Privacy Policy

Terms used below follow the definitions in Article 5 of Brazil's General Data Protection Law (LGPD, Law 13.709/2018):

• Personal data: any information relating to an identified or identifiable natural person.
• Data subject: the natural person to whom the personal data refers.
• Controller: the entity that decides on the processing of personal data — Fidens Partners.
• Processor (operator): a third party that processes personal data on behalf of the controller.
• Processing: any operation performed on personal data (collection, storage, use, sharing, deletion, etc.).

Fidens collects personal data only when you voluntarily provide it through our contact form. Specifically:

• Name — to address you correctly in our response.
• Company — to understand the institutional context of your inquiry.
• Email address — to reply to you.
• Message content — the subject of your inquiry.

We also process technical data necessary for the operation and security of the website (IP address, browser type, request timestamps) via our hosting provider. This data is not used for marketing, profiling, or tracking.

We list below the categories of data we may collect later, so that this policy remains transparent about possible future processing. Each of these will require a separate, explicit opt-in at the moment of collection:

• Newsletter or periodic communications — subscriber email and preferences.
• Event invitations — contact details for attendees of webinars or in-person sessions.
• Market insights distribution — opt-in distribution lists for institutional reports or commentary.
• Customer-relationship data — if a commercial relationship is established, we may process additional data necessary for contract execution and regulatory compliance.

Listing a category here does not authorize processing now. Each requires its own legal basis and, where applicable, fresh consent.

Today, we use personal data exclusively to:

• Respond to inquiries received through the contact form.
• Establish pre-contractual dialogue with potential counterparties.
• Maintain the security and integrity of the website (anti-spam, anti-abuse).

In the future, the purposes listed in Section 04 will apply only after specific consent or another lawful basis is established.

We rely on the following legal bases under LGPD Article 7 (and equivalent GDPR Article 6 principles for European visitors):

• Consent — when you submit the contact form, you consent to our use of your data to respond to you.
• Pre-contractual measures — when your inquiry concerns a potential commercial relationship.
• Legitimate interest — for security purposes (Turnstile challenge, rate limiting, fraud prevention), balanced against your rights.
• Compliance with legal obligations — when applicable law (judicial orders, ANPD requests) requires retention or disclosure.

We engage the following third parties to process data on our behalf, each under contractual data protection commitments:

• Cloudflare, Inc. — website hosting (Cloudflare Pages), content delivery, DNS, Turnstile (anti-bot challenge), and cookieless web analytics. Cloudflare processes IP addresses and request metadata for security and aggregate analytics.
• Resend (Resend Inc.) — transactional email delivery service that relays your contact-form submission to our inbox.
• Google LLC (Google Workspace) — provides the inbox at [email protected] where your message is received and managed.

Each operator has been selected for its security posture and contractual compliance with applicable data-protection regulations.

Fidens does not sell, rent, or trade your personal data. Sharing is limited to:

• The operators listed in Section 07, strictly to deliver the services for which they were engaged.
• Legal authorities, when compelled by judicial order, regulatory request (ANPD), or other applicable legal obligation.
• Professional advisors (legal, accounting) where strictly necessary and under confidentiality.

We do not share data with marketing partners, data brokers, or advertising networks.

We retain personal data for as long as it is necessary to fulfill the purposes for which it was collected — typically while the business relationship or contact thread remains active.

You may request deletion of your data at any time (see Section 12). Data may also be retained beyond the active period when required to comply with legal obligations, exercise or defend rights in judicial proceedings, or upon authorized request by competent authorities.

We review inactive records periodically and anonymize or delete data no longer necessary for the stated purposes.

This site does not use tracking cookies or third-party advertising cookies.

• Cloudflare Web Analytics — cookieless. Provides aggregate traffic measurement (page views, country-level data) without storing identifiers on your device.
• Browser localStorage — used solely to remember your theme preference (dark or light). Stored only on your device, never transmitted to us, and not used for tracking.
• Cloudflare Turnstile — anti-bot challenge that runs on the contact page. May set temporary storage entries for challenge state. Does not track browsing behavior across sites.

You can clear local storage at any time through your browser settings.

Some of our operators are located outside Brazil. Specifically:

• Resend operates from the United States.
• Cloudflare operates a global network and may route requests through data centers worldwide.
• Google Workspace operates globally, with primary processing in the European Union and United States.

International transfers are protected by appropriate safeguards including Standard Contractual Clauses, adequacy decisions, and the operators' own compliance frameworks (ISO 27001, SOC 2, GDPR, etc.).

