Peritiq - Privacy Policy
Effective Date: December 27, 2025
1. Introduction and Scope
This Privacy Policy describes how Escola Amarela Servicos LTDA ("Provider," "we," "us," or "our") collects, uses, and protects personal data in connection with your use of our Peritiq service (the "Service").
This policy applies to all individuals who interact with the Service, including website visitors, trial users, and authorized users of a paying customer ("Customer," "you," "your").
By accessing or using the Service, you acknowledge and agree to the practices described in this Privacy Policy. This policy is incorporated by reference into our Terms of Service.
2. Our Role: Data Controller and Data Processor
We act in two distinct capacities under the EU General Data Protection Regulation (GDPR) and the Brazilian Lei Geral de Proteção de Dados (LGPD):
- Data Controller: We act as the Data Controller for the personal data we collect directly from you to establish and manage your account and process payments. This includes Account Information, Payment Information, and Security Monitoring Data. We determine the purposes and means of processing this data.
- Data Processor: We act as the Data Processor for the data you provide to us for processing through the Service. This includes "Uploaded Content" and the "Generated Content" derived from it. You are the Data Controller for this data. We process it only on your behalf and in accordance with your documented instructions (as set forth in our Terms of Service and this policy).
3. Data We Process as Data Controller
We collect and control the following data:
3.1. Account Information
- Your name, email address, company name, and job title (if provided)
- Your hashed password (we never store passwords in plaintext)
- Your preferred language and communication preferences
- Account creation date, last login timestamp, and account status
3.2. Payment & Billing Information
- When you subscribe to a paid plan, our third-party payment processor, Stripe, will collect your payment details (e.g., credit card number, billing address).
- We do not collect or store your full payment card information.
- We only receive and store a unique Stripe ID (token), the last four digits of your card, card expiration date, and billing country for subscription management.
- If you register via a payment flow, we will use the name and email provided to Stripe to create your Service account.
3.3. Technical Log Data
- IP address (stored as a one-way hash for security purposes)
- Browser type and version (user agent string)
- Device type and operating system
- Access times and referring URLs
- Approximate geographic location (country/region) derived from IP address for currency selection and content localization. We do not collect precise geolocation data.
3.4. Device & Session Security Data
- Device fingerprints (a hash derived from browser and device characteristics) to detect unauthorized access attempts
- Session tokens and CSRF tokens for security
- This data helps us prevent account takeover, detect suspicious login patterns, and protect your account.
3.5. Security Monitoring Data
- Failed login attempts (including IP hash, user agent, and timestamp)
- Rate-limit events (tracking excessive API requests to prevent abuse)
- Successful login history for security auditing
- This data is used exclusively for fraud prevention, abuse detection, and account security.
3.6. Usage Metadata
- Credit consumption tracking (which content you access)
- Content download history
- Feature usage patterns for service improvement
- We do not save or log the content of your chat messages.
3.7. Assessment & Questionnaire Data
- When you complete assessments or questionnaires through the Service, we store your responses in association with your user account.
- This data is used to generate personalized analysis results for you.
- Your responses may contribute to anonymized, aggregated benchmarks (no individual identification is possible).
- Assessment session metadata (start time, completion time, status) is retained for service functionality.
3.8. User-Generated Content
- If you submit testimonials, reviews, or endorsements, we store: your rating, title, comment text, display name (first name + last initial), job title, and company name.
- Your full name and email address are stored but not publicly displayed.
3.9. Voluntary Feedback
- Any suggestions, feedback, or ideas you voluntarily provide to us regarding the Service.
4. Data We Process as Data Processor
On your behalf and as your Data Processor, we process the following data for which you are the Data Controller:
- Uploaded Content: Any documents, files, or data you or your users upload, transmit, or otherwise provide to the Service for processing by the RAG system.
- Generated Content: The AI-generated responses and data produced by the Service based on your Uploaded Content.
Your Obligations as Data Controller: You represent and warrant that you have all necessary rights, consents, and a valid legal basis to provide the Uploaded Content to the Service for processing as described in this policy and our Terms of Service.
