Privacy Policy | TwoBrains Technology

This Privacy Policy describes how TwoBrains Technology ("TwoBrains", "we") collects, uses, stores, shares, and protects personal data of users of our websites, mobile applications, and services (collectively, the "Services"). This policy is aligned with Brazil's General Data Protection Law (Law 13,709/2018 — LGPD), the European General Data Protection Regulation (GDPR), the Brazilian Internet Civil Framework (Law 12,965/2014), and the privacy guidelines of the Apple App Store and Google Play Store.

1. Data controller

The controller of the personal data processed under the Services is: TwoBrains Technology Address: Goiânia/GO, Brazil Website: https://twobrainstechnology.com Data Protection Officer (DPO): [email protected] You can contact our DPO at any time at the email above to clarify questions, exercise rights, or file complaints regarding the processing of your data.

2. Data we collect

We collect the following categories of personal data, always to the extent strictly necessary for the stated purpose: (a) Registration data you provide directly: full name, email, phone, company, and role (in contact forms, proposals, and the blog). (b) Data generated through use of the apps: device identifiers (IDFA on iOS / Advertising ID on Android, subject to consent), model, OS, app version, IP address, language, time zone, usage events, performance metrics, and crash logs. (c) Location data: approximate (IP-derived) by default; precise (GPS) only when the app explicitly requests your authorization, exclusively for the feature that prompted the request. (d) Communication data: content of messages sent through support channels, tickets, and survey responses. (e) Payment data (where applicable): processed directly by third-party gateways (e.g., Stripe, Mercado Pago, Pagar.me). We do not store full card numbers on our servers. (f) Public social-network data: only when you choose to authenticate in our Services via social login (Google, Apple, LinkedIn). We do not intentionally collect sensitive personal data (racial origin, political opinion, religion, health, biometrics, sexual life). If this happens incidentally, processing will only occur with your specific and prominent consent (LGPD art. 11).

3. Why we use your data (purposes)

We use your personal data for the following purposes: • Provide, maintain, and improve our Services; • Respond to commercial contacts, proposals, and inquiries; • Authenticate users and prevent fraud, abuse, and unauthorized access; • Personalize features and content according to your preferences and language; • Analyze performance, identify errors, and prioritize technical improvements; • Send operational notifications and, with consent, marketing communications; • Comply with legal and regulatory obligations and respond to authorities; • Protect TwoBrains, users, and third-party rights in legal or administrative proceedings.

4. Legal bases

Pursuant to LGPD arts. 7 and 11 (and GDPR art. 6, where applicable), we process your personal data on one of the following bases: • Performance of a contract or pre-contractual steps: to provide the contracted Services; • Consent: for marketing communications, optional push notifications, measurement cookies, and precise location; • Compliance with legal or regulatory obligation: tax/accounting retention, response to authorities; • Legitimate interest: information security, fraud prevention, product improvement, balanced against your fundamental rights; • Regular exercise of rights in legal, administrative, or arbitration proceedings. Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing already carried out.

5. Permissions requested by the apps

Our apps may request the permissions below. Each is requested only when you use a feature that depends on it, and can be revoked at any time in your operating-system settings: • Camera: to capture photos and documents on your request; • Microphone: to record voice notes and calls, where applicable; • Photo Library: to attach images to in-app content; • Location (precise or approximate): only for location-based features; • Push notifications: to inform you about relevant app events; • Storage: to save files generated or received on your device; • Biometrics (Face ID / Touch ID / fingerprint): for secure local authentication — biometric data NEVER leaves your device and is NEVER sent to our servers. Denying a permission does not prevent general use of the app, only the specific features that depend on it.

6. Cookies, SDKs, and similar technologies

On the website we use strictly necessary cookies (session, security), preference cookies (language, theme), and, with consent, audience-measurement cookies (Google Analytics) and media cookies (Google reCAPTCHA for form protection). On the apps, we may integrate third-party SDKs for specific purposes: • Firebase / Google Analytics for Firebase — usage and performance metrics; • Firebase Crashlytics — crash reports; • Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs) — push notifications; • Google reCAPTCHA — bot protection on forms; • Sentry (or equivalent) — runtime error monitoring. The current list of SDKs and their purposes is available on the app's Apple App Store "Privacy Nutrition Labels" and Google Play "Data Safety" sections.

7. Sharing data with third parties

We do not sell, rent, or make your personal data available to third parties for marketing purposes unrelated to ours. We share data strictly under the following circumstances: • Processors acting on our behalf: hosting (Amazon Web Services, São Paulo region — sa-east-1), transactional email (Twilio SendGrid), content management (Strapi), payment gateways, analytics and monitoring platforms; • Public, judicial, or administrative authorities, when required by law or valid court order; • Partners in corporate transactions, mergers, acquisitions, or reorganizations, always observing confidentiality and data-subject rights. All processors are contractually bound to handle your data in compliance with this Policy and applicable law.

