Privacy Policy
Last updated: January 2026
1. Introduction and Commitment to Privacy
CodeCortex Tecnologia Ltda. ("CodeCortex", "we", "us" or "Complyer") is deeply committed to protecting the privacy and personal data of all users of the Complyer.app service ("Service", "Platform"). This Privacy Policy clearly and transparently describes how we collect, use, store, share and protect your personal information.
This Policy is fully compliant with the Brazilian General Data Protection Law (LGPD - Law No. 13.709/2018) and other applicable privacy legislation in Brazil. By using our Service, you expressly agree to the practices described in this Policy.
Conscious Irony: We are a data compliance platform. We take the protection of your data as seriously as we expect you to take the protection of your company's data.
2. Definitions and Terminology
For the purposes of this Policy, the following definitions apply as per LGPD:
- Personal Data: Information relating to an identified or identifiable natural person
- Data Subject: Natural person to whom the personal data refers (you)
- Controller: Entity that makes decisions about personal data processing (CodeCortex for account data; You for Customer Data)
- Processor: Entity that processes data on behalf of the controller (CodeCortex when processing Customer Data)
- Processing: Any operation with personal data (collection, storage, use, sharing, deletion, etc.)
- Anonymization: Process that makes it impossible to identify the data subject
- Consent: Free, informed and unequivocal manifestation of agreement
- Data Protection Officer (DPO): Person responsible for acting as a communication channel for privacy matters
3. Information We Collect
We collect different categories of information to provide, maintain and improve our Service. Below, we detail each category:
3.1. Registration and Identification Data
- Full name
- Corporate email (used as primary identifier)
- Company/organization name
- Job title/function in the company
- Phone number (optional)
- Billing information (when applicable)
3.2. Usage and Navigation Data
- Information about how you access and use the Service
- Pages visited, features used, session time
- Configuration and personalization preferences
- History of queries and searches within the platform
- Interactions with alerts and generated reports
- Activity logs and timestamps
3.3. Technical and Device Data
- Internet Protocol (IP) address
- Browser type and version
- Operating system and version
- Screen resolution and device settings
- Language and time zone
- Internet service provider (ISP)
- Referral pages (where you came from)
- Unique device identifiers (when applicable)
3.4. Document and Content Data (Customer Data)
Important: These are the data that you, as a Customer, upload to the platform for analysis. For this data, YOU act as Controller and we act as Processor under your instructions.
- Documents, files and contracts uploaded for analysis
- Emails and communications connected via integrations
- Spreadsheets, PDFs, text documents and other formats
- File metadata (dates, authors, sizes)
- Text content extracted for AI analysis
- Analysis results and generated reports
3.5. Communication Data
- Messages exchanged with our support team
- Feedback, ratings and satisfaction surveys
- Participation in webinars, demos or events
- Subscription to newsletters or marketing communications (with consent)
3.6. Third-Party Integration Data
When you connect Complyer to third-party services (Google Workspace, Microsoft 365, etc.), we may collect data as authorized by you through these integrations:
- Google/Microsoft profile information (name, email, photo)
- Access permissions to documents and emails (read-only, as authorized)
- File and folder metadata
- Access tokens and refresh tokens (stored encrypted)
4. How We Use Your Information
We use the collected information exclusively for the purposes described below, always respecting the principle of purpose and data minimization:
4.1. Service Provision and Operation
- Create, maintain and manage your user account
- Authenticate and authorize your access to the platform
- Process and analyze documents through our AI algorithms to identify compliance risks
- Detect LGPD violations, data breaches and problematic contract clauses
- Generate personalized reports, dashboards and alerts
- Sync data with authorized integrations (Google Workspace, Microsoft 365)
4.2. Communication with Users
- Send transactional notifications about critical compliance alerts
- Notify about service updates, maintenance or changes to Terms
- Respond to your support requests and technical questions
- Send order confirmations and invoices (when applicable)
- Marketing communications (only with explicit consent and unsubscribe option)
4.3. Improvement and Development
- Analyze usage patterns to improve existing features
- Develop new features and enhance AI algorithms
- Conduct A/B testing and UX experiments (with anonymized data)
- Train machine learning models (only with aggregated and anonymized data)
- Conduct satisfaction surveys and product analysis
4.4. Security and Fraud Prevention
- Detect, prevent and resolve technical and security issues
- Protect against unauthorized access, misuse or fraudulent activities
- Monitor and analyze suspicious login attempts
- Investigate violations of Terms of Use
- Maintain audit logs for security and compliance purposes
4.5. Legal and Regulatory Compliance
- Comply with legal and regulatory obligations (LGPD, Marco Civil, etc.)
