Privacy Policy

At Core TI Expert, protecting the personal data you share with us is a fundamental commitment — not a checkbox. This policy explains, clearly and completely, what information we collect, why we collect it, how we protect it, and what rights you hold over your own data.

Last updated: June 18, 2025 — Effective immediately upon publication

Introduction

This Privacy Policy governs the collection, processing, storage and transfer of personal data by CORE SOLUCOES EM INFORMATICA E TECNOLOGIA LTDA, registered under CNPJ 45.856.266/0001-79, headquartered at Rua 1500, no. 416, Sala 04, Centro, Balneário Camboriú – SC, Brazil ("Core TI Expert", "we", "our" or "us"). This document applies to all visitors of our website and to individuals who contact us, request services, or otherwise interact with our digital channels.

We operate in compliance with Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD — Federal Law 13.709/2018), the General Data Protection Regulation of the European Union (GDPR — Regulation 2016/679), and all other applicable data protection and privacy legislation. By accessing our website or submitting your information through any of our contact channels, you acknowledge that you have read and understood this policy.

This policy covers only our own website and services. It does not apply to third-party websites, platforms or services that may be accessible through links we publish — those providers operate under their own privacy practices, for which Core TI Expert bears no responsibility.

Information We Collect

We limit data collection strictly to what is necessary for the specific purposes described in this policy. The categories of personal data we may collect depend on how you interact with us.

2.1 — Information You Provide Directly

When you fill in a contact form, request a quote, subscribe to communications, or reach out to us by any channel, you may provide:

  • Identity data: full name, job title, and company or organization name.
  • Contact data: email address, telephone number (including WhatsApp), and business address.
  • Professional context: the nature of your IT challenge, the size of your organization, and any supporting detail you choose to share in a free-text message field.
  • Contractual data: information required to execute, manage and invoice service agreements — including billing addresses, tax identification numbers (CPF/CNPJ), and payment-relevant details handled via certified payment processors.

Providing this information is voluntary, but certain fields are necessary to process your request. Where a field is mandatory, this will be indicated clearly on the relevant form.

2.2 — Information Collected Automatically

When you visit our website, our servers and analytics tools automatically record certain technical data about your session. This may include:

  • Device and browser data: IP address (anonymized where required), browser type and version, operating system, screen resolution, and device type.
  • Session and navigation data: the pages you visit, the order in which you visit them, time and duration of each visit, hyperlinks you click, and the website that referred you to ours.
  • Performance data: page load times, error events, and interaction signals used to improve site performance.
  • Geolocation data (approximate): city or region derived from your IP address, never from GPS or device sensors without your explicit consent.
  • Cookie and tracking identifiers: first-party and third-party identifiers set in accordance with Section 4 below.

2.3 — Information From Third Parties

In certain cases, we may receive data about you from legitimate third-party sources, including:

  • Google Ads and similar advertising platforms that share aggregated or pseudonymous conversion data so we can measure the effectiveness of our advertising campaigns.
  • Business partners or referral contacts who suggest you as a prospective client — in which case we will inform you of this in the first communication we send.
  • Public business registries (such as the Receita Federal's CNPJ database), used solely for client due diligence and the legal formation of service contracts.
We do not purchase marketing lists. We do not acquire, rent or trade personal data from brokers or aggregators for any purpose. Every contact in our database came to us through a direct interaction or a clearly documented referral.

How We Use Your Information

Every use of your personal data is grounded in one of the legal bases recognized by the LGPD and GDPR: your consent, the performance of a contract, compliance with a legal obligation, or our legitimate interest — balanced always against your fundamental rights. The table below maps our core processing activities to their legal basis:

3.1 — Responding to Enquiries & Delivering Services

We use the contact details you submit to respond to your enquiry, schedule an assessment, prepare and send a service proposal, and — once engaged — to deliver and manage the IT services you have contracted. This is the primary and most essential use of your data, and it is grounded in the performance of a contract (or pre-contractual steps at your request).

3.2 — Sending Relevant Communications

With your explicit consent, we may contact you by email or WhatsApp to share updates about services that are directly relevant to your professional context — such as new managed IT plans, cybersecurity advisories, or Microsoft licensing changes that may affect your organization. You can withdraw this consent at any time, free of charge, by using the unsubscribe link in any message or by contacting us at the address in Section 11.

3.3 — Advertising Measurement & Improvement

We use anonymized and aggregated conversion data — provided by Google Ads and similar platforms — to understand how effective our advertising is and to improve the relevance of ads we serve. This processing is based on our legitimate interest in running an efficient, sustainable business. At no point does this activity result in profiling that produces legal or similarly significant effects on you.

3.4 — Website Analytics & Performance

Session and behavior data collected automatically allows our development team to identify usability issues, optimize page performance, and prioritize improvements. This processing rests on our legitimate interest in maintaining a functional, professional web presence.

