Data Protection - LGPD Compliance
1. About LGPD
The Lei Geral de Proteção de Dados (General Data Protection Law - LGPD, Law No. 13.709/2018) is Brazilian legislation that regulates personal data processing and establishes fundamental rights of privacy and data protection for individuals.
RICARDO ***** - ME, operator of the NUDINN platform, is fully committed to LGPD compliance and protecting data subjects' privacy.
This document complements our Privacy Policy and provides specific information about LGPD compliance, data subject rights, and our responsibilities as data controller and processor.
2. Roles and Responsibilities
2.1. Data Controller
Legal Name: RICARDO ***** - ME
CNPJ: 16.***.***/0001-80
Role: Data Controller (Art. 5, VI of LGPD)
As controller, we are responsible for decisions regarding personal data processing, including purposes, means, and forms of processing.
2.2. Data Protection Officer (DPO)
Name: Ricardo *****
Email: dpo@nudinn.com
Alternative Email: privacidade@nudinn.com
The Data Protection Officer is the communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD). Responsibilities include:
- Accept complaints and communications from data subjects
- Provide clarifications about data processing
- Receive communications from ANPD and take action
- Guide employees on data protection practices
- Execute other duties determined by controller or ANPD
2.3. Data Processors
We use third-party service providers (processors) who process personal data on our behalf, always under contracts ensuring LGPD compliance:
- Stripe: Payment processing
- AWS/Google Cloud: Data hosting and storage
- Email Providers: Sending transactional communications
- Analytics: Analysis tools (anonymized data)
All processors are carefully selected, audited, and contractually obligated to process data strictly according to our instructions and in LGPD compliance.
3. Personal Data Processed
3.1. Data Categories
| Category | Data Types | Purpose | Legal Basis (Art. 7) |
|---|---|---|---|
| Identification | Name, CPF/Tax ID, email, phone, date of birth | Registration and account management | Contract performance (V) |
| Authentication | Password (hash), session tokens | Security and access control | Contract performance (V) |
| Financial | Income, expenses, balances, transactions, bank accounts | Financial management service provision | Contract performance (V) |
| Payment | Card data (tokenized), subscription history | Billing and invoicing | Contract performance (V) |
| Browsing | IP, browser, pages visited, cookies | Analytics, improvements, security | Legitimate interest (IX) |
| Marketing | Email, communication preferences | Newsletters and promotions | Consent (I) |
| Support | Messages, ticket history | Customer service | Contract performance (V) |
3.2. Sensitive Data
Important: We do not collect, process, or store sensitive personal data as defined by Art. 5, II of LGPD (racial/ethnic origin, religious belief, political opinion, union affiliation, genetic, biometric, health, or sexual life data).
3.3. Children's and Adolescents' Data
Our services are not intended for individuals under 18 years of age. Processing data of children and adolescents would only occur with specific consent from at least one parent or legal guardian (Art. 14 of LGPD).
If we identify that minors' data has been inadvertently collected, we will delete such data immediately.
4. Legal Bases for Processing
All personal data processing by NUDINN is based on one or more legal bases provided in Art. 7 of LGPD:
Art. 7, I - Consent
Application: Used for marketing communications, newsletters, non-essential cookies, and advanced analytics.
Characteristics: Free, informed, unambiguous, and specific consent. Can be revoked at any time without cost or prejudice to essential service use.
Art. 7, V - Contract Performance
Application: Fundamental for providing contracted services (financial management, alerts, recommendations, payment processing).
Characteristics: Data necessary to fulfill contractual obligations established in Terms of Use.
Art. 7, IX - Legitimate Interest
Application: Used for fraud prevention, platform security, analytics for improvements, protection of rights in legal proceedings.
Characteristics: Our legitimate interest is always balanced against your fundamental rights. We conduct a documented Legitimate Interest Assessment (LIA).
Right to Object: You can object to processing based on legitimate interest (Art. 18, §2).
Art. 7, II - Compliance with Legal Obligation
Application: When required by law or regulation (e.g., tax, accounting obligations, judicial requests, record preservation per Marco Civil da Internet).
5. Data Subject Rights (Art. 18 of LGPD)
LGPD guarantees data subjects various rights regarding their personal data. NUDINN respects and facilitates the exercise of all these rights:
1. Confirmation and Access
Art. 18, I and II
Confirm whether we process your data and access your personal data.
✓ Available via platform download or by request
2. Correction
Art. 18, III
Correct incomplete, inaccurate, or outdated data.
✓ Available in account settings or by request
3. Anonymization, Blocking, or Deletion
Art. 18, IV
Request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
✓ Analyzed case by case respecting legal obligations
4. Portability
Art. 18, V
Receive your data in structured, commonly used, machine-readable format.
✓ Export in JSON/CSV format
5. Deletion
Art. 18, VI
Request deletion of consent-based data.
✓ Account deletion available on platform
6. Information on Sharing
Art. 18, VII
Know with which public and private entities we share your data.
✓ Information available in Privacy Policy
7. Information on Non-Consent
Art. 18, VIII
Be informed about consequences of not providing consent.
✓ We clearly inform when requesting consent
8. Consent Revocation
Art. 18, IX
Withdraw your consent at any time.
✓ Available in settings or via email
9. Opposition
Art. 18, §2
Object to processing based on legitimate interest.
✓ Analyzed case by case considering fundamental rights
10. Review of Automated Decisions
Art. 20
Request review of decisions made solely based on automated processing.
