Privacy Policy (Brazil – LGPD)

PATRYK MATEUSZ GRABOWSKI LTDA (CNPJ 61.434.746/0001-06), Rua Joaquina de Jesus 127 Lote 16, Vila Isolina Mazzei, São Paulo SP, 02079-070. For any data-protection request write to contact@falando.app.

We process the following categories of personal data:

• Account data – e-mail address, display name, avatar (optional), and authentication tokens.
• Study data – vocabulary progress, grammar scores, review schedules, daily-quest streaks, belt ranks, badges, and content-generation logs.
• Payment data – processed entirely by Stripe; we store only a masked card reference and subscription status.
• Device & usage data – IP address, browser type, operating-system version, pages visited, and session duration (via Vercel Analytics).
• User-generated content – text you paste or type in exercises, voice recordings submitted in the oral-exam and bate-papo modes, and imported BYOC articles/video URLs.
• Cookies & local storage – authentication tokens and UI-preference flags (theme, TTS voice, language).

Each processing activity relies on a specific LGPD legal basis:

• Contract performance (Art. 7 I) – providing the learning platform and paid-plan features.
• Legitimate interest (Art. 7 IX) – improving content, preventing fraud, and generating anonymised analytics.
• Consent (Art. 7 I) – sending promotional e-mails or optional notifications (you may withdraw consent at any time).
• Legal obligation (Art. 7 II) – keeping tax and billing records as required by Brazilian law.
• Exercise of rights (Art. 7 VI) – defending claims in administrative or judicial proceedings.
• Protection of credit (Art. 7 X) – processing payment data through Stripe to prevent chargebacks.

We share data only with processors that need it to run the service:

• Supabase (database hosting, US/EU) – account and study data.
• OpenAI / Anthropic (AI providers, US) – exercise text sent for evaluation; no personal identifiers are included.
• Stripe (payment processing, US) – billing and card data.
• Vercel Analytics (hosting & analytics, US) – anonymised usage events.

International transfers rely on Standard Contractual Clauses or equivalent safeguards (LGPD Art. 33). We do not sell or rent personal data to third parties.

We use only essential cookies (authentication session) and UI-preference flags stored in localStorage. We do not use advertising or third-party tracking cookies.

Under the LGPD you may, at any time:

• Confirm whether we process your data.
• Access a copy of your data.
• Correct inaccurate data.
• Anonymise, block, or delete unnecessary data.
• Request data portability.
• Delete your data (request via Settings → Delete Account or e-mail us at contact@falando.app).
• Know which entities we share data with.
• Be informed about denying consent and its consequences.
• Withdraw consent for optional processing.

We keep personal data only while your account is active or as legally required (e.g., tax records for five years). After account deletion we erase or anonymise all personal data within 30 days. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is restricted to authorised personnel on a need-to-know basis.

Falando is available to users aged 13 and over. Users between 13 and 18 must have parental or guardian consent. We do not knowingly collect data from children under 13; if we discover such data we will delete it promptly.

We may update this policy to reflect legal or product changes. Material updates will be announced via in-app notification at least 15 days before they take effect. For questions or data-subject requests, contact contact@falando.app.