Privacy Policy (Brazil – LGPD)

Last updated: 6 September 2025

This Privacy Policy explains how Falando collects, uses, shares, and safeguards your personal data in Brazil, in accordance with the Lei Geral de Proteção de Dados Pessoais (LGPD – Law No. 13.709/2018). This document is provided for transparency and does not constitute legal advice.

1) Controller (Controlador)

Controller responsible for your personal data in Brazil:

  • Legal name: Patryk Mateusz Grabowski LTDA
  • CNPJ: 61.434.746/0001-06
  • Registered address: Rua Joaquina de Jesus 127 Lote 16, Vila Isolina Mazzei, São Paulo SP 02079-070, Brasil
  • Data Protection Officer (Encarregado/DPO): Patryk Grabowski — contact@falando.app

2) What data we collect

  • Account and Profile: email, display name (if provided), timezone, role (e.g., free user, paid user, admin), and avatar URL you upload. Authentication is provided by Supabase.
  • Learning Activity: items you study (grammar, vocabulary, listening), spaced-repetition progress, correctness, number of mistakes, timestamps, and related learning metadata, so we can power your study features.
  • Device/Log data: IP address and technical logs may be recorded by our infrastructure and service providers for security, abuse prevention, and reliability.
  • Authentication cookies and local storage: We use Supabase authentication cookies to securely manage your login sessions. These cookies contain encrypted session tokens that expire automatically (access tokens expire after 1 hour, but are automatically refreshed). We also use browser storage (e.g., IndexedDB/local storage) to cache content and improve performance. Optional analytics cookies (Google Analytics) are set only if you consent. You can clear site data in your browser settings at any time.
  • Audio/Text for Text-to-Speech (TTS): when you request audio, we send the relevant text to our TTS provider to generate speech.

3) Why we process your data (Purposes) and LGPD legal bases

  • Provide and operate the service (LGPD Art. 7, V – contract execution): account creation, authentication, study progress, content delivery, and customer support.
  • Personalize and improve the product (LGPD Art. 7, IX – legitimate interest): optimize content, performance, and features based on usage patterns, while respecting your rights and expectations.
  • Security and fraud prevention (LGPD Art. 7, IX – legitimate interest; Art. 11 – safety): protect accounts, investigate suspicious activity, and ensure platform integrity.
  • Payments and subscriptions (LGPD Art. 7, V – contract execution): if you purchase a paid plan, we process necessary billing data through a payment provider. We do not store your full card details on our servers.
  • Compliance with legal obligations (LGPD Art. 7, II): retain certain records as required by law.
  • Consent when required (LGPD Art. 7, I): for optional features or communications, we rely on your consent, which you may revoke at any time.

4) Third-party processors and international transfers

We work with service providers who act as data processors on our behalf. When personal data is transferred outside Brazil, we use appropriate safeguards consistent with the LGPD (e.g., contractual clauses and security measures).

  • Supabase (database, authentication, storage). Your account information, study progress, and uploaded avatar are processed/stored by Supabase.
  • OpenAI (Text-to-Speech): to generate audio, we send the text to be spoken to OpenAI's TTS API. According to OpenAI's documentation, API data is not used to train their models by default. Audio may be cached on your device for performance.
  • Payment provider (for paid plans): processed data may include your email and billing information. We do not store full card details on our servers.

Links: Supabase Privacy · OpenAI Privacy

5) Your rights under the LGPD

You have the following rights, subject to applicable legal conditions:

  • Confirmation of processing and access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Data portability to another service provider, upon express request
  • Deletion of personal data processed with your consent
  • Information about public and private entities with which we share data
  • Information about the possibility of not providing consent and the consequences
  • Revocation of consent at any time
  • Right to petition the ANPD about your data
  • Review of decisions based solely on automated processing that affect your interests

To exercise your rights, contact our DPO at contact@falando.app. We may need to verify your identity before responding. You can also contact Brazil's data protection authority (ANPD): https://www.gov.br/anpd/pt-br.

6) Retention

We retain personal data for as long as necessary to provide the service and fulfill the purposes described above, including legal, accounting, or reporting requirements. When no longer necessary, data will be deleted or anonymized as required by law.

7) Security

We employ administrative, technical, and organizational measures designed to protect personal data. No online system is 100% secure, but we continuously work to improve safeguards against unauthorized access, misuse, or disclosure.

8) Cookies, analytics, and local storage (GDPR/LGPD)

Falando does not require cookies to provide the core learning experience. We primarily use browser storage (IndexedDB/local storage) to cache content and speed up loading. This storage lives on your device and can be cleared in your browser settings.

We offer optional analytics cookies (Google Analytics) to understand how the product is used so we can improve it. These cookies are only set if you accept them in our cookie banner, and you can change your choice anytime via “Cookie settings” in the site footer. If you do not accept, analytics is not loaded.

Analytics cookies (set only with consent):

  • _ga (Google Analytics) — used to distinguish users; typical retention up to 2 years.
  • _ga_<container-id> (Google Analytics) — persists session state; typical retention up to 2 years.
  • _gid (Google Analytics) — used to distinguish users; typical retention around 24 hours.
  • _gat (Google Analytics) — used to throttle requests; typical retention about 1 minute.

Exact names and durations may vary by Google’s updates. We configure analytics to load only after consent and to stop when consent is withdrawn.

Authentication cookies (strictly necessary):

  • sb-ydgcqtcholscrspngsox-auth-token (Supabase) — contains an encrypted JWT access token for authentication; expires after 1 hour but automatically refreshes.
  • sb-ydgcqtcholscrspngsox-auth-token.0 and sb-ydgcqtcholscrspngsox-auth-token.1 (Supabase) — additional authentication data for session management.
  • falando_role (Falando) — stores your user role (free user, paid user, admin) for theme and access control; persists until logout or manual deletion.

These cookies are essential for user authentication and cannot be disabled if you want to use account features. They are automatically set when you log in and cleared when you log out.

How to change your choice: click “Cookie settings” in the footer to open the preferences panel. You can also clear cookies and site data via your browser settings.

9) Children and adolescents

The platform is intended for general audiences and is not directed to children. Under the LGPD, processing personal data of children (under 12) requires specific and highlighted consent from a parent or legal guardian. We do not knowingly collect personal data from children without such consent. If you believe a child has provided personal data to us, please contact our DPO to request deletion.

10) Changes to this Policy

We may update this Privacy Policy as our practices evolve or as required by law. If we make material changes, we will take reasonable steps to notify you. Your continued use of the service after changes take effect indicates acceptance of the updated Policy.

11) Contact

If you have questions, requests, or complaints about this Privacy Policy or our data practices in Brazil, contact our DPO at contact@falando.app.