Privacy Policy
Last updated: 2026-05-05 (rev. 2). This policy explains how Cadenio collects, uses, shares, and protects personal data, in compliance with the Brazilian LGPD (Law 13.709/2018), the GDPR (EU Regulation 2016/679), and other applicable rules.
By accessing or using the marketing site, commercial forms, or the Cadenio platform, you agree to this policy. If you do not agree, please do not use the service. Capitalized terms not defined here have the meaning given in the Terms of Service.
1. Controller and data protection officer (DPO)
The controller responsible for processing personal data described in this policy is GGSA Consultoria em TI Ltda., CNPJ 49.390.014/0001-58, headquartered in São Paulo, Brazil, operating under the Cadenio brand. The designated data protection officer (LGPD art. 41 / GDPR art. 37) can be reached through the dedicated form below or at privacy@cadenio.com.
2. Scope and roles (controller vs. processor)
This policy covers personal data collected in three contexts: (a) marketing site cadenio.com (forms, blog, cookies); (b) commercial and support interactions; (c) Cadenio platform (multi-tenant SaaS application). It does not cover the privacy practices of linked third-party sites or services, even when accessed via links.
Roles: Cadenio acts as controller (LGPD/GDPR) for visitor data on the marketing site, leads, commercial contacts, billing data, and account administrator data. For content uploaded to the platform by the contracting organization (including personal data of its staff, customers, and partners), Cadenio acts as processor (LGPD operador / GDPR processor), following the customer's documented instructions and DPA. Rights requests from data subjects whose data was inserted by a customer organization must be directed, first, to that organization.
3. Information you provide to us
- Identity and contact: name, work email, company, job title, phone number (when provided).
- Account data: organization, profile, optional photo, language/market preferences, settings, and authenticated sessions.
- Customer content: workflows, process runs, comments, completed tasks, attachments, submitted forms, and other data inserted by authorized users on the platform.
- Invitations: when you invite colleagues to the platform, you provide their email addresses. Such data is used solely to send the invitation and record acceptance.
- Payment data: processed by our provider (Stripe). Cadenio only stores non-sensitive metadata (last 4 digits, brand, expiration) — never the full card number or CVV.
- Support communications: messages, emails, and attachments sent to the support team are retained for ticket resolution and service improvement.
4. Information we collect automatically
- Server logs: IP address (hashed immediately after authentication for logged-in users), browser type, operating system, pages visited, referrer, actions performed, and timestamps. Used for security, fraud prevention, and diagnostics.
- Strictly necessary cookies: locale and market for a localized experience, plus session tokens. These do not require consent, as they are essential to the service.
- Analytics and performance cookies: enabled only with explicit consent via banner. By default we use anonymous/aggregated measurement for essential statistics. Preferences can be changed at any time through the footer banner.
- Web beacons / tracking pixels in marketing emails: used, with consent, to measure opens and clicks. Transactional and support emails do not track individual behavior.
- Product performance data: latency, errors, and technical metrics, without direct association to individuals whenever possible, for stability and diagnostics.
- Do Not Track / Global Privacy Control signals: we honor browser signals to disable non-essential cookies, treating them as a refusal of consent.
5. Information received from third parties
We may receive personal data from legitimate sources, such as: (i) administrators who create member accounts on behalf of a customer organization; (ii) federated authentication providers (social login/SSO), limited to data strictly necessary to authenticate; (iii) commercial partners and public sources (LinkedIn, business registries) for legitimate B2B prospecting, subject to transparency and objection requirements.
6. How we use information
- Service operation: provide platform access, authenticate sessions, run workflows, process payments, and send transactional communications.
- Support: respond to tickets, investigate issues, and improve the experience. The support team only accesses customer content when strictly necessary and with audit logging.
- Security: fraud prevention, abuse detection, incident monitoring, and compliance with legal and regulatory obligations.
- Product improvement: aggregated, de-identified analytics to understand usage, identify improvements, and prioritize the roadmap.
- Marketing and relationship: commercial communications (newsletter, content, events) sent only based on consent or legitimate interest in the B2B relationship with active administrators. An opt-out mechanism is always provided.
- Legal compliance: meeting tax and regulatory obligations, court orders, and requests from competent authorities.
7. Lawful bases for processing
- Contract performance (LGPD art. 7(V) / GDPR art. 6(1)(b)): platform provisioning, authentication, billing.
- Legitimate interest (LGPD art. 7(IX) / GDPR art. 6(1)(f)): platform security, fraud prevention, operational improvement, essential anonymous measurement, and B2B relationship with administrators.
