Privacy Policy
Last updated: April 2026 · Version 1.0-DRAFT
1. Data Controller Identity and Contact
SecondBrainCore is the data controller responsible for the processing of your personal data as described in this Privacy Policy.
SecondBrainCore
Email: legal@secondbraincore.com
Address: [To be completed prior to public launch]
2. Data Protection Officer (DPO) Contact
As required by the LGPD (Art. 41) and the GDPR (Art. 37), we have appointed a Data Protection Officer (DPO) to oversee our data processing activities.
Our Data Protection Officer can be contacted at: dpo@secondbraincore.com
3. Data We Collect
We collect the following categories of personal data:
- Account data: email address, unique user identifier (provided by your SSO provider — Google Workspace or Microsoft Entra ID), display name (when provided by the provider).
- Usage data: IP address (anonymized), browser and device information, pages accessed, session duration, language preference (sbc-locale cookie).
- Purchase intent: name, email, company, plan of interest, and contact information submitted through plan interest or Enterprise contact forms.
- Audit logs: records of actions performed in the Service (access, export, configuration changes), retained for 7 years for compliance purposes.
We do not collect sensitive personal data (such as biometric, religious, health, or sexual orientation data) as part of normal use of the Service.
4. Legal Bases for Processing (LGPD Art. 7)
We process your personal data on the following legal bases as provided by the LGPD (Art. 7) and the GDPR (Art. 6):
- Contract performance: processing necessary to provide the contracted Service (LGPD Art. 7, V; GDPR Art. 6(1)(b)).
- Legitimate interest: service improvement, fraud prevention, platform security (LGPD Art. 7, IX; GDPR Art. 6(1)(f)).
- Legal obligation: retention of audit logs as required by tax and compliance laws (LGPD Art. 7, II; GDPR Art. 6(1)(c)).
- Consent: use of analytics and marketing cookies — collected through the cookie consent banner (LGPD Art. 7, I; GDPR Art. 6(1)(a)).
5. How We Use Your Data
We use your personal data to:
- Provide, operate, and maintain the Service;
- Authenticate users and manage access control;
- Process contact requests and purchase intents;
- Improve and personalize the Service experience;
- Detect, prevent, and respond to fraud, abuse, and security incidents;
- Comply with legal and regulatory obligations;
- Send service-related communications (transactional, not marketing).
6. Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes. We may share personal data only with subprocessors that assist us in providing the Service, listed on our Subprocessors page.
We may also disclose personal data when required by law or court order, in response to requests from governmental authorities, or to protect the legal rights, property, or safety of SecondBrainCore, our customers, or the public.
7. International Transfers
Data may be transferred to and processed in the United States by Cloudflare, Inc., subject to Standard Contractual Clauses (SCCs) approved by the European Commission and adopted by ANPD. Cloudflare maintains a GDPR-compliant DPA covering such transfers.
We take steps to ensure that any international transfers of personal data are conducted in accordance with the requirements of the LGPD (Art. 33) and the GDPR (Chapter V), including evaluating adequate transfer mechanisms.
8. Data Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, as follows:
- Session data: 30 days after session termination.
- Leads and purchase intents: 2 years after last contact.
- Audit logs: 7 years, as required by Brazilian tax and compliance laws.
- Active account data: while the account is active plus 90 days after termination.
9. Your Rights (LGPD Art. 18)
Under the LGPD (Art. 18) and the GDPR (Arts. 15-22), you have the following rights regarding your personal data:
- Confirmation of processing: right to confirm whether we process your personal data.
- Access: right to access the personal data we hold about you.
- Correction: right to request correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion: right to request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
- Portability: right to receive your personal data in a structured, commonly used, machine-readable format.
- Deletion of consent-based data: right to request deletion of data processed based on your consent, except in cases provided by law.
- Information about sharing: right to be informed about the public and private entities with which we share your data.
- Right to refuse consent: right to be informed about the possibility of not providing consent and the consequences of such refusal.
- Revocation of consent: right to revoke consent at any time, without prejudice to the lawfulness of processing carried out before revocation.
10. Cookie Policy Reference
The use of cookies and similar technologies is described in our Cookie Policy. You can manage your cookie preferences at any time through the cookie consent banner displayed on the site.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit (TLS 1.2+) and at rest;
- Tenant-level data isolation;
- Multi-factor authentication via SSO (Google Workspace / Microsoft Entra ID);
- Web Application Firewall (WAF) and bot protection;
- Role-based access control (RBAC);
- Comprehensive audit logs for all data access actions;
- 72-hour incident response and notification procedures as required by LGPD/GDPR.
12. Children's Data
The Service is intended exclusively for organizations and their authorized representatives (B2B). We do not intentionally collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected data from a minor, please contact dpo@secondbraincore.com immediately to request deletion.
13. Updates to this Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice on the Service at least thirty (30) days in advance.
The "Last updated" date at the top of this page indicates when this Policy was last revised. Your continued use of the Service after the effective date of changes constitutes acceptance of the revised Policy.
14. How to Exercise Your Rights
To exercise any of the rights listed in Section 9, or to make any privacy-related request, please contact our DPO at: dpo@secondbraincore.com
We will respond to your request within 15 business days, as required by the LGPD. For more complex requests, we may extend this deadline by an additional 30 days with prior notice.
You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd. For customers in the European Union, you may lodge a complaint with your country's data protection supervisory authority.