Last updated: April 5, 2026
Trace Documents respects your privacy and protects your personal data in accordance with the Brazilian General Data Protection Law (LGPD — Law 13,709/2018) and other applicable regulations. This policy describes what data we collect, how we use it, who we share it with, and your rights as a data subject.
We collect: (a) account data — name, email, password hash, tax ID (optional); (b) usage data — uploaded documents, generated fingerprints, access logs, notification preferences; (c) technical data — IP address (encrypted), browser user agent, cookies; (d) payment data — MercadoPago/Stripe transaction IDs, amounts, payment method (we do not store card data directly).
We use your data for: (a) authentication and account management (legal basis: contract performance); (b) fingerprint generation and document protection (contract); (c) leak detection (legitimate interest); (d) payment processing and invoice generation (legal obligation/contract); (e) transactional notifications and, when authorized, marketing communications (consent); (f) aggregated, anonymous usage analysis for service improvement (legitimate interest); (g) security auditing and fraud prevention (legal obligation).
We do not sell personal data. We share information only with: (a) payment processors — MercadoPago and Stripe, to process transactions; (b) cloud infrastructure — Microsoft Azure, for hosting and storage; (c) email service — SendGrid, for notification delivery; (d) competent authorities — when required by law or court order. All third parties operate under Data Processing Agreements (DPA) compliant with LGPD.
We apply differentiated retention periods: protected documents per the contracted plan (30 to 365 days); audit logs for 2 years (compliance); payment data for 5 years (tax obligation); access logs (IP, user agent) for 6 months; inactive accounts for 2 years, after which they are anonymized. Anonymized data may be kept indefinitely for aggregate statistics.
You have the right to: access and export your data (portability); correct incomplete or inaccurate information; request deletion of your data (right to be forgotten); revoke consents at any time; request information about third-party sharing; request anonymization or blocking of unnecessary data. To exercise your rights, access your account settings or contact our Data Protection Officer (DPO). Response time is up to 15 days.
We use essential cookies for platform operation (authentication, session). Non-essential cookies — analytics and marketing — are activated only with your explicit consent, which can be managed at any time in your account privacy settings.
We implement technical and organizational measures: encryption in transit (TLS 1.2+) and at rest (AES-256); password hashing with bcrypt; IP encryption in audit logs with rotatable keys; role-based access control (RBAC); automated security monitoring and alerts; multi-factor authentication (MFA); security testing (SAST, DAST, dependency scanning).
Trace Documents is not intended for users under 18 years of age. We do not intentionally collect data from minors. If we learn that a minor's data has been collected, it will be deleted immediately.
We may update this policy periodically. Significant changes will be communicated via email or platform notification. Continued use of the service after changes constitutes acceptance of the new version.
Our Data Protection Officer is available to answer questions about personal data processing and to receive requests to exercise your rights.
View DPO contact information →