Clav

Privacy Notice

Version 1.0 — Last updated: June 1, 2026

1. Who We Are

Clav Soluções em Software Ltda ("Clav"), registered under CNPJ 63.829.686/0001-48, with headquarters at Alameda Rio Negro, 503, Room 2005, Alphaville, Barueri – SP, is a technology company that develops verification, compliance, and licensing automation solutions for organizations, provided through a SaaS platform and via API ("Platform").

2. Scope and Our Role

Clav acts in two distinct roles in the processing of personal data, depending on the context:

  • As a controller, Clav determines the purpose and means of processing personal data for its own ends — such as in the institutional website form and access records.
  • As an operator, Clav processes personal data entered by clients (contracting organizations) into the Platform, under their instructions. Responsibility for the legality of such processing (including obtaining authorizations from data subjects, when required) lies with the controlling client. Data subjects who wish to exercise their rights regarding such data must do so directly with the organization that contracted the service. If necessary, Clav may indicate the responsible controller to the data subject.

3. Contact Channel

To exercise your rights as a data subject, or in case of questions, complaints, or suggestions about this Notice or about Clav's data processing practices, contact us through the channel below:

DPO email: [email protected]

Data Protection Officer (DPO): Luana do Amaral Peterle

Requests are answered during business hours, Monday to Friday, within up to 15 days from receipt of the request, pursuant to Art. 19 of the LGPD.

4. Definitions

To facilitate the understanding of this Notice, we present the main concepts used:

  • Data subject: Natural person to whom the personal data being processed refers.
  • LGPD: Federal Law No. 13.709/2018, which governs the processing of personal data in Brazil.
  • Personal Data: Any information related to a natural person who is identified or who, in combination with other data, can be identified.
  • Controller: Natural or legal person who decides on the purpose and means of processing personal data.
  • Operator: Natural or legal person who carries out the processing of data on behalf of the controller.
  • Legal Bases: Legal grounds provided for in Arts. 7 and 11 of the LGPD that legitimize the processing of personal data.
  • Consent: Free, informed, and unequivocal authorization by which the data subject agrees to the processing of their data for a previously determined purpose.
  • Deletion: Removal of data or a set of data stored in a database.
  • Data sharing: Communication, transfer, or interconnection of personal data between controllers or with operators.
  • ANPD: National Data Protection Authority, a federal public administration body responsible for ensuring the protection of personal data, overseeing compliance with the LGPD, issuing rules and procedures on data protection, and applying sanctions in case of non-compliance with the legislation.
  • Platform: Digital regulatory infrastructure platform developed by Clav to support organizations subject to regulatory supervision in managing regulatory requirements, compliance controls, licensing processes, certifications, and evidence, providing visibility, traceability, and continuous monitoring of regulatory compliance.

5. To Whom This Notice Applies

This Privacy Notice is intended for:

  • users who register and use the Clav Platform;
  • visitors of the institutional website who interact with the contact form;
  • third parties whose personal data may be contained in documents submitted for processing on the Platform — in this case, Clav acts as an operator under the instruction of the controlling client, and the rights of such data subjects must be exercised directly with the organization that contracted the Platform.

This Notice does not apply to anonymized or aggregated data, as these do not allow the identification of a natural person.

6. Source of Personal Data and Purposes

The processing of personal data is carried out in compliance with the LGPD and with the principles of necessity, adequacy, and proportionality. Clav collects personal data from the following sources:

6.1 Technical logs automatically collected by the Platform (controller role)

Clav automatically collects, on its own initiative and independently of client instruction, the following technical data generated by the use of the Platform, acting as a controller for the purposes indicated:

| Personal data | Purpose | Legal basis (LGPD) |
| --- | --- | --- |
| Platform usage behavior data (actions performed, event logs, usage metrics) | Continuous product improvement; technical diagnostics; identification of errors and usage patterns | Legitimate interest (Art. 7, IX) |
| IP address, access logs, browser, device, and operating system information | Platform security, technical diagnostics, and compliance with legal obligations | Contract performance (Art. 7, V) and legitimate interest (Art. 7, IX) |

6.2 Through completion of the "Request Access" form on the institutional website

By filling out the form available on the institutional website (clav.tech), the visitor provides the following data for the purpose of initial commercial contact:

| Personal data | Purpose | Legal basis (LGPD) |
| --- | --- | --- |
| Full name, email, company, and the website of the company they work for | Qualification of potential clients; follow-up by the Clav team | Consent (Art. 7, I) |

6.3 Through document upload on the Platform (operator role)

The Platform allows clients (contracting organizations) to upload and store documents that may contain personal data of third parties. With respect to the personal data contained in such documents, Clav acts, as a rule, as an operator, carrying out the processing on behalf of and in accordance with the instructions of the contracting organization, which remains responsible for decisions related to the purposes and means of processing.

The documents are used exclusively for the provision of the contracted services, and their content is not accessed or used by Clav for commercial purposes or any other purposes of its own incompatible with the provision of the services.

As an additional security measure, the Platform provides an optional encryption feature for stored documents. When this feature is used, the content of the documents remains inaccessible to Clav, being accessible only by the contracting organization and the users it authorizes.

7. Data That Clav Does Not Collect

Clav expressly declares that it does not collect sensitive personal data — such as health data, biometrics, racial or ethnic origin, religious beliefs, political opinions, or genetic data — intentionally or systematically. If such data is eventually included by the user in documents submitted via upload, the processing will be restricted to the purposes of the contracted service, as set out in Section 6.