- Consent (LGPD art. 7(I) / GDPR art. 6(1)(a)): analytics cookies, direct marketing, and any processing that requires express approval. May be withdrawn at any time, without affecting prior processing.
- Legal or regulatory obligation (LGPD art. 7(II) / GDPR art. 6(1)(c)): tax, accounting, regulatory, or judicial retention.
- Exercise of rights (LGPD art. 7(VI) / GDPR art. 6(1)(f)): defense in judicial, administrative, or arbitration proceedings.
8. Sharing and disclosure
We do not sell personal data, do not share it for cross-context behavioral advertising, and do not use it to train proprietary or third-party AI models without express consent. We only share personal data in the following cases:
- Sub-processors: cloud hosting, database, transactional email, payment processing (Stripe), error monitoring, support, and AI providers, all under contract with obligations equivalent to this policy.
- Professional advisors: lawyers, auditors, and accountants under confidentiality duty, to the extent necessary for defense of rights or legal compliance.
- Competent authorities: disclosure compelled by law, court order, or substantiated administrative request, or when reasonably necessary to protect Cadenio's, customers', or third parties' rights, safety, or property. Where legally possible, we will notify the affected customer before disclosure.
- Corporate transactions: in the event of a merger, acquisition, asset sale, corporate reorganization, or insolvency, personal data may be transferred as part of the business, with reasonable prior notice and the same protections of this policy carried over to the successor.
- With your consent: for any other purpose not contemplated in this policy, with specific, granular, and informed consent.
- De-identified / aggregated data: statistics and metrics that do not allow identification of individuals may be freely published or shared.
The current sub-processor list is available upon request through the contact form, including a prior-notice mechanism for new sub-processors where required by the customer's DPA.
9. International transfers
Some sub-processors operate outside Brazil or the European Union (notably in the United States and the EU). Where international personal data transfers occur, we apply safeguards compatible with the LGPD (art. 33) and GDPR (Chapter V), including Standard Contractual Clauses (SCCs) or other mechanisms recognized by competent authorities (ANPD, European Commission, ICO). Copies of these safeguards are available upon request.
10. Retention and deletion
- Account and operational data: retained for the contract term and up to 90 days after termination for customer export, unless earlier deletion is requested.
- Audit trails and security logs: retained for up to 12 months for compliance and incident investigation.
- Payment and tax data: 5-year retention, as required by Brazilian tax law (Decree-Law 486/1969 and applicable tax authority rules).
- Contact / marketing form data: retained for up to 24 months for commercial follow-up, unless earlier deletion is requested.
- Backups: retained per operational rotation (up to 30 days for incrementals, up to 12 months for recovery snapshots) and discarded at end of cycle.
After the above periods, we apply secure deletion or irreversible anonymization, except for minimum retention required by law or for defense in judicial, administrative, or arbitration proceedings.
11. Security and incident notification
We implement technical and organizational controls including: tenant isolation with Row-Level Security, role-based access controls (RBAC), encryption in transit (TLS) and at rest, immutable audit trails, secure session-based authentication, vulnerability management, environment segregation, and periodic access reviews. Nevertheless, no method of electronic transmission or storage is 100% secure.
In the event of a security incident with potential impact on personal data, we will notify the competent authorities (the ANPD per LGPD art. 48 and/or the GDPR supervisory authority within 72 hours, where required) and affected data subjects without undue delay, as required by law.
12. Data subject rights
You have the following rights regarding your personal data (LGPD art. 18, GDPR arts. 15-22, and applicable local law):
- Confirmation and access: confirm whether processing occurs and obtain a copy of your data in an understandable format.
- Correction: request update of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion: of unnecessary, excessive, or non-compliant data.
- Portability: receive your data in a structured, machine-readable format, or request transmission to another provider (subject to technical feasibility and third-party trade secret limits).
- Objection and restriction: object to or restrict processing based on legitimate interest.
- Withdrawal of consent: at any time, without prejudice to prior processing.
- Information about sharing: identification of public and private entities with which use was shared.
- Complaint to supervisory authority: data subjects in Brazil may file a complaint with the ANPD (anpd.gov.br); data subjects in the EU/EEA, with their national data protection authority; in the UK, with the ICO.
Identity verification: to protect your privacy, we may request additional information to confirm the requester's identity before responding. Authorized agent: you may designate a representative to exercise rights on your behalf, upon verifiable written authorization.
Response time: up to 15 calendar days (LGPD) or 30 days (GDPR) from receipt of the verified request, extendable in justified cases with notice to the data subject. Rights may be limited by legal exceptions (e.g., mandatory tax retention or defense of rights).
