Skip to main content
CGEYE

Legal

Privacy Policy

Last updated: May 2026

1. Who we are

CGEYE CRIAÇÃO E TECNOLOGIA LTDA ("CGEYE"), registered under CNPJ 55.029.782/0001-83, based in São Paulo, Brazil, is the data controller for personal data collected through this website (cgeye.tech). This Privacy Policy describes how we collect, use, store and protect your personal data in compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018).

2. Data we collect

We collect the following personal data: • Data you provide: name, email, company, and message submitted via the contact form (cgeye.tech/contato). • Subscription data: name, email, and payment data when purchasing subscription services. • Purchase data: information required to process transactions in the digital store. • Browsing data: pages visited, time on site, and device type, collected anonymously and in aggregate by Vercel Analytics (no cookies, no personal identification). • Newsletter opt-in: email and language preference when you subscribe to our communications. We do not intentionally collect sensitive personal data (LGPD Article 5(II)), such as health, biometric, religious, political, or racial data.

3. Purpose of processing

We use your personal data solely to: • Respond to your messages and contact requests. • Send commercial proposals when requested. • Process purchase transactions and service subscriptions. • Send marketing communications (newsletter) only with your explicit consent. • Improve the site experience based on anonymous browsing data. • Comply with legal and regulatory obligations.

4. Legal basis (LGPD Article 7)

The processing of your personal data is based on the following legal grounds: • Consent (Art. 7(I)): when you complete the contact form or subscribe to our newsletter. You may revoke consent at any time. • Contract performance (Art. 7(V)): when making a purchase or hiring CGEYE services. • Legitimate interest (Art. 7(IX)): for anonymous, aggregate analysis of site usage. • Legal obligation (Art. 7(II)): to comply with tax and regulatory requirements.

5. Third-party data processors

We do not sell, rent, or share your personal data with third parties for marketing purposes. We use the following data processors: • Vercel (USA) — site hosting and serverless functions. • Supabase (USA) — database, authentication, and data storage. • Sanity (USA/Global) — content management system. • Resend (USA) — transactional email and newsletter delivery. • Google Workspace (USA) — corporate email and internal productivity tools. • Google Cloud (USA) — OAuth authentication and AI infrastructure. • Anthropic (USA) — AI-assisted internal drafts (no visitor personal data sent). • Trigger.dev (USA) — internal task automation (no customer personal data processed directly). • ElevenLabs (USA) — voice synthesis for CGEYE Digital Employee profiles (no visitor data). • HeyGen (USA) — video avatars for CGEYE Digital Employee profiles (no visitor data). • Higgsfield AI (USA) — image generation for internal creative use (no visitor data). • ManyChat (USA) — Instagram lead capture (only when you engage with specific campaigns). • NOWPayments (Multi-jurisdiction) — cryptocurrency payment processing (when applicable). • 1Password (Canada) — secure internal credential management. • Obsidian Sync (USA) — encrypted synchronization of internal documents. • Competent authorities, when required by law.

6. Storage, security and retention

Your data is stored on secure servers with encryption in transit (TLS 1.2+) and at rest. We apply appropriate technical and organizational measures to protect your data. Retention periods by category: • Contact form messages: 2 years (or contract duration + 5 years if a commercial relationship is established). • Subscription and transaction records: 5 years from completion (fiscal requirement). • Newsletter subscribers: until unsubscribe + 30 days audit trail. • User accounts: active + 6 months after last login; subsequently anonymized. • Site access logs: 90 days. After the applicable retention period, data is securely deleted or anonymized.

7. Your rights (LGPD Article 18)

You have the right to: • Confirmation that your data is being processed. • Access to your personal data. • Correction of incomplete, inaccurate, or outdated data. • Anonymization, blocking, or deletion of unnecessary data. • Data portability to another service provider. • Deletion of data processed with consent. • Information about processors with whom we share data. • Revocation of consent at any time. • Opposition to processing based on legitimate interest. To exercise your rights, complete our form at cgeye.tech/privacidade/solicitacao or write to dpo@cgeye.tech. We respond within 15 days (LGPD Article 19).

8. Cookies

This website does not use tracking or advertising cookies. Vercel Analytics collects anonymous, aggregate browsing data without cookies and without personal identification — compliant with both LGPD and GDPR. Strictly necessary technical cookies may be used for site functionality (e.g., language preference, authentication session). These do not require your consent as they are essential for basic technical operation.

9. International data transfers (LGPD Articles 33-36)

Several of our processors handle data outside Brazil (primarily the USA). These transfers are made on the basis of: • Standard Contractual Clauses (SCCs) incorporated in processor DPAs (Data Processing Agreements). • Explicit data subject consent (Art. 33(I)), where applicable. We only work with processors that provide a level of data protection compatible with the LGPD. The full processor list with locations appears in Section 5.

10. Automated decision-making

CGEYE uses automated systems to: • Auto-reply on Instagram (via ManyChat, following your initial interaction). • Organize and classify inbound contacts. • Generate AI-assisted communication drafts for internal review. No consequential decision (commercial proposal, contract, client communication) is made solely by automated systems. All pass through human review. If you believe an automated decision has negatively affected you, you may request human review at dpo@cgeye.tech.

11. Children and adolescents

CGEYE does not knowingly collect data from individuals under 18. Our services target businesses and adult professionals. Processing data from children under 12 requires parental or guardian consent (LGPD Article 14). If we identify that a minor's data was collected without adequate consent, we will delete it immediately. If you are a legal guardian and identified this situation, contact dpo@cgeye.tech.

12. Security incidents

In the event of an incident that may cause relevant risk to data subjects, CGEYE commits to: • Notify ANPD within 72 hours of confirmation (LGPD Article 48). • Inform affected data subjects in the same timeframe. • Publish an incident summary and corrective measures when appropriate.

13. Data Protection Officer (DPO)

Our Data Protection Officer (Encarregado, LGPD Article 41) is: Marino Sallowicz Email: dpo@cgeye.tech Response: within 24 business hours for acknowledgement; resolution within 15 days. Contact the DPO to exercise your rights, report concerns, or request information about your data.

14. Changes to this policy

We may update this Policy periodically. Significant changes will be communicated on this page with the update date. We recommend regular review.

Data Protection Officer (DPO) (DPO): dpo@cgeye.tech