This Privacy Policy describes how Guilherme Samuel Desenvolvimento de Programas Ltda ("we," "our" or "the Company") collects, uses, stores and protects the personal data of our clients, website visitors and all others whose data is processed in connection with our custom software development activities in Itapecerica da Serra, São Paulo.
As a registered limited company (Ltda), we are fully committed to compliance with the Brazilian General Data Protection Law — LGPD (Lei nº 13.709/2018), the Brazilian Consumer Protection Code — CDC (Lei nº 8.078/1990) and applicable tax legislation in the State of São Paulo. We also build LGPD compliance into the software we develop for clients, as detailed in Section 12.
Introduction and Scope
This Policy applies to all personal data processed by our software development company — including business clients who commission software projects, their technical contacts and project stakeholders, end users of software we develop (where we encounter that data during development), website visitors and anyone whose data is processed in connection with our activities. Our primary relationship is B2B — we build software for companies.
Identity of the Controller
Entity type: Sociedade Limitada (Ltda)
CNPJ: 48.279.891/0001-93
Activity (CNAE): Desenvolvimento de Programas de Computador Sob Encomenda
Address: Rua Ubatuba, 64, Vila João Montesano, Itapecerica da Serra — SP, CEP 06853-520, Brasil
Email: privacidade@guilhermesamuel.dev
Personal Data We Collect
- Client identification data: Company name, CNPJ and the name, role, phone and email of the responsible technical or commercial contact — collected when businesses commission software projects or request quotations.
- Project specification data: Technical briefs, architecture requirements, system specifications, user stories and all project documentation provided by the client — used exclusively for the development of the commissioned software.
- Development access data (project-specific): Where development requires access to client systems, APIs, databases or staging environments — access credentials and system data provided for development purposes. This data is handled with the highest confidentiality and deleted after project completion.
- Test and sample data (operador role): Where a client provides sample data or test datasets containing personal data of their users or customers for software testing purposes — we process this data as operador under LGPD Art. 39, only as required for the testing scope. We actively advise clients to use anonymised or synthetic test data wherever possible.
- Billing data: Company name and CNPJ for NFS-e issuance — in compliance with SEFAZ-SP and ISS/Prefeitura de Itapecerica da Serra requirements.
- Contact and enquiry data: Messages via WhatsApp, telephone or online form.
- Technical website data: IP address, browser type, pages visited and access times.
Purpose and Legal Basis
| Purpose | Legal Basis (LGPD) |
|---|---|
| Custom software development and delivery | Performance of contract (Art. 7º, V) |
| Software architecture consulting and scoping | Performance of contract; Pre-contractual measures |
| Development environment access and testing (using client systems) | Performance of contract (Art. 7º, V) |
| Processing test/sample data provided by clients (as operador) | Client's legal basis per Art. 39 |
| Issuing NFS-e; SEFAZ-SP tax compliance | Legal obligation (Art. 7º, II) |
| ISS — Prefeitura de Itapecerica da Serra | Legal obligation (Art. 7º, II) |
| Software maintenance and support services | Performance of contract; Legitimate interest |
| Website analysis and improvement | Legitimate interest; Consent (cookies) |
Data Sharing
- SEFAZ-SP / Receita Federal: Tax data for NFS-e issuance and applicable federal and state tax compliance.
- Prefeitura de Itapecerica da Serra (ISS): For ISS/ISSQN obligations on software development service activities.
- Third-party development tools and services: Where development requires use of cloud services, CI/CD platforms, testing environments or development infrastructure — minimum necessary data is processed through those services under appropriate terms. We disclose the specific services used to clients on request.
- PROCON-SP: When required in a consumer dispute mediation under the CDC.
- Legal authorities: When required by a competent judicial or administrative order.
Client project data, source code, specifications and any data encountered during development are never shared with third parties without explicit client authorisation.
International Transfers
Our primary base is in Itapecerica da Serra, SP. Development work may use internationally hosted cloud services (version control, CI/CD, deployment). Where international transfers occur, they are under the guarantees of Art. 33 of the LGPD or recognised adequacy mechanisms. We disclose the specific cloud services and hosting regions used in each project to clients on request and in our Data Processing Agreements.
Retention Periods
- NFS-e and fiscal records: Minimum 5 years under federal and state tax legislation (CTN, Art. 174; SEFAZ-SP).
- Client contract and project records: 5 years from project completion — for contractual, fiscal and intellectual property documentation.
- Development access credentials (client systems): Deleted immediately upon project completion or access revocation by the client. We do not retain credentials beyond project scope.
- Test and sample data (containing client user data): Deleted at the end of the testing phase or project completion — not retained beyond the minimum period required for the development scope. Clients are notified of deletion.
- Contact and enquiry data (no project commissioned): Up to 1 year from last interaction.
- Website analytics: Aggregated and anonymised after 12 months.
Security Measures
- Client project specifications, code repositories and system access restricted to team members directly involved in the commissioned project;
- Version control repositories private and access-controlled per project;
- Development environment credentials stored in encrypted credential management — never in plaintext or version control;
- Test data containing personal data anonymised or deleted immediately after use;
- Encryption in transit (HTTPS, TLS) for all client communications and file transfers;
- PCI-DSS certified payment platforms — card data never retained;
- As a Ltda, we maintain formal internal data handling and security protocols;
- Incident response procedures and breach notification per LGPD Art. 48.
Your Rights under the LGPD
- Confirmation and Access (Art. 18, I–II): Confirm whether we hold your data and receive a copy.
- Correction (Art. 18, III): Request correction of inaccurate data.
- Anonymisation / Blocking / Deletion (Art. 18, IV): Request restriction or deletion — subject to fiscal and contractual retention obligations.
- Portability (Art. 18, V): Receive your data in a structured format.
- Deletion of consent-based data (Art. 18, VI): Request deletion of data processed by consent.
- Information on sharing (Art. 18, VII): Find out which third-party services or entities your data was shared with during a project.
- Withdrawal of Consent (Art. 8º, §5º): Withdraw consent at any time.
- Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.
We respond within 15 business days. For requests relating to data processed as operador in a client project, we will refer the request to the relevant client controller per LGPD Art. 39.
Cookies and Tracking
Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking cookies for advertising without prior consent. Preferences can be managed through browser settings.
Protection of Minors
Our software development services are engaged by businesses — adults acting in a professional capacity. We do not intentionally collect data from children under 13. Where software we develop is intended to serve platforms or products accessed by minors, we advise clients on the applicable LGPD requirements for processing children's data under LGPD Art. 14, including the requirement for parental or guardian consent, and incorporate appropriate technical controls in the software architecture.
Source Code, IP & LGPD-by-Design
As a custom software development company, two principles guide our practice beyond standard LGPD compliance:
We actively recommend the use of anonymised or synthetic test data during development and testing. Where clients provide real user data for testing, we handle it under the strictest confidentiality and delete it at project completion.
Updates to this Policy
This Policy may be updated to reflect changes in our activities, the LGPD, ANPD guidance or applicable tax legislation. Material changes will be communicated via our website or directly to active clients by email or WhatsApp.
Contact & Data Protection Officer
All privacy requests, questions and complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):
Privacy Contact — Guilherme Samuel Desenvolvimento de Programas Ltda
ANPD — Autoridade Nacional de Proteção de Dados
www.gov.br/anpd