Data Protection · LGPD / GDPR

Data protection is part of the product, not an addendum.

We operate in compliance with Brazil's LGPD (Law 13.709/2018) and align practices with GDPR for international customers. This page details how Partenero collects, processes, protects and returns control over personal data, focused specifically on the context of Customer Success, Customer Experience and AI agents.

Last updated: May 15, 2026

Roles

Partenero acts in two distinct roles under LGPD/GDPR.

The distinction between controller and processor is essential: it defines who decides purposes, who responds to rights requests, and who answers to authorities.

Controller

Partenero is the controller when you browse partenero.com, submit contact forms, attend webinars, apply to job openings or receive our commercial communications. In these cases Partenero decides the purposes and means of processing and answers directly to you and to the ANPD or other supervisory authority.

Processor

Partenero is the processor when customer companies use the Partenero platform to manage their own end customers (accounts, contacts, conversations, healthscore, tickets, AI handling). In these cases the customer company is the controller, and Partenero processes the data strictly under its contractual instructions, with no reuse for Partenero's own purposes.

Principles

The ten principles of Art. 6 LGPD applied day to day.

Purpose

Each processing purpose is declared before collection. We do not repurpose data without a new legal basis.

Adequacy

Processing remains compatible with the stated purpose. Material changes trigger new communication to the data subject.

Necessity

We collect the minimum necessary. Optional fields are marked as such in forms and screens.

Free access

Data subjects can review data, purposes, duration and sharing through a single, free channel.

Data quality

We keep active channels for correction and deletion. Internal databases are cleaned on a routine schedule.

Transparency

This policy, the Privacy Policy and the Cookie Policy are public, updated and versioned.

Security

Technical and organizational layers detailed in the Security section of this page.

Prevention

Impact assessments (DPIA) precede material changes and new AI use cases.

Non-discrimination

We forbid use of data for discriminatory purposes or harm to vulnerable groups.

Accountability

We keep records, evidence and a response plan to demonstrate compliance when requested.

Legal bases

Each purpose has an explicit legal basis.

We rely on the legal bases of Art. 7 (personal data) and Art. 11 (sensitive data, when applicable) of LGPD, and on their GDPR equivalents (Art. 6 and Art. 9). The basis applied to each processing activity is available on request to the DPO.

Contract performance (Art. 7, V)

Data necessary to deliver the platform to paying customers: provisioning, billing, support, integrations.

Legal obligation (Art. 7, II)

Tax and accounting retention, response to ANPD and other authorities.

Legitimate interest (Art. 7, IX)

B2B marketing with safeguards, fraud prevention, information security, product improvement based on aggregated and anonymized data.

Consent (Art. 7, I)

Analytics and marketing cookies, newsletter, optional surveys. Always revocable in one click.

Health protection / credit protection (Art. 7, VIII and X)

Applied only in specific cases, always documented and reviewed by the DPO.

Data processed

What we collect, by context.

Website visitors

  • Technical identifiers: IP address, user agent, pages visited, referrer.
  • Form data: name, business email, company, role, message.
  • Cookies and local storage per the Cookie Policy (link in the footer).

Customers (administrators and platform users)

  • Identification and contact: name, email, phone, role, optional photo.
  • Authentication: password hash, tokens, SSO and MFA records.
  • Billing: company name, tax ID, fiscal address, payment methods (tokenized via processor).
  • Platform use: screens accessed, actions, performance and audit logs.

Operational data (end customers of our customers)

  • Customer Success: account and contact identification, product events, healthscore, journey, NPS/CSAT, notes and tasks.
  • Customer Experience: conversation history (WhatsApp, email, chat, social media), attachments, transcripts, sentiment classification.
  • AI Agents: prompts, responses, sources consulted, actions taken (tool use), auditable logs per interaction.

Data we do not intentionally process

  • Sensitive data (Art. 5, II): we process it only if a customer enters it into free-form fields. We do not request it, do not index it for profiling, and offer on-demand deletion routines.
  • Children's data: the platform is B2B and not intended for this audience. When we identify such data, we treat it as an incident and remove it.

Data subject rights

The nine rights of Art. 18 LGPD (and GDPR equivalents).

As a data subject, you can exercise any of the rights below by writing to contato@partenero.com. The DPO responds within 15 days, the deadline set by Art. 19 LGPD.

1

Confirmation

Know whether we process any personal data about you.

2

Access

Obtain a copy of the personal data we process.

3

Correction

Request correction of incomplete, inaccurate or outdated data.

4

Anonymization or blocking

Request anonymization, blocking or deletion of unnecessary or non-compliant data.

5

Portability

Receive your data in a structured format (CSV or JSON) or have it sent directly to another vendor.

6

Deletion

Request deletion of data processed under consent, subject to legal retention duties.

7

Sharing information

Know with which public and private entities your data has been shared.

8

Information on non-consent

Know the consequences of not granting consent and how to deny it.

9

Consent revocation

Revoke any granted consent, at any time, at no cost.

Note: if you are an end customer of a company that uses the platform, requests about operational data entered by that company go first to that company, as controller. Where applicable, we forward your request to it.

AI and automated decisions

Specific governance for generative agents.

We have operated AI agents in production since 2024. LGPD provides specific rights when automated decisions occur (Art. 20). Here is how we comply:

Customer data does not train public models

Contracts with OpenAI, Anthropic and Google prohibit training on customer data and provide zero data retention; where a provider keeps abuse-monitoring logs, these are held for at most 30 days. On Enterprise plans, we offer model pinning and dedicated deployments when required.

Right to human review

When an agent takes decisions with material effect on the data subject (e.g., exchange approval, discount granting, escalation), we offer review by a natural person upon request. The flow is configurable per customer.

Full auditability

Every agent action logs: prompt sent, sources consulted (RAG), tools called, parameters, generated response, confidence level and execution identifier. Logs remain available for 180 days.

Configurable guardrails

PII detection, topic blocklists, automatic masking, and human fallback when the model indicates low confidence. Each customer configures their own guardrails without code.
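The auditability and guardrail items above describe a pipeline: mask PII before the prompt leaves the platform, refuse blocklisted topics, hand low-confidence answers to a person, and write one audit record per execution. The following is an added example of that pipeline, not Partenero's code. The regex patterns, the blocklist, the 0.7 confidence threshold, the `fake_model` stand-in for the provider call and the sample prompt are all assumptions chosen to exercise each path.

```python
"""Guardrail and audit pipeline for one AI agent interaction.

Added example, not Partenero's code. PII patterns, blocklist, threshold,
the fake model and the sample prompts are assumptions.
"""
import hashlib
import json
import re
import uuid
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Ordered: the 11-digit CPF is masked before the looser phone pattern could
# consume part of it. Assumed patterns; a real deployment tunes them and
# accepts some false positives (any 10-11 digit run looks like a phone).
PII_PATTERNS = [
    ("CPF",   re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"(?:\+55\s?)?\(?\d{2}\)?\s?9?\d{4}-?\d{4}\b")),
]
TOPIC_BLOCKLIST = ("password reset", "card number")  # assumed customer config
CONFIDENCE_THRESHOLD = 0.7                           # assumed customer config


def mask_pii(text):
    """Replace each PII match with a stable pseudonym such as [CPF_3f2a9c].

    Returns (masked_text, vault). The vault maps pseudonym -> original and
    never leaves the platform; only masked_text goes to the model provider
    and to observability, which is what "no PII in payload" requires.
    """
    vault = {}

    def pseudonym(kind, value):
        tag = "[%s_%s]" % (kind, hashlib.sha256(value.encode()).hexdigest()[:6])
        vault[tag] = value   # same value -> same tag, so the model keeps coreference
        return tag

    for kind, pattern in PII_PATTERNS:
        text = pattern.sub(lambda m, k=kind: pseudonym(k, m.group(0)), text)
    return text, vault


def blocked_topic(text):
    """Return the first blocklisted topic found in text, or None."""
    lowered = text.lower()
    return next((t for t in TOPIC_BLOCKLIST if t in lowered), None)


@dataclass
class AuditRecord:
    """One line of the per-interaction audit log (the fields listed on this page)."""
    execution_id: str
    timestamp: str
    prompt_sent: str        # masked prompt, exactly what left the platform
    sources: list           # RAG documents consulted
    tools_called: list      # [{"name": ..., "parameters": {...}}, ...]
    response: str
    confidence: float
    decision: str           # "auto" | "human_review" | "blocked"
    pii_kinds_masked: list = field(default_factory=list)

    def to_json(self):
        return json.dumps(asdict(self), ensure_ascii=False)


def handle_interaction(prompt, sources, model_fn, tools_called=None):
    """Run one agent turn through the guardrails; return (AuditRecord, vault)."""
    masked, vault = mask_pii(prompt)
    base = dict(
        execution_id=str(uuid.uuid4()),
        timestamp=datetime.now(timezone.utc).isoformat(),
        prompt_sent=masked,
        sources=list(sources),
        tools_called=list(tools_called or []),
        pii_kinds_masked=sorted({tag[1:].split("_")[0] for tag in vault}),
    )
    topic = blocked_topic(masked)
    if topic is not None:   # refused before any provider call is made
        return AuditRecord(**base, response="blocked: topic '%s'" % topic,
                           confidence=0.0, decision="blocked"), vault
    response, confidence = model_fn(masked, sources)
    decision = "auto" if confidence >= CONFIDENCE_THRESHOLD else "human_review"
    return AuditRecord(**base, response=response,
                       confidence=confidence, decision=decision), vault


def fake_model(masked_prompt, sources):
    """Constructed stand-in for the provider call: confident only when a RAG
    source backs the answer, so the human-fallback path is exercised."""
    if sources:
        return "Your plan renews on the date in %s." % sources[0], 0.92
    return "I cannot answer that reliably.", 0.35


if __name__ == "__main__":
    # Constructed sample prompt containing a CPF, an e-mail and a phone number.
    prompt = ("My CPF is 123.456.789-09, e-mail ana@example.com, "
              "phone (11) 98765-4321. When does my plan renew?")
    record, vault = handle_interaction(prompt, ["plan_2026.pdf"], fake_model)
    print(record.to_json())   # carries the masked prompt, never the originals
    print(vault)              # stays inside the platform for human review
```

Two design points worth noting. The audit record stores the masked prompt, so the 180-day log retention never extends the life of the raw identifiers; the vault is the only copy of those and needs its own access control and retention rule. Regex-based detection is a floor, not a ceiling: it misses free-text PII (names, addresses) and flags any long digit run as a phone, so production guardrails layer a classifier on top and let the customer review false positives.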

Subprocessors

Who helps us operate.

We maintain a public, versioned list of subprocessors. Material additions are communicated to customers 30 days in advance, with a right to object.

Cloud infrastructure

Amazon Web Services (sa-east-1 primary, us-east-1 backup).

Edge and security

Cloudflare (DDoS, WAF, CDN).

AI models

OpenAI, Anthropic and Google (under zero-retention contracts).

Communication

Meta WhatsApp Business API, Twilio (SMS/voice), SendGrid (transactional email).

Observability

Datadog and Sentry (logs and errors, no PII in payload).

Payments

Stripe (card) and local provider for boleto and PIX.

International transfer

Where your data lives.

Data of Brazilian customers resides in Brazil (AWS sa-east-1, São Paulo) by default. Encrypted backups may be replicated to us-east-1 (Virginia, USA) for resilience. For these transfers we adopt the ANPD standard contractual clauses and, for GDPR customers, the EU standard contractual clauses (SCCs), so the data keeps an equivalent level of protection abroad.

Primary residency

São Paulo, Brazil (AWS sa-east-1).

Geographic backup

Virginia, USA (AWS us-east-1), encrypted backups only: AES-256 at rest, TLS 1.3 in transit.

AI models

Regional endpoints when available. For customers requiring full Brazilian residency, we offer models hosted in São Paulo.

Retention

How long we keep data.

  • Active account: for the duration of the contract, plus what is necessary to deliver the service.
  • After cancellation: 60 days for portability and export. After this period, we delete or anonymize.
  • Backups: rolling 90-day window. Backups expire automatically, so a record deleted from the live database can persist in encrypted backups for up to 90 more days.
  • Audit logs: 180 days for application logs, 12 months for security logs.
  • Legal obligations: tax and accounting documents may be retained for up to 5 years, per applicable law.
  • Marketing: marketing bases are reviewed every 12 months. Inactive contacts are anonymized.

Security

Technical and organizational layers.

Encryption

TLS 1.3 in transit, AES-256 at rest, key management via AWS KMS.

Access control

Granular RBAC, SSO/SAML, MFA mandatory for admins, IP allowlist on Enterprise.

Audit

Immutable logs of access, changes and exports. Trail by user, device and IP.

Formal program

SOC 2 Type II underway (2026 completion), ISO 27001 underway, annual third-party pentest, private bug bounty program.

Continuity

RPO 1h, RTO 4h. Semiannual DR tests with report available under NDA.

People

Mandatory annual training on LGPD and security. Background check for teams with production access. Principle of least privilege.

Incidents

How we respond to security incidents.

  • Formal incident response plan, tested annually in tabletop exercises.
  • 24/7 detection via SIEM and pipeline observability alerts.
  • Communication to affected customers within 72 hours of incident confirmation.
  • Notification to ANPD within the deadline set by Resolution CD/ANPD No. 15/2024: three business days from becoming aware that personal data was affected. Under Art. 48 LGPD this notification is the controller's duty, so for operational data it is filed by the customer company, not by Partenero.
  • Public postmortem for high-severity incidents, with root cause and action plan.

Updates

How this policy evolves.

We update this page whenever we change relevant practices. Material changes are communicated to active customers 30 days in advance, by email and in-product. Previous versions remain available in history, accessible on request.

Data Protection Officer

Direct channel with our Data Protection Officer.

Partenero's DPO is the contact point for data subjects, customers and authorities. We do not use intermediate forms: you write, a person responds.

SLA

Reply within 15 days, the deadline set by Art. 19 LGPD.

Postal address

Bizware Soluções em Informatica LTDA · Av. Pres. Juscelino Kubitschek, 2.041 · Torre B · São Paulo, SP · 04543-011 · Brazil
