that include confidentiality obligations, security requirements, data handling instructions, and audit rights. These agreements ensure that personal data is processed lawfully, securely, and only in accordance with Nextracker’s instructions and applicable data protection laws.
Automated Decision-Making and Profiling
Nextracker does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals. Should our practices change in the future, we will implement appropriate safeguards, provide advance notice, and ensure individuals are able to object to such processing or request human intervention as required by law.
Employee Training and Awareness
All Nextracker employees who have access to personal data are required to complete data protection and privacy training as part of their onboarding and on a recurring basis. We promote ongoing awareness through internal resources and communications to ensure compliance with applicable laws and company policies.
Record of Processing Activities (RoPA)
In accordance with Article 30 of the General Data Protection Regulation (GDPR) and other relevant laws, Nextracker maintains a Record of Processing Activities (RoPA). This record outlines the categories of personal data we process, the purposes for processing, recipients of the data, data transfers, and applicable retention periods. It is reviewed and updated regularly.
Contact and Escalation for Privacy Complaints
If you believe your personal data has been mishandled, you have the right to file a complaint with your local data protection authority, such as the European Data Protection Board (EDPB), the UK Information Commissioner’s Office (ICO), or Brazil’s Autoridade Nacional de Proteção de Dados (ANPD). You may also contact Nextracker directly at dpo@nextracker.com for questions or concerns about our data practices.
APPENDIX A COUNTRY SPECIFIC
RIGHTS AND DISCLOSURES SPECIFIC TO CALIFORNIA RESIDENTS
If you are a resident of the U.S. state of California, you have certain rights granted by the California Consumer Privacy Act (“CCPA”), as described in this Country Specific Appendix of the GDPP. This portion of the Country Specific Appendix of the GDPP describes the rights of California residents.
Right to Opt Out of the Sale of Personal Information
We share (as the terms are defined under the CCPA) personal information when you interact with a Website. You have the right to opt-out of the sharing of your personal information with third parties. We do not knowingly share personal information of any individual under 16 years of age. If you opt out, we will wait at least 12 months before asking you if we may share your personal information.
Your Rights
Your Right to Request Disclosure of Information We Collect and Share About You
If you are a California resident, you have the right to ask us for any or all the following types of information regarding the personal information we have collected about you prior to our receipt of your request:
- Specific pieces of personal information we have collected about you;
- Categories of personal information we have collected about you;
- Categories of sources from which such personal information was collected;
- Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
- Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting your personal information.
Your Right To Request Deletion of Personal Information We Have Collected About You
Additionally, California residents have the right to request that we delete the personal information we have collected about you, except for situations where the CCPA authorizes us to retain specific information, including when it is necessary for us to provide you with services that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us. We will act on your deletion request within the timeframes set forth below.
Exercising Your Rights and How We Will Respond
Residents of California may exercise their access or deletion rights, or ask a question about your data subject rights, by contacting us at [toll-free phone], [email] or click here.
We will first acknowledge receipt of your request within 10 business days of receipt of your request. We will then provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we will let you know.
We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations. In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will endeavor to provide you with an explanation as to why.
Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination
If you exercise any of the rights explained in this GDPP, we will continue to treat you fairly. If you exercise your rights under this GDPP, you will not be denied or charged different prices or rates for products or services or provided with a different level or quality of products or services than others.
Verification of Identity – Access or Deletion Requests
We will ask California residents for identifying information and attempt to match it to information that we maintain about them to verify their request. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request. We will notify you to explain the basis of the denial.
Authorized Agents
You may designate an agent to submit requests on your behalf. The agent must be a natural person or a business entity that is registered with the California Secretary of State. If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our verification process. Specifically, if the agent submits requests to access, know or delete your Personal Information, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the opt-out request on your behalf. We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.
Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.
Additional California Regulations
California Shine the Light
California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents that have an established business relationship with a business to annually request, free of charge, information about certain categories of personal information a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year.
California Do Not Track
Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. Currently, we do not respond to browsers’ do not track signals.
California Online Privacy Protection Act (CalOPPA)
We also comply with the California Online Privacy Protection Act (CalOPPA). As required, our privacy policy describes the categories of personal information we collect, how we use it, and the choices available to users.
California Privacy Rights Act (CPRA)
We comply with the California Privacy Rights Act (CPRA), which enhances consumer privacy rights and imposes additional obligations on businesses, including requirements related to sensitive personal information, data minimization, and the right to correct inaccurate data.
EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)
If you are located in the EEA/UK, you may have legal rights under applicable laws, which may be subject to certain limitations and/or restrictions. These rights may include to:
- request access to personal information we hold about you;
- correct personal information when incorrect, out of date or incomplete;
- request that we erase your personal information;
- opt-out of any marketing communications that we may send you and object to us using / holding your personal information if we have no legitimate reason to do so;
- request that we restrict the processing of your personal information (i.e., we would need to secure and retain the data for your benefit but not otherwise use it);
- withdraw your consent at any time; and
- the portability of personal information (i.e., ask for a copy of your personal information to be provided to you, or a third party, in a digital format).
