Privacy Policy

Legal Entity:

RENAN VALENTIN FERREIRA

CNPJ:

34.427.828/0001-42

Country:

Brazil

Product:

Tangerine Flow

Support Email:

hello@tangerinetail.com

Data Protection Officer (Encarregado de Dados Pessoais)

Name:

Renan Valentin Ferreira

Email:

hello@tangerinetail.com

The Data Protection Officer (Encarregado) is responsible for (LGPD Art. 41 par. 2): receiving complaints and communications from data subjects, receiving communications from ANPD, guiding our team on data protection practices, and executing other duties as determined by the controller or established by regulation.

We collect personal data in several ways:

Direct Provision

When you sign up for Tangerine Flow, create a user account, configure settings, or interact with our features, you directly provide us with personal data such as name, email address, phone number, business information, and account preferences.

WhatsApp Integration

When you integrate your WhatsApp account with Tangerine Flow, we receive and process contact information, message content, and conversation metadata from the WhatsApp Business API. This integration enables appointment scheduling and customer communication features.

Automated Collection

We automatically collect certain technical data when you use Tangerine Flow, including IP addresses, device identifiers, browser type, operating system, pages visited, time spent on features, and actions performed within the platform.

Third-Party Services

When you use payment processing through Stripe, analytics through partner services, or other integrated platforms, we receive data from these services according to their data sharing agreements with us.

Customer Contact Data

If you are a customer of a Tangerine Flow user organization, that organization collects and shares your contact information with us (via WhatsApp or through appointment scheduling), and we process this data on their behalf.

We process the following categories of personal data:

Account Information

Full name, email address, phone number, business name, business address, billing information, payment method details, account preferences, and language settings.

Contact and Communication Data

Phone numbers (including WhatsApp contacts), email addresses, message content, call records, conversation history, and metadata related to appointments and customer interactions.

Appointment Data

Appointment dates, times, service descriptions, duration, location information, cancellation/rescheduling history, customer notes, and confirmation status.

User Activity and Audit Data

Login timestamps, feature access logs, actions performed (scheduling, messaging, workflow execution), IP addresses, device information, browser type, operating system, and navigation patterns.

WhatsApp Data

WhatsApp Business Account information, contact lists, message content, media (images, documents), delivery status, read receipts, and metadata including sender/recipient information and timestamps.

Billing and Payment Data

Payment method information, transaction history, invoice data, refund records, and billing address information. Payment processing is handled by Stripe; we do not store complete payment card details.

Automation and Workflow Data

Configuration settings for automated workflows, trigger conditions, response templates, execution logs, and performance metrics.

Analytics Data

Aggregated and anonymized usage statistics, feature adoption rates, performance metrics, and analytics dashboards.

Consent Records

Documentation of your consent choices, including dates, purposes, and any updates or revocations.

Cookies and Tracking Data

Information stored through cookies, local storage, and similar technologies as described in Section 12.

Sensitive Data

If you or your organization processes sensitive personal data (such as health information, religious beliefs, or other data categories defined in LGPD Art. 11), we implement additional security and processing restrictions. You acknowledge that you have obtained proper consent before submitting such data.

We process personal data for specific purposes, each supported by a legal basis under LGPD Art. 7:

Contract Execution (LGPD Art. 7-V)

• Providing and maintaining the Tangerine Flow platform
• Processing appointment scheduling requests
• Delivering WhatsApp messaging automation services
• Managing user accounts and subscriptions
• Processing payments and issuing invoices
• Providing customer support and technical assistance

Consent (LGPD Art. 7-I and Art. 8)

• Sending marketing communications and product updates
• Using cookies and tracking technologies for analytics and user experience improvements
• Processing WhatsApp integration data beyond what is strictly necessary for service delivery
• Enabling optional features or integrations
• Data sharing with optional third-party services

Legitimate Interest (LGPD Art. 7-IX, assessed under LGPD Art. 10)

• Fraud prevention and security monitoring
• Improving and optimizing platform features and performance
• Conducting anonymized analytics to understand user behavior and trends
• Enforcing our Terms of Service and other legal obligations
• Protecting our legal rights and the rights of our users

Legal Obligation (LGPD Art. 7-II)

• Maintaining audit logs for security and compliance (LGPD Art. 37)
• Retaining access logs as required by Marco Civil da Internet Art. 15
• Maintaining consent records for regulatory proof
• Complying with court orders, regulatory requests, or legal investigations
• Fulfilling tax and accounting obligations under Brazilian law

For each processing activity, we have documented the legal basis and maintain a Record of Processing Activities (ROPA) as required by LGPD Art. 37. This information is available upon request.

