Privacy Policy - TrustThis
Last updated on: 07/30/2025
1. Controller Identification
Company Name: Collabee Tecnologia Ltda
Tax ID (CNPJ): 45.510.477/0001-55
Address: Avenida Paulista, 807 – Suite 2315, Bela Vista, ZIP: 01311-915, São Paulo – SP, Brazil
Website: https://trustthis.org
Contact email: team@trustthis.org
2. Introduction and Privacy Commitment
TrustThis is a platform specialized in privacy and data security audits, committed to protecting and safeguarding the personal information of all users. This Privacy Policy describes how we collect, use, store, share and protect your personal data in compliance with the Brazilian General Data Protection Law (LGPD - Law No. 13,709/2018) and other applicable regulations.
By using our platform, you declare that you have read, understood and agreed to the terms of this Privacy Policy. If you do not agree with any aspect of this policy, we recommend that you do not use our services.
Our mission is to promote transparency in the data protection market, and this includes being transparent about our own personal data processing practices.
3. Important Definitions
For better understanding of this policy, we present the following definitions based on the LGPD:
Personal Data: Information related to an identified or identifiable natural person, including name, email, tax ID, business ID, address, phone number, among others.
Sensitive Personal Data: Data about racial or ethnic origin, religious belief, political opinion, union membership, data concerning health or sex life, genetic or biometric data.
Data Subject: Natural person to whom the personal data being processed refers.
Controller: Natural or legal person, of public or private law, who is responsible for decisions regarding the processing of personal data (TrustThis).
Processor: Natural or legal person, of public or private law, who processes personal data on behalf of the controller.
Processing: Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
4. Types of Data Collected
4.1 Registration and Identification Data
When you register on our platform, we collect mandatory personal data including full name, email address, password (stored in encrypted form), company/organization, position/role, and contact phone number.
Optionally, you may provide additional information such as profile photo, professional biography, professional certifications, and professional social networks.
4.2 Audited Company and Software Data
When you request an audit, we collect data from the audited company, such as corporate name, tax ID, business address, industry sector, company size, and responsible contacts (names and emails).
Additionally, we collect information about the software or system to be audited, including software/system name, application type, main features, types of data processed, estimated number of users, and basic technical architecture.
4.3 Documents and Evidence
During the audit process, technical documents may be collected such as privacy policies, terms of use, technical documentation, security reports, certifications, and third-party contracts.
Compliance evidence may also be collected, including interface screenshots, system logs (anonymized), operational procedures, training records, and process documentation.
4.4 Browsing and Usage Data
We automatically collect technical data during your browsing, including IP address, browser type, operating system, screen resolution, pages visited, time spent, and access origin (referrer).
We also collect platform interaction data, such as clicks and actions performed, forms filled out, downloads made, searches conducted, and configuration preferences.
4.5 Communication Data
When you contact us, we collect information from direct communications, including email content, chat messages, phone calls (when recorded), contact forms, and support tickets.
5. Processing Purposes
5.1 Audit Services
Legal Basis: Contract execution (Art. 7, V, LGPD)
We use your data to conduct privacy and security audits, prepare compliance reports, generate scores and ratings, provide improvement recommendations, track compliance evolution, and issue audit certificates.
5.2 Account Management and Relationship
Legal Basis: Contract execution (Art. 7, V, LGPD)
We process data to create and maintain your user account, authenticate platform access, personalize user experience, provide technical support, process payments, and manage subscriptions and plans.
5.3 Public Transparency and Score
Legal Basis: Legitimate interest (Art. 7, IX, LGPD) and Consent (Art. 7, I, LGPD)
To promote market transparency, we publish aggregated company scores, create industry rankings, make public compliance information available, generate market statistics, and promote best practices.
Important:
Only information that is already public or expressly authorized is disclosed. Confidential audit data is never publicly exposed.
5.4 Service Improvement
Legal Basis: Legitimate interest (Art. 7, IX, LGPD)
We analyze data to improve audit methodologies, develop new features, optimize platform performance, identify market trends, and improve user experience.
5.5 Communication and Marketing
Legal Basis: Consent (Art. 7, I, LGPD)
With your explicit consent, we send privacy newsletters, communicate service updates, share educational content, promote events and webinars, and conduct satisfaction surveys.
5.6 Legal Obligations Compliance
Legal Basis: Legal obligation compliance (Art. 7, II, LGPD)
When necessary, we process data to respond to requests from authorities, comply with court decisions, respond to regulatory investigations, maintain accounting records, and fulfill tax obligations.
6. Data Sharing
6.1 General Principles
TrustThis adopts the principle of minimization in data sharing, sharing only the strictly necessary information for the purposes described in this policy.
