Privacy Policy — Allan Mauricio Sanches Baptista de Alvarenga Ltda

This Privacy Policy describes how Allan Mauricio Sanches Baptista de Alvarenga Ltda ("we," "our" or "the Company") collects, uses, stores and protects personal data of our clients, website visitors and all persons whose data we process in connection with our IT support, maintenance and technology services in São Paulo, SP, Brazil.

As a registered limited liability company (Ltda) providing IT services, we are committed to full compliance with the LGPD (Lei nº 13.709/2018) and the tax obligations of ISS of the Municipality of São Paulo and SEFAZ-SP. IT support involves a particularly important LGPD dimension: when performing technical support, our technicians may access client IT systems that contain personal data belonging to the client's own employees, customers or operations. This creates obligations not only as a controller of our own business data, but also as a data processor and operator of client systems under Art. 39 of the LGPD.

Introduction and Scope

This Policy applies to all personal data processed in connection with our IT services — clients who engage us for helpdesk, maintenance, infrastructure, security or consulting services, website visitors who submit quote requests, and any person whose data we process. We distinguish between two types of data: (a) our own business data — data about our clients (as companies and individuals), for which we are the controller; and (b) client system data — personal data within client systems that our technicians may access during support — for which the client is the controller and we act as a processor/operator.

Identity of the Controller

Company name: Allan Mauricio Sanches Baptista de Alvarenga Ltda
Type: Sociedade Limitada (Ltda)
CNPJ: 48.278.835/0001-34
Activity (CNAE): IT Support, Maintenance and Technology Services
Registered address: Av. Paulista, 1106, Sala 01, 16° andar (virtual office), Bela Vista, São Paulo — SP, CEP 01310-914, Brazil
Email: privacy@allanmsbdalvarenga.com.br

Personal Data We Collect

A. Client business data (we are the controller):

Client identification: Company name, CNPJ or CPF, billing address, contact name, email and WhatsApp — for service engagement management, SLA tracking and NF-e issuance.
Service history and IT environment documentation: Records of support tickets, maintenance jobs performed, IT assets serviced and infrastructure documentation — retained as part of the client relationship and for NF-e documentation.
Remote access credentials (technical): Where remote support tools require, temporary access credentials or remote session tokens. These are operational access records, not personal data in themselves, but are handled with strict confidentiality.

B. Client system data (we are the processor / operator — LGPD Art. 39):

When performing IT support — whether remote or on-site — our technicians may access client systems. Those systems may contain personal data about the client's own employees, customers, patients or other data subjects. This is the client's data, for which the client is the controller. We process this data solely and exclusively to perform the technical task requested — not for any other purpose.
We do not copy, retain, analyse or share client system data beyond what is strictly necessary for the support task at hand. Access is logged per session and per technician.

C. Website and quote data:

Name, company, WhatsApp and service description when submitting a quote request via the website.
IP address, browser type and pages visited.

Purpose and Legal Basis

Purpose	Legal Basis (LGPD)
IT service delivery (support, maintenance, infrastructure)	Contract performance (Art. 7º, V)
Access to client systems for technical support (as operator)	Contract performance; Art. 39 — operator obligations
IT service history and asset documentation	Contract performance; Legitimate interest
Issuing NF-e / RPS per engagement	Contract performance; Legal obligation (Art. 7º, II)
ISS São Paulo — fiscal bookkeeping	Legal obligation (Art. 7º, II)
SEFAZ-SP — ancillary tax obligations	Legal obligation (Art. 7º, II)
Website analytics and improvement	Legitimate interest; Consent (cookies)

Sharing of Data

Client system data — absolute confidentiality commitment: Any personal data within client systems that our technicians access during support engagements is treated as strictly confidential information of the client. It is never copied, retained beyond the support session, analysed for any purpose other than performing the task, or shared with any third party — including other clients, suppliers, competitors or any commercial partner. Our technicians are contractually bound by this confidentiality obligation. This is not merely a legal requirement; it is a fundamental condition of professional IT service. A technician who misuses access to client systems violates both our operating standards and the LGPD.

SEFAZ-SP / Receita Federal: NF-e / RPS data — client CNPJ or CPF on service invoices, transmitted electronically.
ISS / Prefeitura de São Paulo: ISS bookkeeping on IT services rendered in São Paulo.
Legal authorities: When required by court order or administrative authority.
PROCON-SP / Senacon: When required under the CDC or commercial dispute resolution.

International Transfers

Our operation is based in São Paulo, SP. Our own client data is processed in Brazil. For remote support tools and cloud management platforms, data may transit international servers — we use only platforms with adequate data protection standards under Art. 33 of the LGPD. Tax records (NF-e / RPS) are processed exclusively in systems certified by the Receita Federal and SEFAZ-SP. When performing support on client cloud environments (e.g., Microsoft 365, AWS, Google Cloud), the international data transfer obligations of those environments are governed by the client's own data processing agreements with those platforms — not by ours.

Retention Periods

Client system data accessed during support: Not retained beyond the support session. Remote access session logs (technician ID, date, duration, client) are retained for 1 year for security audit purposes and then deleted.
Service history and IT asset documentation: Retained for the duration of the client relationship and for 5 years after the last engagement — for reference in ongoing support and consistent with the commercial statute of limitations.
NF-e / RPS (ISS São Paulo / SEFAZ-SP): Minimum 5 years as required by Brazilian federal and São Paulo state tax legislation.
Quote requests without engagement: Up to 1 year from the date of the request.
Website analytics: Aggregated and anonymised after 12 months.