Where we rely on legitimate interest (Art. 7-IX), we conduct a balancing test to ensure that only strictly necessary data is processed and that your fundamental rights and freedoms are not overridden. ANPD may request a Data Protection Impact Assessment (RIPD) for any processing based on legitimate interest.

We share personal data in the following circumstances:

Service Providers and Processors

We share data with third-party service providers who process data on our behalf under data processing agreements. These include:

• Meta/WhatsApp: We share WhatsApp account information and message metadata to enable WhatsApp integration
• Stripe: We share billing and payment information for payment processing
• Amazon Web Services (AWS): We share user data for cloud infrastructure and storage
• Vercel: We share technical data for web hosting and deployment

Organization Access

If you are a user of an organization account, that organization's administrators have access to your data as necessary to manage the account and provide services. We act as a data processor on behalf of these organizations.

End-User Customers

Organizations using Tangerine Flow control how they share customer contact data with us. We process this data as a data processor following their instructions.

Legal Requirements and Protection

We may disclose personal data when required by law, including to law enforcement, regulatory authorities (such as ANPD), or court orders. We may also disclose data to protect our legal rights, enforce ourTerms of Service, or protect the safety of our users.

Business Transfers

If Tangerine Flow is sold, merged, or transferred, your personal data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.

Anonymized Data

We may share aggregated, anonymized data for research, analytics, and business purposes. Data is considered anonymized under LGPD Art. 12 when it cannot reasonably be used to identify an individual, considering available means at the time of processing.

AI and LLM Services

We are developing optional features that may use artificial intelligence and large language models. When enabled, we may share anonymized or encrypted data with AI service providers (such as OpenAI or Anthropic). You will receive explicit notice and consent options before any such sharing occurs.

Additional Messaging Platforms

If you integrate additional messaging platforms (beyond WhatsApp), we will share relevant data with those platforms' APIs to enable functionality. Each integration will have its own terms and consent requirements.

Analytics and Insights Tools

We may integrate with analytics tools in the future to improve our service. Any such integration will be disclosed in advance with appropriate consent options.

Tangerine Flow operates globally, and your personal data may be transferred to, stored in, and processed in countries outside of Brazil. These transfers are necessary to provide our service and operate our infrastructure.

Third-Party Transfer Locations

• WhatsApp Business API (Meta): United States
• Stripe: United States and multiple international locations
• Amazon Web Services (AWS): Multiple global regions (including United States, Europe, and others depending on your configuration)
• Vercel: United States and Europe

Under LGPD Art. 33, we rely on contractual clauses with adequate guarantees of compliance with LGPD principles, data subject rights, and the data protection regime (Art. 33-II), as well as specific and highlighted consent where applicable (Art. 33-VIII). These mechanisms ensure adequate protections equivalent to those provided by Brazilian law. As ANPD formalizes standard contractual clauses, we will adopt them.

Future International Transfers

As we integrate additional services (AI/LLM providers, analytics tools, or messaging platforms), we will evaluate each service provider's data protection practices and execute appropriate data transfer agreements before enabling integration.

You have the right to request information about the specific safeguards applied to your data in international transfers. Contact our Data Protection Officer at hello@tangerinetail.com.

Under LGPD, you have the following rights regarding your personal data:

Right of Confirmation and Access (LGPD Art. 18-I and Art. 19)

You have the right to request confirmation of whether we process your personal data and to obtain a copy of the data we hold about you, including:

• All personal data we collect and maintain
• The purposes for which we process it
• The categories of recipients with whom we share it
• Information about international data transfers
• The retention periods we apply

To exercise this right, submit a request to hello@tangerinetail.comwith the subject “Subject Access Request.” We will provide a simplified response immediately upon request. A complete declaration of your data will be provided within 15 days as required by LGPD Art. 19.

Right of Correction (LGPD Art. 18-II)

You have the right to request correction of inaccurate, incomplete, or outdated personal data. You can update certain information directly in your account settings, or submit a written request to hello@tangerinetail.com.