✓ Human review available upon request
How to Exercise Your Rights
To exercise any of the above rights, you can:
- Through Platform: Account Settings > Privacy and Data
- Email to DPO: dpo@nudinn.com or privacidade@nudinn.com
- Support Channel: suporte@nudinn.com
Response Timeframes
- Standard timeframe: Up to 15 days from request
- Extension: May be extended by another 15 days with justification (complexity, volume of requests)
- Communication: You will be informed about your request status
Identity Verification
To protect your data, we may request additional information to verify your identity before processing requests related to data access, correction, or deletion.
6. Data Retention
We retain your personal data only as long as necessary for the purposes for which it was collected, respecting legal obligations and limitation periods:
| Data Type | Retention Period | Justification |
|---|---|---|
| Active account data | Duration of relationship | Contract performance |
| Closed account data | Up to 5 years after closure | Tax obligations (5 years) and litigation defense |
| Access logs (IP) | 6 months | Marco Civil da Internet (Art. 15) |
| Payment data | 5 years after last transaction | Tax and accounting obligations |
| Marketing communications | Until revocation or 2 years without interaction | Consent / Legitimate interest |
| Support tickets | 3 years after resolution | Service quality and defense |
| Anonymized data | Indefinitely | Does not allow identification (Art. 12 LGPD) |
After the retention periods expire, data is securely and irreversibly deleted through sanitization processes that prevent recovery.
7. Security and Data Protection
In compliance with Art. 46 of LGPD, we adopt technical and administrative security measures capable of protecting personal data from unauthorized access and accidental or unlawful situations:
- Encryption: SSL/TLS in transit, AES-256 at rest
- Access Control: Multi-factor authentication, principle of least privilege
- Monitoring: SIEM, audit logs, intrusion detection
- Testing: Semi-annual pentests, security audits
- Backups: Encrypted and geographically distributed
- Training: Continuous team training on LGPD and security
For complete details about our security practices, see our dedicated page: Information Security.
8. Security Incident Communication
In compliance with Art. 48 of LGPD, in the event of a security incident that may pose relevant risk or harm to data subjects:
8.1. Communication to ANPD
- Timeframe: Within a reasonable time (generally 72 hours after detection)
- Content: Incident description, affected data, measures taken, potential impacts
8.2. Notification to Affected Data Subjects
- Timeframe: Immediate, after preliminary analysis
- Method: Email, in-app notification, and/or public statement
- Content:
  - Incident nature
  - Types of affected data
  - Technical protection measures adopted
  - Incident-related risks
  - Measures data subjects can take to mitigate adverse effects
  - Contact channel for clarifications
8.3. Communication Waiver
Communication may be waived when (Art. 48, §4):
- Affected data is incomprehensible to third parties (robust encryption)
- Technical protection measures render data inaccessible
- Subsequent measures have eliminated the risk of harm
9. International Data Transfer
Some of our service providers (processors) may be located or process data outside Brazil. We ensure such international transfers comply with LGPD (Art. 33):
9.1. Adequacy Mechanisms
- Countries with Adequate Level: Transfers to countries recognized by ANPD as having adequate protection level
- Standard Contractual Clauses (SCC): Contracts based on approved Standard Contractual Clauses
- Certifications: Providers certified with ISO 27001, SOC 2 Type II, Privacy Shield (when applicable)
- Specific Safeguards: Contractual clauses ensuring protection equivalent to LGPD
9.2. Transparency
We clearly inform in the Privacy Policy which providers may process data internationally. Main destinations:
- United States: AWS, Google Cloud, Stripe (certified/adequate)
- European Union: Some backup servers and CDN
10. Automated Decisions and Profiling
NUDINN uses Artificial Intelligence algorithms for financial analysis, projections, and recommendations. We ensure transparency and control over this processing:
10.1. Transparency
- We clearly inform when decisions are made by automated systems
- We explain the logic, criteria, and importance of automated processing
- We provide information about consequences for data subjects
10.2. Right to Human Review
Per Art. 20 of LGPD, you have the right to request human review of decisions made solely based on automated processing that affect your interests.
To request human review of system alerts or recommendations, contact suporte@nudinn.com.
10.3. Profiling Limitations
We do not use automated profiling for decisions producing significant legal effects or affecting fundamental rights (e.g., credit granting, discrimination). Our AI use is limited to personal financial recommendations.
11. Frequently Asked Questions about Data Protection
What is personal data?
Information relating to an identified or identifiable natural person (Art. 5, I). Examples: name, CPF/Tax ID, email, IP, location data.
Can I request deletion of all my data?
Yes, you can request account and data deletion. However, we may retain some data for the necessary period to fulfill legal obligations (e.g., tax records for 5 years).
How do I know my data is secure?
We implement multiple security layers including encryption, access controls, 24/7 monitoring, and regular audits. See details on our Security page.
Do you sell my data?
No. We never sell, rent, or trade user personal data.
What happens if I revoke my consent?
Consent revocation for marketing communications does not affect essential platform service use. You simply stop receiving newsletters and promotions.
12. Contact - Data Protection Officer (DPO)
To exercise your rights, clarify doubts about data protection, or submit complaints related to personal data processing:
RICARDO ***** - ME
CNPJ: 16.***.***/0001-80
Data Protection Officer (DPO): Ricardo *****
DPO Email: dpo@nudinn.com
Privacy Email: privacidade@nudinn.com
General Support: suporte@nudinn.com
We respond to all data protection requests within 15 days, as established by legislation.