3.5 — Legal & Regulatory Compliance

We may process and retain certain data — including contractual records and fiscal documents — to comply with Brazilian tax law, labor law, and accounting requirements, and to respond to lawful requests from competent authorities.

Cookies & Tracking Technologies

Our website uses cookies and similar technologies — small data files stored on your device — to make the site work correctly, remember your preferences, and help us understand how visitors engage with our content. Below is a transparent breakdown of each category.

Category Examples Purpose Can be disabled?
Strictly Necessary Session token, CSRF protection, load-balancing cookies Enable core website functionality. Without these the site cannot operate. No personal data is shared with third parties via these cookies. No — they are essential to service delivery
Performance & Analytics Google Analytics (_ga, _gid, _gat) Measure page views, session duration, referral sources, and user flow through our site. Data is aggregated and anonymized; IP addresses are truncated. Used exclusively for internal improvement decisions. Yes — via our cookie consent tool or your browser settings
Advertising & Conversion Google Ads conversion tag (gcl_au), Google Tag Manager container Record when a visit from a Google Ads click results in a contact form submission or phone call, so we can measure ROI. We do not use these identifiers for cross-site behavioral tracking or for retargeting individuals by name or email. Yes — via our cookie consent tool
Functional / Preferences Language preference, form auto-fill state Remember choices you have made (such as which service category interests you) to personalize your subsequent visits without requiring you to re-enter information. Yes — disabling will reset these preferences each visit

Managing Your Cookie Preferences

When you first visit our website, a consent banner allows you to accept all cookie categories or configure them individually. You can revisit and update your choices at any time by clicking the "Cookie Settings" link in our website footer. Additionally, all major browsers — Chrome, Firefox, Safari, Edge, and Opera — offer native controls for blocking or deleting cookies. Bear in mind that disabling certain cookies may impair some features of the site.

For Google Analytics specifically, you may install the official Google Analytics Opt-out Browser Add-on, which prevents data from being sent to Google Analytics on all websites you visit.

Sharing With Third Parties

Core TI Expert does not sell, lease, or trade your personal data. We share information only in the specific circumstances described below, and only to the minimum extent necessary for each purpose.

5.1 — Service Providers and Technology Partners

We work with a small number of trusted sub-processors that help us operate our business. Each is bound by a data processing agreement that prohibits them from using your data for any purpose other than providing their contracted service to us:

  • Google LLC — Google Analytics (website measurement), Google Ads (advertising conversion tracking), and Google Workspace (business email and document management). Google's data processing terms and Privacy Policy govern these interactions.
  • Microsoft Corporation — Where applicable, Microsoft 365 and Azure services are used internally and in the delivery of client IT solutions. Microsoft's Data Processing Addendum applies to all enterprise services.
  • Website hosting provider — Our hosting infrastructure provider stores website data on servers subject to ISO 27001-equivalent security controls. Physical servers are located in Brazil or the European Economic Area.
  • CRM and support tools — We may use a customer relationship management (CRM) platform to track service requests and project communications. We will identify the specific provider on request.

5.2 — Legal Obligations

We may disclose personal data to courts, regulatory authorities, law enforcement agencies, or tax authorities when required to do so by law, court order, or equivalent legal process under Brazilian or applicable international law. We will notify you of any such request to the extent legally permitted.

5.3 — Business Transfers

In the event of a merger, acquisition, asset sale, or corporate restructuring, personal data we hold may be transferred to the succeeding entity. Before any such transfer, we will publish a prominent notice on this page and — where required — seek renewed consent from affected individuals.

International transfers: Some of our sub-processors operate outside of Brazil. Where personal data is transferred to jurisdictions without an adequacy determination by the Brazilian National Data Protection Authority (ANPD), we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized under LGPD Article 33.

Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or to comply with legal, contractual, or regulatory obligations. Our default retention periods are as follows:

  • Pre-sales enquiry data (contact form submissions that did not convert into a contract): retained for up to 24 months from the date of your last interaction, after which the record is deleted or anonymized.
  • Active client data (contractual and service records): retained for the duration of the contract plus 5 years, in accordance with the Brazilian Civil Code statute of limitations and Receita Federal fiscal documentation requirements.
  • Accounting and fiscal records (invoices, tax receipts, CNPJ-linked documents): retained for a minimum of 10 years as required by Brazilian tax law.
  • Website analytics data: Google Analytics session data is retained by Google for a configurable period set at 14 months in our account. Aggregated, non-personal reports derived from analytics are kept indefinitely for historical benchmarking.
  • Cookie consent records: We retain logs of your consent decision for 12 months or until the consent is revoked, whichever comes first.
  • Marketing communications consent: Maintained for the duration of your subscription; withdrawal records are kept for 3 years to demonstrate compliance.

When a retention period expires, we securely delete or irreversibly anonymize the data concerned. Anonymized data — which can no longer identify you — may be retained indefinitely for statistical and service-improvement purposes.

