Privacy Policy

MamãoFy, the platform accessible at mamaofy.com.br, is the Data Controller under Art. 5, VI of the Brazilian General Data Protection Law (LGPD — Law 13.709/2018). It is responsible for decisions regarding the processing of personal data of the platform's users.

For privacy-related matters, data protection, and exercising data subject rights, the contact channel for the Data Protection Officer (DPO) is:

• Email: [email protected]
• Subject: include "LGPD — [Request type]" to prioritize handling

We commit to responding to personal data requests within 15 business days, as required by the LGPD.

Every personal data processing operation carried out by MamãoFy has a specific legal basis under Art. 7 of the LGPD:

• Consent (Art. 7, I): used for marketing communications, newsletters, and non-essential cookies. Consent may be withdrawn at any time
• Contract performance (Art. 7, V): processing required to deliver the contracted services — account creation, payment processing and delivery of purchased content
• Legal obligation (Art. 7, II): retention of tax and financial records as required by Brazilian tax law
• Legitimate interest (Art. 7, IX): fraud prevention, platform security, service improvement and usage analysis, provided it does not override the subject's fundamental rights and freedoms
• Exercise of rights (Art. 7, VI): in judicial, administrative or arbitration proceedings when necessary

We collect personal data in the following categories, depending on how you use the platform:

Identification and account data:

• Full name, email address, password (stored with secure hashing)
• Phone/mobile number and profile picture (avatar)
• Biography, professional summary and social networks (optional)
• Country, state, city and district of residence
• Preferred time zone and language

Financial data (instructors and buyers):

• Billing information required to process transactions (account holder name, CPF/CNPJ when required by the gateway)
• Bank details for revenue payouts (IBAN, account number — instructors only)
• Transaction history, active subscriptions and available credits
• Credit card data is NOT stored on MamãoFy servers; all tokenization is performed directly by MercadoPago

Authentication and security data:

• Social OAuth identifiers (Google ID, Facebook ID) — never the social network password
• TOTP secret and backup codes for multi-factor authentication (MFA)
• Login history (date, time, IP address and device)
• API token for external integrations (when requested)

Usage and behavior data:

• IP address, browser type and version, operating system
• Pages visited, session duration and interactions with platform features
• Learning progress in courses, quiz answers and issued certificates
• Use of AI features (message and prompt counts — without storing the prompt content on our servers)

Uploaded documents (instructors):

• Identity documents and professional certificates submitted voluntarily for account verification

We use your personal data exclusively for the following purposes:

• Service delivery: account creation and management, access to purchased courses and content, certificate issuance
• Transaction processing: subscription charges, AI credit purchases, payouts to instructors and affiliates
• Transactional communications: purchase confirmations, access notifications, security alerts and account updates
• Marketing communications (with consent): platform news, course launches, promotions and newsletter
• Personalization: tailoring the learning experience, content recommendations and preference settings
• Security and fraud prevention: detection of suspicious access, blocking of malicious IPs, protection of platform integrity
• Service improvement: aggregated and anonymized usage analysis to enhance the platform
• Legal compliance: retention of tax, financial and audit records as required by Brazilian law

Your personal data is never sold or transferred to third parties for commercial purposes. We share data only in the following circumstances and with the following types of recipients:

• MercadoPago (primary payment gateway): billing data required to process transactions. MercadoPago operates under Brazilian and international financial regulations. Privacy policy at mercadopago.com.br
• Stripe and PayPal (alternative gateways): when selected by the instructor as a payment method, buyer billing data is processed directly by these gateways
• xAI (AI provider, USA): prompts and context sent to AI tools (MamãoFy.AI, Creative AI) are processed by xAI. See Section 6 for international transfer details
• OpenRouter (intermediate AI provider, USA): used as fallback and for alternative AI models. See Section 6
• Firebase (Google, USA): optionally used for user authentication in specific platform flows
• MinIO / S3-compatible object storage: files uploaded by users (videos, documents, images) are stored in the object storage service configured for the platform
• Bunny CDN: content delivery service used for streaming course videos with improved performance
• Meta (WhatsApp Cloud API): when the instructor uses the Sender module for automated WhatsApp messaging, recipient data (phone number) is transmitted to Meta's API
• Email services (Mailgun, AWS SES, Postmark or configured SMTP): used to send transactional and marketing emails, according to platform configuration
• Instructors and organizations: basic student data (name, email, progress) is shared with the instructor responsible for the purchased course, exclusively for content delivery and support
• Authorities and legal obligation: when required by law, court order, government investigation or to protect MamãoFy's rights

