Privacy Policy

1. Who we are

This Privacy Policy describes how 54.024.643 Vinicius Gabriel Lima da Costa (CNPJ 54.024.643/0001-02), trading as Codelab ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use our website and services (the "Service").

We act as the data controller (controlador de dados) under the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD, Law 13.709/2018).

2. Data we collect

2.1 Data you provide

• Account data: name, email address, password (stored in hashed form);
• Billing data: CPF/CNPJ, billing address, and payment card or PIX details, processed by our third-party payment providers; we do not store full card numbers;
• Communications: any information you send us through email, support tickets, or forms.

2.2 Data collected automatically

• Usage data: courses viewed, lesson progress, interactions with the Service;
• Technical data: IP address, browser type and version, operating system, device identifiers, referral URL, timestamps;
• Cookies and similar technologies (see section 7).

3. How we use your data

We process your personal data for the following purposes:

• Service delivery: create and manage your account, grant access to purchased courses, track your learning progress;
• Payments: process transactions, issue invoices, prevent fraud;
• Support: respond to questions, resolve issues, provide technical assistance;
• Communications: send transactional emails (receipts, account updates) and, with your consent, marketing communications;
• Improvement: analyze usage to improve content, features, and user experience;
• Legal compliance: comply with tax, accounting, and regulatory obligations.

4. Legal bases for processing (LGPD)

We rely on the following legal bases defined in Article 7 of the LGPD:

• Execution of a contract to which you are a party (Art. 7, V);
• Compliance with legal or regulatory obligations (Art. 7, II);
• Legitimate interests of the controller, balanced against your fundamental rights (Art. 7, IX);
• Consent for purposes such as marketing emails (Art. 7, I). You may withdraw your consent at any time.

5. Sharing your data

We share personal data only with trusted third parties that help us operate the Service. These include:

• Payment processors (e.g., Pagou.ai, Paddle, Stripe) to process transactions;
• Email service providers for transactional and (with consent) marketing emails;
• Cloud hosting and infrastructure providers for storage, delivery, and security;
• Analytics providers for aggregate usage statistics;
• Government authorities or courts when required by law.

All processors are contractually bound to protect your data and use it only for the specific purposes we authorize.

6. International transfers

Some of our processors may be located outside Brazil. When your personal data is transferred internationally, we ensure adequate safeguards are in place pursuant to Articles 33 to 36 of the LGPD, such as transfer to countries with adequate protection or through contractual clauses approved by the ANPD.

7. Cookies and similar technologies

We use cookies and similar technologies to:

• Keep you signed in to your account (essential);
• Remember your preferences and settings (functional);
• Measure how visitors use the Service so we can improve it (analytics).

You can control cookies through your browser settings. Blocking essential cookies may affect the functionality of the Service.

8. Data retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by law. Typical retention periods:

• Account data: while your account is active, plus up to 3 years after closure;
• Billing records: at least 5 years, as required by Brazilian tax law;
• Support communications: up to 2 years;
• Marketing consent records: until consent is withdrawn, plus a short evidence period.

9. Your rights under the LGPD

You have the following rights with respect to your personal data (Art. 18 of the LGPD):

• Confirmation of the existence of processing;
• Access to your data;
• Correction of incomplete, inaccurate, or outdated data;
• Anonymization, blocking, or deletion of unnecessary or excessive data;
• Data portability to another service provider;
• Deletion of data processed based on your consent;
• Information about public and private entities with which we have shared your data;
• Information about the possibility of not providing consent and the consequences of refusal;
• Withdrawal of consent at any time;
• Opposition to processing that violates the LGPD.

To exercise any of these rights, contact us at the email below. We will respond within the legal timeframe (15 days, extendable once).

10. Security

We apply reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (HTTPS), access controls, secure hosting, and periodic reviews. No system is perfectly secure; we will notify you and the ANPD of any security incident that poses significant risk to your rights, in accordance with Art. 48 of the LGPD.

11. Children's data

The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected data from a minor, please contact us so we can delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date above indicates when it was last revised. Material changes will be communicated through the Service or by email.

13. Contact us and reporting

For privacy requests, questions, or complaints, contact our Data Protection Officer (Encarregado):

You also have the right to lodge a complaint with the Brazilian National Data Protection Authority (ANPD) at gov.br/anpd.