Privacy Policy

Last updated: 2026-03-13. This policy explains how Cadenio processes personal data in line with LGPD (Law No. 13,709/2018) and GDPR (EU Regulation 2016/679).

1. Data controller

The controller responsible for the processing of personal data described in this policy is Cadenio. For privacy matters, contact us through the dedicated form below or at privacy@cadenio.com.

2. Scope

This policy covers data collected on our marketing site (including forms and cookies), in commercial interactions, and in the Cadenio application. It does not cover the privacy practices of linked third-party sites or services.

3. Data we collect

  • Identity and contact: name, work email, company, job title.
  • Account data: organization, profile, language/market preferences, and authenticated sessions.
  • Operational data: process runs, comments, completed tasks, activity trails, and uploaded files in the product.
  • Payment data: processed by our payment provider (Stripe). Cadenio does not store credit card data directly.
  • Functional cookies: locale and market for a localized experience. These do not require consent as they are strictly necessary.
  • Analytics cookies: enabled only with explicit consent. Anonymous measurement is used by default for essential site statistics.
  • Technical data: IP address (anonymized after use), browser type, operating system, and performance data for security and stability.

4. Purposes and lawful bases

  • Contract performance: provide product access, authenticate sessions, operate workflows, and process payments.
  • Legitimate interest: platform security, fraud prevention, operational improvements, essential anonymous audience measurement, and transactional communications.
  • Consent: analytics cookies, additional marketing signals, and commercial communications where applicable. May be withdrawn at any time.
  • Legal obligation: record retention for tax, regulatory, or judicial compliance when required by law.

5. Subprocessors and third parties

To deliver the service, we share personal data with selected subprocessors, subject to equivalent data protection agreements. Main categories include:

  • Hosting and network infrastructure (e.g., cloud and CDN providers).
  • Payment processing (Stripe).
  • Transactional communication (system email and operational notifications).
  • Error monitoring and platform performance.

We do not sell personal data to third parties or share it for third-party behavioral advertising purposes.

6. International transfers

Some of our subprocessors operate outside Brazil or the European Union. Where international personal data transfers occur, we apply contractual safeguards compatible with LGPD and GDPR, such as Standard Contractual Clauses (SCCs) or other mechanisms recognized by competent authorities.

7. Retention and deletion

  • Account and operational data: retained for the duration of the contract and up to 90 days after termination for customer export.
  • Audit trails and security logs: retained for up to 12 months for compliance and incident investigation.
  • Payment data: retained per legal tax requirements (5 years in Brazil).
  • Contact form data: retained for up to 24 months for commercial follow-up, unless deletion is requested earlier.

After the above periods, we apply secure deletion or irreversible anonymization.

8. Security

We implement technical and organizational controls including: tenant isolation with Row-Level Security, role-based access controls (RBAC), encryption in transit (TLS) and at rest, immutable audit trails, and secure session-based authentication.

In the event of a security incident with potential impact on personal data, we will notify the competent authorities (ANPD and/or the GDPR supervisory authority) within 72 hours where required, and affected data subjects without undue delay.

9. Data subject rights

You have the following rights regarding your personal data:

  • Access: confirm whether processing occurs and obtain a copy of your data.
  • Correction: request the update of incomplete, inaccurate, or outdated data.
  • Deletion: request removal of unnecessary or non-compliant data.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: withdraw consent at any time, without prejudice to prior processing.
  • Complaint to supervisory authority: data subjects in the EU/EEA may lodge a complaint with their local data protection authority; in Brazil, with the ANPD (anpd.gov.br).

We respond to rights requests within 15 calendar days (LGPD) or 30 days (GDPR) from receipt. We may request identity verification before proceeding.

10. Minors

The service is not directed at persons under 18 years of age. We do not intentionally collect personal data from minors. If we identify such collection, we will delete that data promptly. Parents or guardians who identify improper processing may contact us through the form below.

11. DPA for B2B customers

Customers acting as independent controllers who require a Data Processing Addendum (DPA) for LGPD or GDPR compliance may request it through the contact form. The DPA covers subprocessing obligations, technical and organizational measures, and international transfer conditions.

12. Policy updates

We may update this policy to reflect legal, technical, or operational changes. For material changes, we will notify active users at least 14 days in advance. The last updated date indicates the current version.

13. Contact and privacy requests

To exercise data subject rights, request deletion, correction, portability, or any other privacy matter, use the dedicated form below or email privacy@cadenio.com.

Open privacy request