Privacy Policy

2.1 Registration and onboarding data

• Full name and CPF/CNPJ (Brazilian tax identification numbers)
• Contact email address
• Phone number and postal address
• Payment details (processed by certified third-party payment processors)
• Credentials for accessing contracted services

2.2 Service usage data

• Server access logs
• Performance and resource-usage data
• Technical support information
• Corporate email metadata (not message content)
• Automation and project data (where applicable)

2.3 Browsing data

• Cookies and similar technologies
• IP address and approximate geographic location
• Device and browser information
• Pages visited and time spent

3.1 Hosting service delivery

• Provisioning and maintaining servers
• Technical support for machine learning and automation projects
• Performance and security monitoring
• Backup and disaster recovery

3.2 Corporate email services

• Provisioning corporate email accounts
• Ensuring high deliverability rates
• Webmail maintenance
• Spam and malware protection

3.3 Other purposes

• Billing and invoicing
• Communications about services and updates
• Compliance with legal obligations
• Continuous service improvement

The processing of your personal data is carried out on the following legal bases set out in the LGPD (Law 13,709/2018 — Brazilian General Data Protection Law):

• Contract performance (art. 7, V): to deliver hosting and corporate email services. Equivalent to the contractual basis under the GDPR.
• Legitimate interest (art. 7, IX): for service improvement and infrastructure security, always balanced against data subject rights.
• Compliance with a legal obligation (art. 7, II): to meet judicial, regulatory and tax requirements.
• Consent (art. 7, I): for marketing communications and non-essential cookies, obtained through express opt-in and revocable at any time.

5.1 Processors (operadores)

• Infrastructure providers: for server hosting and secure data storage.
• Payment processors: for secure processing of financial transactions.
• Support partners: technical service providers engaged under confidentiality agreements and data protection clauses.

5.2 Competent authorities

We may share data when required by law, court order, ANPD (Autoridade Nacional de Protecao de Dados — Brazil's national data protection authority) or other competent authorities, or to protect the rights, property or safety of Rollin Host, our users or third parties.

5.3 What we do not do

We do not sell, rent or transfer personal data to third parties for their own commercial purposes. International data transfers are carried out only with the safeguards required by the LGPD (art. 33 et seq.).

6.1 Data location

Your data is stored on servers located in Brazil and, in specific cases, in international data centers that provide a level of protection equivalent to that required by the LGPD, always subject to appropriate safeguards.

6.2 Technical and organizational security measures

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Strict access controls with two-factor authentication
• 24/7 security monitoring and intrusion detection
• Automated backup and geographic redundancy
• Regular data protection training for staff

6.3 Backup policy

• Incremental backup available as an add-on service
• Customized retention period according to contractual needs
• Fast recovery in the event of failure

Personal data is retained for as long as necessary to fulfill the purpose for which it was collected, subject to applicable legal retention requirements:

• Registration data: for the duration of the contract + 5 years (tax obligations and Brazilian Civil Code).
• Access logs: 12 months (security, audit and Marco Civil da Internet — Law 12,965/2014, Brazil's internet rights framework).
• Support data: 3 years after ticket resolution.
• Corporate emails: per the retention policy set by the customer (who acts as controller with respect to their own users' data).
• Project data: for the duration of the contract + the agreed backup period.
• Marketing data (consent-based): until consent is withdrawn by the data subject.

After the applicable period expires, data is securely deleted or anonymized, unless a longer legal retention obligation applies.

Under the LGPD (art. 18), you have the following rights over your personal data:

• Confirmation and access (art. 18, I and II): to know whether we process your data and to access information about it.
• Correction (art. 18, III): to correct incomplete, inaccurate or outdated data.
• Anonymization or erasure (art. 18, IV): to request anonymization or deletion of unnecessary, excessive or unlawfully processed data.
• Portability (art. 18, V): to request transfer of your data to another service or product provider, upon express request.
• Information about sharing (art. 18, VII): to know which public and private entities we share your data with.
• Information about refusal of consent (art. 18, VIII): to be informed of the possibility of withholding consent and the consequences of doing so.
• Withdrawal of consent (art. 18, IX): to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
• Review of automated decisions (art. 20): to request human review of decisions made solely on the basis of automated processing of personal data.
• Complaint to the ANPD (art. 18, paragraph 1): to lodge a complaint with the Autoridade Nacional de Protecao de Dados (ANPD), Brazil's data protection supervisory authority.

To exercise any right, please identify yourself with your registration details. We reserve the right to verify your identity before processing the request, as a security measure to protect your own data.

10.1 Types of cookies used

• Essential cookies: required for the technical operation of the website and client portal. No consent required (legal basis: legal obligation / legitimate interest).
• Performance cookies: for usage analytics and feature improvements (Google Analytics). Consent required.
• Marketing cookies: for personalization and retargeting (Facebook Pixel). Consent required.
• Third-party cookies: placed by external services when embedded content is displayed.

10.2 Managing cookies

You can manage your cookie preferences through your browser settings or via our consent panel (cookie banner) on the website. Withdrawing consent for non-essential cookies does not affect access to contracted services.

This Privacy Policy may be updated periodically to reflect changes in our services, applicable law or our data processing practices. We will notify you of material changes through our communication channels with at least 30 days advance notice.

The most recent version will always be available on this page, with the update date indicated in the document header. Continued use of the services after material changes take effect will constitute acceptance of the updated terms.

In accordance with art. 41 of the LGPD, we have designated an Encarregado de Protecao de Dados — known internationally as a Data Protection Officer (DPO) — responsible for receiving communications from data subjects and the ANPD, providing clarification and taking appropriate action.