Some services used by MamãoFy have servers located outside Brazil, implying international transfer of personal data under Chapter V of the LGPD:

• xAI (United States): primary artificial intelligence provider. Data sent to this service is subject to U.S. law. xAI operates under data processing agreements aligned with international privacy standards
• OpenRouter (United States): AI model intermediary used as fallback. Transmitted data is limited to prompt content and conversation context
• Firebase / Google (United States): used for authentication features. Google is certified under international privacy frameworks
• PayPal (United States): alternative payment gateway for international transactions when enabled
• Stripe (United States): alternative payment gateway when enabled by the instructor

These transfers rely on the adequate safeguards set out in Art. 33 of the LGPD, including specific contractual clauses with each provider. For details on the specific safeguards of each provider, contact us at [email protected].

We use cookies and similar technologies to improve your platform experience. Consent for non-essential cookies is collected through our consent banner, in compliance with the LGPD.

Types of cookies used:

• Essential cookies (required): necessary for basic platform operation — authentication, session management, CSRF security and language preferences. They cannot be disabled without breaking platform functionality
• Performance cookies (optional): collect information on how you use the platform (pages visited, session time) to help us identify improvements. Data is used in aggregate and does not identify users individually
• Personalization cookies (optional): allow us to remember your preferences (theme, language, layout) and personalize your experience across sessions

We do not natively use third-party behavioral advertising cookies (such as Facebook or Google Ads remarketing pixels) on the platform. Instructors using the Landing Pages module may configure their own pixels on their pages, in which case they are responsible for such processing.

You can manage your cookie preferences at any time through your account settings panel or by reconfiguring the consent banner. Disabling non-essential cookies does not affect access to the platform's core features.

As a personal data subject, you have the following rights under Art. 18 of the LGPD, which can be exercised at any time:

• I — Confirmation and access: confirm whether we process your personal data and request a complete copy of the data we hold about you
• II — Correction: request correction of incomplete, inaccurate or outdated data
• III — Anonymization, blocking or deletion: request that unnecessary, excessive or unlawfully processed data be anonymized, blocked or deleted
• IV — Portability: request transfer of your data to another service or product provider, upon express request, in a structured and interoperable format
• V — Consent-based deletion: request deletion of personal data processed solely on consent, except for cases provided by law
• VI — Information on sharing: be informed about the public and private entities with which we share your data
• VII — Information on non-provision: be informed about the option to withhold consent and the consequences of doing so
• VIII — Consent withdrawal: withdraw consent at any time, without prejudice to the lawfulness of processing already carried out
• IX — Objection: object to data processing based on legal grounds other than consent, in case of LGPD non-compliance
• Review of automated decisions: request review of decisions taken solely on automated processing that affect your interests

To exercise any of the rights listed in Section 8, you can:

• Account panel: go to Settings → Privacy to manage data, communication preferences, and request account deletion directly from the platform
• Email the DPO: send your request to [email protected] with subject "LGPD — [Request type]" (e.g. "LGPD — Data access" or "LGPD — Deletion")
• Contact form: visit mamaofy.com.br/contact

To ensure the security and authenticity of the request, we may ask you to verify your identity before processing. We will respond within 15 business days of receipt. If we cannot meet this deadline, we will inform you of the reason and the expected completion date.

If you believe your right has been violated, you may also file a complaint with the Brazilian National Data Protection Authority (ANPD) at www.gov.br/anpd.