Security Measures

All remote support sessions logged with technician ID, client, date, time and duration — audit trail maintained for 1 year;
Remote access to client systems performed via industry-standard encrypted remote support tools — not via consumer-grade applications;
Temporary access credentials for client systems deleted immediately after the support session is completed;
Client IT environment documentation stored in access-controlled systems — not accessible to any party other than the assigned technician and the managing partner;
NF-e / RPS issued using a certified digital certificate (A1/A3) approved by the Receita Federal;
Website encrypted (HTTPS);
Incident response procedures in accordance with LGPD Art. 48.

Your Rights under the LGPD

Our client business data:

Confirmation and Access (Art. 18, I–II): Confirm what personal data we hold about you and receive a copy.
Deletion (Art. 18, IV): Request deletion — subject to mandatory fiscal retention (NF-e: 5 years) and service history retention for ongoing support.
Portability (Art. 18, V): Receive your data in a structured format.
Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.

Personal data within client systems (you are the controller): If you are a client and wish to exercise LGPD rights on behalf of your own employees or customers whose data may have been accessed during support, you should contact us to review the session access log for the relevant engagement. We can confirm what systems were accessed, by which technician and at what time — so you can make an informed assessment of any data exposure.

We respond within 15 business days.

Cookies and Tracking

Our website may use cookies for essential functionality and aggregated performance analytics. We do not use behavioural tracking or advertising cookies. Cookie preferences can be managed through your browser settings.

Minors

Our IT support and technical services are directed exclusively at businesses and professional clients. We do not provide services directly to minors and do not collect data from minors. If a client's IT systems contain data about minors (e.g., a school's student management system), any support access to those systems is subject to our heightened care obligations as a processor — in particular, LGPD Art. 14 protections for children's data — and is documented in the session access log.

IT System Access, LGPD as Processor, and ISS São Paulo

The IT service provider as LGPD processor — Art. 39: When an IT support company accesses a client's systems to perform maintenance, resolve incidents or manage infrastructure, it is acting as a data processor (operador) under LGPD Art. 39 — processing personal data on behalf of the client (the controller). The LGPD Art. 39 establishes that the operator must: (a) process data only in accordance with the controller's instructions; (b) keep the data confidential; (c) implement technical and administrative security measures; (d) be subject to audit by the controller. For IT support companies, this translates into practical obligations: no browsing or reading of client files beyond what is necessary for the task, no copying of client data to personal or company devices, no accessing systems after the support session has ended, and a full audit trail of all system access. Our access logging practice directly fulfils these obligations. We offer a standard data processing agreement (DPA / Acordo de Tratamento de Dados — Art. 39 LGPD) to any client who requests written documentation of our processor obligations — particularly for clients in regulated sectors (healthcare, legal, financial, education) whose data has heightened sensitivity.

Remote access tools and LGPD compliance: Remote IT support involves the use of remote desktop and remote access tools (such as AnyDesk, TeamViewer, remote access via VPN, or RDP). The use of these tools in support of LGPD-regulated client environments requires care: (a) remote sessions should be conducted only with the client's express consent and awareness; (b) session recordings, where enabled, should be disclosed to the client and retained for the shortest period necessary; (c) access credentials should be temporary and revoked immediately after the session. Our remote support practice follows these principles. Clients who operate in sectors subject to specific LGPD sectoral guidance (e.g., healthcare under CFM/COFFITO, financial under Bacen/CVM, education under ANPD guidance) should inform us of their sector so we can apply the appropriate heightened care during remote access.

ISS São Paulo and NF-e / RPS for IT services: IT support, maintenance and technology consulting services are subject to ISS (Imposto Sobre Serviços) levied by the Municipality of São Paulo — one of the highest ISS rates in Brazil for technology services. The NF-e or RPS (Recibo de Prestação de Serviços) for each engagement is issued with the client's CNPJ or CPF and ISS São Paulo correctly applied, itemising the services performed. For companies that engage IT support as a business expense, the NF-e is: (a) deductible for IRPJ/CSLL purposes as a technology service expense; (b) required for corporate expense reimbursement documentation; (c) the formal fiscal document for audit and accounting compliance. The registered address of Allan Mauricio Sanches Baptista de Alvarenga Ltda is a virtual office at Av. Paulista, 1106 — this is a legitimate and common business practice in São Paulo for IT professionals, consultants and service companies that operate primarily at client sites and remotely. The virtual office provides a formal legal domicile without requiring a physical commercial space, and all tax obligations (ISS São Paulo, SEFAZ-SP) are met under this address.

Updates to this Policy

This Policy may be updated to reflect changes in our activities, in the LGPD, in ANPD guidance on IT service providers and processor obligations, or in the tax legislation of the Municipality of São Paulo or the State of São Paulo. Material changes will be communicated by email or WhatsApp to active clients.

Contact and Data Protection Officer

All privacy requests — including requests to review session access logs, requests for a data processing agreement (DPA) under Art. 39 LGPD, or general LGPD enquiries — should be directed to our Data Protection Officer (LGPD Art. 41):

💻

Privacy — Allan M. S. B. de Alvarenga Ltda

CompanyAllan Mauricio Sanches Baptista de Alvarenga Ltda

CNPJ48.278.835/0001-34

AddressAv. Paulista, 1106, Sala 01, 16° andar, Bela Vista, São Paulo — SP, CEP 01310-914

Emailprivacy@allanmsbdalvarenga.com.br

WhatsApp+55 (11) 9 0000-0000

HoursMon–Fri: 08:00–18:00

DPAData Processing Agreement (Art. 39 LGPD) available upon request for clients in regulated sectors

ResponseWithin 15 business days of receipt.

You also have the right to lodge a complaint with the Brazilian national data protection authority:
ANPD — Autoridade Nacional de Proteção de Dados
www.gov.br/anpd

Privacy Policy.