Under LGPD Article 18 (and equivalent provisions of other applicable data-protection laws), you have the right to:

• Confirm the existence of processing of your personal data.
• Access your personal data we hold.
• Correct incomplete, inaccurate, or outdated data.
• Anonymize, block, or delete unnecessary, excessive, or non-compliant data.
• Port your data to another service provider, where applicable.
• Delete personal data processed based on consent.
• Obtain information about public and private entities with which we have shared your data.
• Be informed about the possibility of refusing consent and the consequences of doing so.
• Revoke consent at any time.
• Petition the National Data Protection Authority (ANPD) regarding the processing of your data.

Send a request to [email protected] identifying yourself and the right you wish to exercise. We will respond within the timeframes established by applicable law — generally 15 days under LGPD.

We may request additional information to verify your identity before fulfilling the request, to protect your data from unauthorized access.

We implement technical and administrative measures appropriate to the nature of the data we process:

• Encrypted transmission — all data transmitted via the site uses TLS/HTTPS. HSTS is enabled with preload.
• Security headers — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
• Anti-bot and anti-abuse — Cloudflare Turnstile on the contact form and WAF rate limiting on the API endpoint.
• Access control — administrative access to the inbox and infrastructure is restricted to authorized partners under MFA.
• Logging — operational logs are retained for security investigation and incident response.

No system can guarantee absolute security. We commit to investigating and notifying material incidents in accordance with applicable law.

We may revise this Privacy Policy from time to time to reflect changes in our practices, in the technologies we use, or in applicable law.

Material updates will be announced on this page with an updated "Last updated" date and version number. We encourage you to review this policy periodically.

Current version: 1.0 · Last updated: May 25, 2026.

Application: Residents of the European Economic Area (EU + Iceland + Liechtenstein + Norway) and the United Kingdom.

Supervisory authorities: Each Member State has its own. Examples: France CNIL, Germany BfDI, Spain AEPD, Portugal CNPD, Italy Garante, Netherlands AP, United Kingdom ICO. Full list at edpb.europa.eu. You have the right to lodge a complaint with the supervisory authority of your habitual residence.

Legal bases (GDPR Art. 6):

• Consent — Art. 6(1)(a)
• Performance of contract or pre-contractual measures — Art. 6(1)(b)
• Compliance with legal obligation — Art. 6(1)(c)
• Legitimate interests — Art. 6(1)(f), balanced against your rights

Additional rights under GDPR (beyond those in Section 12):

• Right to object to processing based on legitimate interest (Art. 21)
• Right not to be subject to fully automated decision-making (Art. 22) — not applicable, as Fidens does not make automated decisions with legal effects
• Right to data portability in a structured, machine-readable format (Art. 20)

Data Protection Officer (DPO): Designation under Art. 37 is not mandatory for Fidens (processing is not large-scale and does not involve special categories of data in large scale). For data-protection inquiries, use the controller channel at [email protected].

International transfers: Processing occurs primarily in Brazil. Data may transit to servers in the US (Resend) and the EU (Google Workspace) under Standard Contractual Clauses (SCCs) approved by the European Commission, and equivalent safeguards.

Response timeframe: 30 days from receipt of the request (GDPR Art. 12(3)), extendable by 60 days for complex requests with notice.

Application: Residents of the State of California, United States.

Specific rights (Cal. Civ. Code § 1798.100 et seq.):

• Right to Know — what personal information we collect, use, disclose, and share (§ 1798.110/115)
• Right to Delete personal information (§ 1798.105)
• Right to Correct inaccurate information (§ 1798.106 — CPRA)
• Right to Opt-Out of Sale or Sharing (§ 1798.120)
• Right to Limit Use of Sensitive Personal Information (§ 1798.121 — CPRA)
• Right to Non-Discrimination for exercising these rights (§ 1798.125)

Categories of personal information we have collected in the last 12 months:

• Identifiers — name, email address
• Commercial information — company name (in the context of contact)
• Internet or other electronic network activity — technical data (IP address, browser type) via our hosting provider

Categories we do NOT collect: sensitive personal information (CPRA definition), biometric data, precise geolocation, government identifiers, health data, financial account information.

"Do Not Sell or Share My Personal Information": Fidens does not sell or share personal information for cross-context behavioral advertising, as defined under CCPA/CPRA. No opt-out mechanism is required because no such sharing occurs.

How to exercise California rights: Email [email protected]. Response within 45 days, extendable by 45 days with notice (Cal. Civ. Code § 1798.130).