DataAgreements
PTEN

Legal document

Privacy Policy

Last updated: May 1, 2026

This Policy describes how Data Agreements collects, uses, shares and protects personal data when you use our platform. We are committed to transparency and compliance with Brazil’s General Data Protection Law (LGPD — Law 13.709/2018) and the EU General Data Protection Regulation (GDPR — Regulation EU 2016/679).

1. Who we are

Data Agreements (“we”) is the controller of personal data processed on this platform for signup, authentication, billing and service-delivery purposes. For privacy questions, contact us at dataagreements@gmail.com.

2. Data we collect

2.1. Signup data

  • Name, email and password (the password is stored hashed by our authentication provider);
  • When you sign in with Google: email, name and profile picture provided by Google;
  • Optional profile data (company, role, country, segment, preferred language).

2.2. Usage data

  • Content of messages sent to the AI agent and answers generated;
  • Documents you choose to upload for analysis (RAG);
  • Usage metrics: tokens consumed, number of queries, deliverable types generated, plan in use;
  • Technical logs: IP, user agent, date/time, page visited, session identifiers.

2.3. Payment data

When you subscribe to a paid plan, card and payment-method details are collected and processed directly by Stripe. We do not store full card numbers on our servers. We receive only subscription identifiers and metadata (last 4 digits, brand, status, amount, currency).

2.4. Cookies and similar technologies

We use essential cookies to keep your session authenticated and to protect against fraud (CSRF). We may use aggregated analytics cookies to understand product usage. You can disable non-essential cookies in your browser settings.

3. How we use your data

  • Operate and provide the Service (authentication, agent answer generation, semantic search over your documents);
  • Manage plans, billing, renewals and cancellations;
  • Send transactional communications (confirmations, receipts, usage alerts, plan expiration);
  • Comply with legal, regulatory and tax obligations;
  • Prevent fraud, abuse and Terms violations;
  • Improve the product based on aggregated and anonymized metrics.

We do not sell your personal data. We do not use the content of your messages or your documents to train AI models.

4. Legal bases (LGPD and GDPR)

  • Performance of contract (LGPD art. 7, V / GDPR art. 6.1.b): to provide the Service you have signed up for;
  • Legal obligation (LGPD art. 7, II / GDPR art. 6.1.c): for tax and accounting retention;
  • Legitimate interests (LGPD art. 7, IX / GDPR art. 6.1.f): for fraud prevention, security and aggregated improvements;
  • Consent (LGPD art. 7, I / GDPR art. 6.1.a): for optional marketing communications (you may withdraw consent at any time).

5. Who we share with (subprocessors)

To operate the Service, we share strictly necessary data with the following providers, all contractually obligated to maintain adequate security and privacy standards:

ProviderPurposeLocation
SupabaseAuthentication, database, document storageUSA / EU
VercelApplication hosting and logsUSA / global
AnthropicAI model (Claude) generating the agent’s answersUSA
OpenAIGeneration of embeddings for semantic document searchUSA
StripePayment processingUSA / Ireland
GoogleGoogle sign-in (OAuth)USA
Transactional email providerSending confirmation emails, receipts and alertsUSA / EU

Where applicable, we configure these providers with minimum-retention options and disable use of data for model training.

6. International data transfers

Because we use global providers, your data may be transferred outside Brazil or the European Union, particularly to the United States. These transfers occur under adequate safeguards (European Commission Standard Contractual Clauses, Data Privacy Framework certifications, or LGPD article 33 hypotheses), preserving the level of protection required by applicable law.

7. Data retention

  • Signup data: kept while your account is active.
  • Conversations with the agent: kept so you can review your history; you may delete them at any time from the dashboard.
  • Uploaded documents: kept while you keep them in the dashboard; on deletion they are removed from the database and storage within 30 days.
  • Billing data: retained for the minimum legal period (5 years for tax purposes in Brazil), even after account closure.
  • Technical logs: kept for up to 12 months for audit, security and fraud prevention.

8. Your rights

Under the LGPD and the GDPR, you have the right to:

  • confirm whether your data is being processed;
  • access and obtain a copy of your data;
  • correct incomplete, inaccurate or outdated data;
  • request anonymization, blocking or deletion of unnecessary data or data processed unlawfully;
  • portability of data;
  • withdraw consent, where consent is the legal basis;
  • object to processing based on legitimate interests;
  • (GDPR) lodge a complaint with the EU data protection authority;
  • (LGPD) lodge a complaint with the Brazilian Data Protection Authority (ANPD).

To exercise any right, write to dataagreements@gmail.com. We will respond within 15 days.

9. Security

We adopt reasonable technical and organizational measures to protect your data, including: encryption in transit (TLS), encryption at rest in the database and storage, role-based access control (RBAC), Row Level Security (RLS) policies in the database, HttpOnly cookie authentication, segregation between production and development data, and periodic permission reviews. No system is 100% secure — you are responsible for keeping your password confidential and using multi-factor authentication when available.

10. Children

The Service is not directed to anyone under 18. We do not knowingly collect data from children or adolescents. If we become aware that we have collected data from a minor without proper consent, we will delete that data.

11. Automated decision-making

The AI agent generates answers, scorecards and reports automatically. These outputs are support tools and do not constitute automated decisions with significant legal effect — every final decision must be made by you or a qualified professional with human review. If you use the Service to support decisions affecting third parties, it is your responsibility to ensure such review.

12. Changes to this Policy

This Policy may be updated from time to time. When changes are material, we will notify you by email or in-app. The “Last updated” date at the top of this page indicates when the current version became effective.

13. Contact

Data Protection Officer (DPO) and privacy questions: dataagreements@gmail.com.