Right of Anonymization, Blocking, or Deletion (LGPD Art. 18-III)

You have the right to request that we anonymize, block, or delete personal data under certain circumstances:

• If the data is no longer necessary for the purpose for which it was collected
• If you withdraw consent that was the basis for processing
• If you object to processing based on legitimate interest
• If processing violates LGPD requirements

Please note: We may not be able to delete data if we are legally obligated to retain it (such as audit logs, access logs, or tax records). In such cases, we will block the data from further processing.

Right to Data Portability (LGPD Art. 18-VI)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another organization. We will provide a data export within 15 days of your request.

Right to Deletion of Consent-Based Data (LGPD Art. 18-VI)

For any data processed solely on the basis of your consent (such as marketing communications), you have the right to request deletion of that data at any time, regardless of whether it was initially necessary for the service.

Right to Information on Shared Entities (LGPD Art. 18-VII)

You have the right to request information about the organizations with whom we share your personal data, including their contact details and the purposes for which your data is shared.

Right to Know the Consequences of Consent Denial (LGPD Art. 18-VIII)

If you decline consent for optional processing (such as marketing communications), you have the right to receive clear information about the consequences of that decision.

Right to Revoke Consent (LGPD Art. 8)

You can revoke your consent for any processing at any time through a free and easy procedure, as required by LGPD Art. 8 par. 5. You may revoke consent through your account settings within the platform, or by emailing hello@tangerinetail.com specifying which processing activities you are withdrawing consent for. Revocation does not affect the lawfulness of processing that occurred prior to your withdrawal.

How to Exercise Your Rights

To exercise any of these rights, submit a written request to:

Email: hello@tangerinetail.com
Subject Line: “LGPD Data Subject Request - [Specify Right: Access/Correction/Deletion/Portability/Other]”

Include:

• Your full name and account email address
• Clear description of which right you are exercising
• Any relevant account or transaction details
• A copy of a government-issued ID (for identity verification)

We will verify your identity and provide a simplified response immediately. A complete declaration will be provided within 15 days as required by LGPD Art. 19. If we deny your request, we will provide a detailed explanation of the legal basis for the denial.

Verification: We will verify your identity by requesting government-issued identification or other appropriate means to ensure we are responding to the legitimate data subject.

LGPD Art. 20 protects your right to human intervention when automated decision-making is used:

Current Automated Processes

Tangerine Flow currently uses automated decision-making in limited ways:

• Feature recommendations based on usage patterns
• Fraud detection for payment processing (handled by Stripe)
• Appointment conflict detection and availability calculations

These automated processes do not produce legal or significant effects on your rights that would require human review under LGPD Art. 20(4).

Future Automated Decision-Making

As we develop new features using artificial intelligence and machine learning (including AI/LLM integration), we will implement appropriate safeguards:

• Transparency: We will disclose when automated decision-making is being used
• Explainability: We will provide information about the criteria, significance, and consequences of the automated process
• Human Review: For decisions with legal or significant effects, you will have the right to request human intervention and review by our staff
• Appeal: You may contest automated decisions and request reconsideration

You have the right to request information about:

• The existence of automated decision-making affecting your data
• The logic, significance, and consequences of the automated process
• Meaningful information about the automated decision-making process
• Human review of an automated decision

To request this information or to appeal an automated decision, contact hello@tangerinetail.com with details of the decision you are challenging.

ANPD may audit our automated decision-making processes at any time to verify compliance and assess whether processing results in discriminatory outcomes (Art. 20 par. 2).

We retain personal data for the minimum period necessary to achieve the purpose for which it was collected, in accordance with LGPD Art. 15. Retention periods vary by data category:

Appointment Records

Retained while your account is active. After account deletion, retained for 2 years to satisfy tax obligations and potential dispute resolution under Brazilian civil law.

Chat and Message Histories

Retained according to your organization's configured retention policy. The default retention period is 365 days from the date of the message. Earlier deletion is available on request. WhatsApp messages that are deleted from our platform are removed from our systems.

Audit Logs (LGPD Art. 37)

Retained for a minimum of 5 years from the date of the logged event. This is a legal obligation to maintain records of system access and data processing.

Access Logs (Marco Civil da Internet Art. 15)

Retained for a minimum of 6 months from the date of access. This is a legal obligation under Brazilian internet law.

Consent Records

Retained for 5 years after consent is revoked. This retention period provides proof of historical consent/revocation for regulatory compliance.