- Respond to court orders, subpoenas or government requests
- Enforce our contractual rights
- Maintain accounting and tax records as required by law
5. Legal Basis for Data Processing (LGPD)
We process your personal data based on the following legal bases provided for in Article 7 of LGPD:
- Contract execution (Article 7, V): To provide the contracted compliance services, including document processing, report generation and alert sending
- Legitimate interest (Article 7, IX): To improve our services, develop new features, ensure platform security and prevent fraud, always respecting your rights and freedoms
- Consent (Article 7, I): For marketing communications, non-essential cookies and data sharing beyond what is necessary for the service (when applicable)
- Compliance with legal obligation (Article 7, II): To comply with legal and regulatory determinations, court orders or requests from competent authorities
- Exercise of regular rights (Article 7, VI): To protect our rights in judicial, administrative or arbitration proceedings
6. Sharing Data with Third Parties
Commitment: We do NOT sell, rent or commercialize your personal data. Sharing only occurs in strictly necessary situations described below:
6.1. Service Providers (Sub-processors)
We use third-party service providers to assist in platform operation. All sub-processors are carefully selected and bound by contracts that ensure protection of your data:
- Cloud hosting: Amazon Web Services (AWS) or Google Cloud Platform (GCP) - location: Brazil/USA with appropriate transfer clauses
- Analytics and monitoring: Google Analytics, Mixpanel (anonymized data)
- Customer support: Zendesk, Intercom or similar
- Transactional email: SendGrid, Amazon SES
- Payment processing: Stripe, Pagar.me (when applicable)
- CDN and security: Cloudflare
6.2. Government Authorities and Legal Requests
We may disclose personal data when legally required or in response to valid legal processes:
- Court orders, warrants or subpoenas
- Requests from the National Data Protection Authority (ANPD)
- Police or regulatory authority investigations
- Compliance with applicable Brazilian laws
Transparency: Whenever legally permitted, we will notify you of such requests.
6.3. Corporate Successors
In case of merger, acquisition, asset sale, reorganization or bankruptcy, your personal data may be transferred to the successor. You will be notified of such transfer and any changes to privacy practices.
6.4. With Your Consent
We may share data with other entities when you provide explicit consent to do so.
7. Data Security
We implement rigorous technical, administrative and organizational security measures to protect your data against unauthorized access, alteration, disclosure or destruction:
7.1. Technical Measures
- Encryption in transit: TLS 1.3 for all data transmissions
- Encryption at rest: AES-256 for data stored in databases and storage
- Multi-factor authentication (MFA): Available and recommended for all accounts
- Password hashing: bcrypt with random salt (we never store passwords in plain text)
- Firewall and WAF: Protection against DDoS, SQL injection, XSS attacks
- Continuous monitoring: Security logs, intrusion detection, automated alerts
- Encrypted backups: Automatic daily backups with 30-day retention
- Penetration testing: Regular security audits by specialized third parties
7.2. Administrative Measures
- Role-based access control (RBAC) with least privilege principle
- Periodic reviews of access permissions
- Mandatory security and privacy training for all employees
- Non-disclosure agreements (NDAs) with all collaborators and partners
- Formal security incident response process
- Regular internal and external audits
7.3. Certifications and Compliance
- ISO 27001 certification (Information Security Management System)
- LGPD compliance (Law No. 13.709/2018)
- Alignment with international best practices (NIST, CIS Controls)
Important: Despite all our efforts, no system is 100% secure. You are also responsible for keeping your credentials secure and reporting any suspicious activity immediately.
