DRAFT — pending legal review. Not yet legally binding.

Note: This is a reference translation from the Brazilian Portuguese original. In case of conflict, the Portuguese version prevails.

Privacy Policy

Your privacy matters to us. This Privacy Policy describes how DASHIFY AUTOMACAO & INTELIGENCIA ARTIFICIAL LTDA-ME ("Dashify", "we") collects, uses, shares and protects the personal data of data subjects ("you", "Data Subject") in the context of the platform, services and products we offer.

This Policy was drafted in compliance with the Brazilian General Data Protection Law (LGPD — Lei nº 13.709/2018) and the European Union General Data Protection Regulation (GDPR — EU Regulation 2016/679). Where the two regimes diverge, we will apply the rule that is more protective of the Data Subject.

1. Who is the Data Controller

DASHIFY AUTOMACAO & INTELIGENCIA ARTIFICIAL LTDA-ME

  • CNPJ: 63.878.205/0001-94
  • Address: Rua J72, nº 15, Bairro Jaó, Goiânia/GO, Brasil
  • Contact email: dashify@dashify.net

The Controller is the legal entity that makes decisions about the processing of your personal data.

When we act as a Processor (Processor under the GDPR) — for example, processing data on behalf of a customer who uses our platform — the Controller is our customer, and this Policy applies on a supplementary basis. In such cases, we recommend that you consult the privacy policy of the specific Controller.

2. Data Protection Officer (DPO)

The Data Protection Officer (DPO) is the communication channel between Dashify, Data Subjects and the national supervisory authority (ANPD in Brazil; national supervisory authorities in EU Member States).

  • DPO email: dashify@dashify.net
  • DPO name: Arnaldo Santos (also acting as the representative for processing subject to European jurisdiction, pursuant to GDPR art. 27)

You may contact the DPO at any time to exercise your rights, clarify questions about processing, or submit complaints.

3. Definitions

For the purposes of this Policy:

  • Personal Data: information relating to an identified or identifiable natural person.
  • Sensitive Personal Data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union membership or membership of a religious, philosophical or political organisation, data relating to health or sexual life, genetic or biometric data (when linked to a natural person).
  • Processing: any operation performed on personal data, such as collection, storage, classification, use, transmission, deletion, etc.
  • Data Subject: the natural person to whom the personal data relates.
  • Controller: the person who makes decisions about processing.
  • Processor: the person who processes data on behalf of the Controller.
  • Consent: a freely given, informed and unambiguous indication by which the Data Subject agrees to processing.

4. Categories of Personal Data We Process

Depending on the product, service or platform module you use, we may process the following categories of data:

4.1. Identification and contact data

  • Full name
  • Identity document (CPF, CNPJ, RG, passport, as applicable)
  • Email
  • Phone number
  • Postal address
  • Profile photo (avatar)

4.2. Authentication data

  • Password (always stored in encrypted/hashed form, never in plain text)
  • Session tokens
  • Access history (IP address, date/time, device, user agent)

4.3. Platform usage data

  • Pages and features accessed
  • Actions performed
  • Preferences and settings
  • Cookies and similar identifiers (see Cookie Policy)

4.4. Communication data

  • Content of messages exchanged through channels offered by the platform (chat, email, SMS, WhatsApp, voice)
  • Records and transcripts of telephone calls initiated or received through our voice modules, subject to consent or prior notice, as applicable
  • Audio recordings and their transcripts

4.5. Location data

  • IP address
  • Geographic coordinates, when the Data Subject expressly authorises this

4.6. Payment data (where applicable)

  • Card data is processed exclusively by PCI-DSS-certified payment gateways; Dashify does not store full card details.
  • Transaction history
  • Billing data

4.7. Sensitive data (only when strictly necessary)

Certain platform modules may process sensitive data, for example health data, dietary information, clinical condition (ICD codes) or biometric voice data. Such processing occurs only with specific and explicit consent or another applicable legal basis, and is subject to additional safeguards (enhanced access controls, masking, access logging).

4.8. Data relating to minors

Our services are not directed at children and adolescents. Where, in a specific scenario, processing involves data of a minor (for example, in a client application focused on education or healthcare), processing will be carried out in the best interests of the minor and only with the specific and explicit consent of at least one parent or legal guardian (LGPD art. 14) or in accordance with the applicable rules of the GDPR (art. 8).