We retain your personal data for the period strictly necessary to fulfill the purposes for which it was collected or to comply with legal obligations:

• Active account data: kept throughout the duration of the contractual relationship
• Data after account closure: kept for up to 90 days for internal audit and possible disputes, after which it is anonymized or deleted
• Financial and tax data: kept for 5 years after the transaction, as required by Brazilian tax law (art. 195 CTN and related legislation)
• Audit and access logs: kept for up to 6 months, pursuant to the Brazilian Marco Civil da Internet (Law 12.965/2014, art. 15)
• Instructor course content: kept while the instructor maintains an active account or until express removal request

After the retention periods expire, data is securely deleted or irreversibly anonymized.

MamãoFy implements state-of-the-art technical and organizational measures to protect your personal data:

• Encryption in transit: all communication between your browser and the platform uses HTTPS/TLS
• Encryption at rest: sensitive stored data is encrypted (AES-256-CBC)
• Multi-factor authentication (MFA): available to all users, supporting TOTP (Google Authenticator, Authy) and backup codes
• Role-based access control: access to personal data is restricted to staff with a justified operational need
• Security headers: the platform implements HTTP security headers (Content Security Policy, X-Frame-Options, X-XSS-Protection)
• Monitoring: access logs and suspicious activity are monitored continuously
• File validation: user-uploaded files go through content verification before storage
• Card data: not stored on our servers; all tokenization is performed directly by the certified payment gateway

In the event of a security incident that may pose a relevant risk to data subjects, we will notify the ANPD and affected subjects within the legal timeframes.

The MamãoFy platform is not directed to children under 13. For users between 13 and 17, we require express consent from parents or legal guardians for registration and use, as per Art. 14 of the LGPD.

By registering, the user declares to be 18 years or older or to have authorization from a legal guardian. If we become aware that minor data has been collected without proper consent, we will take the necessary steps to delete it promptly.

Legal guardians who identify minor data collected without their consent should contact us immediately at [email protected].

MamãoFy integrates artificial intelligence tools in different platform contexts. Here is how your data is handled in each:

• MamãoFy.AI and Creative AI: prompts and contexts you send for content generation are transmitted to xAI (or to OpenRouter as fallback) for processing. MamãoFy does not store the content of your prompts on its own servers after the response is returned. The conversation history visible in the interface is stored linked to your account for experience continuity
• Tutor AI: lesson texts and questions sent to the tutor are processed by OpenRouter with models configured by the platform. Conversation context is kept temporarily for session coherence
• Social Planner: social media content you connect to the platform (posts, metrics) is processed to generate suggestions. This data is stored linked to your account while the integration is active
• Use of data for model training: MamãoFy does not use your personal data or prompt content to train its own AI models. The use of data by external providers (xAI, OpenRouter) is governed by those providers' privacy policies
• Usage monitoring: the volume of AI tool usage (message count, not content) is stored in your account for plan limit control and abuse detection

MamãoFy adopts a strict anti-spam policy for all communications sent through the platform:

• All marketing communications sent by the platform include an unsubscribe link. Clicking it stops emails in the selected category
• Transactional communications (purchase confirmations, security notifications) are sent regardless of marketing preferences, as they are necessary for service delivery
• It is strictly forbidden to use the platform's email or WhatsApp features (Sender module) to send unsolicited, misleading messages, or messages in violation of the CAN-SPAM Act or Brazilian anti-spam law
• Violation of this policy may result in immediate suspension of access to the Sender module and, in severe cases, account termination
• MamãoFy fully complies with Art. 43 of the Brazilian Marco Civil da Internet regarding communication log storage and processing

MamãoFy reserves the right to update this Privacy Policy at any time to reflect changes in our services, applicable law or our data processing practices. Relevant changes will be communicated at least 15 days in advance by email or platform notification.

The effective date of this policy is shown at the top of the page. We recommend reviewing it periodically. Continued use of the platform after the effective date of changes implies acceptance of the new terms.

Previous versions of this Privacy Policy may be requested at [email protected].