Our Obligations as Data Processor: When processing your Uploaded Content and Generated Content, we will:
a) Process this data only to provide, secure, and monitor the Service as instructed by you;
b) Never use your Uploaded Content or Generated Content to train any general, public AI models or for any purpose other than providing the Service directly to you;
c) Implement appropriate technical and organizational measures to ensure the security and confidentiality of this data (see Section 8);
d) Provide reasonable assistance to you (at your expense) to help you fulfill your obligations to respond to Data Subject Rights requests from your users; and
e) Ensure that our personnel authorized to access this data are bound by strict confidentiality obligations.
5. Legal Basis for Processing (GDPR & LGPD)
We only process your personal data (as Controller) when we have a valid legal basis:
| Processing Activity | Data Processed | Legal Basis (GDPR / LGPD) |
|---|---|---|
| Providing the Service (Account creation, authentication, management) | Account Information | Art. 6(1)(b) GDPR / Art. 7(V) LGPD (Performance of a Contract) |
| Processing payments and managing subscriptions | Payment Information, Account Information | Art. 6(1)(b) GDPR / Art. 7(V) LGPD (Performance of a Contract) |
| Securing the platform, preventing fraud, and detecting abuse | Technical Log Data, Device & Session Security Data, Security Monitoring Data | Art. 6(1)(f) GDPR / Art. 7(IX) LGPD (Legitimate Interest) |
| Managing the Credit System | Usage Metadata | Art. 6(1)(b) GDPR (Performance of a Contract) |
| Generating personalized assessment results | Assessment & Questionnaire Data | Art. 6(1)(b) GDPR / Art. 7(V) LGPD (Performance of a Contract) |
| Creating anonymized benchmarks | Assessment Data (aggregated, de-identified) | Art. 6(1)(f) GDPR / Art. 7(IX) LGPD (Legitimate Interest) |
| Displaying testimonials and reviews | User-Generated Content | Art. 6(1)(a) GDPR / Art. 7(I) LGPD (Consent) |
| Responding to your inquiries and using your feedback | Account Information, Feedback | Art. 6(1)(f) GDPR / Art. 7(IX) LGPD (Legitimate Interest) |
| Complying with financial, tax, and legal obligations | Payment Information, Account Information | Art. 6(1)(c) GDPR / Art. 7(II) LGPD (Legal Obligation) |
| Preventing trial abuse and enforcing one-trial policy | Email Hash (fraud prevention) | Art. 6(1)(f) GDPR / Art. 7(IX) LGPD (Legitimate Interest in fraud prevention) |
6. Data Sharing and Sub-processors
We do not sell, rent, or lease your personal data. We engage the following third-party sub-processors to provide the Service, and we have appropriate data processing agreements in place with each:
- Hostinger (EU): Provides application hosting and user database management (for Account Information) in its European data centers.
- Cloudflare (EU/Global): Provides RAG processing, vectorization, and storage for your Uploaded Content and Generated Content primarily in European data centers. Cloudflare Workers may process Usage Metadata and session tokens in their global network for low-latency responses.
- Stripe (USA): Our payment processor. Your Payment Information is sent directly to Stripe. Stripe is certified under the EU-U.S. Data Privacy Framework.
- Escola Amarela (Brazil): As the parent company, our administrative, billing, and support staff in Brazil may access Account Information.
7. International Data Transfers
Your Uploaded Content and Generated Content are processed and stored exclusively within the European Union (EU) by our sub-processors.
Your Account Information and Payment Information may be transferred internationally as follows:
- To Brazil: Your Account Information may be accessed from Brazil by our parent company for administrative and support purposes. This transfer is safeguarded by the execution of the European Commission's Standard Contractual Clauses (SCCs).
- To the USA: Your Payment Information is processed by Stripe, a US-based company. This transfer is safeguarded by Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection.
8. Data Security
We implement and maintain appropriate technical and organizational measures (TOMs) to protect all personal data against unauthorized access, disclosure, alteration, destruction, or loss. These measures include:
- Encryption: Passwords are securely hashed using bcrypt. All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Sensitive fields such as email addresses are encrypted at the database level.
