Privacy Policy

Last updated: April 15, 2026

This translation is provided for convenience only. In case of discrepancy, the Portuguese version prevails.

1. Introduction

This Privacy Policy describes how INDDEX SISTEMAS DE GESTÃO INOVA SIMPLES (I.S.), enrolled with the CNPJ under No. 52.287.796/0001-09 ("Inddex", "we" or "controller"), responsible for the Inddex portal ("inddex.com.br"), collects, uses, stores, shares and protects users' personal data, in compliance with the Brazilian General Personal Data Protection Law (Lei nº 13.709/2018 — LGPD), the Brazilian Internet Civil Framework (Marco Civil da Internet, Lei nº 12.965/2014) and other applicable legislation.

By using Inddex, you declare that you have read and understood this Policy. If you do not agree with the terms described here, we ask that you do not use the platform.

2. Data Controller

The controller of the personal data collected through Inddex is:

  • Corporate name: INDDEX SISTEMAS DE GESTÃO INOVA SIMPLES (I.S.)
  • CNPJ: 52.287.796/0001-09
  • Address: Rua Coronel Passos Maia, 691, Sala 201, 2º andar, Edifício Rovilho Bortoluzzi, Centro, Xanxerê/SC, CEP 89.820-000, Brazil
  • Data Protection Officer (DPO) email: privacidade@inddex.com.br
  • General contact: falecom@inddex.com.br

3. Data Collected

3.1. Data provided by the user

  • Registration: full name, email address and password (stored as an irreversible cryptographic hash).
  • Communications: messages sent via contact forms or email.

3.2. Data collected automatically

  • Browsing data: IP address, browser type, operating system, pages accessed, date and time of access, time spent and referring URL.
  • Cookies and similar technologies: we use only cookies that are essential for the operation of the platform (session and authentication). See Section 8 for more details.

3.3. Business data displayed on the portal

Inddex displays registration data of legal entities (CNPJ, corporate name, address, CNAE, registration status, ownership structure, among others) from official public databases such as the Receita Federal do Brasil (RFB), the Boards of Trade (Juntas Comerciais) and other publicly accessible administrative records. The processing is based on art. 7, item II (compliance with a legal or regulatory obligation) and item IX (legitimate interest) of the LGPD, as well as art. 7, §6 (data manifestly made public).

4. Purposes of Processing

We process your personal data for the following purposes:

  • Service provision: enabling access to and use of the platform, including CNPJ queries, searches and premium features.
  • Account management: creation, maintenance and authentication of user accounts.
  • Communication: sending relevant notifications about the service, updates and technical support.
  • Service improvement: usage analysis to improve user experience, performance and features.
  • Compliance with legal obligations: responding to judicial, administrative and regulatory requests.

5. Legal Bases (LGPD)

The processing of personal data on Inddex is grounded on the following legal bases:

  • Performance of a contract (art. 7, V): for service provision and account management.
  • Compliance with a legal obligation (art. 7, II): to meet legal and regulatory obligations and to display business data obtained from official public records.
  • Legitimate interest (art. 7, IX): for service improvement and the processing of business data from public records.
  • Data manifestly made public (art. 7, §6): for registration data already disclosed by the data subject in official public records.

6. Data Sharing

Your personal data may be shared with:

  • Infrastructure providers: cloud hosting services (Microsoft Azure) for data storage and processing, with servers located in Brazil.
  • Payment processors: Mercado Pago (Mercado Livre Brasil) for processing subscriptions and credit packages, in accordance with the privacy policy of the respective operator.
  • Transactional email provider: the SMTP service of the provider configured by Inddex, used exclusively for sending verification emails, password resets and service notifications.
  • Public authorities: when required by court order, administrative request or legal determination.

We do not sell, rent or trade your personal data to third parties for direct marketing purposes.

7. Storage and Security

  • Location: data is stored on servers located in Brazil (Microsoft Azure — Brazil South region).
  • Encryption: communications protected by TLS 1.3. Passwords stored with bcrypt hashing. Sensitive data encrypted at rest.
  • Access control: access restricted to authorized staff, with multi-factor authentication and the principle of least privilege.
  • Retention: personal data is kept for the period necessary to provide the service or to comply with legal obligations. Account data can be deleted upon request (Section 9).

8. Cookies and Tracking Technologies

8.1. Types of cookies used

  • Essential: necessary for the basic operation of the platform (session, authentication, preferences). They do not require prior consent under art. 7, V of the LGPD.