8. International data transfers

TwoBrains hosts data primarily in AWS data centers in the São Paulo, Brazil region (sa-east-1). Some support services (analytics, push notifications, transactional email, monitoring) may involve data transfers to the United States or other countries where our providers operate. When this occurs, we ensure the transfer complies with Chapter V of the LGPD: country with adequate level of protection, standard contractual clauses, certifications, or specific consent, as applicable. For users subject to GDPR, we apply the Standard Contractual Clauses (SCCs) approved by the European Commission.

9. How long we keep your data

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, subject to legal and regulatory deadlines: • Registration and commercial-contact data: up to 5 (five) years after the last interaction, unless you request deletion sooner; • Tax and accounting data: for the legally mandated retention period (typically 5 years); • Application access logs: 6 (six) months, per art. 15 of the Brazilian Internet Civil Framework; • Usage data, metrics, and crash reports: aggregated/anonymized after 12 (twelve) months; • Backups: standard cycle of 7 to 35 days (PITR), with automatic purge. After these periods, data is irreversibly deleted or anonymized, except where retention is necessary for the regular exercise of rights in legal, administrative, or arbitration proceedings.

10. How we protect your data

We adopt appropriate technical and organizational measures to protect your personal data, including: • Encryption in transit (TLS 1.2+) on all connections; • Encryption at rest in databases and object storage; • Role-based access control (RBAC) with least-privilege principle and multi-factor authentication; • Environment segregation (development, staging, production); • Automated backups with controlled retention (PITR) and periodic recovery tests; • Continuous monitoring, security alerts, and periodic review of IAM policies; • Data Protection Impact Assessment (DPIA) for new high-risk processing. Despite these measures, no system is completely immune to failures. In the event of a security incident that may pose relevant risk or harm to data subjects, we will notify those affected and the Brazilian Data Protection Authority (ANPD) within a reasonable time, per art. 48 of LGPD.

11. Your rights as a data subject

Pursuant to LGPD art. 18 (and GDPR arts. 15-22), upon request you have the right to: • Confirm the existence of processing; • Access your data; • Correct incomplete, inaccurate, or outdated data; • Anonymize, block, or delete unnecessary, excessive, or non-compliant data; • Port data to another provider; • Delete data processed based on consent; • Information about public and private entities with which we share your data; • Information about the option not to consent and the consequences; • Withdraw consent at any time; • Review automated decisions that affect your interests (LGPD art. 20). To exercise any right, write to [email protected]. We will respond within 15 (fifteen) days and may request reasonable identity verification to prevent unauthorized access.

12. Account and data deletion

You can request deletion of your account and associated data: • Directly in the app, where this feature is available ("Delete my account" in settings), in compliance with Apple Guideline 5.1.1(v) and Google Play policy; • By emailing [email protected], indicating the registered email. Deletion is processed within 30 (thirty) days. Some data may be retained for the minimum legal period (tax records, mandatory access logs, defense in proceedings), but will be segregated and processed only for the purpose justifying retention.

13. Children and adolescents

Our Services are not directed to children under 13. We do not intentionally collect personal data from children. If we identify undue collection, we will delete the data immediately. Parents or guardians who notice undue use of the Services by children may contact us at [email protected] for removal. Processing of adolescents' data (13-18 years) follows the best interest of the data subject, with specific consent from at least one parent or legal guardian, as per LGPD art. 14.

14. Marketing, opt-out, and do-not-track

Marketing communications are sent only after your consent. You can opt out at any time by clicking the "unsubscribe" link in each email or by disabling push notifications in app settings. We respect Do-Not-Track ("DNT") signals when recognizable by the browser. In some cases we will still use strictly necessary cookies for site operation.

15. Automated decisions

Occasionally we use automated logic (including artificial intelligence models) for content personalization, fraud prevention, and support. You have the right to request review of automated decisions affecting your interests under LGPD art. 20. Where applicable, we will indicate the criteria and procedures used, subject to commercial and industrial secrecy.

16. Updates to this policy

We may update this Privacy Policy to reflect legal, technical, or business changes. The last update date appears at the top of this page. In case of materially relevant changes, we will notify you by email (if registered) or by prominent notice on the Services before changes take effect. Continued use of the Services after an update means agreement with the new version.

17. Governing law and venue

This Policy is governed by the laws of the Federative Republic of Brazil. Any disputes shall be settled in the courts of Goiânia/GO, except where mandatory legal provisions apply (in particular, consumer venue in consumer relations).

18. How to contact us

For any questions, requests, or complaints related to this Policy or the processing of your personal data, contact our Data Protection Officer: Email: [email protected] Website: https://twobrainstechnology.com You may also lodge a complaint with the Brazilian Data Protection Authority (ANPD) — https://www.gov.br/anpd/.