Privacy Policy

1. Controller Identification

The controller of personal data processed through this Platform is the legal entity operating DateCerto, registered under the CNPJ indicated below. To exercise your rights as a data subject, contact our Data Protection Officer (DPO).

2. Personal Data Collected

We collect the following categories of personal data:

3. Legal Bases for Processing

Personal data processing is carried out based on the following legal bases provided by the LGPD:

• Consent (Articles 7(I) and 11(I)): for sensitive data, including sexual orientation, kink preferences, and intimate photos. Consent is collected in a specific, free, informed, and unequivocal manner.
• Contract performance (Article 7(V)): for account operation, matching, messaging, and provision of contracted Services.
• Legitimate interest (Article 7(IX)): for Platform security, fraud prevention, and Service improvement, based on a documented proportionality assessment.
• Legal obligation (Article 7(II)): for access log retention (Marco Civil da Internet, Article 15), tax obligations, and compliance with court orders.
• Protection of life (Article 7(VII)): in emergency situations posing risk to the physical integrity of the data subject or third parties.

4. Processing Purposes

Personal data is processed for the following specific purposes:

1. Creation, maintenance, and administration of the User's account.
2. Profile search, discovery, and compatibility matching.
3. Messaging and communications between Users.
4. Content moderation, abuse prevention, and Platform safety assurance.
5. Payment processing and subscription management.
6. Aggregate statistical analysis (via Umami, without collecting personally identifiable data).
7. Compliance with legal and regulatory obligations.
8. Age verification to ensure access is limited to individuals 18 years or older.

5. Data Sharing

Personal data may be shared in the following circumstances:

• Service providers: Cloudflare (media storage via R2), Segpay (payment processing), and transactional email provider, strictly for the purpose of delivering the contracted service.
• Public authorities: exclusively by court order, pursuant to Article 22 of the Marco Civil da Internet, or by substantiated request from a competent authority as provided by law.
• Other Users: profile information is visible according to the privacy settings chosen by the User.

The Platform does NOT sell, rent, or commercialize its Users' personal data to third parties.

The Platform does NOT share personal data for behavioral advertising or third-party ad targeting purposes.

6. International Transfers

Personal data may be stored and processed on servers located outside Brazil: application servers in Germany (Hetzner) and media storage on Cloudflare's global network (R2). These transfers are conducted pursuant to Standard Contractual Clauses and an adequate level of protection assessment, in compliance with ANPD Resolution CD/ANPD No. 19/2024 and Article 33 of the LGPD.

7. Data Retention

Personal data is retained for the following periods:

• Active account data: for as long as the account remains active on the Platform.
• After account deletion: up to 30 (thirty) days for backup recovery and operational integrity purposes.
• Access logs: 6 (six) months, pursuant to Article 15 of the Marco Civil da Internet (Law No. 12,965/2014).
• Financial transaction data: 5 (five) years, pursuant to tax and accounting legislation.
• Moderation and report records: 2 (two) years after resolution.
• Banned User identifiers: indefinitely, exclusively for safety and recidivism prevention purposes.

8. Data Subject Rights (Article 18 of the LGPD)

The User, as a personal data subject, has the following rights:

1. Confirmation of the existence of personal data processing.
2. Access to personal data processed by the Platform.
3. Correction of incomplete, inaccurate, or outdated data.
4. Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data under the LGPD.
5. Data portability in a structured and commonly used format (JSON/CSV), upon request to the DPO.
6. Deletion of personal data processed based on consent.
7. Information about public and private entities with which data has been shared.
8. Information about the possibility of withholding consent and the consequences of refusal.
9. Revocation of consent at any time, without retroactive effect on processing already carried out.

To exercise your rights, contact the DPO at dpo@datecerto.com or use the options available in your account settings. The response deadline is up to 15 (fifteen) days, pursuant to Article 18, §5, of the LGPD.

9. Consent and Revocation

Consent for processing sensitive data is collected on a granular, per-purpose basis at registration and during Platform use. Each consent is recorded with date, time, and context.

The User may revoke their consent at any time through account privacy settings or by request to the DPO, without the need for justification.

Revoking consent may impact features that depend on the consented data. For example, revoking consent for sexual orientation data will prevent the use of search filters based on that information.

10. Sensitive Data

The Platform processes sensitive data — including sexual orientation, sexual preferences, kink data, and potential facial biometric data — with enhanced protection.

Protection measures include: specific and prominent consent for each category; access restricted to automated systems and trained moderation staff; encryption in transit and at rest; granular visibility controls for the User; and purpose strictly limited to Service provision.

11. Camouflage Mode (SFW)

The Platform offers a safety feature called Camouflage Mode, which visually transforms the interface into a vehicle marketplace. This feature operates entirely on the User's device (client-side) — Camouflage Mode activation is neither recorded nor transmitted to servers. The Platform does not track or store information about the use of this feature.

12. Cookies and Tracking Technologies

The Platform uses Umami as its analytics tool. Umami operates without cookies and does not collect personally identifiable data, in accordance with privacy best practices.

Essential cookies are used exclusively for: maintaining the User's session, language preference, and Camouflage Mode configuration.

The Platform does NOT use third-party tracking cookies.

The Platform does NOT use cookies for advertising or retargeting purposes.

13. Data Security

The Platform adopts the following technical and organizational security measures: data encryption in transit (TLS) and at rest; private networking via Tailscale for inter-service communication; role-based access controls (RBAC); access monitoring and logging; and periodic vulnerability assessments.

No security system is infallible. The Platform cannot guarantee absolute protection against unauthorized access, and recommends that Users employ strong and unique passwords and enable available security features.

14. Security Incidents

In the event of a security incident that may pose risk or relevant damage to data subjects, the Platform will notify the National Data Protection Authority (ANPD) within 3 (three) business days, pursuant to ANPD Resolution CD/ANPD No. 15/2024.

Affected Users will be notified within a reasonable timeframe, with information about: the nature of the affected data; the risks involved; the measures taken to mitigate the effects; and recommendations for the data subject.

The Platform will maintain an updated incident response plan and will fully cooperate with competent authorities in investigation and remediation.

15. Protection of Minors

The Platform is exclusively for individuals aged 18 and over. We do not knowingly collect personal data from children or adolescents. In compliance with Law No. 2,628/2022, we employ age verification mechanisms. If a User is found to be under 18, their account will be immediately terminated and all associated personal data will be deleted.

16. Changes and Contact

Material changes to this Policy will be communicated with at least 30 (thirty) days' notice, via email and in-app notification.

Complaints to ANPD: www.gov.br/anpd — The National Data Protection Authority is the body responsible for overseeing personal data protection in Brazil.

The User may also exercise their rights before consumer protection agencies (Procon) in their locality.