The platform does not use third-party advertising cookies, social media cookies or analytics services based on individual profiling. We do not perform cross-site tracking or display personalized ads. For aggregated, anonymized usage analysis, see Section 8.2 below.

8.2. Aggregated analytics (anonymized)

The platform collects aggregated usage metrics to identify useful pages, performance bottlenecks and the most relevant search terms. This processing is done with pseudonymized data:

  • Events: page view, search performed, click on a result, server response time.
  • Ephemeral identifiers: a random anon_id stored in the browser (localStorage) and a session_id (sessionStorage) renewed with each tab. These IDs contain no personal information and are not cross-referenced with your account.
  • IP: recorded only as a cryptographic hash (HMAC-SHA256) with a rotating daily salt, making re-identification unfeasible after 24 hours.
  • Inadvertently entered CPF: when a user types a CPF (the Brazilian individual taxpayer number) into the search field, the number is masked following the Receita Federal pattern (***DDDDDD**) before storage. A reversible cryptographic reference is kept exclusively to allow the DPO to locate specific searches in the event of a legal request by the data subject (art. 18 of the LGPD).
  • Retention: 180 days with automatic expiration.
  • Legal basis: legitimate interest (art. 7, IX of the LGPD) for product improvement, proportionate and limited to what is strictly necessary.

We automatically honor the Do Not Track (DNT) and Global Privacy Control (GPC) headers: when either of them is active in your browser, no analytics events are collected.

8.3. Cookie management

You can configure your browser to refuse cookies or to alert you when cookies are being sent. Note that disabling essential cookies prevents authentication and the restricted areas of the platform from working.

9. Data Subject Rights (LGPD, art. 18)

As a data subject, you have the following rights guaranteed by the LGPD:

  • Confirmation and access: confirm the existence of processing and access your data.
  • Correction: request the correction of incomplete, inaccurate or outdated data.
  • Anonymization, blocking or deletion: request the appropriate handling of unnecessary or excessive data.
  • Portability: request the portability of your data to another service provider.
  • Deletion: request the deletion of data processed on the basis of consent.
  • Withdrawal of consent: withdraw consent at any time.
  • Objection: object to the processing in the event of non-compliance with the LGPD.

To exercise any of these rights, use the LGPD request form or contact the Data Protection Officer directly at privacidade@inddex.com.br. We will respond within 15 business days, as provided for in art. 19, §1 of the LGPD.

9.1. How we process your request

  1. Registration: your request receives a unique protocol number (e.g. LGPD-AAAA-XXXXXXXX) and is placed under review by the DPO.
  2. Review: we validate identity (via the document attached to the form) and the legitimacy of the request, within 15 business days.
  3. Execution: once granted, the corresponding public profile starts responding with HTTP 410 Gone and noindex, nofollow, noarchive, and we send a removal request to Google Search Console (Indexing API) to speed up deindexing.
  4. Receipt: we send by email, to the address provided in the request, a PDF receipt with the protocol number, completion date, scope applied, legal basis and a cryptographic integrity hash (SHA-256).
  5. Reversal: the request is reversible at any time (art. 18, §2), upon request by the data subject mentioning the protocol number.

Google may take up to four weeks to fully remove results from its own cache, even after submission via the Indexing API. If you find residual results after this period, reply to the receipt email and we will arrange a new submission.

About public records data: the business data displayed on the Inddex platform (corporate name, CNPJ, registration status, CNAE, ownership structure) is obtained from official public records (Receita Federal, Boards of Trade and other administrative sources), based on art. 7, II (compliance with a legal obligation) and IX (legitimate interest) of the LGPD. The requested hiding refers exclusively to the display on our platform; the original records remain available at the official primary sources, over which we have no control.

10. International Data Transfer

User data is stored and processed on servers located in Brazil (Microsoft Azure — Brazil South region). Any operations by partners involving international transfer (such as payment processors) are carried out in compliance with Chapter V of the LGPD, through standard contractual clauses or verification that the destination country offers an adequate level of data protection, as assessed by the Brazilian National Data Protection Authority (ANPD).

11. Minors

Inddex is not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If we become aware that data from a minor has been collected, we will delete it immediately.

12. Changes to this Policy

We reserve the right to update this Privacy Policy at any time. Significant changes will be communicated through a notice on the platform or by email. The date of the last update will always be indicated at the top of this document.

13. Contact and Complaints

If you have questions, requests or complaints related to this Privacy Policy or to the processing of your personal data, contact us:

If you do not receive a satisfactory response, you have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD) — www.gov.br/anpd.