- Pseudonymization: Email addresses are hashed for lookup purposes, reducing exposure in case of a database breach.
- Tenant Separation: Your Uploaded Content and Generated Content are logically and securely segregated in their own dedicated namespace.
- Access Controls: Access to personal data is strictly limited to authorized personnel on a need-to-know basis, and administrative access requires multi-factor authentication.
- Security Monitoring: We employ automated systems to detect and respond to suspicious activity, including brute-force login attempts and unusual access patterns.
- CSRF Protection: All state-changing operations require valid CSRF tokens to prevent cross-site request forgery attacks.
- Rate Limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attacks.
9. Data Retention
We retain personal data for no longer than is necessary for the purposes for which it was collected.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Duration of subscription + 7 years | Legal obligation (tax/financial records) |
| Payment & Billing Data | 10 years from transaction date | Legal obligation (tax/financial records) |
| Uploaded Content & Generated Content | Duration of active subscription + 30 days | Contract performance |
| Assessment & Questionnaire Data | Duration of active subscription + 30 days | Contract performance |
| Technical Log Data | 90 days (rolling) | Legitimate interest (security/debugging) |
| Security Monitoring Data (login attempts, rate limits) | 30 days | Legitimate interest (security) |
| Email Hash (fraud prevention) | Indefinite | Legitimate interest (fraud prevention) |
| User-Generated Content (Testimonials) | Until withdrawal of consent or account deletion | Consent |
| Chat Messages | NOT STORED | N/A |
Backup Retention: Data contained in routine infrastructure backups will be deleted in accordance with our standard backup retention cycles (generally not exceeding 180 days) and will remain encrypted and inaccessible until overwritten.
Fraud Prevention Data: To enforce our one-time trial policy and prevent abuse, we retain a secure, one-way cryptographic hash of your email address even after account deletion. We process this data exclusively for fraud prevention, as permitted by GDPR (Art. 6(1)(f); Art. 17(3)(e)) and LGPD (Art. 7, IX; Art. 16, II).
10. Your Data Subject Rights (GDPR & LGPD)
Your rights depend on our role as Controller or Processor:
10.1. Data for which We are the Controller (Your Account Data)
You have the following rights regarding the personal data we control:
- Right to Access: Request a copy of your personal data. You can export your data at any time through your account settings or by contacting us.
- Right to Rectification: Request correction of inaccurate data. You can update most information directly in your account settings.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data, subject to our legal retention obligations. Note that we will retain email hashes for fraud prevention.
- Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format (JSON).
- Right to Object: Object to our processing of your data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent: Where processing is based on consent (e.g., testimonials, newsletter), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (e.g., your local EU Data Protection Authority or the Brazilian ANPD - Autoridade Nacional de Proteção de Dados).
To exercise these rights, please contact our Data Protection Team at privacy@peritiq.com. We will respond within 30 days (or as required by applicable law).
10.2. Data for which You are the Controller (Your Uploaded Content)
As the Data Controller for your Uploaded Content, you are responsible for handling Data Subject Rights requests from your own users (e.g., your employees). If we receive such a request directly, we will forward it to your account's Administrator to handle. We will provide reasonable assistance as required by law.
11. Cookies and Tracking Technologies
We use essential cookies required for the Service to function properly:
- Session Cookies: Used to maintain your logged-in state and security tokens. These are strictly necessary and cannot be disabled.
- CSRF Tokens: Used to prevent cross-site request forgery attacks.
- Language Preference: Used to remember your selected language.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track you across websites. We use Cloudflare's bot protection (Turnstile), which may set cookies for security purposes.
12. Children's Privacy
The Service is not intended for use by individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes by:
- Posting a notice on the Service
- Sending an email to the address associated with your account
- Updating the "Effective Date" at the top of this policy
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy or your personal data, or wish to exercise your rights, please contact us:
- Data Protection Team: privacy@peritiq.com
- General Inquiries: hi@peritiq.com
- Postal Address: Escola Amarela Serviços Ltda, Rua da Paz 1313, São Paulo - SP, Brazil