1. What is the LGPD
The LGPD - Law 13,709/2018 - is the Brazilian law that regulates the processing of personal data by public and private organizations, in force since August 2020. Inspired by the European General Data Protection Regulation (GDPR - Regulation EU 2016/679), it requires every processing operation (collection, storage, use, sharing, deletion) to be based on a specific legal ground. The law is enforced by the ANPD (National Data Protection Authority) and provides for administrative sanctions ranging from warnings to fines of 2% of revenue, capped at BRL 50 million per infraction. Steply processes all personal data under these parameters, with documented governance and periodic process review.
2. Data we process
Steply processes three categories of personal data. (a) Identifier data provided voluntarily through the briefing form: name, email, phone, company and project description. (b) Browsing data collected via Google Analytics 4 with prior consent - truncated IP address, user-agent, pages visited, click events, time on page and referrer. (c) Remarketing data collected only with explicit consent through LinkedIn Insight Tag and Google Ads, used for campaign measurement and lookalike audiences. We do not collect sensitive data (racial origin, religious belief, political opinion, health, sex life, biometrics) or data from minors.
3. Processing purposes
We process personal data for four clear and specific purposes: (i) responding to commercial contacts initiated by the data subject through the briefing form or official channels; (ii) sending technical materials, proposals or content explicitly requested by the data subject; (iii) measuring website performance and identifying experience improvement points through aggregated analytics data; (iv) carrying out advertising remarketing on third-party platforms when express consent is given. None of these purposes involve selling data to third parties, automated profiling with legal effects or automated decisions affecting the data subject.
4. Legal bases (LGPD Art. 7)
Steply uses three legal bases provided in Article 7 of the LGPD. (I) Consent - for analytics and marketing cookies, collected through a granular banner before any tracking script loads. (V) Performance of contract or pre-contractual procedures - to process data submitted via the briefing form when the data subject requests a commercial proposal. (IX) Legitimate interest - for security, fraud prevention and maintenance of technical site logs. For data subjects in the European Union, these bases correspond to Article 6 of the GDPR - items (a) consent, (b) contract and (f) legitimate interests, respectively. Each basis is internally documented with the corresponding proportionality and necessity assessment.
5. Data subject rights (LGPD Art. 18 / GDPR Arts. 15-22)
The data subject is entitled, at any time and free of charge, to: (1) confirmation that processing exists; (2) access to the data; (3) correction of incomplete, inaccurate or outdated data; (4) anonymization, blocking or deletion of unnecessary, excessive or non-compliant data; (5) portability of the data to another provider; (6) deletion of data processed with consent; (7) information about public and private entities with which Steply has shared data; (8) information about the possibility of not providing consent and its consequences; (9) withdrawal of consent; and (10) opposition to processing carried out under one of the consent-exemption hypotheses, in case of non-compliance with the law. These rights correspond to Articles 15 to 22 of the GDPR and may be exercised through the channels described below.
6. How to exercise your rights
To exercise any of the rights listed above, send an email to privacidade@steply.com.br containing: (i) identification of the data subject (full name and email used in the original contact, or another verification method); (ii) a clear description of the request (access, correction, deletion, portability, withdrawal, opposition, etc.). Steply will respond within 15 business days, as recommended by the ANPD. If the request involves deletion, we will perform the procedure and send written confirmation, keeping only the minimum necessary to comply with legal obligations. If the data subject disagrees with the response received or does not get a reply, the complaint can be escalated directly to the ANPD - National Data Protection Authority - through the official website gov.br/anpd.
7. Cookies - preferences and control
On the first visit, the site shows a granular consent banner with three independent categories: Necessary (always on, essential to the site's operation - session, security, language preference); Analytics (Google Analytics 4, enabled only after acceptance); Marketing (Google Ads and LinkedIn Insight Tag, enabled only after explicit acceptance). Before any acceptance, no tracking script, pixel or third-party cookie is loaded - only strictly necessary ones. The data subject can review and change choices at any time by clicking "Cookie preferences" in the site footer or using the button below. Withdrawal takes effect immediately and does not affect prior processing based on the consent then in force.
Manage cookie preferences
8. Sharing and processors
Steply, as Controller, shares personal data with a restricted set of Processors strictly necessary for service provision, all under contract with specific data protection clauses (DPA - Data Processing Agreement). Current processors: Google LLC (Google Analytics 4 and Google Ads, analytics and remarketing data); Microsoft Corporation / LinkedIn (LinkedIn Insight Tag, B2B remarketing data); Hostinger, Vercel and AWS (hosting, CDN and asset storage); transactional email provider (sending replies and requested materials). International data transfers occur to countries with an adequate level of protection or through standard contractual clauses (SCCs), as required by LGPD Article 33 and GDPR Chapter V.
9. Data retention
We apply retention periods proportional to each processing purpose. Briefing form data: kept while the active commercial relationship lasts and for a further 5 years after the last contact - the statute-of-limitations period under the Brazilian Civil Code (Article 206). Site access logs (IP, date/time, user-agent): 6 months, as required by Article 15 of the Brazilian Internet Civil Framework (Law 12,965/2014). Analytics cookies (Google Analytics 4): up to 24 months per event. Marketing cookies (Google Ads, LinkedIn): up to 13 months per event. Once the applicable period ends, data is irreversibly deleted or anonymized, unless a longer legal retention obligation applies (for example, tax or accounting obligations).
10. Data Protection Officer (DPO) and contact channel
Steply maintains a Data Protection Officer (DPO), as required by LGPD Article 41, responsible for receiving communications from data subjects and from the ANPD, providing internal guidance and taking appropriate measures. DPO: Steply Data Protection Team. Official channel for all privacy matters: privacidade@steply.com.br. Postal correspondence address: domain steply.com.br (Brazil). For phone escalation, use the official WhatsApp +55 31 8267-3330. Every communication through these channels is treated confidentially and logged for accountability purposes, in line with the principle of LGPD Article 6, X.
