Privacy Policy

This Privacy Policy explains how Alecta Labs LLC ("Alecta", "we", "us") collects, uses, stores, shares and protects personal data when you visit our websites or use our products. We are committed to handling your data in a transparent, lawful and secure manner, in accordance with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — Lei 13.709/2018, "LGPD") and, where applicable, the EU General Data Protection Regulation ("GDPR").

1. Who we are (data controller)

2. Scope of this Policy

This Policy covers personal data we process across our websites and digital products, including:

• alecta.company — our institutional website;
• cursolibre.com — our online courses platform;
• treinu.fit — our fitness application (in development).

Each product may publish its own complementary privacy notice with product-specific details. Where there is a conflict between this general Policy and a product-specific notice, the product-specific notice prevails for that product.

3. What data we collect

3.1 Data you provide directly

• Contact form (alecta.company): name, email address and the content of the message you send us.
• Account registration (cursolibre.com): name and email address. You may also choose to add a profile photo or display name.
• Customer support: any information you include when you contact us by email.

3.2 Data collected automatically

• Technical data: IP address, browser type and version, operating system, device type, screen resolution, language preference and approximate location (city/country derived from the IP).
• Usage data: pages visited, time spent on each page, navigation paths, video-playback events on courses (start, pause, completion).
• Cookies and similar identifiers: see section 7 below.

3.3 Data collected from third parties

• From our payment service providers: the result of payment authorisations (approved/declined), payment method type (card, Pix, boleto), the last four digits of the card and the country of issuance — for fraud-prevention and fiscal-record purposes. We do not receive your full card number, CVV or full PAN.

4. Why we collect it (purposes and legal bases)

We process personal data only for specific, legitimate purposes, and only on a valid legal basis:

• To provide the services you purchased (account creation, course access, content delivery) — legal basis: performance of a contract with you (LGPD art. 7, V; GDPR art. 6(1)(b)).
• To process payments through our third-party payment service providers — legal basis: performance of a contract; compliance with tax and accounting obligations (LGPD art. 7, II and VI).
• To respond to messages you send through our contact form — legal basis: your request; pre-contractual procedures (LGPD art. 7, V).
• To improve our products (analytics, performance) — legal basis: legitimate interest, balanced against your fundamental rights (LGPD art. 7, IX).
• To prevent fraud and abuse — legal basis: legitimate interest; legal obligation.
• To send service-related communications (purchase receipts, password resets, important notices) — legal basis: performance of a contract.
• To send promotional communications — only with your prior, specific and informed consent, which you may withdraw at any time.

5. Payment data and processors

All payments on our products are processed by third-party payment service providers. The specific provider used depends on your country and the payment method you choose. When you make a purchase, you provide your payment details directly to the relevant payment processor through their secure checkout. Your full card number, expiry date and CVV are never stored on Alecta servers.

Each payment processor is a separate data controller for the payment data it collects, and operates under its own privacy notice, available on its official website.

From our payment processors, we only receive the information necessary to complete and reconcile the transaction (transaction status, payment method, last four digits of the card, billing country). This is required for tax records, fraud prevention and customer support.

The current list of payment providers we work with is available on request at hello@alecta.company.

6. Who we share data with

We do not sell your personal data. We share it only with the following categories of third parties, and only as necessary for the purposes listed above:

• Payment service providers: to process your purchases. We work with multiple regional providers; the current list is available on request at hello@alecta.company.
• Cloud and hosting providers: infrastructure providers that host our application servers and databases (e.g., Hetzner Online GmbH).
• Email and contact-form delivery: Web3Forms.com, which delivers contact-form submissions to us by email.
• Analytics providers: only if and when implemented, and limited to anonymised or pseudonymised usage metrics.
• Legal and regulatory authorities: when we are required to disclose data by law, court order or to protect our legitimate rights.
• Successors: in the event of a merger, acquisition or asset sale, your data may be transferred to the successor entity, subject to the same protections.

7. Cookies and similar technologies

We use the minimum cookies necessary to operate our websites and improve your experience.

• Essential cookies: required for the website to function (session, security, language preference).
• Analytics cookies: to understand how visitors use our websites, in aggregated form. These are loaded only if you accept them, where required by law.

You can manage cookies through your browser settings. Blocking essential cookies may affect functionality.

8. How long we keep your data

• Account data: for as long as your account exists, plus 5 years after deletion for fiscal and legal-defence purposes.
• Purchase records: 5 years, in accordance with Brazilian fiscal-retention requirements.
• Contact-form messages: up to 24 months from the last interaction.
• Server logs: up to 6 months.

After the applicable retention period, data is deleted or anonymised.

9. How we protect your data

We apply technical and organisational measures appropriate to the risk, including:

• Encryption of data in transit (HTTPS/TLS) on all our websites;
• Encryption at rest for sensitive data stored in our databases;
• Access control and the principle of least privilege for our team;
• Regular security updates of our infrastructure;
• Logging and monitoring of suspicious activity.

No system is completely secure. If a security incident affects your personal data, we will notify you and the competent authority as required by law.

10. Your rights as a data subject

Subject to applicable law (LGPD, GDPR), you have the right to:

• Confirm the existence of processing of your data;
• Access your data and obtain a copy;
• Correct inaccurate, incomplete or outdated data;
• Request anonymisation, blocking or deletion of unnecessary or excessive data;
• Request portability to another service provider;
• Request information about public and private entities with which we have shared your data;
• Be informed about the consequences of refusing consent;
• Withdraw your consent at any time;
• Object to processing carried out on the basis of legitimate interest;
• Lodge a complaint with the supervisory authority — in Brazil, the ANPD (Autoridade Nacional de Proteção de Dados).

To exercise any of these rights, please email us at hello@alecta.company. We will respond within 15 days.

11. International data transfers

Alecta Labs LLC is headquartered in the United States and operates from Brazil. Your data may be transferred to, stored in or processed in countries other than your country of residence, including the United States, Brazil and the European Union (where some of our infrastructure providers are based). Whenever data is transferred internationally, we apply safeguards required by applicable law (LGPD art. 33–36; GDPR Chapter V).

12. Children's privacy

Our products are not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data without parental consent, please contact us at hello@alecta.company and we will promptly delete the data.

For minors between 13 and 18, parental or legal-guardian consent is required to use our services.

13. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated by email or by a prominent notice on our websites. Continued use of our services after the update constitutes acceptance of the revised Policy.

14. Data Protection contact

For any privacy or data-protection question, request or complaint:

If you are not satisfied with our response, you may contact the supervisory authority in your jurisdiction. For Brazil, the relevant authority is the ANPD (www.gov.br/anpd).