
    Version 1.0 · Updated 19/06/2026

    Privacy Policy

    This policy explains how Expresso Assinatura collects, uses, stores, and protects your personal data in compliance with Brazil's General Data Protection Law (LGPD — Law 13,709/2018) and the European General Data Protection Regulation (GDPR — EU Regulation 2016/679).

    1. Data Controller

    The controller responsible for processing your personal data is:

    • Company: Expresso Assinatura
    • Address: Brazil
    • Data Protection Officer (DPO): Data Protection Officer — privacy@expresso.marketing

    For users located in the European Union, the same entity above acts as data controller. Where required, we will designate an EU representative pursuant to Article 27 GDPR.

    2. Data We Collect

    We collect the following categories of personal data:

    • Account registration: name, email address, password (stored as bcrypt hash — never in plain text)
    • Email signatures: name, job title, company, phone, address, social media links, photo, logo — voluntarily provided by you
    • Payment data: transaction history (no card numbers stored — processed by a PCI-DSS certified payment gateway)
    • Access logs: IP address, user agent, timestamps and actions (for security and audit purposes)
    • Cookie consent records: your preferences and consent timestamp as required by LGPD and GDPR
    • Cookies: based on your consent — see our Cookie Policy

    3. Purposes and Legal Bases

    Pursuant to Article 7 LGPD and Article 6 GDPR, each processing activity has a specific legal basis:

    Performance of a contract

    We process your email, name, and plan data to provide the contracted service — account management, signature generation, billing, and support.

    Legitimate interests

    Security and audit logs to prevent fraud and protect platform integrity. We have conducted a Legitimate Interest Assessment (LIA) and concluded that our interests do not override your fundamental rights and freedoms.

    Consent

    Analytics, marketing, and functional cookies — only when you explicitly consent via the cookie banner. You may withdraw consent at any time without affecting the lawfulness of prior processing.

    Legal obligation

    Retention of tax and payment records under applicable Brazilian and EU legislation.

    4. Data Sharing

    We do not sell your data. We share it only with vendors necessary to deliver our service, all bound by data protection agreements:

    • Infrastructure and hosting: servers and database needed to operate the platform
    • Payment gateway: to process financial transactions (PCI-DSS certified)
    • Transactional email service (ZeptoMail): to send notifications, confirmations, and service-related communications

    For B2B customers who use our platform to manage employees' email signatures, we act as a data processor under Article 39 LGPD and Article 28 GDPR. A Data Processing Agreement (DPA) is available upon request at privacy@expresso.marketing.

    5. International Data Transfers

    Some of our vendors may process data on servers outside Brazil. When this occurs, we ensure appropriate safeguards are in place:

    • Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR
    • European Commission adequacy decisions where applicable
    • Specific transfer contracts under Article 33 LGPD and ANPD regulations

    6. Data Retention

    • Account data: for the duration of the active account + 5 years after closure
    • Audit logs: 2 years
    • Payment data: 5 years (tax obligation)
    • Analytics cookies: 12 months
    • Cookie consent records: 5 years (compliance evidence)
    • LGPD/GDPR requests: 5 years after completion

    After these periods, data is securely deleted or irreversibly anonymised.

    7. Your Rights

    Under Articles 15–22 GDPR and Article 18 LGPD, you have the right to:

    • Access: confirm whether we process your data and obtain a copy
    • Rectification: correct inaccurate or incomplete data
    • Erasure (right to be forgotten): request deletion of your personal data (subject to legal obligations)
    • Data portability: receive your data in a structured, machine-readable format
    • Restriction: limit processing in certain circumstances
    • Objection: object to processing based on legitimate interests
    • Withdraw consent: at any time, without affecting the lawfulness of prior processing
    • Lodge a complaint: with the ANPD (Brazil) or your national supervisory authority (EU residents)

    Response times: LGPD — 15 business days; GDPR — 1 calendar month (extendable by 2 further months for complex requests, with notice). Exercise your rights via our Privacy Portal.

    8. Automated Decision-Making and Profiling

    We do not carry out solely automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR; Article 20 LGPD). Interface personalisation features use only technical session data and do not constitute profiling for commercial or discriminatory purposes.

    9. Security Incident Notification

    In the event of a personal data breach, we follow this procedure:

    • GDPR (Art. 33–34): notification to the competent supervisory authority within 72 hours of becoming aware; notification to affected individuals without undue delay when the risk to their rights is high
    • LGPD (Art. 48): communication to the ANPD and affected individuals within a reasonable timeframe in accordance with current regulations

    10. Security

    We implement technical and organisational measures proportionate to the risk, including: bcrypt password hashing, HTTPS/TLS encryption, role-based access control (RBAC), email verification, audit logging, and monitoring for suspicious activity. We apply privacy by design and privacy by default principles (Article 25 GDPR; Article 46 LGPD).

    11. Cookies

    For detailed information on the cookies we use, legal bases, and how to manage your preferences, see our Cookie Policy.

    12. Records of Processing Activities

    We maintain a Record of Processing Activities (ROPA) as required by Article 30 GDPR. The record is available to supervisory authorities upon request.

    13. Contact and DPO

    To exercise your rights, ask questions, file a complaint, or request our DPA:

    • DPO: Data Protection Officer
    • Email: privacy@expresso.marketing
    • Privacy Portal: assinatura.expresso.marketing/lgpd

    Brazil: You may file a complaint with the National Data Protection Authority (ANPD) at gov.br/anpd

    European Union: You may contact your national data protection authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany, AEPD in Spain). Full list: edpb.europa.eu/about-edpb/board/members

    © 2026 Expresso Assinatura. All rights reserved.
