Privacy Policy

Site/Service: usecalendo.com ("Calendo")
General and privacy contact (LGPD): hello@usecalendo.com
Scope: Brazil and United States
Last update: 01/31/2026
Version: 1.0

Important (business registration in definition): at this time, there is no legal name, tax ID (CNPJ) or address formally defined to appear as "Controller" in this Policy.
This document was drafted to be published as is, but must be updated once the legal entity and address are established.

Privacy Policy (LGPD)

1. Purpose and principles

This Policy describes how we process personal data on Calendo, in compliance with the Lei Geral de Proteção de Dados Pessoais (LGPD) and principles such as:

• purpose and adequacy;
• necessity (minimization);
• free access and transparency;
• security and prevention;
• non-discrimination and accountability.

When there is a conflict between this Policy and the actual practice of the Service, the practice that is most protective of the data subject shall prevail, until duly corrected.

2. Who controls processing and LGPD channel

2.1. Controller (in definition)

At this time, the controlling legal entity and its registration data (legal name/CNPJ/address) have not yet been defined.

In the meantime, the official channel for contact, support and privacy requests is:

• Email (general and LGPD): hello@usecalendo.com

Once formalization (legal name/CNPJ/address) is in place, this Policy will be updated to reflect the controller.

2.2. Data Protection Officer (DPO)

Currently, there is no publicly appointed data protection officer. Until appointment, we will use hello@usecalendo.com as the institutional channel for:

• communications with data subjects;
• communications with the ANPD, when applicable.

3. Personal data we process

3.1. Data you provide directly

Depending on your interactions, we may process:

• Forms: name, email, phone.
• Newsletter: email (no double opt-in at this time).
• WhatsApp (click to WhatsApp): we may receive your number and conversation content, but conversations are not stored in CRM.
• Account/restricted area/dashboards (when applicable):
  • registration data (e.g. email; and eventually name and phone, depending on product configuration);
  • credentials and authentication tokens (stored in a protected/encrypted manner, when applicable);
  • data necessary to operate the dashboard and record actions in the system.
• Comments and reviews: the content you publish (comment/review text) and related metadata (e.g. date/time, user identification, when applicable).

Note: if the product requests new fields in the future, this Policy must be updated, and/or you will be informed at the time of collection.

3.2. Data collected automatically

We may collect automatically (depending on settings and cookie consent):

• browsing and device data (e.g. browser, operating system, resolution);
• IP address and access events (for security and analytics);
• pages visited, time spent and events;
• identifiers/cookies for strictly necessary and analytics.

3.3. Sensitive data and data of minors

Sensitive data is not collected intentionally and the Service is not directed at children/adolescents. If we identify sensitive data entered in comments or forms, we may remove and/or request correction.

4. How we collect data

We collect data through:

• forms and fields of the Service;
• newsletter sign-up;
• account registration/use and dashboard;
• comments and reviews;
• cookies and similar technologies (as per section 7);
• integrations and necessary technical logs.

5. Purposes of processing

We use personal data to:

• Respond to contact and support: handle requests and operational communication.
• Commercial follow-up: continue conversations started by the data subject.
• B2B segmentation (analytics): classify by niche and region for internal analysis.
• Measurement and improvement (analytics): measure use of the Site and page performance.
• Remarketing: carry out marketing/retargeting actions when applicable (for example, via campaigns and lists on marketing platforms), always respecting consent settings, opt-out and legal bases.

At this time, media pixels are not used on the site.

6. Legal bases

Depending on context, processing may be based on:

• Performance of pre-contractual procedures (e.g. responding to a contact).
• Legitimate interest (e.g. commercial follow-up with opt-out; analytics; security).
• Consent (e.g. when required for non-essential cookies; or when required for certain sends/communications, as the product evolves).
• Compliance with legal obligation (safeguard clause): when required by law, court order or legitimate authority request.

For marketing communications, legitimate interest with opt-out is used.