6.2 Sharing with Authorized Third Parties
We share data with essential service providers, including cloud infrastructure providers, payment services, communication tools, analytics and monitoring systems, and backup and security services.
Conditions: All providers sign data processing agreements with specific protection and confidentiality clauses.
6.3 Sharing for Public Transparency
Permitted public information includes aggregated company scores (without internal details), industry rankings, anonymized market statistics, information already publicly available, and data with express consent.
On the other hand, we always keep private specific vulnerability details, internal company documents, confidential audit data, personal information of employees, and specific operational procedures.
6.4 Sharing by Legal Obligation
We may share data when required by law or regulation, determined by court order, requested by competent authorities, necessary for protection of rights, or required for official investigations.
6.5 International Transfers
If it is necessary to transfer data to other countries, we will use only countries with an adequate level of protection, implement appropriate contractual safeguards, obtain specific consent when necessary, and ensure compliance with local regulations.
7. Data Retention and Deletion
7.1 Retention Periods
User account data is kept while the account is active. After cancellation, we retain data for 30 days to allow reactivation, proceeding with permanent deletion 90 days after cancellation.
Audit data has differentiated retention periods: complete reports are kept for 5 years for historical purposes, submitted documents for 3 years, public scores are kept indefinitely in anonymized format, and technical evidence for 2 years.
Regarding communication data, support emails are retained for 2 years, system logs for 1 year, call recordings for 6 months, and customer service chat history for 1 year.
Financial data follows applicable tax legislation: payment information is kept as required by law, invoices and receipts for 5 years, and card data is not stored (we use tokenization).
7.2 Retention Criteria
When defining retention periods, we consider the need for continuous service provision, legal and regulatory obligations, defense of rights in legal proceedings, legitimate interest in maintaining history, and specific requests from data subjects.
7.3 Deletion Process
Our secure data deletion involves removing data from all systems, updating backups to reflect the deletion, clearing cached copies, notifying third parties so they can delete their copies, and generating a deletion certificate.
There are exceptions to deletion for anonymized data used in statistics, information necessary for legal compliance, data in legal dispute, and critical security information.
8. Data Subject Rights
8.1 Rights Guaranteed by LGPD
According to LGPD, you have the following rights:
Confirmation and Access (Art. 18, I and II): You can confirm whether we process your personal data, access your personal data, and obtain a copy of the data in a structured format.
Correction and Update (Art. 18, III): You have the right to correct incomplete, inaccurate or outdated data and update information when necessary.
Anonymization and Deletion (Art. 18, IV and VI): You can request anonymization of unnecessary data, request deletion of data processed with consent, and eliminate unnecessary or excessive data.
Portability (Art. 18, V): You can receive data in structured format, transfer data to another controller, and obtain data in interoperable format.
Information about Sharing (Art. 18, VII): You have the right to know with whom we share your data, understand the purposes of sharing, and understand legal bases used.
Consent Revocation (Art. 18, IX): You can withdraw consent at any time, maintain data processed with other legal bases, and be informed about the consequences of revocation.
8.2 How to Exercise Your Rights
You can exercise your rights through our main channel by sending an email to team@trustthis.org, filling out the online form at https://trustthis.org/direitos-lgpd, or accessing the user portal in the "My Rights" section.
To process your request, we need information such as full name, registered email, identification document, specific description of the request, and proof of identity (when necessary).
Our response times are: acknowledgment of receipt within 48 hours, initial response within 15 days, complete service within 30 days, and for complex cases up to 60 days (with justification).
8.3 Limitations to Rights
Some rights may be limited when necessary for compliance with legal obligations, required for regular exercise of rights, essential for protection of life or safety, indispensable for health protection, or fundamental for meeting public interest.
8.4 Identity Verification Process
To protect your data, we may request an official identification document, confirmation of registered information, answers to security questions, verification by email or phone, and a digital signature when applicable.
9. Security Measures
9.1 Technical Security
We implement multi-layer encryption: data in transit is protected with TLS 1.3, data at rest with AES-256, passwords are stored as salted bcrypt hashes, and sensitive communications use end-to-end encryption.
Our access control includes mandatory multi-factor authentication, role-based access control (RBAC), application of the principle of least privilege, periodic access review, and detailed audit logs.
Our infrastructure features servers in certified data centers, redundancy and high availability, 24/7 monitoring, automated and regularly tested backups, and environment isolation.
9.2 Organizational Security
We maintain strict policies and procedures, including an Information Security Policy, incident response procedures, mandatory employee training, confidentiality agreements, and periodic security reviews.
Our personnel management includes background checks, data protection training, need-based access, activity monitoring, and secure offboarding process.
