Privacy Policy

1. Scope of this Policy

This Policy applies to:

• vestigio.io;
• its subdomains;
• applications, dashboards, APIs, pixels, snippets, integrations, and other surfaces operated by Vestigio;
• trial accounts, free trials, paid plans, AI credits, and other features we make available.

2. Data we may collect

We may collect and process, as applicable, the following categories of data:

3. Nature of analyses performed by Vestigio

Vestigio may analyze:

• data publicly accessible on the internet;
• structures and visible elements of websites, stores, pages, and digital surfaces;
• data observable through common browsing;
• results of automated interactions equivalent to those of a regular customer or visitor;
• data collected through pixel, snippet, or integration authorized by you.

You are solely responsible for registering, connecting, or installing Vestigio only in assets, environments, accounts, domains, pages, and integrations for which you hold legitimate authorization.

Vestigio is not liable for acts performed by you outside the platform, nor for improper use of the Services on third-party assets without adequate authorization.

4. Purposes of processing

We may process data to:

• create, authenticate, maintain, and administer your account;
• provide, operate, run, monitor, and improve the Services;
• process audits, analyses, findings, reports, answers, suggestions, and outputs;
• offer and manage free trials, paid plans, and AI credits;
• process billing, payments, renewals, reconciliations, and financial history;
• respond to tickets, inquiries, and support requests;
• detect, prevent, and investigate fraud, abuse, misuse, technical failures, and security incidents;
• monitor performance, stability, availability, and integrity of the platform;
• comply with legal, regulatory, contractual, and rights-defense obligations;
• conduct legitimate operational, administrative, technical, and commercial communications;
• support integrations authorized by you;
• maintain audit trails, logs, and operational evidence.

5. Legal bases

When applicable, Vestigio may process personal data based on one or more of the following legal grounds:

• performance of a contract or preliminary procedures related to a contract;
• compliance with a legal or regulatory obligation;
• regular exercise of rights in judicial, administrative, or arbitration proceedings;
• legitimate interest, within the limits of applicable law;
• consent, where required;
• fraud prevention and security of the data subject and platform.

6. Payments

Vestigio payments may be processed by Paddle and by partners, sub-processors, or financial institutions involved in the billing flow. Vestigio does not store full sensitive card data when processing occurs through specialized third parties, but may store transaction identifiers, payment status, plan, billing history, invoices, financial metadata, and information necessary for subscription management.

7. Cookies, pixels, analytics, and similar technologies

Vestigio may use cookies, local storage, pixels, tags, scripts, logs, identifiers, and similar technologies for:

• authentication and security;
• site and application functionality;
• storage of preferences;
• usage and performance measurement;
• analytics;
• Service improvement;
• attribution and behavior analysis;
• campaign support and traffic measurement.

Vestigio may currently use, among others:

• Google Analytics;
• Meta Pixel;
• Vestigio Pixel.

Tools, vendors, and technologies may be changed, added, or removed over time.

8. Data sharing

Vestigio does not sell personal data.

We may share data, to the extent necessary, with:

• payment processors and financial partners;
• hosting, infrastructure, observability, analytics, email, security, authentication, and support providers;
• platforms and integrations connected by you;
• companies of the same economic group, affiliates, successors, or acquirers, in the event of corporate reorganization, merger, acquisition, or asset sale;
• consultants, auditors, legal, accounting, and technical advisors, under confidentiality obligations;
• administrative, regulatory, or judicial authorities, when required by law or valid order.

9. International data transfer

Your data may be stored, processed, or accessed on servers and systems located outside Brazil, including by technology and infrastructure providers. In such cases, Vestigio will adopt reasonable measures to ensure adequate protection in compliance with the LGPD (Brazilian General Data Protection Law) and other applicable regulations.

10. Data retention

Vestigio may retain data for the time necessary to fulfill the purposes of this Policy, meet legal and regulatory obligations, preserve evidence, exercise rights, and maintain operational continuity of the platform.

Without prejudice to legal deadlines or specific retention needs:

• operational data related to analyses, findings, reports, snapshots, outputs, and equivalent materials may be retained for up to 30 (thirty) days;
• financial, tax, contractual data, security logs, and records necessary for the defense of rights may be retained for longer periods, as required by law, regulation, or duly justified legitimate interest.

11. Information security

Vestigio adopts reasonable technical, administrative, and organizational measures to protect data against unauthorized access, destruction, loss, alteration, improper disclosure, or any form of inappropriate or unlawful processing.

Vestigio seeks to operate with controls aligned with the LGPD and recognized market best practices for security, governance, and control, including reference to frameworks and standards widely used in the market, such as those associated with auditable environments and corporate compliance programs.

Nonetheless, no environment is absolutely inviolable, and we cannot guarantee absolute security.

12. Data subject rights

Under applicable law, you may request, where applicable:

• confirmation of the existence of processing;
• access to data;
• correction of incomplete, inaccurate, or outdated data;
• anonymization, blocking, or deletion;
• portability;
• information about data sharing;
• review of automated decisions, where applicable;
• revocation of consent, where that is the legal basis;
• objection to specific processing, under legal terms.

13. Data deletion instructions

If you wish to request the deletion of your data, send an email to support@vestigio.io with the subject “Data deletion request” and, if possible, include:

• account or company name;
• registered email;
• related domain or asset;
• description of the data or account to be deleted.

Vestigio will process valid deletion requests within 7 (seven) days, when legally and technically possible, except in cases of mandatory retention, fraud prevention, security, compliance with legal obligations, preservation of evidence, and regular exercise of rights.

14. Minors

Vestigio is not intended for minors under 18 years of age without the applicable legal and contractual authorization.

15. Changes to this Policy

Vestigio may update this Policy at any time. The version in force will always be the most recently published on our official channels.

16. Contact

For questions, privacy requests, data deletion, or support, contact us through: