Privacy Policy

Last updated: March 21, 2026

1. Introduction

Baseportal Tecnologia Ltda. ('Baseportal', 'we', 'our') is committed to protecting the privacy and personal data of its users, customers, and visitors. This Privacy Policy transparently describes how we collect, use, store, share, and protect your personal data when you access our website, use our platform, or interact with our services.

This policy applies to all products and services offered by Baseportal, including the SaaS business management platform, the institutional website (baseportal.io), the client portal, third-party integrations, and any communications made by us. By using our services, you declare that you have read and understood this Privacy Policy. This policy is supplementary to our Terms of Use.

2. Data Controller

For the purposes of the Brazilian General Data Protection Law (LGPD) and the General Data Protection Regulation (GDPR), the controller of your personal data is:

Company: Baseportal Tecnologia Ltda.

Address: Av. Paulista, 171 - São Paulo, SP, Brasil

Privacy Email: privacy@baseportal.io

DPO Email: dpo@baseportal.io

3. Definitions

For a better understanding of this Privacy Policy, the following terms are defined:

Personal Data: Any information relating to an identified or identifiable natural person, such as name, email, tax ID, IP address, among others.

Sensitive Data: Personal data concerning racial or ethnic origin, religious conviction, political opinion, trade union membership, health or sexual life data, genetic or biometric data.

Data Subject: The natural person to whom the personal data being processed relates.

Controller: The natural or legal person responsible for decisions regarding the processing of personal data.

Processor: The natural or legal person that processes personal data on behalf of the controller.

Processing: Any operation performed on personal data, including collection, storage, use, sharing, deletion, among others.

Consent: A free, informed, and unambiguous expression by which the data subject agrees to the processing of their personal data for a specific purpose.

ANPD: Brazilian National Data Protection Authority, the public administration body responsible for overseeing, implementing, and enforcing compliance with LGPD.

4. Data We Collect

4.1 Data Provided Directly by You

  • Identification data: full name, tax ID (CPF/CNPJ), company name, job title, and department
  • Contact data: email address, phone number, postal address
  • Access data: login credentials (email and encrypted password), authentication preferences
  • Financial data: credit or debit card information (processed by Stripe, not stored by us), billing data, and invoices
  • Content data: files, documents, messages, forms, collection records, and any content created or uploaded to the platform
  • Communication data: messages sent to our support team, feedback, satisfaction surveys, and communications via WhatsApp
  • Preference data: language, timezone, notification settings, and interface customization

4.2 Data Collected Automatically

  • Device data: device type, operating system, browser version, screen resolution, and device identifiers
  • Connection data: IP address, internet provider, approximate geographic location (country/city) derived from IP
  • Usage data: pages visited, features used, access frequency and duration, clicks, scrolling, and interface interactions
  • Performance data: page load times, application errors, technical performance metrics
  • Cookie data: session identifiers, stored preferences, authentication tokens, and analytics tracking data (detailed in section 15)
  • Audit logs: record of actions performed on the platform, including creation, editing, and deletion of records, with date, time, and user identification

4.3 Data Received from Third Parties

We may receive personal data from third-party sources, including:

  • Authentication providers: profile data when you use social login (Google), such as name, email, and profile picture
  • Payment providers: transaction confirmations, payment status, and basic billing data provided by Stripe
  • Customer-activated integrations: data received through integrations with WhatsApp, email services, and other tools connected by the Customer

4.4 Sensitive Data

Baseportal does not request or intentionally collect sensitive data (such as health data, biometrics, sexual orientation, religious or political beliefs). If the Customer enters sensitive data in their records, collections, or forms, the Customer assumes responsibility for ensuring an adequate legal basis for processing such data under LGPD (Art. 11) and GDPR (Art. 9), including obtaining specific and explicit consent from data subjects when necessary.

5. Legal Bases for Processing

All processing of personal data by Baseportal is based on one or more legal bases provided by LGPD (Art. 7) and GDPR (Art. 6). The main bases used are:

Contract performance (LGPD Art. 7, V / GDPR Art. 6(1)(b)): Processing necessary for the provision of contracted services, including account creation, subscription management, payment processing, and delivery of platform features.

Consent (LGPD Art. 7, I / GDPR Art. 6(1)(a)): When you provide free, informed, and unambiguous consent for specific purposes, such as receiving marketing communications, participating in surveys, or activating optional features.

