Privacy Policy

2) Personal data collected

We only collect the minimum necessary to provide our services (data minimisation principle):

• Basic identification: name, CPF (data subject), e-mail addresses, phone numbers.
• Usage data: access logs, pages visited, device/session identifiers.
• Preferences: language, consents, privacy settings.
• Communications: messages sent, support requests and DSARs.

We do not request special category data by default. When necessary, processing will follow an appropriate legal basis and additional safeguards.

3) Purposes and legal bases

We process data for purposes such as:

• Provision of services and performance of a contract (registration, authentication, use of features).
• Handling requests (support, DSARs, necessary communications).
• Compliance with legal/regulatory obligations (records, mandatory retention).
• Improvement and security (monitoring, fraud prevention, auditing and performance).
• Optional communications (marketing based on consent, with the possibility to withdraw it).

Legal bases (LGPD): consent; performance of a contract; compliance with legal/regulatory obligations; legitimate interests (after assessment); exercise of rights in judicial, administrative or arbitration procedures; protection of credit, where applicable.

Bases (GDPR, where applicable): Art. 6(1)(a–f) — consent, contract, legal obligation, vital interests (where relevant), public task (where relevant), legitimate interests.

4) Sharing and processors

We may share data with processors (service providers) that help us deliver the service, always under contracts, security controls and instructions for processing in accordance with the law.

• Infrastructure: cloud providers (e.g. AWS – EC2, S3, CloudFront).
• Monitoring and security: observability and protection tools.
• Communication: e-mail and transactional messaging providers.
• Billing: payment gateways (where applicable).

We do not sell personal data. Sharing with authorities may occur for legal compliance.

5) Cookies and similar technologies

We use cookies to provide and improve the service:

• Strictly necessary: essential for operation (login, security, load balancing).
• Functional: preferences (language, layout).
• Performance/Analytics: aggregated and anonymised usage metrics.
• Marketing (optional): only with prior consent.

You can manage your preferences in the Cookie Manager or in your browser settings.

6) Data subject rights (DSARs)

Under the LGPD, you may request: confirmation of processing; access; rectification; anonymisation/erasure; portability; information about sharing; withdrawal of consent; and review of automated decisions.

We handle requests via the Data Subject Portal (where available) or via the DPO’s e-mail. We provide an immediate simplified response and, where applicable, a full response within up to 15 days.

For your security, we may request identity verification. Some requests may not be granted due to legal restrictions or risks to rights and trade secrets — in such cases, we will explain the reason.

7) Retention periods

We keep data only for as long as necessary to fulfil the purposes and legal/contractual obligations. At the end of these periods, we adopt secure deletion or anonymisation, as applicable.

8) Information security

We apply technical and organisational measures appropriate to the risk, such as:

• Encryption in transit (HTTPS/TLS) and, where applicable, at rest.
• Role-based access control, least privilege and strong authentication (2FA).
• Logging and auditing of relevant events.
• Backups and business continuity practices.
• Regular security assessments and testing.

No system is 100% secure. In the event of a significant incident, we will take appropriate measures and issue notifications as required by law.

9) International transfers

Where processing takes place outside Brazil, we will adopt mechanisms provided for in the LGPD (Art. 33 et seq.), such as contractual clauses, safeguards and risk assessments, ensuring adequate protection and transparency for data subjects.

10) Children’s and adolescents’ data

Our service is not directed at children. In situations involving minors, we will follow legal requirements, including specific and highlighted consent from at least one parent or legal guardian.

11) Updates to this Policy

This Policy may be updated to reflect regulatory, technical or business changes. We will publish the new version with an updated effective date.

12) DPO contact

For questions, requests or complaints related to privacy, please contact our Data Protection Officer (DPO):

• E-mail: en.privacy@unova.digital
• Subject: “Privacy — DSAR”
• Suggested content: description of the request, minimum identification data and, where applicable, supporting documentation.