How we handle your personal data

1. Who we are · data controller

MyDatAgent, hereinafter "MDA", is a Brazilian company based in São Paulo (CNPJ 00.000.000/0001-00). We act as a controller of personal data collected on our website and as an operator of data that customers entrust to us for processing via our platform.

2. What data we collect

We collect only what's necessary to deliver our services. The categories are:

We don't collect sensitive data (health, biometrics, religion, etc.) through the public website. For customers in production, sensitive data may be processed per specific contract (DPA).

3. How we use your data

• Respond to your contact and schedule demos or technical conversations;
• Send relevant technical content (whitepapers, blog posts, product updates) — you can unsubscribe anytime;
• Improve the site and product through aggregated usage analysis (without individual identification);
• Prevent fraud and ensure the security of our infrastructure;
• Comply with legal obligations (tax, regulatory, judicial).

We never sell your data. We never use your registration data to train public AI models. We practice what we preach.

4. Who we share with

We share data only with strictly necessary operators:

• HubSpot · CRM and marketing — with DPA and ANPD standard clauses;
• AWS Brazil (sa-east-1) · hosting our infrastructure;
• Google Workspace · corporate email and calendar;
• Payment providers · only for active customers with contracts.

All operators sign a data processing agreement (DPA) and are bound by the same security and privacy standards we follow.

5. International transfer

Our product infrastructure operates entirely in a Brazilian datacenter (AWS sa-east-1). Some operational tools (HubSpot, Google Workspace) may process data in the United States under contractual guarantees (ANPD/EU Standard Clauses). For use of our production AI platform, we guarantee by contract (DPA) that no customer data crosses borders.

6. Your rights as a data subject

Per article 18 of LGPD, you have the right to:

1. Confirm whether your data is being processed;
2. Access the data we hold about you;
3. Correct incomplete, inaccurate, or outdated data;
4. Anonymize, block, or delete unnecessary or non-compliant data;
5. Port your data to another provider;
6. Delete data processed with your consent;
7. Obtain information on who we share your data with;
8. Revoke consent at any time;
9. Request review of automated decisions that affect you.

To exercise any right, contact the DPO: dpo@mydatagent.ai — response within 15 business days.

7. How long we keep your data

• Lead registration — up to 3 years after last contact (then anonymized);
• Active customer — during contract + 5 years for tax compliance;
• Navigation logs — 6 months;
• Marketing communications — until you unsubscribe.

8. How we protect your data

We implement technical and organizational measures aligned with international best practices:

• Encryption in transit (TLS 1.3) and at rest (AES-256);
• Access based on least privilege principle (RBAC) with mandatory Single Sign-On;
• Automatic PII masking (Microsoft Presidio) in any flow touching AI;
• Auditable and immutable logs of all sensitive operations;
• Certifications SOC 2 Type I & II and ISO/IEC 27001.

In case of a security incident, we notify ANPD and affected data subjects within 72 hours, per LGPD article 48.

9. Changes to this Policy

We may update this policy to reflect regulatory or operational changes. Material changes will be communicated at least 30 days in advance via email and/or prominent notice on the site. The current version published on this page is always the one in effect, with the date and version number at the top.