Legitimate interest (LGPD Art. 7, IX / GDPR Art. 6(1)(f)): For Baseportal's legitimate purposes that do not override your fundamental rights, such as service improvement, platform security, fraud prevention, aggregate usage analysis, and customer support.

Legal obligation (LGPD Art. 7, II / GDPR Art. 6(1)(c)): When processing is necessary for compliance with a legal or regulatory obligation, such as retention of tax data, accounting records, and responding to requests from competent authorities.

Regular exercise of rights (LGPD Art. 7, VI): For the regular exercise of rights in judicial, administrative, or arbitral proceedings, including defense in litigation and preservation of evidence.

Credit protection (LGPD Art. 7, X): For credit analysis, collection management, and default prevention purposes, under applicable legislation.

6. How We Use Your Data

The personal data collected is used for the following specific purposes:

  • Service delivery: provide, operate, maintain, and improve the Baseportal platform and all its features
  • Account management: create and manage your account, authenticate access, process subscriptions, and manage permissions
  • Payment processing: process financial transactions, issue invoices, manage billing, and provide tax information
  • Operational communication: send service notifications, security updates, terms changes, transaction confirmations, and system alerts
  • Customer support: respond to requests, resolve technical issues, provide assistance, and manage support tickets
  • Service improvement: analyze usage patterns, identify bugs, optimize performance, develop new features, and personalize the user experience
  • Security and fraud prevention: monitor suspicious activities, detect unauthorized access, prevent abuse, and protect platform integrity
  • Marketing and commercial communication: send information about new features, promotions, and relevant content (exclusively with prior consent and with the option to unsubscribe at any time)
  • Legal compliance: fulfill legal, regulatory, tax, and accounting obligations, respond to authority requests, and cooperate with legitimate investigations
  • Aggregate analytics: generate anonymized and aggregated statistics about platform usage for internal reporting, benchmarking, and continuous service improvement

7. Data Sharing

Baseportal may share your personal data only under the following circumstances and with appropriate safeguards:

  • Sub-processors: with essential service providers that assist in platform operations (detailed in section 8), under contracts that ensure an adequate level of data protection
  • Customer-activated integrations: when the Customer activates integrations with third-party services (WhatsApp, email providers, Stripe), the necessary data is shared according to the requested functionality
  • Legal obligation: when required by law, regulation, court order, or request from a competent authority (ANPD, Public Prosecutor's Office, Judiciary)
  • Protection of rights: when necessary to protect the rights, property, or safety of Baseportal, its users, or the public, including investigation of Terms of Use violations
  • Corporate transactions: in the event of a merger, acquisition, corporate reorganization, or asset sale, your data may be transferred to the successor entity, maintaining the protection obligations set forth in this policy
  • With consent: in any other circumstance, only with your express and informed consent

BASEPORTAL DOES NOT SELL, RENT, OR TRADE PERSONAL DATA OF ITS USERS TO THIRD PARTIES FOR MARKETING, ADVERTISING, OR ANY OTHER COMMERCIAL PURPOSE.

8. Sub-processors and Partners

To provide our services, we use the following sub-processors that may have access to personal data:

Amazon Web Services (AWS) — Infrastructure hosting, data storage, and backups (servers in the US and EU)

Cloudflare R2 — File storage and content distribution with global redundancy

Stripe — Payment processing, subscription management, and billing data

OpenAI / Anthropic — Artificial intelligence feature processing (assistants and analysis)

Brevo / SendGrid / Amazon SES — Transactional email delivery and system notifications

Ably — Real-time communication (WebSocket) for instant platform updates

Google Analytics / Facebook Pixel — Website usage analysis and marketing metrics (anonymized data)

Baseportal will notify Customers at least 30 days in advance of the addition or replacement of sub-processors. The complete and updated list of sub-processors is available upon request at privacy@baseportal.io.

