§1 Who is the controller
Controller: Data Riders Consultoria e Educação LTDA, CNPJ 29.742.713/0001-02, headquartered in Belo Horizonte/MG, Brazil. For privacy questions or to exercise your rights, write to [email protected] or [email protected].
§2 Data we collect
We collect only what is necessary for the purposes described in this policy.
- Contact & newsletter forms: name, email, company, message or subject. Voluntary.
- Event / Academy registrations: name, email, role, organization and any professional data the participant provides.
- Data Riders Agent (chat widget): messages typed, questions asked, email if provided. See §3.
- Analytics & cookies: technical browser data (truncated IP, user-agent, pages visited, referrer). See §4 and the Cookies Policy.
- Documents uploaded to agents (GISTM.ai, AquaTwin, ISO 14001 etc.): handled per the life-cycle table in the Trust Center (≤ 30‑day retention by default).
- Resumes (Careers): name, contact details, professional history. Kept for up to 24 months.
§3 Data Riders Agent (chat widget)
The Data Riders Agent is a chat widget embedded on every page footer. When you interact with it:
- What is collected: messages sent, timestamps, originating page (URL), an anonymous session ID (generated in your browser) and, if you provide it, your email and name.
- localStorage: the widget stores a local ID (dr_agent_session_id) and the recent conversation history in your browser to preserve context across pages. This data lives in your browser; you can clear it at any time by clearing the site's storage.
- Model provider: messages are routed to an AI model hosted on Amazon Bedrock (preferred) or OpenAI/Anthropic, configured not to use your data to train foundation models.
- Server-side retention: widget transcripts are kept up to 90 days for troubleshooting and agent improvement, then deleted. Messages flagged as sensitive can be deleted on request.
- What we do not do: we do not link your chat session to advertising; we do not share your messages with third parties for marketing; we do not train foundation models with your chat.
- How to request deletion: send the session ID (visible by clicking "ℹ" inside the widget) to [email protected] — we respond within 15 business days.
§4 Analytics & cookies
We use the following tools, all configured for privacy:
- Microsoft Clarity (heatmaps and session replay) — does not capture sensitive field content; automatic masking on type=password and forms tagged data-clarity-mask.
- Google Analytics 4 (only if you consent) — IPs anonymized; no demographic advertising features.
- LinkedIn Insight Tag (only if you consent) — used to measure B2B campaign effectiveness; no cross-matching with sensitive personal data.
- Strictly necessary cookies (session, language, consent preference) are set without prior consent, per LGPD/GDPR.
Details in the Cookies Policy.
§5 Legal bases (LGPD/GDPR)
- Contract performance (LGPD art. 7º, V; GDPR art. 6(1)(b)) — for contracted services (audits, agents in production).
- Legitimate interest (LGPD art. 7º, IX; GDPR art. 6(1)(f)) — for newsletters to professional contacts, security, fraud prevention.
- Consent (LGPD art. 7º, I; GDPR art. 6(1)(a)) — for non-essential cookies and marketing communications.
- Legal obligation (LGPD art. 7º, II; GDPR art. 6(1)(c)) — tax records, accounting retention, response to authorities.
§6 Purposes
- Delivery of contracted services and customer support.
- Operation of the website and agents (authentication, chat response, report generation).
- Information security, fraud prevention and incident response.
- Sending professional newsletters (with unsubscribe link in every email).
- Aggregate metrics and anonymized analytics to improve the site and the agents.
- Legal, accounting and regulatory compliance.
§7 Sharing with third parties
We share personal data only with sub-processors publicly listed at /en/sub-processors/ (AWS, managed SaaS platform, model providers, email/CRM tools, analytics platforms). We do not sell personal data. Where legally compelled, we may share with authorities, always within the scope of the request.
§8 International transfer
Part of the processing happens on servers in the United States and the European Union (AWS regions us‑east‑1 and eu‑west‑1; managed SaaS platform in the US). We rely on Standard Contractual Clauses (SCCs) and equivalent LGPD mechanisms to ensure an adequate level of protection.
§9 Retention & deletion
- Customer documents in agents: ≤ 30 days (see full table).
- Data Riders Agent messages: ≤ 90 days.
- Newsletter: until voluntary unsubscribe; backups for an additional 35 days.
- Resumes: up to 24 months.
- Application logs: 12 months (configurable by contract).
- Contractual and tax data: legal retention (up to 5 years).
§10 Data subject rights (LGPD art. 18 / GDPR art. 15‑22)
You may, at any time and free of charge:
- Confirm whether we process your data;
- Access, correct, anonymize or delete unnecessary or unlawfully processed data;
- Request portability to another provider;
- Withdraw consent and object to processing based on legitimate interest;
- Request information on sharing and sub-processors;
- Lodge a complaint with the ANPD (Brazil) or your local DPA in the EU.
Requests: [email protected] — we respond within 15 business days.
§11 Security
We maintain technical and organizational controls described in detail at the Trust Center: TLS 1.2+, encryption at rest, least-privilege IAM, MFA, continuous monitoring and documented incident response.
§12 Changes
This policy may be updated periodically. Material changes will be communicated via a banner on the site and by email to active subscribers. Current version: 2026‑04‑27 (G40).
§13 Contact & DPO
Data Protection Officer (DPO): Fernando Damasio · [email protected] · [email protected].