
Privacy Policy

Version 1.0 · Effective since April 20, 2026

1. Introduction

This Privacy Policy describes how Softaliza Tecnologias LTDA, a private legal entity registered under CNPJ no. 34.394.467/0001-85, headquartered at Av. Roraima, 1000 – Prédio 02 – ITSM – Sala 18, Santa Maria/RS, ZIP 97105-900 (“Assocializa”, “we”), collects, uses, stores and shares personal data of the users and members who use the Assocializa platform (the “Platform”).

This Policy is prepared in accordance with Brazilian Law no. 13.709/2018 (the “General Personal Data Protection Law” or “LGPD”) and applies to any natural person who accesses, registers on or uses the Platform.

The Platform is intended exclusively for individuals aged 18 or over. We do not knowingly collect data from minors; if we identify that a minor has registered, the account will be blocked and the data deleted, in accordance with Article 14 of the LGPD.

2. Who is the Data Controller

The controller is the natural or legal person responsible for decisions regarding the processing of personal data. For the purposes of this Policy, the controller is:

  • Company name: Softaliza Tecnologias LTDA
  • CNPJ: 34.394.467/0001-85
  • Address: Av. Roraima, 1000 – Prédio 02 – ITSM – Sala 18, Santa Maria/RS, ZIP 97105-900
  • Contact: contato@softaliza.com.br · Tel. (55) 99213-3632

Associations that use the Platform to manage their membership rosters are generally independent controllers of their own members’ data, while Assocializa acts as a processor when handling such data on behalf of the association. Details about controller/processor roles are set out in the agreement signed with each association.

3. Data Protection Officer (DPO)

In compliance with Article 41 of the LGPD, Softaliza Tecnologias LTDA has appointed a Data Protection Officer (DPO), responsible for receiving complaints, providing clarifications and interacting with the Brazilian National Data Protection Authority (ANPD):

To exercise any of the rights set out in Article 18 of the LGPD, please use the channel at /lgpd/solicitacao.

4. What Personal Data We Collect

We collect the following categories of data:

4.1. Registration data provided by you

  • Full name
  • Email address
  • Phone number (with country code)
  • Date of birth
  • Nationality and, where applicable, identification document: CPF, CNPJ or passport
  • Full address (ZIP, street, number, complement, neighborhood, city, state and country)
  • Profile picture (optional)
  • Scanned documents required by the association (e.g. proof of address, ID, professional card)
  • Custom fields requested by the association you are affiliated with

4.2. Payment data

  • Credit card data (number, name, expiration, CVV) are tokenized directly by the payment gateways (Pagar.me and Stripe) and are never stored on our servers in readable form.
  • We store only gateway identifiers (card token, brand, last four digits and expiration month/year) to display to the cardholder and to process recurring charges.
  • Transaction data (amount, date, status, method — PIX, boleto, card) are kept for tax and accounting purposes.

4.3. Data collected automatically

  • IP address
  • Browser type and version; operating system
  • Pages accessed, date/time and session duration
  • Cookies and similar technologies (see specific section below)

4.4. Sensitive data

In general, the Platform does not request sensitive personal data (racial or ethnic origin, religious belief, political opinion, health or sex-life data, genetic or biometric data). However, associations may — through their custom fields — request information that falls under this category. In such cases, collection and use follow Article 11 of the LGPD and depend on specific, highlighted consent or another applicable legal basis.

5. Purposes of Processing

We use your data for the following purposes:

  • Create and authenticate your account, manage your affiliation with associations and enable you to use the Platform’s features;
  • Process payments for monthly fees, annual dues and contributions;
  • Issue receipts, vouchers and tax documents when required;
  • Send transactional communications (registration confirmation, password recovery, payment confirmation, support replies);
  • Send marketing communications about news and opportunities, only upon explicit opt-in;
  • Comply with legal, regulatory and contractual obligations (e.g. tax record retention, responding to requests from ANPD or the Judiciary);
  • Ensure the security of the Platform, prevent fraud, abuse and unauthorized access;
  • Improve the Platform through aggregated analytics.

