Aprender Dados respects your privacy and protects your personal data. This policy explains in plain language what data we collect, why we collect it, how we use it, and the rights you have over your data.
1. Who we are (Data Controller)
This policy is maintained by:
- Legal name: SERRANA ASSESSORIA EM MARKETING LTDA (operating as "Aprender Dados")
- CNPJ (Brazilian tax ID): 38.350.758/0001-22
- Headquarters: Brazil
- Founder & primary contact in the EEA: Bernardo Cambruzzi (based in the Netherlands)
- General contact: support@aprenderdados.com
- Privacy contact / DPO requests: privacy@aprenderdados.com
For the purposes of the GDPR, Aprender Dados acts as a data controller when collecting and processing personal data of students, leads and visitors. When third-party tools process data on our behalf, those tools act as processors (see section 5).
EU representative (Art. 27 GDPR): Aprender Dados does not currently have a formally designated EU representative. If our processing of EEA residents' data reaches the threshold that requires one, we will appoint a representative and update this policy. In the meantime, EEA residents can reach us at privacy@aprenderdados.com.
2. Personal data we collect
We collect only the data we need to deliver our service. The categories below cover everything we hold about you:
| Category | Data | Source |
|---|---|---|
| Account | Name, email, WhatsApp number | You provide it when signing up or buying a course |
| Payment | Payment method, transaction status, amount, date β no card data is stored by us | Collected by our payment processors (Kiwify for BRL, Stripe planned for USD/EUR) |
| Platform usage | Lessons watched, progress, mock exams answered, certificates issued | Our learning platform (MemberKit at alunos.aprenderdados.com) |
| Communications | Email history, WhatsApp messages, support tickets, conversations with our Athena AI tutor | Generated during support and tutoring interactions |
| Technical | IP address, browser type, operating system, pages visited, referral source (UTMs) | Automatically collected via cookies and analytics |
| Path Assessment | Career moment, self-assessed skills (SQL, Python, PySpark, Databricks, Lakehouse architecture), 90-day goals, weekly study time, language preference, phone number (WhatsApp) β no name, email or ID | You provide it by filling /assessment/ and sending it via WhatsApp |
We do not collect special categories of personal data (Art. 9 GDPR / Art. 11 LGPD) such as racial or ethnic origin, religious beliefs, health, biometrics, sexual orientation or political opinions.
About the Path Assessment: your phone number is stored hashed (SHA-256 with salt) and the link expires after 24 months. You can request immediate deletion by sending "forget me" to our WhatsApp β we wipe and confirm.
3. How we use your data
We process your personal data for the following purposes:
- To perform our contract with you: grant access to purchased courses, process payments, issue certificates, provide support.
- Service communications: notify you about lesson updates, maintenance, terms changes, new content in the course you bought.
- Marketing communications: send news, offers and educational content β only with your consent, with a one-click unsubscribe in every message.
- Service improvement: analyze aggregated usage of lessons to identify topics that need revision.
- Legal obligations: issue invoices, respond to tax or regulatory inquiries, defend against legal claims.
- Security: prevent fraud, piracy and misuse of our platform.
- Personalization (Path Assessment): generate a learning path tailored to the assessment responses you submit.
4. Legal basis for processing
Under GDPR Art. 6 (and corresponding articles of the UK GDPR and LGPD Art. 7), we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR / Art. 7(V) LGPD): when you buy a course or subscribe to the Gold Plan, we process your data to deliver it.
- Consent (Art. 6(1)(a) GDPR / Art. 7(I) LGPD): for marketing emails, cookies that aren't strictly necessary, and the Path Assessment. You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate interests (Art. 6(1)(f) GDPR / Art. 7(IX) LGPD): for security, fraud prevention, and product analytics on an aggregated basis. We balance our interests against your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c) GDPR / Art. 7(II) LGPD): for tax records, accounting and responding to lawful requests from authorities.
- Pre-contractual steps (Art. 6(1)(b) GDPR / Art. 7(V) LGPD): when you submit the Path Assessment as a prospective student, we process your responses to provide the requested recommendation.
5. Sharing & processors
We share personal data only with the operators (processors) we need to run our service. Each processor is bound by a data processing agreement requiring confidentiality and adequate security:
| Processor | Purpose | Headquarters |
|---|---|---|
| Cloudflare | Hosting, CDN, DNS, security | USA (global) |
| MemberKit | Student platform, lesson delivery | Brazil |
| Kiwify | Payment processing (BRL), refunds, invoices | Brazil |
| Stripe (planned) | Payment processing (USD/EUR) | Ireland (EU) / USA |
| Meta (WhatsApp Business) | Messaging channel for support and Athena AI tutor | Ireland (EU) / USA |
| Google (Analytics, optional) | Aggregated traffic analytics, only with cookie consent | Ireland (EU) / USA |
| Groq (LLM inference) | Powers the Athena AI tutor responses | USA |
We do not sell your personal data. We do not share personal data with advertising networks beyond what's needed for cookie consent-based audience analytics.
6. International transfers
Aprender Dados is headquartered in Brazil and uses processors located in Brazil, the EEA, the UK, and the United States. When your data is transferred outside your country of residence, we rely on the following safeguards:
- For transfers from the EEA/UK to non-adequate countries: we rely on the European Commission's Standard Contractual Clauses (SCCs) or the equivalent UK International Data Transfer Agreement.