8. Your Rights as a Data Subject (LGPD)
According to Articles 17 and 18 of LGPD, you have the following rights related to your personal data:
8.1. Guaranteed Rights
- Confirmation and Access (Article 18, I and II): Confirm if we process your data and obtain access to personal data we hold about you
- Correction (Article 18, III): Request correction of incomplete, inaccurate or outdated data
- Anonymization, Blocking or Deletion (Article 18, IV): Request anonymization, blocking or deletion of unnecessary, excessive or non-compliant data
- Portability (Article 18, V): Request portability of your data to another service provider, upon express request and in structured format
- Deletion (Article 18, VI): Request deletion of data processed based on consent
- Sharing Information (Article 18, VII): Obtain information about which public and private entities we share your data with
- Consent Refusal Information (Article 18, VIII): Be informed of consequences of not providing consent
- Consent Revocation (Article 18, IX): Revoke previously provided consent
- Opposition (Article 18, § 2º): Oppose processing that violates LGPD
- Automated Decision Review (Article 20): Request review of decisions based solely on automated processing that affect your interests
8.2. How to Exercise Your Rights
To exercise any of the above rights, you can:
- Send an email to our Data Protection Officer (DPO): [email protected]
- Use the privacy channel: [email protected]
- Access privacy settings within the platform (for some rights)
Response Deadline: We will respond to your request within 15 business days, as per Article 19 of LGPD. In complex cases, we may extend this deadline by another 15 days with justification.
Identity Verification: To protect your privacy, we may request additional information to confirm your identity before processing your request.
9. Data Retention and Deletion
We retain your personal data only for as long as strictly necessary to fulfill the purposes described in this Policy, respecting the necessity principle (Article 6, III, LGPD):
9.1. Retention Periods
- Active account data: During the entire contract/subscription period
- Document Data (Customer Data): As per your instructions as Controller; deleted within 30 days of account termination, unless retention is required by a legal obligation
- Security and audit logs: 12 months (security requirement and incident investigation)
- Tax and accounting data: 5 years (as per Brazilian tax legislation)
- Marketing communications: Until consent revocation or 2 years without interaction
- Anonymized data: Indefinitely (anonymized data is not personal data under LGPD)
9.2. Deletion Process
At the end of the retention period, we proceed with secure data deletion:
- Permanent deletion from production databases
- Backup removal per rotation schedule
- Destruction of copies in third-party systems
- Documentation of deletion process for audit purposes
9.3. Legal Exceptions
We may retain data for longer periods when:
- Required by law or regulation (tax, labor obligations, etc.)
- Necessary for compliance with a court order
- Essential for the exercise of rights in judicial or administrative proceedings
- With your explicit consent for a longer period
10. Cookies and Tracking Technologies
We use cookies and similar technologies to improve your experience and understand how you use our Service.
10.1. Types of Cookies Used
- Strictly Necessary Cookies: Essential for basic functioning (authentication, security, session preferences). Do not require consent per LGPD.
- Performance and Analytics Cookies: Collect aggregated information about site usage (Google Analytics with anonymized IP). Require consent.
- Functionality Cookies: Store user preferences (language, theme, settings).
- Marketing Cookies: Track visitors to display relevant ads (when applicable). Require explicit consent.
10.2. Cookie Management
You can manage your cookie preferences:
- Through the consent banner displayed on your first visit
- In your browser settings (Chrome, Firefox, Safari, Edge)
- Through analytics opt-out tools (Google Analytics Opt-out)
Attention: Disabling essential cookies may affect Service functionality.
10.3. Other Technologies
- Web Beacons/Pixels: Small images in emails for open tracking (only in marketing emails with consent)
- Local Storage: Local storage to improve performance and offline experience
- Session Storage: Temporary storage during browsing session
11. International Data Transfer
Your data is preferably stored and processed on servers located in Brazil. However, some of our service providers may be located outside Brazil, including the United States and Europe.
