Privacy Policy

Helder André, operating under the legal entity Agência Criativar Comunicação LTDA, CNPJ 52.984.921/0001-30, headquartered in Jacareí–SP, Brazil. Data Protection Officer (DPO): helder@helderandre.com.

We collect three categories of data:

• (a) Website visitor data

  Session cookies, anonymous navigation data, truncated IP address, and form data (name, email, phone, company, message) when you voluntarily contact us.

• (b) Lead data via Meta APIs

  When a client contracts Lead Ads integration services, we receive lead data generated by the client's campaigns via the Meta Marketing API webhook. Fields vary per form but typically include: full name, email, phone, and custom fields configured by the advertiser (job title, company, interest, etc.).

• (c) Client data (contracting parties)

  For contracted clients: legal name, CNPJ, billing data, and contact data of the client's technical lead.

(a) Site data: to respond to your contact and provide the services requested. (b) Meta lead data: to forward the lead to the CRM or destination specified by the contracting client, and to maintain delivery audit logs. I act as processor of this data (LGPD Art. 5º, VII) — the controller is the contracting client (the Facebook/Instagram advertiser). (c) Client data: billing, contractual communication, and compliance with tax obligations.

We process data under the legal bases set out in LGPD: data subject consent (contact form), contract execution (clients and forwarded leads), and legitimate interest (aggregated analytics, anti-fraud audit). For users under GDPR, we apply the same bases under Article 6 of the European regulation.

Meta lead data is buffered for the minimum time required for successful CRM delivery, with a maximum of 7 calendar days. After confirmed delivery, the payload is deleted. I retain an audit log for 12 months with a hashed identifier (no personal data in clear) for incident investigation. Website form data is retained for 24 months or until deletion is requested. Client data is retained while the contract is active and for 5 years after termination, for tax compliance.

We share data strictly with processors necessary to operate the services:

• Vercel Inc. (USA) — site and API hosting (under standard Vercel DPA + SCC clauses).
• Supabase / Neon (USA / EU) — Postgres database for lead buffering and audit log.
• Meta Platforms, Inc. (USA) — receipt of Lead Ads webhooks. We do not send personal data to Meta; we only receive.
• Contracting client CRMs — RD Station, HubSpot, Pipedrive, Bitrix24, Salesforce, or another endpoint specified. The client becomes the data controller from the moment of delivery.

We do not sell personal data to third parties under any circumstances.

Under LGPD (Art. 18) and GDPR (Arts. 15–22), you have the right to:

• Confirm the existence of processing of your data.
• Access the data we hold about you.
• Correct incomplete, inaccurate, or outdated data.
• Request anonymization, blocking, or deletion of unnecessary or non-compliant data.
• Request data portability to another service provider.
• Revoke consent at any time.

To exercise any right, write to helder@helderandre.com or use the form at /en/data-deletion. We respond within 15 business days.

We adopt reasonable technical and administrative measures to protect data: encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control (least privilege), immutable operation logs, and continuous integrity monitoring. In the event of a security incident with risk to data subjects, we notify the ANPD and affected subjects within 72 hours, as required by LGPD.

We use only strictly necessary cookies (session, language preference) and aggregated analytics cookies (Vercel Analytics) that do not individually identify the user. We do not use third-party remarketing tracking pixels on this site.

Our services are intended for businesses and professionals. We do not intentionally collect data from children or adolescents under 18. If we identify such collection, we will delete the data immediately.

We may update this policy to reflect legal, operational, or product changes. The last update date appears at the top of the document. Material changes will be communicated by email to contracting clients and by a banner on the site.

This policy is governed by the laws of the Federative Republic of Brazil, in particular the Brazilian General Data Protection Law (Law 13,709/2018). The jurisdiction of Jacareí, SP, is elected to resolve any disputes, except where otherwise required by law.