- For transfers to/from Brazil: our processors comply with LGPD Art. 33 requirements for international transfer (adequate level of protection, specific safeguards, or consent).
- Where applicable, we participate in or rely on processors that are certified under frameworks like the EU-US Data Privacy Framework.
For details on a specific transfer, contact privacy@aprenderdados.com.
7. Cookies and similar technologies
Our public pages (lp.aprenderdados.com and en.aprenderdados.com) currently use only the cookies strictly necessary to serve the site (no advertising or tracking cookies by default). When we activate paid marketing campaigns, we will deploy a consent banner allowing you to accept or reject non-essential cookies (analytics, Meta Pixel, Google Ads) β with rejection set as the default, in line with the ePrivacy Directive and GDPR.
You can also configure your browser to refuse all cookies, but parts of our service may stop working.
8. How long we keep your data
We keep personal data only as long as we need it for the purpose it was collected, or to comply with legal obligations:
- Active students: for the entire duration of access to the purchased course or subscription, plus 5 years after termination for accounting and tax obligations under Brazilian law.
- Leads who never purchased: up to 24 months from last interaction (then automatically deleted).
- Path Assessment responses: 24 months from submission, automatically deleted via monthly cleanup. You can request immediate deletion at any time.
- WhatsApp conversations: up to 24 months from last message, then aggregated/anonymized for analytics.
- Marketing list: until you unsubscribe.
- Tax and accounting records: 5 years (Brazilian Civil Code / Tax Code requirement).
9. Security of your data
We apply technical and organizational measures appropriate to the risk, including:
- HTTPS/TLS encryption in transit for all our domains and processor APIs
- Encryption at rest where supported by the processor (Cloudflare, Stripe, MemberKit, Kiwify all encrypt at rest)
- SHA-256 hashing of phone numbers stored for the Path Assessment
- Role-based access control on internal systems
- Periodic review of processor compliance and security posture
- Incident response procedure with notification to data subjects and authorities within 72 hours when required by Art. 33 GDPR / Art. 48 LGPD
No system is 100% secure, but we work continuously to keep your data protected against unauthorized access, loss or misuse.
10. Your rights as a data subject
Depending on where you are, you have the rights below. The rights are similar but not identical across GDPR, UK GDPR and LGPD β we honor whichever framework applies to you:
Under the EU GDPR / UK GDPR (Art. 15β22)
- Right of access β get a copy of the personal data we hold about you
- Right to rectification β correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") β request deletion when no longer necessary, consent is withdrawn, or processing is unlawful
- Right to restriction of processing β limit how we use your data in specific situations
- Right to data portability β receive your data in a structured, commonly used, machine-readable format
- Right to object β to processing based on legitimate interests, and absolutely to direct marketing
- Right to withdraw consent β at any time, without affecting the lawfulness of prior processing
- Rights related to automated decision-making β we do not currently make decisions about you based solely on automated processing that produces legal effects (the Path Assessment is a recommendation, not a decision)
- Right to lodge a complaint β with your local supervisory authority (e.g., CNIL in France, ICO in the UK, AP in the Netherlands, AEPD in Spain, Garante in Italy, etc.)
Under the Brazilian LGPD (Art. 18)
- Confirmation and access to your data
- Correction of incomplete, inaccurate or outdated data
- Anonymization, blocking or deletion of unnecessary, excessive or non-compliant data
- Data portability to another service or product provider
- Withdrawal of consent at any time
- Opposition to processing based on legitimate interests
- Knowing with whom we share your data
- Right to lodge a complaint with the National Data Protection Authority (ANPD) at gov.br/anpd
To exercise any of these rights, email privacy@aprenderdados.com with the subject "Data subject request β [your request]". We respond within 30 days (GDPR) or 15 working days (LGPD), whichever is shorter for your case.
11. Children's data
Our service is not directed at children. We do not knowingly collect data from:
- Under the EU GDPR (Art. 8): children under 16 years old without verifiable parental consent (some Member States set this between 13 and 16).
- Under the UK GDPR: children under 13.
- Under the Brazilian LGPD (Art. 14): children under 12; adolescents 12β17 require parental or legal-guardian consent.
If you are a parent and your child has signed up without authorization, contact us at privacy@aprenderdados.com and we will delete the account.
12. Changes to this policy
We may update this policy from time to time to reflect changes in our service or in applicable law. When that happens, we update the "Last updated" date at the top and, for material changes, notify you by email or via a banner on our site.
13. Contact and supervisory authorities
For any privacy-related question, complaint or rights request:
- Email: privacy@aprenderdados.com
- General support: support@aprenderdados.com
- Legal entity: SERRANA ASSESSORIA EM MARKETING LTDA
- CNPJ: 38.350.758/0001-22
You can also contact the supervisory authority in your country if you believe your rights have been violated:
- πͺπΊ EU: your national Data Protection Authority β list at edpb.europa.eu
- π¬π§ United Kingdom: Information Commissioner's Office (ICO) β ico.org.uk
- π§π· Brazil: Autoridade Nacional de Proteção de Dados (ANPD) β gov.br/anpd
- π¨π Switzerland: Federal Data Protection and Information Commissioner (FDPIC) β edoeb.admin.ch