9.3 Monitoring and Detection
We use advanced monitoring systems, including SIEM (Security Information and Event Management), anomaly detection, behavioral analysis, real-time alerts, and event correlation.
We conduct regular security testing, such as annual penetration testing, vulnerability assessments, code reviews, incident simulations, and security audits.
9.4 Incident Response
We follow a structured incident response process that involves: initial detection and analysis, containment and eradication, recovery and monitoring, communication to affected parties, and lessons learned with implementation of improvements.
Our incident communication follows established deadlines: notification to ANPD within 72 hours (when applicable), to data subjects within a reasonable time, to authorities according to legislation, to media when necessary, and to partners according to contracts.
10. Cookies and Similar Technologies
10.1 Types of Cookies Used
We use essential cookies for user authentication, session maintenance, security preferences, and basic platform functionalities.
Performance cookies are used for platform usage analysis, performance optimization, technical problem identification, and user experience improvement.
We also use functionality cookies for interface personalization, remembering your preferences, language settings, and browsing history.
10.2 Cookie Management
You have full control over cookies through the consent banner, preference center, option to accept or reject by category, and can revoke consent at any time.
Additionally, you can configure cookies directly in your browser by following the instructions for the major browsers. We inform you about the impact of disabling cookies and offer available alternatives.
10.3 Similar Technologies
We use Web Beacons for email opening analysis, interaction tracking, and communication effectiveness measurement.
Local Storage is used for preference storage, temporary data caching, and platform performance improvement.
📄 Detailed Cookie Policy
For more detailed information about how we use cookies, including a complete list of cookies used, consent control, and configuration instructions, see our Cookie Policy.
11. Minors
11.1 General Policy
TrustThis does not intentionally collect personal data from individuals under 18 years of age. Our services are directed exclusively to professionals and companies.
11.2 Verification Procedures
As preventive measures, we request a declaration of legal age at registration, verify corporate email, analyze professional information, and monitor age indicators.
11.3 Discovery of Minor's Data
If we identify data from minors, we proceed with immediate account suspension, contact legal guardians, delete collected data, review verification processes, and implement improvements.
12. Policy Updates
12.1 Update Process
We conduct regular reviews of this policy through mandatory annual analysis, reviews motivated by legal changes, updates for new services, and improvements based on feedback.
We communicate changes through email notification, platform notice, highlighting of main changes, and when necessary, offer an adaptation period.
12.2 Significant Changes
For substantial changes, new consent may be requested, a transition period will be offered, we provide cancellation option without penalties, and communicate with a minimum notice of 30 days.
📋 Change History
To view the complete history of all updates to this Privacy Policy, including the Terms of Use and Cookie Policy, access our Policy Changelog (Change History for Policies).
13. Contact and Communication Channel
13.1 Main Contact
For privacy questions, contact us via email at team@trustthis.org, phone [PHONE], or in person at our address at Avenida Paulista, 807 – Suite 2315, Bela Vista, ZIP: 01311-915, São Paulo – SP, Brazil. Our business hours are Monday to Friday, 9am to 6pm.
13.2 Other Channels
For general support, you can contact us by email at team@trustthis.org, online chat available at https://trustthis.org/chat, or through the form at https://trustthis.org/contato.
For specific questions, we provide dedicated channels: security@trustthis.org for security issues, compliance@trustthis.org for compliance matters, and parceiros@trustthis.org for partnership opportunities.
13.3 Ombudsman and Complaints
We maintain an independent ombudsman channel via email at ouvidoria@trustthis.org, with anonymous form available, structured investigation process, and commitment to respond within 15 business days.
14. Applicable Law and Jurisdiction
14.1 Applicable Law
This Privacy Policy is governed by Brazilian legislation, especially the General Data Protection Law (Law No. 13,709/2018), the Brazilian Civil Rights Framework for the Internet (Law No. 12,965/2014), the Consumer Protection Code (Law No. 8,078/1990) and the Brazilian Civil Code (Law No. 10,406/2002).
14.2 Competent Court
The court of the district of [CITY/STATE] is elected to resolve any disputes arising from this Privacy Policy, with the parties waiving any other, however privileged it may be.
14.3 Supervisory Authority
The National Data Protection Authority (ANPD) is the competent body to oversee compliance with the LGPD in Brazil. To contact the ANPD, visit the website gov.br/anpd or send an email to atendimento@anpd.gov.br.
For more information: Consult the ANPD Privacy Notice and the official page about LGPD.
This Privacy Policy has been prepared in compliance with the Brazilian General Data Protection Law (LGPD) and other applicable regulations, reflecting our commitment to transparency and personal data protection.
For questions or clarifications about this policy, contact us via email at team@trustthis.org.