Data protection and privacy

Ensuring the security of our information and data privacy is fundamental to the strategic and operational conduct of our business. This is why we strive for transparent, ethical and secure handling of the personal data we process. The activities that involve them are carried out legitimately, lawfully and based on the laws, internal regulations and best market practices.

Find out more about the subject and the actions we take to guarantee the privacy and security of the data of all the people who have contact with us.

About privacy and data protection

Privacy is the right to respect for a person’s private and family life, their home and correspondence, i.e. the ability of people to determine for themselves when, how and to what extent personal information about them can be shared or communicated to others.

But what is the difference between Privacy and Data Protection?

They complement each other, but they are not the same thing. Privacy is a right that must be protected, and Data Protection are the measures that will be used to carry out this protection.

What about the LGPD?

The Brazilian General Personal Data Protection Law (13.709/2018) was inspired by the GDPR and comes into force in August 2020.
With the LGPD, Brazilian citizens now have various rights in relation to their personal data and greater control over it. The law guarantees protection for all data whose owners are natural persons, whether in physical or digital format. Thus, the LGPD does not cover data held by legal entities – which are not considered personal data for the purposes of the Law.

It is essential to clarify that the LGPD is not intended to prohibit data processing, but rather to establish rules and limits in order to protect data subjects. However, the LGPD provides some definitions and establishes roles and responsibilities for the actors involved in processing this personal data:

Principles that guide the LGPD


ANPD sanctions:

The body responsible for ensuring and monitoring compliance with the LGPD is the National Data Protection Authority (ANPD). Failure to comply with the General Data Protection Law may result in sanctions from the ANPD. These sanctions can be:


Common questions:

What is LGPD?

Law No. 13,709 was approved in August 2018 and came into force in September 2020. This law establishes rules on any activity that can be carried out with personal data, from collection, storage, sharing, and disposal (activities known as “treatment”), aiming at more protection for citizens and sanctions for companies for non-compliance.

But what is personal data?

It is any information related to an individual that can identify him/her from the collected data, for example: name, age, CPF, e-mail, geolocation, etc.

And what is sensitive data?

The LGPD also brings the concept of sensitive personal data, which is information that, because it allows discrimination, should be treated with even more care, such as: information of racial or ethnic origin, religious belief, political opinion, and data related to health.

What are the users' rights?

1. Right to access

The holder has the right to receive a confirmation on the treatment or not of his/her personal data and, if that is the case, to consult that data and additional information related to his/her treatment (such as, for example, the sharing of information with public and private entities).

2. Right to correction

If the holder requests it, the Controller has an obligation to correct personal data that are incomplete, wrong, or outdated.

3. Right to anonymize, block or delete unnecessary, excessive, or treated data in non-compliance with the LGPD

The holder has the right to request that the Controller make his/her personal data anonymous, that is, impossible to associate with the holder. In addition, he/she may restrict the processing of his/her data and request the disposal of the data if it (i) is not necessary or suitable for the purpose for which it was provided or (ii) when the treatment does not follow the provisions of the LGPD.

4. Right to Portability

The right to data portability allows holders to request the transfer of their personal data to another Controller, but this right still depends on additional regulation by the National Authority.

5. Right to delete data processed with consent

When the treatment depends on consent, the holder may, upon express request, demand the destruction of the data that are the object of treatment.

6. Right to informed consent

The holders have the right to refuse to give consent, when it is necessary for the processing of the data, as well as to be informed about the consequences of that decision. In addition, they may regret the consent previously given and, at any time, revoke the authorization by express expression.

7. Right to object to treatment

Holders have the right to object to the processing of their personal data at any time, even in situations that do not depend on their consent, should they find that it is being carried out in breach of the LGPD.

Who are the main LGPD characters?

A) Holder

It is the natural person to whom the personal data refer. For example, users, customers, policyholders, brokers, employees, among others linked to our business.

B) Controller

Who defines how personal data can be treated, considering the purpose for which it was collected. The Controller is responsible for the personal data processed in his environment and in the environment of third parties who process the data at his/her own direction.

C) Operator

It is the person who carries out the treatment and processing of personal data under the Controller’s instructions. The Operator may only process data for the purpose determined by the Controller.

D) Data Protection Officer (DPO)

Person or area indicated by the Controller who assists the company in the area of privacy and acts as a communication channel with the Holders and the National Data Protection Authority (ANPD).

E) National Data Protection Authority (ANPD)

Public agency responsible for overseeing, implementing, and supervising compliance with the Law.

What are the 10 principles for processing personal data?

1. Purpose

Have a specific, legitimate, explicit, and informed purpose.

2. Suitability

Use of data in compliance with the stated purpose.

3. Need

Use (only) of strictly necessary data.

4. Free access

Information, in a simple and free way, to the full data.

5. Data quality

Accurate, relevant, and up-to-date data.

6. Transparency

Clear, accurate, and true information to data subjects.

7. Security

Technical and administrative measures to protect data.

8. Prevention

Adoption of previous measures to avoid damage to the holders.

9. Non-Discrimination

Do not use data for discriminatory, abusive, or unlawful purposes.

10. Accountability

Demonstrate the adoption of effective measures to comply with the standards.


Data Collection

Cosan collects, stores, and uses personal data, including data called “cookies”. For that reason, we recommend reading its Privacy Policy which explains what data is collected and for what purpose. Regarding the “cookies”, in compliance with its Privacy Policy, Cosan collects cookies to provide to the user a better browsing experience on its web pages.

Cookies are small pieces of text placed on the user’s computer hard drive when visiting certain websites and applications. Cosan may use cookies to obtain information, for example, if the user has visited Cosan’s websites before or if he/she is a new visitor, helping Cosan to identify what features can improve the user experience. Cookies can enhance your online experience by saving your preferences while you visit a website. When visiting Cosan website, you will be informed about what types of cookies will be collected so that you can disable such cookie collections.

Recurring verification of our Privacy Policy is recommended, which is subject to change without notice.

To access Cosan’s Data Privacy Policy click here!

To contact the DPO, contact us by e-mail: