Privacy Policy
Transparent, LGPD & GDPR compliant. Last updated: 20 June 2026 | Effective: 1 July 2026
1. Controller and Scope
1.1 Data Controller
The data controller responsible for the processing of your personal data is Quantivus Technology LTDA, a company duly registered in Brazil under CNPJ [to be registered], with registered office at Rua Cesario Romani, 301, Sala 01, Jau, State of Sao Paulo, ZIP 17208-749, Brazil ("Quantivus", "we", "us", "our"). This policy applies to all personal data collected through quantivus.io, subdomains and any service operated by us.
1.2 Data Protection Officer (DPO / Encarregado de Dados)
In accordance with Art. 41 LGPD and Art. 37-39 GDPR we have appointed a Data Protection Officer. You can contact our DPO for any privacy related question, to exercise your rights or to lodge a complaint: dpo@quantivus.io | +55-11-99728-9278. The DPO acts as our Encarregado de Dados for the purpose of LGPD and is reachable via the same channels.
1.3 Scope of this Policy
This policy describes what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, what rights you have and how you can exercise them. It covers our website, our products, our support channels and any other interaction you have with Quantivus.
2. Legal Basis for Processing (LGPD Art. 7 / GDPR Art. 6)
We only process your personal data when there is a lawful basis to do so. We rely on: (a) your explicit consent (LGPD Art. 7 I, GDPR Art. 6 (1) (a)), for analytics, marketing and optional cookies; (b) performance of a contract or pre-contractual measures (LGPD Art. 7 V, GDPR Art. 6 (1) (b)), when you engage us for services; (c) compliance with legal or regulatory obligations (LGPD Art. 7 II, GDPR Art. 6 (1) (c)); (d) our legitimate interest in operating, securing and improving our services (LGPD Art. 7 IX, GDPR Art. 6 (1) (f)), balanced against your rights; and (e) protection of credit (LGPD Art. 7 X) where applicable. We never rely on legitimate interest for sensitive personal data.
3. Categories of Personal Data Collected
Depending on how you interact with us we may collect: (i) identification data (name, email, phone, job title, company); (ii) authentication data (login, hashed password, MFA factors) for client portal access; (iii) technical data (IP address, browser type and version, operating system, screen resolution, referring page, timestamps, error logs); (iv) usage data (pages visited, features used, click paths, anonymised analytics events); (v) communication data (messages you send us via forms, email, chat or support tickets); (vi) billing data (company name, tax ID, invoicing address, payment reference); and (vii) content you provide us for the purpose of receiving our services (project artefacts, source code, documents). We do not intentionally collect sensitive personal data (Art. 5 II LGPD / Art. 9 GDPR) such as racial or ethnic origin, political opinions, religious beliefs, biometric or genetic data, health data or data concerning sexual orientation.
4. Purposes of Processing
We process your personal data for the following purposes: (1) responding to your contact requests, quotes and RFPs; (2) performing contracts, delivering services and providing support; (3) managing your client or vendor account; (4) invoicing, accounting and tax compliance; (5) maintaining and improving our website, products and infrastructure; (6) security monitoring, fraud prevention and incident response; (7) producing anonymised, aggregated statistics; (8) sending transactional communications (you cannot opt out of these); (9) sending marketing communications only when you have given specific, informed and freely given consent; (10) complying with applicable laws, court orders and regulator requests.
5. Cookies, Local Storage and Similar Technologies
We use cookies and the browser Local Storage API. Strictly necessary cookies are always set. Analytics and marketing cookies are only set after you have granted consent via our cookie banner. You can withdraw your consent at any time via the "Cookie settings" link in the footer. Detailed information on every cookie we use (name, provider, purpose, type, lifetime and category) is available in our Cookie Policy.
6. Sharing with Third Parties (Service Providers)
We do not sell your personal data. We share data only with carefully selected service providers acting as processors (operadores) on our behalf, under a written data processing agreement compliant with LGPD Art. 39 and GDPR Art. 28. Current categories of processors: (i) cloud infrastructure (hosting, database, storage); (ii) transactional email and chat support; (iii) accounting and invoicing; (iv) analytics (only with consent); (v) legal and tax advisors under confidentiality. Each processor is listed in our public register of operators, available on request from the DPO.
