Privacy Policy

Caccao LTDALast updated: October 20, 2025

1. Introduction

Welcome to our Privacy Policy.

At Caccao LTDA (referred to herein as "Caccao"), we provide a software-as-a-service platform ("SaaS") intended for business clients ("Clients") and their user accounts ("User(s)") to access the platform.

This Policy explains how we collect, use, disclose, store, and protect the personal data you or your organization provides to us, as well as your rights regarding this data — with special attention to Brazilian legislation, including LGPD. By accessing or using our services or interacting with us (for example, by registering, purchasing, or using the SaaS), you declare that you have read, understood, and agree to the terms of this Policy. If you are a user on behalf of a client organization, you acknowledge that you are authorized to do so or that you inform the organization to do so.

2. Data Controller

The personal data controller for the purposes of this Policy is: Caccao LTDA, a private legal entity registered under CNPJ No. 55.794.841-0001/00, headquartered at Rua Doutor Celso Dario Guimarães, 73, Jardim Morumbi, in the city of São Paulo/SP, ZIP Code 05.655-030 ("Controller").

3. Categories of Personal Data We Collect

3.1 Data provided directly

  • Full name, surname
  • Position, role
  • Company or organization
  • Professional email address
  • Username and password for access
  • Payment or billing data (e.g., company name, tax ID, address, bank or card details, when applicable)
  • Contact information of company representatives (when Client)
  • Other data that the User or Client provides via forms, contracts, or interaction with the platform

3.2 Automatically collected data

  • IP address
  • Device type, operating system, browser
  • Access log data, platform usage (e.g., pages accessed, features used, date and time of access)
  • Cookies, device or session identifiers
  • Error, performance, infrastructure data (when applicable)

3.3 Third-party or public data

  • Information that the client company or you authorize or integrate (e.g., via integrations, APIs, partners)
  • Publicly available data (e.g., public profiles, social media data, when permitted by the client company and applicable law)

4. Purposes of Data Processing

  • To provide the SaaS platform, manage registration, licensing, support, billing, collection, and commercial contact.
  • To personalize and improve the platform, monitor usage, analyze performance, and develop new features.
  • For internal administrative purposes: platform security, auditing, fraud prevention, backup, technical diagnostics.
  • To communicate with the Client or User about updates, maintenance, new features, security alerts.
  • For marketing purposes (when applicable and with adequate legal basis): sending communications about events, news, offers — always respecting the right to opt out of such communications.

5. Legal Basis (LGPD)

In compliance with LGPD, the main legal bases for the above processing include:

  • Performance of a contract or pre-contractual procedures (art. 7, I).
  • Compliance with legal or regulatory obligations (art. 7, II).
  • Regular exercise of rights in judicial, administrative, or arbitration proceedings (art. 7, IX).
  • Legitimate interest of the company (art. 7, IX) — for example, platform security, product improvement, and fraud prevention, always balanced with the rights of data subjects and adopting appropriate safeguards.
  • Consent (art. 7, I) — only when applicable and when requested, with the possibility of revocation.

6. Data Sharing and Disclosure

We may share your personal data in the following circumstances:

  • With companies in our group or partner companies that provide technical services (e.g., hosting, system maintenance, support, data analysis), acting as our processors or sub-processors, under contracts that require compliance with this Policy and security standards.
  • With payment, billing, or collection providers, when necessary for contract execution or billing.
  • In case of merger, acquisition, corporate reorganization, or asset sale: data may be transferred to the successor, subject to the guarantees provided in this Policy.
  • When required by law, court order, competent authority, or to protect our rights, platform security, or third parties.
  • When there is specific consent from the data subject for disclosure.

7. International Data Transfer

We may transfer or store personal data on servers located in other countries (outside Brazil). In these cases, we adopt appropriate security measures and assess whether the destination country offers an adequate level of protection or whether contractual safeguards have been implemented to ensure data security and protection in accordance with LGPD (arts. 33 and 34). You declare your agreement with such transfers when using our services.

8. Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by legal, regulatory, or contractual obligations. After this period, data will be anonymized or securely deleted. Retention criteria include:

  • Active registration data: for the duration of the contractual relationship.
  • Usage data: for [e.g., 6 to 24] months after account termination or deactivation, unless retention is necessary for defense of rights or legal compliance.
  • Fiscal/accounting data: for the period required by applicable legislation (e.g., 5 years, or as required).

9. Information Security

We implement reasonable technical and organizational measures to protect personal data against unauthorized access, destruction, loss, alteration, communication, or any form of improper or unlawful processing. Examples: encryption, access control, logs, firewalls, backups. While we strive to protect your data, no system is completely secure, and we cannot guarantee absolute security.

10. Data Subject Rights

You, as a personal data subject, have the following rights provided by LGPD:

  • Access to personal data.
  • Correction of incomplete, inaccurate, or outdated data.
  • Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
  • Data portability to another service or product provider, upon express request.
  • Deletion of personal data processed based on consent, except in cases provided by LGPD.
  • Information about public and private entities with which we share data.
  • Information about the possibility of not providing consent and the consequences of refusal.
  • Revocation of consent, when applicable, through express manifestation.
  • Others provided by applicable legislation.

To exercise any of these rights, send a request to the email: gustavo.zago@caccao.com.br.

11. Use of Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Enable platform functionality and authentication.
  • Measure audience, performance, platform usage, and improve experience.

You can configure your browser to refuse cookies or be notified about them. Refusal may impact the functionality of parts of the platform.

12. Changes to This Policy

We may change this Privacy Policy periodically, for example, to reflect changes in our practices or regulations. Before implementing significant changes that affect your rights, we will notify clients and/or users by email or via the platform. The new version will be published on this page with a revised 'last updated' date.