5. Legal Bases for Processing

The LGPD and the GDPR require every processing of personal data to have a legal basis. We process your data on the following bases (as applicable):

Purpose | LGPD legal basis | GDPR legal basis
Registration, authentication and platform use | Performance of contract (art. 7, V) | Performance of contract (art. 6(1)(b))
Compliance with legal and fiscal obligations | Legal obligation (art. 7, II) | Legal obligation (art. 6(1)(c))
Data Subject service and support | Performance of contract and legitimate interests (art. 7, V and IX) | Performance of contract and legitimate interests (art. 6(1)(b) and (f))
Marketing communications and updates | Consent (art. 7, I) | Consent (art. 6(1)(a))
Processing of sensitive data | Specific consent (art. 11, I) or other grounds under art. 11 | Explicit consent (art. 9(2)(a)) or other grounds under art. 9
Fraud prevention and security | Legitimate interests (art. 7, IX) | Legitimate interests (art. 6(1)(f))
Defence in judicial, administrative or arbitral proceedings | Exercise of legal rights (art. 7, VI) | Defence of rights (art. 6(1)(f))
Automated decisions and profiling | Consent or performance of contract, with right to review | Consent or performance of contract (art. 22)

Where processing is based on legitimate interests, we carry out a prior balancing assessment (Legitimate Interest Assessment — LIA) between our interests, the Data Subject's rights and freedoms, and their legitimate expectations. You may request further information about that assessment at any time.

6. Specific Purposes of Processing

Data is processed for specified, explicit and informed purposes communicated to the Data Subject, including:

  1. Identification and authentication of the Data Subject on the platform.
  2. Provision of contracted services (CRM, voice, AI, automation, integrations).
  3. Communication with the Data Subject about operations, support, product updates and security.
  4. Compliance with legal, regulatory and fiscal obligations.
  5. Statistical analysis and product improvement (in aggregated and/or anonymised form wherever possible).
  6. Fraud, abuse and attack prevention against the platform and its users.
  7. Marketing and commercial communication, subject to consent, which may be revoked at any time.

7. Sharing of Data with Third Parties

We share personal data only with trusted parties, under a data processing agreement (DPA) or equivalent clauses, and only to the extent strictly necessary for the purpose. The categories of third parties include:

7.1. Technical sub-processors

  • Cloud hosting and infrastructure providers (servers, databases, object storage).
  • Transactional email providers (sending confirmations, password recovery, notifications).
  • Push notification providers (e.g. Google Firebase Cloud Messaging — FCM).
  • Telephony and VoIP providers (e.g. Asterisk, SIP/trunk providers).
  • AI providers (e.g. Google Gemini, ElevenLabs) — used for transcription, voice synthesis, conversation and natural language processing. See the AI Use Notice for further details.
  • Map and geolocation providers, where applicable.
  • Certified payment gateways, where applicable.

7.2. Partners and Controller-clients

Where Dashify acts as a Processor, we may share data with the Controller that has engaged us (for example, a client company that uses the platform to manage its own leads).

7.3. Public and judicial authorities

We may share data when required by law, court order, ANPD request or European supervisory authority request, or for the defence of our rights in administrative, judicial or arbitral proceedings.

7.4. In the event of corporate transactions

In the event of a merger, acquisition, corporate reorganisation or asset sale, personal data may be transferred to the successor entity, with prior notice to Data Subjects where legally required.

7.5. Sub-processor list

We maintain an updated list of our main sub-processors, which is available upon request to the DPO.

8. International Data Transfers

Some sub-processors are located outside Brazil and outside the European Economic Area (EEA). When this occurs:

  • For Data Subjects in Brazil, we comply with art. 33 of the LGPD, transferring data only to countries with an adequate level of protection recognised by the ANPD, or subject to appropriate safeguards (standard contractual clauses, binding corporate rules, certifications).
  • For Data Subjects in the EEA, we comply with arts. 44 to 49 of the GDPR, preferring the Standard Contractual Clauses (SCCs) issued by the European Commission or other mechanisms provided for in the Regulation.

You may request from the DPO a list of destination countries and the safeguards adopted.

9. Retention Periods

Personal data is kept for no longer than strictly necessary to fulfil the purposes for which it was collected. Where applicable, we retain data for additional periods to comply with:

  • Tax and accounting obligations (in Brazil, as a rule, 5 years);
  • Employment and social security obligations (where applicable);
  • Defence in judicial or administrative proceedings (until the final decision or the applicable limitation period);
  • Specific obligations prescribed by law.

Once the retention period ends, data is deleted, anonymised or blocked securely, as appropriate.

Details on retention for each data category are set out in our Retention Policy (an internal document available upon request).