6. Legal Bases for Processing

Each processing activity we carry out is based on at least one of the legal bases in Article 7 (or Article 11, for sensitive data) of the LGPD:

  • Performance of a contract — to create and maintain your account, enable your membership and process payments (art. 7, V).
  • Compliance with a legal or regulatory obligation — to keep tax records of transactions and respond to judicial orders and authorities (art. 7, II).
  • Legitimate interest — for fraud prevention, Platform security, audit logs and service-related communications (art. 7, IX), always with a prior balancing assessment.
  • Consent — for sending marketing communications, use of non-essential cookies and any processing of sensitive data, always given freely, in an informed, specific and revocable manner (arts. 7, I and 11, I).

7. Data Sharing

We share personal data only with the following categories of third parties, who act as processors:

  • Supabase (database and file storage) — infrastructure provider hosting the Platform’s data;
  • Vercel — hosting provider for the web application;
  • Pagar.me and Stripe — payment gateways responsible for processing and tokenizing card data;
  • SendGrid (Twilio) — provider of transactional email delivery and notifications;
  • Associations you are affiliated with — receive the data required to manage your membership; each association is an independent controller of its members’ data;
  • Competent authorities — when required by law, by a judicial order or by a regular request from an administrative authority.

We do not sell personal data. We do not share data with third parties for third-party behavioral advertising purposes.

8. International Transfers

Some of the processors listed above may store or process data outside Brazil (for example, in the United States and the European Union). In such cases, the transfer is carried out under the scenarios of Article 33 of the LGPD, with standard contractual clauses and the adoption of appropriate technical and organizational measures.

9. Data Retention

We retain data for the following periods:

  • Registration and membership data: while your account remains active and for up to 6 months after your voluntary termination, for operational purposes and possible reactivation.
  • Payment and transaction data: for up to 5 years, as required by tax and accounting rules (Law 10.406/2002, art. 206, §5, I and related tax regulations).
  • Access and audit logs: for up to 6 months, in compliance with the Brazilian Internet Framework (Law 12.965/2014, art. 15).
  • LGPD requests and consents: for 5 years after the end of the relationship, for compliance evidence.
  • Documents uploaded by the member: for up to 90 days after the expiration date indicated by the association, after which the file is deleted and only audit metadata are preserved.

Once these periods have elapsed, the data are deleted or anonymized, as applicable.

10. Your Rights (Art. 18 of the LGPD)

As a data subject, you have the right to:

  • Confirm the existence of processing of your data;
  • Access your data (including obtaining a copy in a structured format);
  • Correct incomplete, inaccurate or outdated data;
  • Request anonymization, blocking or deletion of unnecessary or excessive data, or of data processed in breach of the LGPD;
  • Portability of your data to another service provider;
  • Deletion of data processed based on consent (subject to legal retention obligations);
  • Obtain information on public and private entities with which we share data;
  • Withdraw consent at any time;
  • File a petition before the ANPD regarding your data.

You can exercise these rights at /lgpd/solicitacao, or by writing to the DPO at contato@softaliza.com.br. We will respond within 15 days, with the possibility of extension for justified reasons.

11. Information Security

We adopt technical and administrative measures compatible with the state of the art, including:

  • Encryption in transit (TLS) for all traffic;
  • Role-based access control (RBAC) and Row Level Security at the database level;
  • Secure authentication, with passwords stored as hashes;
  • Tokenization of card data at the payment gateways;
  • Monitoring, auditing and centralized logging of sensitive operations;
  • Automated backups and an incident response plan, with notification of the ANPD and of data subjects in the cases of Article 48 of the LGPD.

12. Cookies

We use three categories of cookies:

  • Necessary: essential for the Platform to work (session, authentication, basic preferences). They do not depend on consent.
  • Analytics: help us understand usage and improve the experience (aggregated measurement). Only with your consent.
  • Marketing: personalize communications and advertisements. Only with your consent.

You can review and withdraw your choices at any time on the page /perfil/consentimentos (if you are signed in) or by clearing cookies in your browser.

13. Changes to this Policy

We may update this Policy from time to time. Whenever there are material changes, we will notify you through the registered email address and request renewed acceptance when necessary. The version history is available upon request to the DPO.

14. Contact

If you have any questions about this Policy or about the processing of your data, please contact the DPO:

  • Email: contato@softaliza.com.br
  • Phone: (55) 99213-3632
  • Postal address: Av. Roraima, 1000 – Prédio 02 – ITSM – Sala 18, Santa Maria/RS, ZIP 97105-900