PRIVACY POLICY
PRIVACY POLICY
Hashdata values privacy and the protection of personal data and acts in compliance with applicable legislation, in particular Law No. 13,709/2018 (Brazilian General Data Protection Law – LGPD). This Privacy Policy describes how personal data is processed in the context of Hashdata’s websites, applications, and services, as well as the rights of data subjects.
This Policy should be interpreted together with the applicable contracts, including the Data Processing Agreement (DPA), reflecting Hashdata’s business model, which predominantly operates as a Personal Data Processor in a B2B SaaS environment.
1. Who We Are
Hashdata is a technology company that provides a data collection, analysis, and management platform under the Software as a Service (SaaS) model, accessible through the website www.hashdata.app and related applications.
For the purposes of data protection legislation:
-
Hashdata acts as a Processor when it processes personal data on behalf of its corporate clients, who act as Controllers and define the purposes and means of processing.
-
Hashdata acts as a Controller only in specific and limited situations, such as the processing of personal data related to visitors to its institutional websites, business contacts, suppliers, partners, and its own administrative or contractual relationships.
2. Scope of This Policy
This Privacy Policy applies to personal data processed by Hashdata in the following contexts:
-
access to and navigation on its institutional websites;
-
commercial, contractual, and administrative interactions with Hashdata; and
-
operation of the Hashdata platform, exclusively in cases where Hashdata acts as a Controller.
When Hashdata processes personal data on behalf of its clients, in its capacity as a Processor, such processing is governed by the contracts entered into with the client, including the DPA. In these cases, the client Controller is responsible for defining the purposes, legal bases, and other aspects of the processing.
3. Personal Data Processed
3.1 Personal data processed as Controller
When acting as a Controller, Hashdata may process the following categories of personal data:
-
identification and contact data, such as name, corporate email address, and professional information;
-
account, access, and authentication data related to the use of Hashdata websites and services;
-
technical and browsing data, such as IP address, browser and device type, date and time of access, as well as security records and access logs.
3.2 Personal data processed as Processor
Personal data entered, uploaded, or processed on the Hashdata platform by clients or users authorized by them are processed exclusively on behalf of and under the responsibility of the respective client, who acts as the Controller.
Hashdata does not define the content, nature, purposes, or legal bases of such data and limits its processing to documented instructions from the Controller and the applicable contractual terms.
4. Purposes of Processing
When acting as a Controller, Hashdata processes personal data for the following purposes:
-
enabling access to and use of its websites and services;
-
managing commercial, contractual, and administrative relationships;
-
ensuring security, integrity, monitoring, and fraud prevention;
-
complying with legal and regulatory obligations.
When acting as a Processor, Hashdata processes personal data exclusively for the provision of the contracted services, including data storage, organization, processing, and visualization, always in accordance with the Controller’s instructions.
Hashdata does not use personal data processed on the platform for its own purposes, such as internal analytics, benchmarking between clients, marketing, advertising, training of artificial intelligence models, monetization, or any use unrelated to the contract and the Controller’s instructions.
5. Legal Bases for Processing
Personal data processing is carried out based on the legal bases provided for in the LGPD, which may include:
-
performance of a contract or preliminary procedures related to a contract;
-
compliance with a legal or regulatory obligation;
-
legitimate interest, where applicable and assessed in a proportional manner;
-
consent, only when required by law.
For data processed on behalf of clients, the definition of the applicable legal basis is the exclusive responsibility of the Controller.
6. Data Sharing and Subprocessors
Hashdata does not sell personal data.
Personal data may be shared only:
-
with suppliers and technology partners strictly necessary for the provision of services, such as cloud infrastructure providers;
-
when required by law, court order, or competent authority.
All third parties and subprocessors are subject to contractual obligations regarding confidentiality, information security, and personal data protection.
7. International Data Transfers
Personal data may be transferred to and processed in other countries, including the United States, for hosting, processing, backup, and operational contingency purposes.
International transfers are carried out in compliance with the LGPD, through the adoption of appropriate safeguards, including contractual clauses, technical and administrative security measures, and governance mechanisms compatible with the level of risk.
8. Information Security
Hashdata adopts reasonable and proportionate technical and administrative security measures, considering the risks, the nature of the data processed, and the size of the organization, including, among others:
-
encryption of data in transit and at rest, where applicable;
-
role- and permission-based access control;
-
authentication mechanisms;
-
logging and monitoring of access and relevant operations;
-
use of reliable infrastructure providers and information security best practices.
Although no system is completely secure, Hashdata makes continuous efforts to prevent, detect, and mitigate risks.
9. Data Retention and Deletion
Personal data is retained only for as long as necessary to fulfill the stated purposes, perform contracts, or comply with legal and regulatory obligations.
After the applicable retention period, data is securely deleted or anonymized. There may be residual technical retention in backup and contingency systems for a limited period, during which the data remains inaccessible for operational use and protected by security controls.
10. Data Subject Rights
Under the LGPD, data subjects have rights, including confirmation of the existence of processing, access, correction, anonymization, blocking or deletion, portability (where applicable), and withdrawal of consent.
When Hashdata acts as a Controller, requests may be submitted through the channels indicated in this Policy.
When Hashdata acts as a Processor, requests must be directed to the respective client Controller, who is responsible for responding to data subjects.
11. Security Incidents
In the event of a security incident involving personal data, Hashdata will adopt appropriate containment, mitigation, and response measures.
When acting as a Processor, Hashdata will notify the Controller within a reasonable timeframe, considering the nature, severity, and complexity of the incident, in accordance with applicable legislation, including Article 48 of the LGPD. The assessment and any communication to the National Data Protection Authority and data subjects are the responsibility of the Controller.
12. Data Protection Officer (DPO) and Contact
For questions about this Policy or to exercise applicable rights when Hashdata acts as a Controller, data subjects may contact:
Email: LGPD@hashdata.app
Company: Hashdata
13. Updates to This Policy
This Privacy Policy may be updated at any time to reflect legal, regulatory, technological, or operational changes. The most recent version will always be available on the Hashdata website, indicating the date of the latest update.