Privacy Policy
Your privacy matters. This policy describes, under the LGPD, how we handle personal data in DreamRoute.
1. Controller, operator and scope
This Privacy Policy describes how Potencializeme Negócios Digitais LTDA, registered under CNPJ no. 49.013.959/0001-50, with registered office at Rua Bom Jesus, 212, Sala 1904, Andar 19, Cond. AR 3000 — Juvevê, Curitiba/PR, CEP 80035-010, Brazil ("we", "Company") collects, uses, shares and protects personal data when you access or use DreamRoute, including Cronos and other AI-powered features (the "Service").
We act as Controller for account, billing, security, usage and business relationship data — where we determine the purposes and essential means of processing. For personal data contained in workspace content submitted by customers (Missions, tasks, comments, files about their clients, collaborators and third parties), we generally act as an operator (processor) on behalf of the customer, who remains the controller responsible for determining the purposes and lawful basis of that processing. Business (B2B) customers may request a Data Processing Addendum (DPA).
We process personal data primarily under the LGPD (Lei 13.709/2018). Other data protection laws, including the GDPR, may apply depending on the location of the user and the circumstances of the processing.
2. Data we collect
Account data (name, email) via our authentication provider; workspace content you create (Missions, tasks, comments, files); billing data processed by our payment provider (we do not store full card numbers); and usage/technical data (logs, IP, device and performance metrics) collected to operate and secure the Service, including application access records kept under the Marco Civil da Internet.
We also use cookies and similar technologies necessary for authentication, security and operation of the Service. Where applicable, analytics, observability or other non-essential technologies are used in accordance with the choices presented through our cookie controls. Additional information will be provided in our Cookie Policy.
3. Purposes of processing
To provide and maintain the Service; process payments and manage subscriptions; send transactional notifications; provide AI features; prevent fraud and abuse; comply with legal and regulatory obligations; and improve the product. We do not sell your personal data.
4. Legal bases (LGPD, art. 7)
We process personal data based on: performance of a contract with you and preliminary procedures; compliance with legal or regulatory obligations; your consent, where required; and our legitimate interests in operating, securing and improving the Service, always weighed against your rights.
5. Sharing and sub-processors
We share data with service providers and operators strictly as needed to run the Service, including: authentication, cloud database and file storage hosting, payment processing, email delivery, AI model providers, and observability/monitoring. We may also share data to comply with the law, court orders or legitimate requests from authorities. A current list of sub-processors — with the service, data category, region and purpose of each — is available on request through our privacy contact.
6. AI processing (Cronos)
AI features are optional and only run when you actively use them. When you use Cronos or another AI-powered feature, the prompts, instructions and workspace content necessary to fulfill your request may be transmitted to contracted AI service providers. These providers are required to process the data under contractual safeguards and only for the provision of the requested services. We do not permit AI providers to use customer workspace content, prompts or outputs to train general-purpose models, unless we clearly disclose this and obtain any legally required authorization.
We seek to minimize what is shared and to select providers offering appropriate safeguards. You should not submit sensitive personal data, confidential information or third-party data to AI features unless you are authorized to do so.
7. International transfers
Personal data may be processed in countries other than Brazil, including where our cloud, authentication, payment, monitoring and AI providers operate. When required, we rely on a valid transfer mechanism under the LGPD (art. 33) and ANPD regulations — such as an adequacy decision, the ANPD-approved standard contractual clauses or another legally permitted mechanism. Information about the applicable safeguards may be requested through our privacy contact.
8. Retention
We retain account and workspace data while the account is active. Following account deletion, production data is scheduled for deletion or anonymization, subject to limited retention in backups, fraud-prevention records and records required by law. Application access records are retained for the period required by the Marco Civil da Internet, generally six months. Billing and tax records are retained for the periods required under applicable legislation.
9. Your rights as data subject (LGPD, art. 18)
You may request: confirmation of processing; access; correction of incomplete, inaccurate or outdated data; anonymization, blocking or deletion of unnecessary or excessive data; portability, subject to applicable regulation; deletion of data processed with consent; information about sharing; and withdrawal of consent. Where applicable, you may also object to processing, request information about the criteria used in automated processing and request review of decisions made solely through automated processing that affect your interests.
You can initiate account deletion through your profile settings or submit a privacy request by emailing privacy@dreamroute.app. Certain information may remain temporarily in backups or be retained where necessary to comply with legal obligations, prevent fraud, resolve disputes or establish, exercise or defend legal claims. We may request information reasonably necessary to verify your identity before fulfilling a request, and will respond within the timeframes and in the manner required by applicable law. You may also petition the National Data Protection Authority (ANPD).
10. Security
We adopt technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration or disclosure, including encryption in transit, access controls and tenant isolation. In the event of a security incident that may cause relevant risk, we will notify the ANPD and affected data subjects as required by the LGPD.
11. Children and adolescents
The Service is intended for business and professional use and is not directed to individuals under 18 years of age. Account holders must meet the minimum age and legal capacity requirements established in our Terms. If we learn that personal data was collected from a minor contrary to those requirements, we will take appropriate steps to delete or restrict it.
12. Changes and contact
We may update this Policy; material changes will be notified in-app or by email. Controller: Potencializeme Negócios Digitais LTDA, registered under CNPJ no. 49.013.959/0001-50, with registered office at Rua Bom Jesus, 212, Sala 1904, Andar 19, Cond. AR 3000 — Juvevê, Curitiba/PR, CEP 80035-010, Brazil. Privacy and data protection requests: privacy@dreamroute.app.