When we act as processor (data inserted by a customer organization), please direct the request first to the contracting organization; we will assist the customer per the applicable DPA.
13. Automated decisions and profiling
The platform applies automated decisions in limited contexts, without behavioral profiling or credit scoring:
- Temporary login lockout for excessive invalid attempts (default: 5 attempts, 15-minute lockout, configurable by account administrator).
- Access block based on billing status (canceled or paused plans, with grace period).
- Rate limiting on authentication and API endpoints to protect against automated attacks.
- Automated moderation of inputs to AI features, as described in the Terms of Service.
Right to human review (LGPD art. 20): data subjects affected by automated decisions that produce effects in their sphere may request review by a natural person and a description of the criteria and procedures used, subject to trade-secret and information-security limits.
14. Marketing communications and opt-out
We send marketing communications (newsletter, content, events, product updates) only based on consent or legitimate interest in the B2B relationship with administrators of active accounts. Every message includes an unsubscribe link (opt-out). You may also withdraw consent or unsubscribe at any time through the privacy form or by emailing privacy@cadenio.com.
Transactional communications (payment confirmation, security alerts, contract changes) are essential to the service and do not require marketing consent.
15. Sensitive personal data
Cadenio does not request, nor is it intended to process, sensitive personal data as defined by LGPD art. 5(II) (racial or ethnic origin, religious belief, political opinion, union membership, health, sex life or orientation, genetic, or biometric data), or GDPR special categories. The customer is solely responsible for the content it inserts into the platform; using the platform to process such data requires a specific written addendum (DPA with sensitive-data scope); without it, insertion is prohibited under the Terms of Service.
16. Children and adolescents
The service is intended exclusively for business use by persons over 18 years of age. We do not intentionally collect personal data from children (under 12) or adolescents (12 to 18), per LGPD art. 14 and the Brazilian Statute of Children and Adolescents (ECA). If we identify improper collection, we will delete the data promptly. Parents or guardians who identify improper processing may contact us through the form below.
17. Notice to end users (administration by the organization)
When an organization (for example, your employer) contracts the service and creates a member account for you, that organization is the administrator and primary controller of data in your account. Cadenio acts as processor. Administrators may, at their discretion and within the contracted plan: (i) require password reset; (ii) restrict, suspend, or terminate your access; (iii) access data in your account; (iv) modify permissions and assignments; (v) access activity logs. Use of the platform is also subject to your organization's internal policies. Privacy requests should be directed, first, to the organization administrator.
18. DPA for B2B customers
Customers acting as independent controllers who require a Data Processing Addendum (DPA) for LGPD or GDPR compliance may request it through the contact form. The DPA covers sub-processing obligations, technical and organizational measures, international transfer conditions, retention, and support for data-subject rights.
19. Third-party sites and services
The site and platform may contain links to sites or services operated by third parties (e.g., integrations with Google, Slack, Stripe, social networks). Cadenio does not control such sites and is not responsible for their privacy practices. When you access them, your interaction is subject to the third party's policy. We recommend reading those terms before use.
20. Jurisdiction-specific provisions
- Brazil (LGPD): exercise rights under LGPD art. 18 via the privacy form or privacy@cadenio.com. Complaints may be addressed to the ANPD (anpd.gov.br).
- EU / EEA (GDPR): exercise GDPR art. 15-22 rights through the channels above. Complaints may be addressed to your country's supervisory authority.
- United Kingdom (UK GDPR): equivalent rights may be exercised through the same channels; complaints to the ICO (ico.org.uk).
- California, USA (CCPA/CPRA): California residents may request access, deletion, correction, and opt-out of sale/sharing. We reaffirm: Cadenio does not sell personal data nor share it for cross-context behavioral advertising (CCPA sense).
- Switzerland (FADP): residents may exercise equivalent rights through the privacy form.
If an applicable jurisdiction grants additional rights not listed above, such rights will be honored to the extent required by mandatory local law.
21. Policy updates
We may update this policy to reflect legal, technical, or operational changes. For material changes, we will notify active users at least 14 days in advance by email, in-product banner, or website notice. The last updated date indicates the current version. Upon request, we provide prior versions of the policy for audit and historical purposes.
If you do not agree with material changes, you must stop using the service and request account termination before the new policy's effective date.
22. Contact and privacy requests
To exercise data subject rights, request deletion, correction, portability, review of automated decisions, or any other privacy matter, use the dedicated form below or email privacy@cadenio.com.
Postal address: GGSA Consultoria em TI Ltda. — São Paulo, Brazil. (Full address available upon request for legal purposes.)