All such requests should be made using the contact details set out in the Data GDPP. Please be advised that if you request that your personal information be deleted, you may no longer be able to access or use certain parts of the Website. By accessing your account on the Website, you may at any time modify or delete personal details such as name, address and country of residence. You may also delete your personal account at any time.
We will respond to any request in writing, or orally if requested, as soon as practicable and in any event not more than one (1) month after receiving that request. In exceptional cases, we may extend this period by two (2) months, and we will provide reasons. We may request proof of identification to verify your request. For more details in relation to your rights, including how to exercise them, please contact us using the contact details as set out below.
You also have the right to lodge a complaint about the processing of your personal information with your local data protection authority.
BRAZILIAN DATA SUBJECT RIGHTS
If you are in Brazil this GDPP also applies and you may have legal rights under Brazilian Law “LGPD” and other applicable laws, which may be subject to certain limitations and/or restrictions. These rights may include to:
- request access to personal information we hold about you;
- correct personal information when incorrect, out of date or incomplete;
- request that we erase your personal information except those that may be retained for compliance with legal and/or regulatory purposes;
- opt-out of any marketing communications that we may send you and object to us using / holding your personal information if we have no legitimate reason to do so;
- withdraw your consent at any time; and
- the portability of personal information (i.e., ask for a copy of your personal information to be provided to you, or a third party, in a digital format).
Please be advised that if you request that your personal information be deleted, you may no longer be able to access or use certain parts of the Website. By accessing your account on the Website, you may at any time modify or delete personal details such as name, address and country of residence. You may also delete your personal account at any time.
We will respond to any request in writing as soon as practicable and in any event not more than fifteen (15) days after receipt of that request. We may request proof of identification to verify your request. For more details in relation to your rights, including how to exercise them, please contact us using the contact details as set out below.
You also have the right to lodge a complaint about the processing of your personal information with your local data protection authority, the ANPD (“Autoridade Nacional de Proteção de Dados”).
Contact Details:
Nextracker Brasil Ltda.
DPO – Encarregado de Proteção de Dados – Regiane Alves Gomes
rgomes@nextracker.com
APPENDIX B GLOSSARY OF KEY TERMS
Term | Definition
Access Controls | Security measures that ensure that only authorized individuals can access certain data or systems.
Aggregated Personal Data | Data that has been combined and anonymized so that individuals cannot be identified, often used for analytical or statistical purposes.
Anonymization | The process of altering personal data so that the individual can no longer be identified, directly or indirectly.
BCR (Binding Corporate Rules) | Internal policies adopted by multinational companies that allow data transfers within the same corporate group to countries lacking adequate protection.
CCPA (California Consumer Privacy Act) | A California law that gives residents rights over their personal information and imposes obligations on businesses handling such data.
Consent | Freely given, specific, informed, and unambiguous agreement by the data subject to process their personal data.
Cookies | Small text files stored on a user's device by a website to remember user preferences or track website activity.
Data Breach | A security incident in which sensitive, protected, or confidential personal data is accessed or disclosed without authorization.
Data Controller | The organization or individual that determines the purpose and means of processing personal data.
Data Minimization | A principle requiring that only the minimum necessary personal data be collected and processed for a specific purpose.
Data Privacy Framework (DPF) | A mechanism for transferring personal data from the EU, UK, and Switzerland to the U.S. while ensuring adequate privacy protection.
Data Retention | The period during which personal data is stored before being deleted or anonymized.
Data Subject | A person whose personal data is being collected or processed.
Do Not Track | A browser setting that signals to websites that the user does not wish to be tracked across web browsing sessions.
Double Opt-In | A confirmation method where a user must verify their subscription or consent via a secondary action, typically by email.
DPO (Data Protection Officer) | A designated person responsible for overseeing a company’s data protection strategy and ensuring compliance with laws like GDPR.
Encryption | A security method that encodes data, making it accessible only to authorized users with a decryption key.
Executive Sponsor | A senior leader responsible for championing a policy or program within the organization and ensuring alignment with business goals.
GDPP (Global Data Protection Policy) | A document outlining Nextracker’s practices for collecting, using, storing, and protecting personal data.
GDPR (General Data Protection Regulation) | A regulation by the EU that governs how personal data of individuals in the EU can be legally processed.
Legitimate Interest | A lawful basis under GDPR allowing processing of personal data when it is necessary for a business’s interests, provided it doesn’t override the individual’s rights.
LGPD (Lei Geral de Proteção de Dados) | Brazil’s data protection law that regulates the processing of personal data and grants rights to individuals.
Non-Identifiable Data | Data that cannot be used to identify an individual on its own, such as browser type or aggregate web traffic information.
Personal Data | Any information relating to an identified or identifiable natural person, such as name, email address, or IP address.
Privacy Policy | A public-facing document that explains how an organization collects, uses, discloses, and protects personal information.
Processing | Any operation performed on personal data, including collection, storage, use, sharing, or deletion.
SCC (Standard Contractual Clauses) | Standard legal contracts approved by the European Commission to allow personal data transfers outside the EU/EEA.
Sensitive Personal Information (SPI) | A category of personal data that includes more privacy-sensitive attributes such as health data, financial information, biometric identifiers, etc. (especially relevant under CPRA).