Privacy Policy.

This Policy applies to all personal data processed by our administrative services company — including business clients who engage our services, their employees and operational contacts whose data we encounter in the course of delivering back-office, document management, virtual reception or data entry services, and website visitors. Our primary relationship is B2B — we work for businesses. However, in delivering administrative services, we routinely encounter data about the employees, customers and third parties of our client businesses.

A. Client businesses (contracting parties):

• Company name, CNPJ and the name, role, phone and email of the responsible commercial or operational contact at the client business.
• Operational instructions, process specifications and service scope documentation required to deliver the contracted administrative services.
• Billing data for NFS-e issuance (CNPJ and contact).

B. Third-party data encountered in service delivery (operador role):

• In delivering back-office operations, document management, data entry, virtual reception and other administrative services, we routinely encounter personal data of the client's own employees, customers and business contacts — names, contact details, addresses, order histories, correspondence and all the personal data that flows through a typical business operation.
• We process this third-party data exclusively as operador under LGPD Art. 39 — on the documented instructions of the client (who is the data controller for their own stakeholders' data), for the purpose of delivering the contracted service, and for no other purpose.
• For virtual reception services: caller name, phone number and message content — processed to fulfil the reception function on behalf of the client.

C. Website visitors: IP address, browser type, pages visited and access times; name, phone and message when submitting an enquiry form.

• Client businesses (service deliverables): Processed documents, data outputs, reception logs and all service deliverables are provided to the commissioning client — this is the purpose of the service.
• SEFAZ-SP / Receita Federal: Tax data for NFS-e issuance and fiscal compliance.
• Prefeitura de Mogi das Cruzes (ISS): For ISS/ISSQN obligations on administrative service activities.
• PROCON-SP: When required in a consumer dispute mediation under the CDC.
• Legal authorities: When required by a competent judicial or administrative order.

Our administrative services operate primarily within Brazil and the Alto Tietê region. Client operational data and service deliverables are stored in Brazil. Any technology platforms for document management, virtual reception or operational communication that operate on international servers do so only under the guarantees of Art. 33 of the LGPD or recognised adequacy mechanisms. We disclose specific platforms used on client request.

• NFS-e and fiscal records: Minimum 5 years under federal and state tax legislation (CTN, Art. 174; SEFAZ-SP).
• Client service contracts and operational records: Duration of the client relationship plus 5 years for contractual, fiscal and dispute documentation.
• Third-party data processed as operador (e.g. client customer data, reception logs): Retained only for the duration required to deliver the service and any post-service dispute period. On contract termination, client data and third-party data processed on the client's behalf is returned to the client or deleted, as instructed — we do not retain client operational data beyond the service engagement without explicit instruction.
• Contact and enquiry data (no service commenced): Up to 1 year from last contact.
• Website analytics: Aggregated and anonymised after 12 months.

• Client operational data and documents accessible only to the team members directly delivering that client's service — strict access controls per client engagement;
• No client's data ever accessible to staff working on a different client's account — logical separation enforced throughout;
• Physical document management facilities secured with access control;
• Virtual reception communications handled via secure channels;
• Encryption in transit (HTTPS/TLS) for all digital communications and file transfers;
• PCI-DSS certified payment platforms — card data never retained;
• As a Ltda, formal internal data handling and information security protocols maintained;
• Incident response procedures and breach notification per LGPD Art. 48.

• Confirmation and Access (Art. 18, I–II): Confirm whether we hold your data and receive a copy.
• Correction (Art. 18, III): Request correction of inaccurate data.
• Anonymisation / Blocking / Deletion (Art. 18, IV): Request deletion — subject to fiscal and contractual retention obligations.
• Portability (Art. 18, V): Receive your data in a structured format.
• Deletion of consent-based data (Art. 18, VI): Request deletion of data processed by consent.
• Information on sharing (Art. 18, VII): Find out which entities your data has been shared with.
• Withdrawal of Consent (Art. 8º, §5º): Withdraw consent at any time.
• Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.

We respond within 15 business days. For requests relating to data processed as operador in a client's service engagement, we will forward the request to the relevant client controller per LGPD Art. 39.

Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking or advertising cookies. Preferences can be managed through browser settings.

Our administrative services are engaged by businesses — adults acting in a professional capacity. We do not intentionally collect personal data from children under 13 directly. Where third-party data processed as operador in a client service may include data about minors (for example, in data entry for a client whose customers include minors), we process that data under the client's LGPD framework and applicable LGPD Art. 14 requirements, and advise clients of their obligations as controllers for such data.

In our own right, we do not collect sensitive personal data as defined in LGPD Art. 5º, II. In delivering administrative services as operador for clients, we may encounter sensitive data belonging to the client's stakeholders — for example, in document management or data entry for clients in health, legal or HR sectors. In all such cases, we apply LGPD Art. 11 heightened handling requirements and require the client to confirm the applicable legal basis and their compliance framework before accepting that service scope.

This Policy may be updated to reflect changes in our activities, the LGPD, ANPD guidance or applicable tax legislation. Material changes will be communicated via our website or directly to active clients by email or WhatsApp.

All privacy requests, questions and complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):