Privacy
Policy.

This Policy applies to all personal data processed by Mira Cultural — including data of customers who make in-store purchases, persons who contact us by phone, email or WhatsApp, website visitors, participants in literary events and anyone whose data is processed in connection with our activities.

By purchasing books, participating in events, contacting us or visiting our website, you acknowledge having read and understood this Policy.

In connection with our book retail activities, we process personal data in the following categories:

• In-store purchase data: Name and CPF for NF-e or NFC-e issuance when requested by the customer — we do not require CPF for purchases below the legal threshold.
• Customer registration and loyalty data: Full name, email, phone/WhatsApp and literary preferences — collected for communications, book clubs and personalised recommendations.
• Contact and service data: Messages sent by email, WhatsApp or form — name, phone, email and content of communication for handling requests and orders.
• Event participant data: Name, email and phone of those registered for launches, readings and book clubs — for list management and event communications.
• Book club / subscription data: Full name, delivery address (where applicable), email and literary preferences for personalised curation.
• Technical website data: IP address, browser type, pages visited and access times — for analysis and experience improvement.

We do not store payment card data directly — electronic transactions are processed by PCI-DSS certified payment platforms.

We do not sell or commercially exploit customers' personal data. Sharing occurs only in the following situations:

• SEFAZ-MG / Federal Revenue (Receita Federal): Tax data for NF-e and NFC-e issuance and compliance with applicable federal and state tax obligations for book retail in Minas Gerais.
• Publishers and distributors (special orders): To fulfil orders for out-of-stock titles — minimum data shared (name and contact) only when strictly necessary.
• Payment platforms: For processing electronic transactions — operated under PCI-DSS standards, with no access to purchase history for their own commercial purposes.
• Technology service providers: Email marketing, CRM and event management platforms — under data processing agreements and access limited to contracted purposes.
• PROCON-MG: When required in a consumer dispute mediation procedure under the CDC.
• Legal authorities: When required by a competent judicial or administrative order.

Primary storage of customer data is carried out in Brazil. Email marketing or website analytics platforms that operate on servers outside Brazilian territory do so only under the guarantees of Art. 33 of the LGPD or recognised adequacy mechanisms. Details of any such transfers are available upon request via the contact in Section xiv.

• Tax records (NF-e / NFC-e): Minimum 5 years under federal tax legislation (CTN, Art. 174) and SEFAZ-MG requirements.
• Sales records for consumer rights (CDC): Up to 2 years for post-sale support on book purchases; minimum 5 years for durable goods under CDC Art. 26, II.
• Customer registration and reading preferences: While the registration remains active, or until a deletion request is made. Automatically deleted after 3 years of inactivity.
• Event registrations: Up to 6 months after the event, unless further communication was authorised.
• Book club / subscription data: Duration of the subscription plus 1 year for support and queries.
• Communications and emails: Up to 2 years from the last interaction.
• Website analytics: Aggregated and anonymised after 12 months.

• Access to the customer database restricted to bookstore staff with an operational need;
• Encryption in transit (HTTPS) for the website and digital communications;
• PCI-DSS certified payment platforms — card data is never stored by Mira Cultural;
• Secure credentials and authentication for CRM and email marketing platforms;
• Incident response procedures and breach notification in accordance with LGPD Art. 48.

• Confirmation and Access (Art. 18, I–II): Confirm whether we process your data and receive a copy.
• Correction (Art. 18, III): Request correction of inaccurate or outdated data.
• Anonymisation / Blocking / Deletion (Art. 18, IV): Request restriction or deletion of unnecessary data.
• Portability (Art. 18, V): Receive your data in a structured, interoperable format.
• Deletion of consent-based data (Art. 18, VI): Request deletion of data processed on the basis of consent — e.g. registration, reading preferences, event lists.
• Information on sharing (Art. 18, VII): Find out which entities your data has been shared with.
• Withdrawal of Consent (Art. 8º, §5º): Withdraw consent for marketing communications at any time.
• Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.

We respond within 15 business days. Deletions may be limited by legal tax retention obligations for NF-e records — we will always explain the reasons for any limitation.

Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking cookies for advertising purposes without prior consent. Preferences can be managed through browser settings.

Mira Cultural offers a children's and young adult section and organises events for younger readers. We observe the following child protection guidelines:

• For registrations at events intended for children under 13, we require authorisation and contact data from a legal guardian — consent is given by the guardian, not the child (LGPD Art. 14, §1º).
• For adolescents aged 13 to 17, we collect data with their own consent, communicating with the guardian where appropriate.
• We do not send marketing communications directly to children under 13 without explicit guardian consent.
• We do not build reading preference profiles for children for commercial purposes.

Reading preferences — such as interest in works on religion, politics, sexual orientation, health or other sensitive subjects — may indirectly reveal sensitive personal data about the customer (LGPD Art. 5º, II).

Mira Cultural treats reading preferences with special discretion:

• Reading preferences collected for curation and personalised recommendations are used exclusively for that purpose — never shared with third parties for commercial or marketing purposes;
• Customers may request deletion of their preference history at any time, without any impact on the purchase service;
• We do not make inferences about customers' sensitive characteristics based on purchase history.

This Policy may be updated to reflect changes in our activities, the LGPD, ANPD guidance or CDC regulations. Material changes will be communicated by email to registered customers with reasonable advance notice.

All privacy requests, questions and complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):