9. International Data Transfers

Your personal data may be transferred to and processed on servers located outside Brazil, primarily in the United States and the European Union. These transfers are carried out with the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by ANPD for transfers under LGPD, pursuant to Resolution CD/ANPD No. 19/2024
  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers under GDPR (Implementing Decision 2021/914)
  • Verification of adequacy decisions issued by competent authorities, when available for the destination country
  • Complementary technical and organizational measures, including end-to-end encryption, pseudonymization, and strict access controls

10. Data Security

Baseportal implements appropriate technical and organizational security measures, designed to protect your personal data against unauthorized access, destruction, loss, alteration, disclosure, or any form of improper processing:

  • TLS 1.2+ encryption for all data in transit and AES-256 for data at rest
  • Multi-tenant architecture with strict logical isolation between organizations (team_id), preventing cross-access of data
  • Role-Based Access Control (RBAC) with granular permissions and the principle of least privilege
  • Secure authentication with password hashing (bcrypt), social authentication support (OAuth 2.0), and JWT tokens with expiration
  • Automatic daily backups with geographic redundancy and periodic restoration testing
  • Continuous security monitoring, vulnerability analysis, periodic penetration testing, and patch management
  • Immutable audit logs recording all operations performed on the platform, with retention as required by law

In the event of a security incident involving personal data, Baseportal will follow its incident response plan, which includes: (i) immediate containment of the incident; (ii) risk and impact assessment; (iii) notification to ANPD and the competent supervisory authority within legal deadlines; (iv) notification to affected data subjects when the incident may pose a relevant risk or harm; and (v) complete documentation of the incident and measures taken.

11. Data Retention and Deletion

Your personal data is retained only for as long as necessary to fulfill the purposes for which it was collected. The main retention periods are:

  • Active account data: maintained throughout the contract term and for the period necessary after termination to fulfill legal obligations
  • Billing and tax data: retained for at least 5 (five) years after the end of the contractual relationship, as required by Brazilian tax legislation
  • Communication and support data: retained for up to 2 (two) years after the resolution of the last ticket or communication
  • Audit and security logs: retained for up to 6 (six) months for security and incident investigation purposes
  • Marketing data: retained until consent is revoked or deletion is requested, whichever comes first

After account closure, the Customer will have 30 (thirty) days to export their data. After this period, all Customer Data will be permanently deleted from Baseportal's active systems within 30 (thirty) days, and from backup copies within 90 (ninety) days. Deletion is irreversible. Data that must be retained due to legal obligations will be anonymized or kept separately, with restricted access, until the end of the legal retention period.

12. Your Rights under LGPD

In compliance with the Brazilian General Data Protection Law (Law 13,709/2018), you, as a personal data subject, have the following rights:

  • Confirmation and access: obtain confirmation of the existence of processing and access your collected personal data (Art. 18, I and II)
  • Correction: request correction of incomplete, inaccurate, or outdated personal data (Art. 18, III)
  • Anonymization, blocking, or deletion: request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data under LGPD (Art. 18, IV)
  • Portability: request data portability to another service or product provider, in a structured and interoperable format (Art. 18, V)
  • Consent-based deletion: request deletion of personal data processed based on consent, except in cases of legal retention requirements under Art. 16 of LGPD (Art. 18, VI)
  • Sharing information: obtain information about public and private entities with which Baseportal shares data (Art. 18, VII)
  • Consent information: be informed about the possibility of not providing consent and the consequences of refusal (Art. 18, VIII)
  • Consent withdrawal: withdraw consent at any time, free of charge and in a facilitated manner (Art. 18, IX)
  • Automated decision review: request review of decisions made solely based on automated processing of personal data that affect your interests (Art. 20)

To exercise any of these rights, contact our Data Protection Officer (DPO) at dpo@baseportal.io. Requests will be addressed within 15 (fifteen) days, as established by LGPD, which may be extended with justification to the data subject.

13. Your Rights under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):

  • Right of access (Art. 15): obtain confirmation and a copy of your personal data being processed, including information about purposes, data categories, and recipients
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data without undue delay
  • Right to erasure (Art. 17): request deletion of your personal data when there is no longer a legitimate need for processing ('right to be forgotten')
  • Right to restriction of processing (Art. 18): restrict the processing of your personal data in specific circumstances, such as when you contest the accuracy of the data
  • Right to data portability (Art. 20): receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller
  • Right to object (Art. 21): object to the processing of personal data based on legitimate interests or for direct marketing purposes
  • Right regarding automated decisions (Art. 22): not be subject to decisions based solely on automated processing, including profiling, that produce significant legal effects
  • Right to withdraw consent (Art. 7(3)): withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal

You have the right to lodge a complaint with the competent supervisory authority in your country of residence. Requests under GDPR will be addressed within 30 (thirty) days, which may be extended by an additional 60 (sixty) days in complex cases, upon notification to the data subject.

