Privacy Policy
How Diapasão collects, uses, and protects your data — in compliance with the LGPD, written to be understood.
Last updated: June 10, 2026
01 Introduction
Your trust is what keeps our business in tune. This Privacy Policy explains how Diapasão collects, uses, shares, and protects personal data, in compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 — LGPD).
It applies to the website, the platform (e-commerce, management, POS, invoice, CRM, and AI customer service), and every point of contact with Diapasão.
Diapasão acts in two roles. With respect to your account data — registration, subscription, plan payment, and platform usage — we are the controller. With respect to the data you enter about your customers (CRM records, store customers, support conversations), we are only the operator: we process that data under your direction and on your behalf — you are its controller.
02 Data we collect
We collect only what is necessary to operate the platform and improve your experience:
- Registration: name, email, phone, CNPJ/CPF, and store details;
- Usage: pages visited, features used, access logs, and device;
- Operations: products, orders, invoices, and customer data that you register;
- Payment: billing data processed by partners (we do not store the full card number);
- Payouts and KYC: if you sell through the store, we collect banking and registration data (ID document, date of birth, mother's name) required by the payment partner to enable you as a recipient;
- Digital certificate: to issue invoices, you may send us your A1 certificate and password, which we store encrypted;
- Security: IP address, login attempt logs, and audit trails, to protect your account and prevent fraud.
03 How we use the data
We use personal data to:
- Provide, maintain, and improve the platform;
- Process subscriptions, payments, and invoice issuance;
- Offer support and communicate important notices;
- Personalize the experience and measure service performance;
- Comply with legal obligations and prevent fraud.
04 Legal basis (LGPD)
We process personal data based on the legal grounds set out in the LGPD, according to the purpose: performance of a contract, compliance with a legal obligation, legitimate interest, and, where applicable, your consent — which can be revoked at any time.
05 Data sharing and service providers
We do not sell your data. We share information only with providers that help the service run (sub-operators), always limited to their stated purpose and bound to protect the data:
- Pagar.me — payment processing, subscriptions, and marketplace split (Brazil);
- NFE.io — invoice issuance and transmission to SEFAZ (Brazil);
- OpenAI — generation of AI customer service responses (United States);
- Google Analytics and Microsoft Clarity — website audience metrics, subject to your consent (United States);
- Meta — marketing pixel and the WhatsApp and Instagram customer service channels (United States);
- Google — sign-in with your Google account, when you choose to use it (United States);
- Cloudflare — site delivery, security, and certificates (global network);
- Amazon Web Services / MinIO — file and media storage;
- GlitchTip / Sentry — error monitoring to keep the platform stable (no personal data by default);
- Email and WhatsApp providers you connect to the service yourself, and carriers for order delivery;
- Public authorities and SEFAZ, when required by law or court order.
All partners are required to handle the data with the same protection described here.
06 International data transfer
Some of the providers above — such as OpenAI, Google, Meta, Microsoft, and Cloudflare — process data on servers outside Brazil, primarily in the United States. In these cases, international data transfer complies with the LGPD and relies on contractual clauses and adequate protection guarantees required from these partners.
We share only what is necessary for each service's purpose. If you do not want customer service data to be processed by AI, the bot can be disabled and the conversation handled by a human agent.
08 Storage and security
We adopt technical and organizational measures to protect data, including encryption in transit, access control, and monitoring. No system is 100% immune, but we work continuously to reduce risks and to respond to incidents quickly and transparently.
- Isolation of each customer's data in the database, so that one customer cannot access another's data;
- Encryption at rest of sensitive data, such as the digital certificate and your password;
- Protection against login intrusion attempts (lockout after repeated failures) and audit trails of all actions taken.
09 Your rights as a data subject
The LGPD guarantees you, at any time, the right to:
- Confirm the existence of processing and access your data;
- Correct incomplete, inaccurate, or outdated data;
- Request anonymization, blocking, or deletion;
- Request data portability;
- Withdraw consent and object to processing.
To exercise any of these rights, write to privacidade@diapasao.com.br.
10 Data retention
We keep personal data only for as long as necessary to fulfill the purposes of this policy and our legal obligations. Once the period ends, the data is securely deleted or anonymized.
- Tax and financial documents: for the retention period required by tax law;
- Registration and usage data: for the duration of your account and for the necessary period after closure;
- Customer service conversations: for as long as useful to the service, per your instructions;
- Cookie consent records: as evidence, linked to the policy version.
11 AI customer service and automated processing
Diapasão's AI customer service is trained on your catalog and knowledge base and queries your inventory in real time to answer customers. To generate responses, the recent conversation history — which may contain the customer's personal data — is sent to our AI provider, OpenAI, which processes it in the United States solely to produce the response, without using it to train its own models.
This is automated processing: the bot may respond and decide to route the conversation to a human agent. You can, at any time, take over the conversation, disable the bot, or request human review of an automated response.
12 Data Protection Officer (DPO) and contact
Diapasão maintains a Personal Data Protection Officer (DPO) responsible for serving data subjects and the national authority.
Contact our Data Protection Officer at dpo@diapasao.com.br. We will respond as quickly as possible, within the limits of the law.
13 Changes to this policy
We may update this policy to reflect changes in the service or in the law. When the change is significant, we will notify you by email or within the platform, and we will indicate the new update date at the top of this page.
Questions about this document? Get in touch at juridico@diapasao.com.br.