When we conduct international data transfers, we ensure compliance with Chapter V of LGPD (Articles 33-36) through:
- Standard Contractual Clauses: Contracts with international suppliers include data protection clauses equivalent to those required by LGPD
- Country Adequacy: We prioritize countries recognized as adequate by ANPD (when applicable)
- International Certifications: Providers with ISO 27001, SOC 2, Privacy Shield (when relevant)
- Specific Consent: When necessary, we request your explicit consent for international transfers
12. Children's Privacy
The Complyer Service is intended exclusively for corporate and business use. We do not intentionally collect personal data from individuals under 18 years old.
If we become aware that we have inadvertently collected data from minors, we will take immediate steps to delete such information from our servers. Parents, legal guardians or representatives may contact us at [email protected] if they identify such a situation.
13. Security Incident Notification
Per Article 48 of LGPD, in the event of a security incident that could create risk or relevant harm to data subjects, we will take the following measures:
- Immediate Communication to Data Subject: We will notify you within a reasonable timeframe (maximum 72 hours) about the incident, nature of affected data, possible consequences and measures taken
- ANPD Notification: We will communicate to the National Data Protection Authority as per established procedures
- Corrective Measures: We will take immediate actions to contain the incident, investigate causes and implement security improvements
- Transparency: We will publish a public statement if the incident affects a large number of users
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legislation or for other operational, legal or regulatory reasons.
Notification of Changes:
- Substantial changes will be notified by email with a minimum of 10 days' notice
- We will publish a prominent notice on our website about the changes
- The "Last updated" date at the top of this page will be updated
- We will keep previous versions available for consultation upon request
We recommend you review this Policy periodically to stay informed about how we protect your data. Your continued use of the Service after changes constitutes acceptance of the revised Policy.
15. Data Protection Officer (DPO)
As per Article 41 of LGPD, we appoint a Data Protection Officer (DPO) to act as a communication channel between CodeCortex, data subjects and ANPD.
DPO Responsibilities:
- Accept complaints and communications from data subjects
- Provide clarifications about the exercise of rights
- Receive communications from ANPD and take action
- Advise employees about data protection practices
Data Protection Officer (DPO) Contact:
Email: [email protected]
Alternative privacy email: [email protected]
Response timeframe: up to 15 business days
16. Right to Complain to ANPD
Without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with the National Data Protection Authority (ANPD) if you consider that the processing of your personal data violates LGPD.
National Data Protection Authority (ANPD):
Website: www.gov.br/anpd
Email: [email protected]
Phone: 0800-000-0000 (when available)
17. Jurisdiction and Applicable Law
This Privacy Policy is governed by and interpreted in accordance with the laws of the Federative Republic of Brazil, particularly:
- General Data Protection Law (Law No. 13.709/2018 - LGPD)
- Internet Civil Rights Framework (Law No. 12.965/2014)
- Consumer Protection Code (Law No. 8.078/1990)
- Brazilian Civil Code (Law No. 10.406/2002)
Any disputes related to this Policy will be submitted to the exclusive jurisdiction of the courts of the Judicial District of São Paulo, State of São Paulo, Brazil.
18. Contact and Company Information
If you have questions, comments or requests about this Privacy Policy or about our data processing practices, please contact us:
CodeCortex Tecnologia Ltda.
Address:
Joinville, Santa Catarina, Brazil
Contact Channels:
General email: [email protected]
Privacy email: [email protected]
Data Protection Officer (DPO): [email protected]
Legal matters: [email protected]
Business hours: Monday to Friday, 9 AM to 6 PM (Brasília time)
Response timeframe: up to 15 business days
Document in compliance with: LGPD (Law No. 13.709/2018), Internet Civil Rights Framework (Law No. 12.965/2014), ANPD Resolution CD/ANPD No. 2/2022 (Small Data Processing Agents).
Last review and legal approval: January 2026