User Account Data

Retained while your account is active. Upon account termination or deletion request, non-obligatory data is deleted within 30 days. Obligatory data (audit logs, payment records) is retained per the above periods.

Payment and Billing Data

Retained for 5 years from the date of transaction to satisfy Brazilian tax and accounting obligations (Lei 6.404/1976).

Cookies and Tracking Data

Retained per the cookie expiration periods described in Section 12.

When data reaches the end of its retention period, we delete or anonymize it, unless we are legally required to retain it longer. You may request deletion of data before the retention period expires if no legal obligation prevents deletion.

If you request anonymization or blocking under LGPD Art. 18, we will cease further processing while retaining the blocked data for the duration of any legal obligation.

Tangerine Flow is not designed for, and we do not knowingly collect data from, individuals under 18 years of age. The service is intended for use by adults managing business operations.

Under Brazilian law (Estatuto da Criança e do Adolescente - Lei 8.069/1990), children are individuals under 12 and adolescents are individuals aged 12 to 17. In accordance with LGPD Art. 14, processing of children's data requires specific and highlighted consent from at least one parent or legal guardian (Art. 14 par. 1). Processing must be carried out in the child's best interest.

If we discover that we have collected data from a child (under 12) without verified parental consent, we will delete that data immediately. Parents or guardians who believe their child's data has been collected should contact us at hello@tangerinetail.com.

Special Case - Organizational Processing of Minors' Data

If your organization (such as a healthcare provider, educational institution, or family business) uses Tangerine Flow and your workflows involve processing minors' data:

1. You are responsible for obtaining proper parental or guardian consent before submitting minors' data to Tangerine Flow
2. You must comply with LGPD Art. 14, which imposes stricter consent requirements for minors' data
3. You must inform minors (where appropriate) about how their data is processed
4. We recommend implementing additional access controls and consent tracking for minors' data

Tangerine Flow will not be held responsible for your organization's failure to obtain appropriate consent for minors' data. You bear full responsibility for compliance with Art. 14 of the LGPD.

We implement technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. In accordance with LGPD Art. 46 par. 2, security and privacy measures are incorporated from the design phase of our products and services through their execution (privacy by design).

Technical Safeguards

• Encryption: Data in transit is encrypted using HTTPS/TLS protocols. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
• Access Controls: User authentication via secure credentials, role-based access control, and API authentication tokens.
• Infrastructure: Hosting on Amazon Web Services (AWS) and Vercel, which implement SOC 2 Type II controls and DDoS protection.
• Monitoring: Continuous security monitoring, intrusion detection, and automated threat detection.
• Updates: Regular security patching and vulnerability assessments.

Organizational Safeguards

• Personnel Policies: Data protection training for employees, confidentiality agreements, and access restrictions based on job necessity.
• Incident Response: Documented procedures for detecting, investigating, and responding to security incidents.
• Breach Notification: Commitment to notify ANPD and affected individuals within 3 business days of discovering a significant data breach (LGPD Art. 48). Notifications will include the nature of affected data, information about affected data subjects, security measures in place, related risks, and mitigation measures adopted.
• Vendor Management: Security assessments of third-party processors, data processing agreements, and contractual security requirements.

Limitations

While we employ industry-standard security measures, no system is completely secure. Transmission of data over the internet carries inherent risks. If you have security concerns, contact hello@tangerinetail.com immediately.

Privacy Governance

In accordance with LGPD Art. 50, we maintain a privacy governance program that includes internal policies and procedures, risk-based data protection assessments, incident response plans, and continuous monitoring and improvement of our data protection practices.

For information about our current security certifications or practices, please contact our Data Protection Officer.

Tangerine Flow uses cookies, local storage, and similar tracking technologies to improve your experience and gather analytics data.

Types of Cookies

Essential Cookies

Required for basic platform functionality, such as maintaining your login session, CSRF protection, and routing. These are necessary for the service to operate and cannot be disabled.

Analytics Cookies

Used to understand how users interact with Tangerine Flow, including which features are most popular, user journey patterns, and performance metrics. These enable us to improve the platform. You can disable analytics cookies through your browser settings or an opt-out mechanism if provided.

Preference Cookies

Store your settings and preferences, such as language selection, UI customization, and notification preferences.

Third-Party Cookies

Services like AWS and Vercel may set their own cookies. These are governed by their privacy policies. You can control third-party cookies through browser settings.