14. Artificial Intelligence and Your Data

Baseportal offers artificial intelligence features integrated into the platform. Regarding the processing of personal data by these features:

  • Baseportal does NOT use your personal data or Customer Data to train, develop, or improve its own or third-party artificial intelligence models
  • Data sent for processing by AI features is transmitted to providers (OpenAI and Anthropic) exclusively to generate the requested response, according to their respective privacy policies
  • AI providers contracted by Baseportal are contractually required not to retain data beyond what is necessary for immediate processing and not to use it for model training
  • AI features that process personal data are subject to the same legal bases, safeguards, and data subject rights described in this policy
  • Automated decisions based on AI that may significantly affect data subjects' rights are subject to the right of human review, as provided by LGPD (Art. 20) and GDPR (Art. 22)

15. Cookies and Tracking Technologies

We use cookies and similar technologies (web beacons, pixels, local storage) on our website and platform. Cookies are classified into the following categories:

Strictly necessary: Essential for the operation of the website and platform (session authentication, CSRF security, language preference, load balancing). They do not require consent and cannot be disabled.

Functional: Store your preferences and customizations (dark/light theme, layout settings, partially filled form data). They improve your experience but are not essential.

Analytics and performance: Collect anonymized data about how you use our website and platform (Google Analytics). They help us understand browsing patterns, identify issues, and improve our services.

Marketing and advertising: Used to measure the effectiveness of our advertising campaigns and display relevant content (Google Tag Manager, Facebook Pixel). They may track your activity across different websites.

You can manage your cookie preferences at any time through your browser settings or the cookie consent mechanism provided on our website. Disabling non-essential cookies may affect the functionality of certain features. Third-party cookies are subject to the respective providers' privacy policies. For more information about specific cookies, please contact us.

16. Children's Privacy

Baseportal is not directed at individuals under 18 years of age and does not intentionally collect personal data from children or adolescents. Our platform is intended exclusively for business and professional use. If we become aware that personal data from a minor has been collected without verifiable consent from their legal guardian, we will take immediate steps to delete such data from our systems. If you believe a minor has provided personal data to Baseportal, please contact us immediately at dpo@baseportal.io.

17. Marketing and Communications

Baseportal may send marketing communications about new features, updates, promotions, and relevant content exclusively when you have provided prior and express consent. Operational communications related to the contracted service (system notifications, security updates, terms changes, billing information) do not depend on consent and are sent based on contract performance.

You may revoke consent for marketing communications at any time through the unsubscribe link in all marketing emails, through notification settings on the platform, or by contacting us directly. Revocation will be processed within 5 (five) business days. Revoking marketing consent does not affect the sending of essential operational communications.

18. Changes to this Policy

Baseportal may update this Privacy Policy periodically to reflect changes in our practices, new features, or legislative changes. Substantial changes will be communicated with a minimum of 30 (thirty) days' advance notice via email to the registered address and/or through a prominent notice on the platform. Minor changes (such as editorial corrections) may be made without prior notice. We recommend that you review this policy regularly. The date of the last update is always indicated at the top of this page. Continued use of the services after the effective date of changes constitutes acceptance of the updated policy.

19. Contact and Data Protection Officer (DPO)

If you have questions, concerns, or requests related to this Privacy Policy, the processing of your personal data, or the exercise of your rights as a data subject, please contact us:

Privacy Email: privacy@baseportal.io

Phone: +55 11 97436-7680

Address: Av. Paulista, 171 - São Paulo, SP

Data Protection Officer (DPO)

As required by LGPD (Art. 41) and GDPR (Art. 37), Baseportal has designated a Data Protection Officer (DPO) to: (i) receive complaints and communications from data subjects and ANPD, and provide clarifications; (ii) guide employees and contractors on data protection practices; (iii) perform duties determined by the controller or complementary regulations; and (iv) act as a point of contact for European supervisory authorities when applicable. Response times: 15 days (LGPD) or 30 days (GDPR), depending on the applicable jurisdiction.

DPO Email: dpo@baseportal.io

© 2026 Baseportal. All rights reserved.