Privacy Policy

Version 1.0  ·  Effective as of May 18, 2026

Who We Are

LUMENCODE SERVIÇOS LTDA, registered under CNPJ 52.632.781/0001-30, with headquarters at Rua Paulo Prado, 63, Bloco 4, Apt 205, Oswaldo Cruz, Rio de Janeiro/RJ, Brazil, ZIP 21.341-130 — referred to as "Provider" — is the data controller for personal data processed through the WitBoardAI platform (witboardai.com).

Data Protection Officer (DPO)

In compliance with the Brazilian General Data Protection Law (LGPD — Lei 13.709/2018), we have designated a Data Protection Officer (Encarregado). Contact: noreplywitboardai@gmail.com. The DPO is responsible for receiving complaints and communications from data subjects and regulatory authorities.

Data We Collect

We collect the following categories of personal data: (i) Identity data: full name, email address; (ii) Authentication data: credentials and session tokens managed by our authentication provider; (iii) Billing data: payment method details processed by our payments provider; (iv) Usage data: feature interactions, board activity, AI prompts and outputs; (v) Technical data: IP address, browser type, locale, timestamps; (vi) Communications: support requests and email correspondence.

Legal Basis (LGPD Art. 7)

Processing of personal data is based on: (i) Contract performance — processing necessary to deliver the Service contracted by the Customer; (ii) Legitimate interest — analytics to improve the Service, fraud prevention, security monitoring; (iii) Legal obligation — compliance with applicable laws, tax records; (iv) Consent — where explicitly requested for marketing communications.

Purposes of Processing

We process personal data to: provide and maintain the Service; authenticate users and manage access; process payments and billing; send transactional notifications (invitations, receipts, alerts); monitor and improve service performance; comply with legal and regulatory obligations; respond to support requests.

Sub-processors

We share personal data with third-party sub-processors necessary to operate the Service. A complete, up-to-date list is available at witboardai.com/legal/subprocessors. All sub-processors are contractually bound to process data only on our instructions and maintain appropriate security standards.

International Data Transfers

Some sub-processors are located outside Brazil (notably in the United States). Transfers are made in accordance with LGPD requirements, relying on Standard Contractual Clauses or the adequacy decisions recognized by the Brazilian Data Protection Authority (ANPD).

Data Retention

We retain personal data for as long as the Customer account remains active plus 90 days (export window after termination). Billing records are retained for 5 years as required by Brazilian fiscal law. After the retention period, data is securely deleted or anonymized.

Your Rights (LGPD Art. 18)

Under the LGPD, data subjects have the right to: (i) confirm the existence of processing; (ii) access their personal data; (iii) correct inaccurate data; (iv) anonymize, block, or delete unnecessary data; (v) request portability to another service provider; (vi) obtain information about sharing; (vii) revoke consent; (viii) object to processing based on legitimate interest. To exercise these rights, contact noreplywitboardai@gmail.com.

Cookies

We use strictly necessary cookies for authentication session management. We do not use advertising, tracking, or third-party analytics cookies. You may disable cookies in your browser settings; however, the Service will not function without authentication cookies.

Security

We implement appropriate technical and organizational measures to protect personal data, including: TLS encryption in transit; encryption at rest for sensitive fields; access controls with role-based permissions; regular security reviews. However, no system is completely secure, and we cannot guarantee absolute security.

Security Incidents

In the event of a personal data breach, we will notify the affected Customers and the ANPD within the timeframes required by law. Notifications will include the nature of the breach, affected data categories, and remediation steps taken.

Minors

The Service is intended exclusively for legal entities (B2B). We do not knowingly process personal data of individuals under 18 years of age. If we become aware of such processing, we will promptly delete the data.

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification with at least 30 days' advance notice. Continued use of the Service after the notice period constitutes acceptance.

Version and Date

Version 1.0 — Effective May 18, 2026.