
Legal compliance

Data Protection

Version: 1.0 (draft)
Last updated: March 2026
Effective date: to be defined after legal review

Document under legal review: This text is a preparatory draft. The definitive data protection document will be published after review and approval by a lawyer specializing in digital law and data protection.

In this document

  1. What is LGPD
  2. Roles and Responsibilities
  3. Processing Principles
  4. Legal Basis
  5. Data Collected and Purposes
  6. Data Subject Rights
  7. How to Exercise Rights
  8. Security Measures
  9. Incident Notification
  10. International Transfer
  11. Tenant Obligations
  12. DPO and ANPD

01 What is LGPD

The Lei Geral de Proteção de Dados Pessoais (LGPD — Law No. 13,709/2018) is the Brazilian law that regulates the processing of personal data by individuals and legal entities, with the aim of protecting the fundamental rights of freedom and privacy.

The law applies to any operation carried out with personal data — collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control, modification, communication, transfer, dissemination or extraction.

edupay was developed with data protection as a design requirement from the outset, not as a subsequent adaptation.

02 Roles and Responsibilities

  • Controller (art. 5, VI): the natural or legal person who makes decisions about the processing of data. In the context of edupay, Estudio Site is the controller of Tenant data (account, billing, usage data). The Tenant is the controller of their students' data.
  • Processor (art. 5, VII): the natural or legal person who carries out processing on behalf of the controller. Estudio Site acts as processor of student data entered by the Tenant.
  • Data subject (art. 5, V): the natural person to whom the personal data being processed refers. In edupay, data subjects are Tenants (institution managers) and registered students.
  • Data Protection Officer — DPO (art. 5, VIII): the person appointed by the controller to act as a communication channel between the controller, data subjects and the ANPD. Estudio Site will appoint its DPO before the public launch of the platform.

03 Processing Principles

Data processing in edupay follows the principles established in art. 6 of LGPD:

  • Purpose: processing only for legitimate, specific and explicitly informed purposes
  • Adequacy: compatibility of processing with the stated purposes
  • Necessity: limitation to the minimum necessary for the purposes
  • Free access: guarantee of easy consultation about the form and duration of processing
  • Data quality: guarantee of accuracy, clarity, relevance and currency
  • Transparency: clear and accessible information about processing
  • Security: technical and administrative measures to protect data
  • Prevention: adoption of measures to prevent harm
  • Non-discrimination: prohibition of unlawfully discriminatory use
  • Accountability: demonstration of the adoption of effective compliance measures

04 Legal Basis

Art. 7 of LGPD establishes ten legal bases for personal data processing. edupay relies on the following:

  • Contract performance (item V): processing necessary to execute the edupay service contract with the Tenant
  • Legitimate interest (item IX): processing of usage and security data for platform protection and improvement, with data minimization
  • Legal or regulatory obligation (item II): retention of records in accordance with internet and tax legislation

The Tenant, as controller of their students' data, is responsible for identifying and documenting the applicable legal basis for their own processing activities.

05 Data Collected and Purposes

Tenant data processed by Estudio Site:

  • Registration data: name/company name, tax ID, email, phone
  • Payment data: Stripe account reference (card is not stored by Estudio Site)
  • Access data: logs, IPs, device, session timestamps

Student data processed by Estudio Site (as processor, on behalf of the Tenant):

  • Personal data: name, tax ID, email, phone, address
  • Financial data: installment amounts, due dates, payment status
  • Contract data: contract content, acceptance date/time/IP, SHA-256 hash

No sensitive data (special categories) are collected in the context of edupay.

06 Data Subject Rights

Art. 18 of LGPD grants data subjects the following rights, which may be exercised at any time:

  • Confirmation: to know whether their personal data is being processed
  • Access: to obtain a copy of the personal data being processed
  • Correction: to request correction of incomplete, inaccurate or outdated data
  • Anonymization, blocking or deletion: of unnecessary, excessive or unlawfully processed data
  • Portability: transfer of data to another service provider
  • Deletion: of personal data processed with consent
  • Information: about public and private entities with whom data was shared
  • Consent withdrawal: where processing is based on consent
  • Objection: to processing carried out under other legal bases, in case of non-compliance
  • Review of automated decisions: request for review of decisions taken solely on the basis of automated processing

07 How to Exercise Rights

  • Tenants — rights over account data: Access the support channel on the platform or send a request to the DPO email address. We will respond within 15 business days.
  • Students — rights over data entered by the Tenant: Students must contact their educational institution (Tenant) directly. The Tenant, as controller, is responsible for handling their students' requests. Estudio Site will support the Tenant in requests requiring technical action on the platform.

If the request is not handled, the data subject may file a complaint with the relevant national data protection authority.

08 Security Measures

edupay implements the following technical and organizational security measures:

  • TLS 1.2+ encryption for all data in transit
  • Encryption at rest for sensitive database fields
  • Multi-tenant architecture with complete data isolation between institutions
  • Role-based access control (RBAC) with least-privilege principle
  • Authentication with brute-force protection and suspicious session blocking
  • Audit logs recording sensitive actions (contract acceptance, data changes)
  • Encrypted backups with controlled retention policy
  • Periodic security reviews and dependency updates

09 Incident Notification

In the event of a security incident that may cause relevant risk or harm to data subjects (art. 48 of LGPD), Estudio Site will:

  • Notify the affected Tenant as soon as possible, with a description of the incident and measures taken
  • Report the incident to the national data protection authority within a reasonable timeframe
  • Maintain a record of the incident and response actions for accountability purposes

Incidents caused by the Tenant's own negligence (e.g., improper sharing of credentials) are the Tenant's responsibility.

10 International Transfer

Personal data processed by edupay may be stored on servers located outside Brazil (e.g., Amazon AWS, Stripe infrastructure). These international transfers are carried out in accordance with applicable data protection law:

  • To countries with a level of data protection recognized as adequate
  • With adequate contractual safeguards (standard clauses, data processing agreements)

Stripe Inc. holds certifications and maintains GDPR compliance, which serves as a reference for an equivalent level of protection.

11 Tenant Obligations

When using edupay to manage student data, the Tenant assumes the following obligations as data controller:

  • Identify and document the legal basis for each purpose of processing student data
  • Prepare and make available a privacy notice to students informing them about the data processing carried out through the platform
  • Handle data subject rights requests from students within an adequate timeframe
  • Ensure that contracts used on the platform comply with applicable consumer protection and educational law
  • Maintain a record of processing activities as required by applicable data protection law
  • Notify Estudio Site if they become aware of any misuse of student data involving the platform

Estudio Site provides, upon request, a Data Processing Agreement (DPA) to formalize the obligations between controller (Tenant) and processor (Estudio Site).

12 DPO and ANPD

  • Data Protection Officer (DPO): Estudio Site will formally appoint its DPO before the public launch of the platform. The DPO's name and contact channel will be published on this page.
  • National Data Protection Authority: The national data protection authority is responsible for overseeing compliance with data protection law. Data subjects who believe their rights have been violated may file a complaint directly with the authority.

For questions about data protection or exercising your rights, use the support channel on the platform (after login) or the contact email published on the Estudio Site website.

© 2026 edupay · Estúdio Site Ltda · Niterói, RJ, Brasil