Clav does not intentionally collect or process personal data of children and adolescents. Its products and services are intended exclusively for persons aged 18 or older. If unintentional processing of minors' data is identified, the data will be immediately deleted, unless otherwise required by law.

8. Sharing Personal Data with Third Parties

Clav does not disclose or share personal data with third parties for commercial or advertising purposes. Sharing occurs only in the following cases:

  • Service providers (operators): Clav uses technology vendors to enable its operations, such as cloud hosting, authentication, storage, and security services. These vendors process personal data exclusively under Clav's instruction and contractually commit to information security and data protection obligations.
  • Certifiers and third parties integrated under client instruction: the Platform allows the client organization's administrator to configure integrations with certifiers and other third parties via API. In these cases, sharing occurs exclusively under the express instruction of the client, who determines which data will be transmitted and to which recipient. Clav acts as an operator in this flow. Responsibility for the adequacy of sharing with third-party recipients lies with the client that configures it.
  • Public authorities: when required by law, court order, or request from a competent authority.
  • Exercise of rights: when necessary to protect the rights, property, or safety of Clav, its users, or third parties.
  • Corporate operations: in the event of a merger, acquisition, spin-off, or business restructuring, data may be shared with the parties involved, maintaining the level of protection provided for in this Notice.

Clav remains responsible for the processing carried out by the operators with which it shares data on its own initiative. For the sharing configured by the client via the Platform, as per the second item above (certifiers and third parties integrated under client instruction), responsibility for the processing carried out by the third-party recipient lies with the client that instructed it.

9. Data Storage and International Transfers

Clav's hosting infrastructure is located in Brazil, in the sa-east-1 (São Paulo) region, which means that the personal data processed by Clav is stored within national territory.

If there is a change in the hosting infrastructure that implies a change in the country of storage, this Notice will be updated and data subjects will be notified by email or notice on the platform before the migration, with the valid international transfer mechanisms provided for in the LGPD and ANPD regulations being adopted.

10. Retention and Disposal of Personal Data

Personal data is retained for as long as necessary to fulfill the purposes described in this Notice and for the minimum period required by applicable law:

  • Platform technical logs (usage behavior, IP, access date/time): retained for as long as necessary for the purposes of security, improvement, and technical diagnostics of the product, observing the minimum period of 6 months for access logs, pursuant to Art. 15 of Law No. 12.965/2014 (Brazilian Civil Rights Framework for the Internet).
  • Website form data: kept for as long as necessary for commercial contact and, if it does not result in a contract, deleted within 2 years.
  • Data processed as an operator (user registrations, documents via upload): retained for as long as necessary for the provision of the service contracted with the client. The client, as controller, may determine deletion at any time; Clav will delete the data within the periods provided for in the service contract, subject to legal retention requirements.
  • Institutional website access data (IP, date and time of browsing): retained for a minimum period of 6 months, in compliance with Art. 15 of Law No. 12.965/2014 (Brazilian Civil Rights Framework for the Internet).

Once the applicable retention periods have ended and there is no legal basis for keeping the data, the personal data will be deleted or anonymized, as applicable.

11. Data Security

Clav adopts appropriate technical and administrative measures to protect personal data against unauthorized access, loss, alteration, or improper disclosure. Among the measures implemented are access controls, multi-factor authentication (MFA), backup policy, and document encryption (optional, at the discretion of the client organization's administrator).

Clav employs minimization techniques and, whenever possible and compatible with the purposes of the processing, adopts pseudonymization mechanisms.

In the event of a security incident that may result in relevant risk or harm to data subjects, Clav will take the appropriate containment measures and will communicate the incident to the ANPD and affected data subjects, pursuant to Art. 48 of the LGPD and ANPD Board Resolution No. 15/2024.

12. Rights of Data Subjects

The data subject may exercise, at any time and free of charge, the following rights provided for in Art. 18 of the LGPD, by request to the DPO through the channel indicated in Section 3:

  • confirmation of the existence of processing and access to data;
  • correction of incomplete, inaccurate, or outdated data;
  • anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD;
  • data portability;
  • deletion of data processed based on consent;
  • information about sharing with third parties and about the consequences of not providing consent;
  • withdrawal of consent;
  • review of decisions made based on automated processing, when applicable.

In some cases, Clav may have legitimate reasons not to fully comply with a request — such as when retention is mandatory by law or regulation, or when compliance could violate the rights of third parties. In such cases, Clav will justify the limitation to the data subject.

Attention: when Clav acts as an operator — that is, in the processing of data entered by clients into the Platform (such as user registrations and documents submitted via upload) — the rights provided for in this section must be exercised directly with the controlling client, which is the organization that contracted the Platform. Clav does not have the autonomy to fulfill these requests without instruction from the responsible controller. If necessary, Clav may indicate to the data subject the competent organization to receive the request.

If the data subject does not obtain a satisfactory response, they may file a complaint with the ANPD: https://www.gov.br/anpd.

13. Modifications to This Notice

Clav may modify this Notice at any time to reflect changes in services, applicable legislation, or privacy practices. Updated versions will be published on the institutional website. In the event of material changes that affect data subjects, notification will be made by email or prominent notice on the platform before the changes take effect.

We recommend that the data subject periodically check this Notice to stay informed about any updates.