7. International Data Transfers
Quantivus is headquartered in Brazil and some of our processors may be located outside Brazil, including the European Economic Area and the United States. Any international transfer is performed only on the basis permitted by LGPD Art. 33-36 and GDPR Art. 44-50, in particular: (a) adequacy decisions of the ANPD or the European Commission; (b) standard contractual clauses approved by the competent authority; (c) binding corporate rules; or (d) your explicit consent after you have been informed of the possible risks. You can request a copy of the safeguards applied to your transfer from the DPO.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy or as required by law. Typical retention periods: (i) contact form and chat messages: 24 months from last interaction; (ii) client contract data and invoicing: 10 years after termination as required by Brazilian tax law (CTN Art. 173/174, Commercial Code); (iii) server logs: 6 months; (iv) analytics events: 13 months; (v) backups: 12 months rolling. After expiry, data is securely deleted or irreversibly anonymised.
9. Your Rights as a Data Subject (LGPD Art. 18 / GDPR Art. 15-22)
You have the following rights, exercisable free of charge and at any time, by contacting the DPO at dpo@quantivus.io: (1) confirmation of the existence of processing; (2) access to your data; (3) correction of incomplete, inaccurate or outdated data; (4) anonymisation, blocking or deletion of unnecessary or excessive data; (5) portability; (6) deletion of personal data processed with your consent; (7) information about public and private entities with which we shared your data; (8) information about the option to refuse consent and the consequences; (9) revocation of consent; (10) review of automated decisions. We respond within 15 days under LGPD and within 1 month under GDPR (extendable by 2 months for complex requests). You may also lodge a complaint with the ANPD or with your local EU DPA.
10. Security Measures (LGPD Art. 46 / GDPR Art. 32)
We implement technical and organisational measures to protect personal data against unauthorised access, disclosure, loss, alteration or destruction, including: TLS 1.3 in transit; AES-256 encryption at rest; zero-trust network segmentation; least-privilege access control with mandatory MFA; role based access control; centralised logging and SIEM monitoring; quarterly penetration testing; documented incident response plan with 24 hour notification window; vendor risk management; regular staff privacy and security training. Detailed measures are described in our Security Policy.
11. Children and Adolescents
Our services are not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact the DPO so we can promptly delete it, in accordance with LGPD Art. 14 and GDPR Art. 8.
12. Automated Decision Making and Profiling
We do not subject you to decisions based solely on automated processing that produce legal effects or significantly affect you (LGPD Art. 20 / GDPR Art. 22). Where AI-assisted features are used (for example, AI-assisted code review or analytics summaries), a human is always in the loop before any decision is communicated to you.
13. Changes to this Policy
We may update this policy to reflect changes in our practices, our services or applicable law. The "Last updated" date at the top indicates when the current version came into force. Material changes will be notified to you by email (when we have a current address) and/or via a banner on the website. The previous versions of this policy are available on request from the DPO.
14. Right to Lodge a Complaint with a Supervisory Authority
If you believe that our processing of your personal data is not compliant with LGPD or GDPR, you have the right to lodge a complaint with the competent supervisory authority: Brazil: Autoridade Nacional de Protecao de Dados (ANPD) - https://www.gov.br/anpd/ - complaints portal https://www.gov.br/anpd/pt-br/canais_atendimento/cidadao. EU/EEA: the Data Protection Authority of your habitual residence, place of work or place of the alleged infringement. A list is available at https://edpb.europa.eu. Lodging a complaint with a supervisory authority does not preclude any other remedy.
15. Contact
For any privacy related question or to exercise your rights, please contact: Quantivus Technology LTDA - Attn: Data Protection Officer - Rua Cesario Romani, 301, Sala 01, Jau, SP, 17208-749, Brazil - dpo@quantivus.io - +55-11-99728-9278. We will respond within the legal deadlines applicable to your jurisdiction.
Questions about your privacy?
Our DPO replies within 15 days (LGPD) / 1 month (GDPR) to every request.