Data Security

We apply technical and organizational measures proportionate to the sensitivity of the data we hold and the risks involved. While no security system is infallible, our controls are reviewed regularly and updated as threats evolve.

Technical Measures

  • All website traffic is transmitted over HTTPS using TLS 1.2 or higher. HTTP connections are permanently redirected to HTTPS.
  • Contact form data is transmitted encrypted at the application layer and stored in access-controlled databases that are not directly exposed to the public internet.
  • Internal systems that hold client data are protected by multi-factor authentication (MFA) for all accounts, combined with role-based access control so team members can only access data relevant to their function.
  • Our IT infrastructure undergoes periodic vulnerability assessments and patch management cycles, consistent with the managed security services we offer our own clients.
  • Backups of client data are encrypted at rest and stored in geographically separate locations to ensure continuity following a disaster or ransomware incident.

Organizational Measures

  • All employees and contractors who handle personal data receive data protection training and are bound by confidentiality obligations.
  • We maintain an internal incident response plan. In the event of a data breach affecting your rights and freedoms, we will notify the ANPD within 72 hours of becoming aware of it, and we will notify you directly if you are likely to be at high risk, without undue delay.
  • Third-party sub-processors are subject to security due diligence before onboarding and to contractual clauses aligned with LGPD Article 46 and GDPR Article 28.

Your Rights

Under the LGPD (and, where applicable, the GDPR), you hold a robust set of rights with respect to your personal data. These rights are not bureaucratic formalities — we genuinely support you in exercising them. A summary of each right is below.

Right of Access

Confirm whether we hold data about you and receive a copy of it in a clear, portable format.

Right to Correction

Request that inaccurate, incomplete or outdated information about you be corrected without delay.

Right to Deletion

Ask us to erase personal data we hold about you, subject to our legal retention obligations.

Right to Object

Object to processing based on legitimate interests — including direct marketing — at any time.

Right to Restriction

Request that we suspend processing while you contest accuracy or our legal basis for processing.

Right to Portability

Receive your data in a structured, machine-readable format to transfer to another provider.

Right to Withdraw Consent

Revoke any consent you have given at any time. Withdrawal does not affect the lawfulness of prior processing.

Right to Lodge a Complaint

File a complaint with Brazil's ANPD (gov.br/anpd) or the supervisory authority in your country of residence.

How to Exercise Your Rights

To submit a data rights request, contact our Data Protection Officer at contato@coretiexpert.online, clearly stating your name, the right you wish to exercise, and — to help us locate your records — the email address or phone number you used when contacting us previously. We will acknowledge your request within 5 business days and fulfil it within 15 calendar days (extendable by a further 15 days for complex requests, with advance notice to you). We will not charge a fee for legitimate rights requests.

To verify your identity before releasing or deleting data, we may ask you to confirm details that only you would know. This step protects your data from unauthorized access by third parties claiming to act on your behalf.

Children's Privacy

Our website and services are directed exclusively at businesses and professionals. We do not knowingly collect, solicit, or process personal data from individuals under the age of 18. Our contact forms and advertising campaigns are not targeted at minors, and our service offerings have no consumer or educational component that would attract underage users.

If you are a parent or guardian and believe that a minor has inadvertently submitted personal data through our website, please contact us immediately at contato@coretiexpert.online. Upon verification, we will delete the relevant data without delay and without requiring the minor to exercise a formal rights request.

Under Article 14 of the LGPD, the processing of children's personal data requires parental or guardian consent. As we do not intend to serve minors, any such data that reaches us is processed solely for the purpose of deleting it and is not used for any other purpose.

Changes to This Policy

Privacy law, technology, and our own services evolve over time. We review this policy at least annually and whenever a material change to our data processing activities occurs. When we make substantive updates — changes that affect how we use your data or your rights — we will:

  • Update the "Last updated" date at the top of this page immediately.
  • Display a prominent notice on our website homepage for at least 30 days following the update.
  • Send a direct email notification to individuals in our active marketing list whose data is meaningfully affected by the change.

Minor edits — such as correcting typographical errors, clarifying existing language without changing its substance, or updating contact details — will be reflected in the policy without a specific notification, though the "Last updated" date will still be revised.

Your continued use of our website and services after a material change has been communicated constitutes acknowledgment of the updated policy. If you do not agree with a change, you are entitled to withdraw any consent and request deletion of your data before the change takes effect, by contacting us at the address in Section 11.

We maintain an archive of previous versions of this policy. If you require a copy of the version that was in effect during a specific period, please make a written request to our Data Protection Officer.

Contact & Data Protection Officer

For any questions about this Privacy Policy, to exercise your data rights, to report a suspected security incident, or to submit a data processing objection, please reach out to us through the details below. We take every enquiry seriously and will respond promptly.

If you are not satisfied with our response, you have the right to escalate your concern to Brazil's National Data Protection Authority at gov.br/anpd, or — for individuals located within the European Economic Area — to the data protection supervisory authority of your EU member state.