1. Data collection
We collect only the data strictly necessary to serve you. Through the contact and briefing forms we collect: name, work email, phone (optional), company name and the project description you submit. Through site navigation we automatically collect technical logs (truncated IP address, browser type, operating system, pages visited and access times) and cookies, only after your consent on the banner. We do not buy lists, do not enrich data with third parties and do not collect sensitive data (racial origin, religion, health, biometrics).
2. Purposes of processing
We process your data for specific and legitimate purposes: (i) responding to requests submitted through the contact and briefing forms; (ii) sending materials, commercial proposals and content you request; (iii) performing anonymous statistical analysis of site usage via Google Analytics 4, to understand what works and what needs to improve; (iv) targeted marketing with your explicit consent, using LinkedIn Insight Tag and Google Ads to measure campaigns. We never sell your data or use it for automated decisions that significantly affect you.
3. Legal bases (LGPD/GDPR)
All processing is supported by a legal basis expressly set out in LGPD: (a) consent (Art. 7, I) for analytics and marketing cookies, promotional communications and material delivery; (b) performance of a contract or pre-contractual steps (Art. 7, V) to respond to briefings, prepare proposals and formalize projects; (c) legitimate interest (Art. 7, IX) for information security, fraud prevention and continuous site improvement, always balanced against your rights and expectations. For users in the EEA/UK we apply the GDPR equivalents (Art. 6 (1) (a), (b) and (f)).
4. Sharing with third parties
Steply only shares data with operators strictly necessary for site operation and customer service: Google LLC (Google Analytics 4 and Google Ads, for measurement and remarketing), Microsoft Corporation / LinkedIn (LinkedIn Insight Tag, for B2B campaign measurement), our transactional email provider and the hosting provider that serves this site. ALL analytics and marketing scripts are blocked by default and only activated after your acceptance on the cookie banner. There is no international data transfer without Standard Contractual Clauses (SCC) or an equivalent safeguard recognized by ANPD/European Commission.
5. Cookies and similar technologies
We use three categories of cookies. (1) Necessary: strictly functional (language preference, session, security); these do not require consent because without them the site does not work. (2) Analytics: Google Analytics 4 to understand aggregated and anonymized usage; only loads after consent. (3) Marketing: LinkedIn Insight Tag and Google Ads to measure campaigns and remarketing; only load after explicit consent. You can review, change or withdraw your preferences at any time through the banner or our LGPD page (/lgpd), where we also list each cookie individually with its purpose and retention period.
6. Data subject rights
As a data subject, you have the right to: (i) confirm the existence of processing; (ii) access your data; (iii) correct incomplete, inaccurate or outdated data; (iv) anonymize, block or erase unnecessary or unlawfully processed data; (v) port your data to another provider; (vi) erase data processed based on consent; (vii) be informed about entities with whom we share your data; (viii) withdraw consent; (ix) object to processing carried out under a legal basis that does not require consent. All these rights are set out in Art. 18 of LGPD and, for EU/UK users, in Arts. 15 to 22 of GDPR.
7. Retention and security
We keep your data only for as long as strictly necessary to fulfill the stated purposes. Contact and briefing data are retained while there is an active relationship and, after termination, for the statutory limitation period of any contractual obligations. Technical access logs are retained for 6 months, in accordance with the Brazilian Internet Civil Framework. We apply technical and organizational measures recognized by the industry: traffic always over HTTPS (TLS 1.2+), encryption at rest for sensitive data, role-based access control, principle of least privilege, integrity monitoring and periodic vendor review.
8. Data Protection Officer (DPO) and contact
To exercise any of the rights described, clarify doubts about this policy or report an incident, send an email to privacidade@steply.com.br. We respond to data subject requests within 15 business days, in accordance with LGPD. For operational details - full list of cookies, vendors, international transfers and how to manage your preferences granularly - see our dedicated LGPD page at /lgpd. This policy may be updated periodically; when there are material changes, we will notify you through registered channels or a prominent notice on the site. General contact: contact@steply.com.br.