Cookie Management

You can control cookies through your browser settings:

• Chrome, Firefox, Safari, Edge: Settings > Privacy > Cookies
• Most browsers allow you to delete existing cookies and block new ones

Disabling cookies may affect platform functionality. Analytics cookies can be disabled without affecting core service delivery.

Local Storage and Similar Technologies

We may use browser local storage, session storage, and similar technologies for the same purposes as cookies. These function similarly and can be cleared through browser settings (usually under Developer Tools > Application > Storage).

Pixel Tags and Web Beacons

We may use transparent pixel tags in email communications to track whether emails are opened. You can disable image loading in your email client to prevent this tracking.

Tracking Pixels

Pages may include tracking pixels from analytics providers. These are processed according to the analytics provider's privacy policy.

Consent for Non-Essential Tracking

Under LGPD Art. 7-I, non-essential cookies and tracking technologies require your explicit consent. Non-essential cookies are not loaded until you provide consent. When you first access Tangerine Flow, you will be presented with a cookie consent banner where you can accept or decline non-essential tracking before any such technologies are activated.

Google Analytics

Our public marketing website (tangerineflow.com.br) uses Google Analytics 4 (Measurement ID G-86LCWCEF3C), provided by Google LLC, to measure traffic and understand how visitors use the site.

• Cookies set: _ga and _ga_G-86LCWCEF3C, used to distinguish unique visitors and persist a session identifier.
• Data collected: client identifier, pages visited, referrer, approximate location derived from IP address, device and browser metadata, and interaction events.
• Legal basis: your free, informed, and specific consent (LGPD Art. 7-I and Art. 8). Google Analytics is loaded with Google Consent Mode v2 and analytics_storage defaulted to denied until you accept; no analytics cookies are written and no personal data is sent to Google before then.
• Retention: 14 months at Google Analytics, after which event-level data is deleted automatically.
• International transfer: Google processes the data in the United States and other countries under contractual safeguards consistent with LGPD Art. 33.

You can withdraw consent at any time using the “Preferências de cookies” link in the website footer, through your account settings on the platform, or by contacting hello@tangerinetail.com. Withdrawing consent deletes the Google Analytics cookies stored in your browser and stops further data collection on subsequent visits.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Changes will be effective immediately upon posting the updated policy to our website.

Notice of Material Changes

For material changes that adversely affect your privacy rights, we will provide notice by:

• Prominent posting on our website
• Email notification to the address associated with your account (if applicable)
• Pop-up or banner notification when you next access the platform

The “Effective Date” at the top of this policy indicates the last date of significant revision.

Your Continued Use

For processing activities based on consent (LGPD Art. 7-I), changes to the scope or purpose of processing will require your renewed consent before taking effect. For processing based on other legal bases, your continued use of Tangerine Flow following notification constitutes your acceptance. If you do not agree with the changes, you may terminate your account.

Archival Versions

Previous versions of this Privacy Policy are available upon request by contacting hello@tangerinetail.com. You may request the version that was in effect when your data was collected.

For privacy inquiries, data subject requests, complaints, or concerns, please contact:

Data Protection Officer (Encarregado de Dados Pessoais)

Name:

Renan Valentin Ferreira

Email:

hello@tangerinetail.com

Company

RENAN VALENTIN FERREIRA
CNPJ: 34.427.828/0001-42
Brazil

Response Time

We will acknowledge receipt of your inquiry within 2 business days and provide a substantive response within 15 days as required by LGPD Art. 19, unless the request is complex and requires additional time (up to 15 additional days).

If you are not satisfied with our response or believe we have violated the LGPD, you have the right to lodge a complaint with:

ANPD (Autoridade Nacional de Proteção de Dados)

Website:

https://www.gov.br/anpd/

Email:

ouvidoria@anpd.gov.br

You may also submit complaints to PROCON (Fundação de Proteção e Defesa do Consumidor) if you believe your consumer rights have been violated in connection with your personal data.

Regulatory Contact Information

Rights Summary

You have the right to:

• Confirm and access your personal data
• Correct inaccurate or incomplete data
• Delete or anonymize your data (subject to legal obligations)
• Request data portability
• Revoke consent
• Know the consequences of consent denial
• Request information about data sharing
• Request human review of automated decisions
• Lodge a complaint with ANPD

Contact us with the subject line “LGPD Data Subject Request” to exercise any of these rights.