← Back to home
Document under legal review
This text is a preparatory draft. The definitive Privacy Policy will be published after review and approval by a lawyer specializing in digital law and data protection, prior to the public launch of the platform.
01 Data Controller
The controller of personal data collected through the edupay platform is Estudio Site Ltda., a Brazilian company headquartered in Niteroi, State of Rio de Janeiro.
This Privacy Policy describes how we collect, use, store and protect the personal data of Tenants (educational institutions) who use the platform.
02 Data We Collect
Tenant data (your institution):
- Full name or company name, tax ID
- Contact email and phone
- Billing data (credit card — stored and processed by Stripe, never by Estudio Site)
- Usage data: access logs, IP address, device and browser
- Institution settings: logo, colors, student portal domain
Student data (entered by the Tenant):
Student names, tax IDs, emails, phone numbers, addresses and financial data are entered directly by the Tenant. The processing of such data follows clause 10 of this Policy.
03 How We Use Your Data
We use the collected data to:
- Provide contracted services: create and manage the Tenant's account, process subscription billing and make platform features available
- Service-related communications: account confirmations, operational alerts, technical support and notifications about changes to the Terms
- Security and fraud prevention: monitor suspicious access and protect platform integrity
- Product improvements: aggregate usage analysis to improve features, without individual identification
- Compliance with legal obligations: responding to judicial or regulatory requests
04 Legal Basis
Data processing by Estudio Site is based on the following legal bases under applicable data protection law:
- Contract performance: data necessary to provide the services contracted by the Tenant
- Legitimate interest: usage and security data for platform improvement and protection
- Legal obligation: retention of records in accordance with tax and regulatory requirements
05 Data Sharing
Estudio Site does not sell personal data. Data may only be shared with:
- Stripe Inc.: for subscription billing processing. Stripe operates as a sub-processor, subject to its own privacy policy
- Infrastructure providers (e.g., Amazon AWS): server hosting and data storage, under contractual confidentiality obligations
- Public authorities: when required by law, court order or applicable regulation
Any other sharing requires the Tenant's express consent.
06 Data Retention
Tenant data is retained throughout the active subscription. After cancellation, data is available for export for 30 (thirty) days.
After this period, data is anonymized or deleted, except for records whose retention is required by law (e.g., tax and accounting data — minimum 5 years).
Security logs (access, IPs) are retained for up to 6 (six) months, in accordance with applicable internet regulation.
07 Your Rights
Under applicable data protection law, the Tenant has the right to:
- Confirm the existence of processing and access the data we hold
- Correct incomplete, inaccurate or outdated data
- Request anonymization, blocking or deletion of unnecessary or unlawfully processed data
- Request portability of data to another service provider
- Obtain information about entities with whom we share data
- Revoke consent, where processing is based on that legal basis
To exercise your rights, contact us through the support channel available on the platform or by email as indicated in clause 12.
08 Security
We adopt technical and organizational measures to protect personal data against unauthorized access, loss, alteration or improper disclosure:
- Encryption in transit (TLS 1.2+) and at rest for sensitive data
- Tenant-level data isolation — each institution accesses only its own data
- Role-based access control (RBAC) for team members
- Access monitoring and suspicious activity alerts
- Regular backups with controlled retention
In the event of a security incident that may affect your data, we will notify the Tenant and the relevant data protection authority within legal timeframes.
09 Cookies
edupay uses the following types of cookies:
- Essential cookies: required for platform operation (authenticated session, CSRF, language preference). Cannot be disabled.
- Analytical cookies: used to measure aggregate platform usage and improve the experience. Do not collect personally identifiable data.
No third-party advertising cookies are used on the platform.
10 Student Data
By entering student data on the platform, the Tenant assumes the role of data controller for that data. Estudio Site acts as a data processor, processing the data solely in accordance with the Tenant's instructions.
The Tenant is responsible for:
- Obtaining the necessary authorizations from students for the processing of their personal data
- Ensuring that the purposes of processing comply with applicable data protection law
- Responding to data subject rights requests (students) relating to data they entered on the platform
Estudio Site does not use student data for any purpose beyond operating the services contracted by the Tenant.
11 Changes to this Policy
Estudio Site may update this Policy periodically. Relevant changes will be communicated to the Tenant with at least 15 (fifteen) days advance notice, by email or notification within the platform.
Continued use of the platform after the effective date of changes constitutes acceptance of the new Policy. If the Tenant disagrees, they may cancel the subscription under the Terms of Use, without any penalty.
12 Contact and DPO
For questions about this Policy, exercise of data protection rights, or security incident reports, please contact us:
- Support channel: available on the platform dashboard after login.
- Email: address published on the Estudio Site institutional website.
- Data Protection Officer (DPO): to be appointed before the public launch of the platform, in accordance with applicable data protection law.
You may also contact the relevant national data protection authority in your country.