10. Data Subject Rights

You have the right, at any time and upon request to the DPO, to:

Right | LGPD | GDPR
Confirmation that processing exists | art. 18, I | art. 15
Access to data | art. 18, II | art. 15
Correction of incomplete, inaccurate or outdated data | art. 18, III | art. 16
Anonymisation, blocking or deletion of unnecessary, excessive or non-compliant data | art. 18, IV | art. 17 ("right to erasure")
Portability to another provider | art. 18, V | art. 20
Deletion of data processed on the basis of consent | art. 18, VI | art. 17
Information about entities with whom data was shared | art. 18, VII | art. 15(1)(c)
Information about the possibility of not providing consent and the consequences | art. 18, VIII | art. 13(2)(e)
Withdrawal of consent | art. 8, §5 | art. 7(3)
Objection to processing | art. 18, §2 (in certain cases) | art. 21
Restriction of processing | | art. 18
Review of automated decisions | art. 20 | art. 22
Complaint to the supervisory authority | ANPD | national supervisory authority

How to exercise your rights: send your request to the DPO at dashify@dashify.net, identifying yourself adequately and clearly describing the right you wish to exercise.

Response time:

  • As a rule, we respond to requests within 15 (fifteen) calendar days, pursuant to art. 19 of the LGPD;
  • For requests under the GDPR, the deadline is 1 (one) month, extendable by a further 2 months in complex situations (art. 12(3)).

Some rights may be limited due to legal obligations, defence of rights in proceedings, fraud prevention, or overriding legitimate interests. In such cases, we will formally justify any non-compliance.

11. Automated Decisions and Profiling

Some platform features may involve automated decisions (including profiling, lead scoring, AI-generated suggestions). You have the right to request:

  • Clear and adequate information about the criteria and procedures used;
  • Human review of automated decisions that affect your interests (LGPD art. 20; GDPR art. 22).

We do not carry out automated decisions producing legal or similarly significant effects on Data Subjects without a valid legal basis and review mechanisms.

12. Cookies and Similar Technologies

We use cookies and similar technologies for purposes essential to the operation of the platform, performance improvement, statistical analysis and, subject to consent, marketing. For details on cookie categories, purposes and how to manage them, see our Cookie Policy.

13. Use of Artificial Intelligence (AI)

The platform uses AI models and services for various purposes, including voice conversation, transcription, voice synthesis, text analysis and automation. For details on providers, data transmitted, retention and your related rights, see the Artificial Intelligence Use Notice.

14. Voice Recording and Transcription

Certain platform modules involve telephone calls with automatic recording and transcription. These features operate subject to prior notice and/or consent, in accordance with applicable rules. For details, see the Voice Recording and Transcription Notice.

15. Geolocation

Where the collection of precise location data is required for a specific feature, we will request your explicit authorisation. For details, see the Geolocation Notice.

16. Push Notifications

Subject to consent, we may send push notifications to your device. You may withdraw that authorisation at any time in your device or platform settings. See the Push Notifications Notice for details.

17. Information Security

We adopt technical and organisational measures proportionate to the risk of processing, including:

  • Password encryption using strong algorithms;
  • Encryption in transit (TLS) and, where applicable, at rest;
  • Role-based access control and least-privilege principle;
  • Access logs for sensitive data;
  • Protected and periodically tested backups;
  • Periodic vendor assessment;
  • Incident response plan;
  • Staff training.

Even though we follow best industry practices, no system is absolutely immune. In the event of a security incident that may cause significant risk or harm to Data Subjects, we will notify the ANPD and the affected Data Subjects within a reasonable period, pursuant to LGPD art. 48 and GDPR arts. 33–34.

18. Children and Adolescents

Our services are not directed at children or adolescents. If we identify the inadvertent collection of a minor's data without parental consent, we will delete the data as soon as we become aware. Parents and guardians may contact the DPO at any time.

19. Changes to This Policy

This Policy may be updated periodically. The current version will always be available on the platform, with the date of the last revision. Material changes will be communicated in advance through official channels. Continued use of the platform after the new version is published will be interpreted as acknowledgement of the update, except where the law requires fresh consent.

Version: 1.0.0 (DRAFT) Last reviewed: 2026-05-15

20. Governing Law and Jurisdiction

This Policy is governed by Brazilian law, without prejudice to the direct application of the GDPR to processing subject to European jurisdiction. For disputes that cannot be resolved administratively, the courts of the Data Subject's domicile shall have jurisdiction where the Data Subject is a consumer, or the courts of the district where Dashify's registered office is located in other cases, without prejudice to courts of mandatory jurisdiction provided for by law.

21. How to Contact Dashify About Privacy