7. Cookies and similar technologies

7.1. Current tools

• Google Analytics 4
• Google Tag Manager
• Google Search Console

7.2. Banner/consent management

The Service uses a proprietary cookie banner/management solution. As a rule:

• strictly necessary cookies may be used for operation;
• performance/analytics cookies may depend on consent according to implementation and best practices.

7.3. How to manage cookies

You can:

• adjust preferences via the Service banner (when displayed);
• manage cookies in your browser;
• delete existing cookies.

Disabling may affect parts of the functionality.

8. Sharing with third parties and processors

• DigitalOcean (infra/hosting/servers)
• Google (analytics and associated services)
• Meta (services/platforms, when applicable)
• Resend (email delivery)

There is no sharing with commercial partners (co-marketing etc.).

In addition, sharing may occur:

• to comply with legal/judicial obligation, when applicable;
• to protect rights, security and integrity of the Service (e.g. abuse/fraud investigation).

9. International transfer

As the Service operates in Brazil and the US and uses global providers (DigitalOcean, Google, Meta, Resend), your data may be processed or stored outside your country, according to the infrastructure of the providers.

In such cases, we seek to adopt reasonable compliance and security measures (contracts, best practices and technical controls), as applicable.

10. Retention and disposal

• retention for an indefinite period;
• newsletter with opt-out;
• customer data kept until voluntary request for deletion;
• "in principle" full deletion when requested.

To align with principles of necessity and governance, we adopt (and recommend formally maintaining) the following operational rules:

1) While there is an active relationship/account: we retain data necessary to operate the Service.

2) Leads and contacts: we keep them while there is a legitimate purpose (e.g. follow-up), and we periodically review to delete/anonymize what is no longer necessary.

3) Newsletter: we keep until opt-out; after that, we remove the email from the lists and may keep a minimal "do not contact" record to respect your choice.

4) Deletion requests: we delete or anonymize the requested data whenever possible, except when there is a need for minimum retention for legal obligation, fraud prevention or security.

Note: "delete everything" may not be feasible in specific scenarios (e.g. evidence of abuse, legal compliance). When that occurs, we will explain the reason and limit retention to the minimum necessary.

11. Security and incidents

• SSL/HTTPS;
• role-based access control;
• backups;
• encryption;
• permission management.

Even with security measures, no system is fully immune.

Currently, there is no formal process for incident communication. Nevertheless, in case of a relevant incident involving personal data, we will:

• contain and mitigate the incident;
• assess impact and need for notification;
• communicate to data subjects and/or authorities when required or advisable.

12. Data subject rights

Under the LGPD, you may request:

• confirmation of the existence of processing;
• access to data;
• correction;
• anonymization, blocking or deletion (when applicable);
• portability (when applicable);
• information about sharing;
• revocation of consent (when applicable);
• objection to processing where applicable;
• review of automated decisions, when applicable.

To exercise your rights: hello@usecalendo.com.

For your security, we may request identity confirmation before fulfilling requests (especially for sensitive requests such as deletion).

13. Children and adolescents

The Service is not directed at children/adolescents and does not seek to collect data from minors. If you are a legal guardian and identify improper use by a minor, please contact us so we can assess and take measures.

14. Changes to this Policy

We may update this Policy to reflect legal, technical or operational changes. The current version will be the one published on the Service, with update date.

Relevant changes may be communicated by email, notice on the site or other reasonable means.

15. Contact

• General and LGPD channel: hello@usecalendo.com

Appendix A — Cookie categories

A.1. Strictly necessary

Cookies and identifiers essential for:

• site operation;
• basic security;
• session and essential preference maintenance.

These cookies generally cannot be disabled without compromising the operation of the Service.

A.2. Performance / Analytics

Cookies and identifiers used for:

• measuring site access and use;
• understanding pages and flows;
• improving performance and experience.

On Calendo, this includes, for example, tools such as Google Analytics 4, when enabled.

Appendix B — Main providers/infra (reference)

Informative list based on the current configuration provided. May vary over time.

• DigitalOcean: infrastructure/servers.
• Google: analytics and associated services (e.g. GA4, GTM, Search Console).
• Resend: email delivery (newsletter/transactional, as per configuration).
• Meta: services/marketing platform (when applicable).