Privacy Policy — Tá Seguro
Last updated: April 11, 2026
In case of divergence of interpretation between the versions of this Policy in different languages, the Portuguese version prevails for all legal purposes. This English version is provided as a courtesy translation to facilitate review by international API service reviewers (Google API Services, Meta Platform Terms).
1. Controller Identification
1.1. The controller of personal data processed through the Tá Seguro platform is PAULO EDUARDO MENDES CANDIDO 94470634115, a legal entity registered with CNPJ (Brazilian National Registry of Legal Entities) No. 47.661.973/0001-35, with registered office at Avenida das Araucárias, 4155, Bloco C, Sala 1507, Sul (Águas Claras), Brasília-DF, CEP 71.936-250, Brazil ("Controller").
1.2. Data Protection Officer (DPO): Paulo Eduardo Mendes Cândido — Email: privacidade@taseguro.app.
2. Scope and Application
2.1. This Privacy Policy applies to all personal data collected, processed and stored by the Tá Seguro platform, available at https://taseguro.app and in derivative mobile applications.
2.2. By using the Platform, the User declares having read and understood this Policy, pursuant to the Brazilian General Data Protection Law (Law No. 13,709/2018 — "LGPD").
3. Data Collection Inventory
3.1. Registration Data
| Data | Purpose | Legal Basis (LGPD Art. 7) |
|---|---|---|
| Email address | Account creation, login, transactional communications | Contract performance (Art. 7, V) |
| Password (bcrypt hash) | User authentication | Contract performance (Art. 7, V) |
| Display name | Interface personalization | Contract performance (Art. 7, V) |
| Content niche (e.g., motherhood/family) | Analysis contextualization and onboarding | Contract performance (Art. 7, V) |
3.2. OAuth Authentication Data (external integrations — Pro plan exclusive)
3.2.1. Instagram
| Data | Purpose | Legal Basis |
|---|---|---|
| Instagram user ID | Identification of the connected account | Consent (Art. 7, I) |
| Access token (encrypted with AES-256-GCM) | Access to the Instagram API to list published posts | Consent (Art. 7, I) |
| Token expiration date | Authorization validity control | Consent (Art. 7, I) |
3.2.2. YouTube (Google)
| Data | Purpose | Legal Basis |
|---|---|---|
| Connected YouTube channel ID | Identification of the authorized channel for analysis | Consent (Art. 7, I) |
| Google OAuth access token (encrypted with AES-256-GCM) | Access to YouTube Data API v3 with youtube.force-ssl scope — used exclusively for read operations on the User's own videos (see Section 16 for scope usage details) | Consent (Art. 7, I) |
| Google OAuth refresh token (encrypted with AES-256-GCM) | Automatic renewal of the access token (Google access tokens expire every 1 hour) | Consent (Art. 7, I) |
| Access token expiration date | Authorization validity control and triggering of automatic renewal | Consent (Art. 7, I) |
| Initial connection date | Information displayed in the User's interface | Consent (Art. 7, I) |
Data extracted from YouTube videos (in transit during analysis, not stored after processing): video title, public description, tags, thumbnail and official captions (manual or auto-generated) — all strictly obtained from the User's own authorized channel. The Platform does not access third-party channels, does not publish, modify or delete any content, and does not collect data from the User's viewers.
The User may revoke YouTube access at any time:
- Within the Platform: Settings → Disconnect YouTube, OR
- Directly with Google: myaccount.google.com/permissions → locate "Tá Seguro" → Remove access.
3.3. Payment Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Stripe customer ID | Link between account and subscription | Contract performance (Art. 7, V) |
| Stripe subscription ID | Billing cycle management | Contract performance (Art. 7, V) |
Note: sensitive financial data (credit card number, CVV, banking details) is collected and processed exclusively by Stripe, Inc. and never transits through Tá Seguro's servers. The Platform stores only reference identifiers provided by Stripe.
3.4. Usage Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Analysis history (content type, result, date) | Service delivery, User history | Contract performance (Art. 7, V) |
| Analysis report (overall result, criteria, suggestions) | Core product functionality | Contract performance (Art. 7, V) |
| Content label (file name or initial text snippet) | Content identification in history | Contract performance (Art. 7, V) |
| Analysis count per cycle | Plan quota control | Contract performance (Art. 7, V) |
3.5. Technical Data
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address | Security, fraud prevention, access logs (Brazilian Civil Framework for the Internet, Art. 15) | Legal obligation compliance (Art. 7, II) |
| Browser User-Agent | Compatibility and error diagnostics | Legitimate interest (Art. 7, IX) |
| Access date and time | Application access logs (Brazilian Civil Framework for the Internet, Art. 15) | Legal obligation compliance (Art. 7, II) |
4. Data NOT Collected
4.1. User content files (video, image, text) are processed exclusively in volatile memory and immediately discarded after the analysis report is generated. No original file is stored on disk, database or cloud storage service.
4.2. The Platform does not collect data from minors. The service is intended exclusively for adult content creators (over 18 years old). The Platform analyzes content that may involve images or references to children and adolescents, but does not collect, store or process personal data of minors.
5. Sharing with Third Parties
5.1. The Controller shares personal data with the following third parties, strictly to the extent necessary for service provision:
| Third Party | Country | Shared Data | Purpose |
|---|---|---|---|
| Supabase, Inc. | United States | All registration, usage and technical data | Database and authentication infrastructure |
| Vercel, Inc. | United States | Technical data (IP, User-Agent, access logs) | Application hosting |
| Stripe, Inc. | United States | Email, payment data (collected directly by Stripe) | Payment processing |
| Anthropic, PBC | United States | Content text or transcription (in transit, not stored) | Educational AI-driven content analysis |
| OpenAI, Inc. | United States | Video audio (in transit, not stored) | Video transcription |
| Meta Platforms, Inc. | United States | OAuth token, Instagram ID (Pro plan only) | Access to the User's published posts |
| Google LLC | United States | Google OAuth token, YouTube channel ID, public metadata and captions of videos from the User's own channel (Pro plan only) | OAuth authentication and access to YouTube Data API v3 (youtube.force-ssl scope) for analysis of videos published by the User. Although this scope grants broad permissions at the OAuth protocol level, Platform usage is strictly limited to read operations, as described in Section 16. |
| Resend, Inc. | United States | User's email, display name | Sending transactional emails |
5.2. Each third party listed above has its own privacy policy. The Controller has selected providers that offer adequate data protection guarantees pursuant to Art. 46 of the LGPD.
5.3. The Controller does not sell, rent or commercialize Users' personal data to third parties for advertising or marketing purposes.
6. International Data Transfer
6.1. The infrastructure services used by the Platform (Supabase, Vercel, Stripe, Anthropic, OpenAI, Meta, Google, Resend) process data on servers located in the United States of America.
6.2. International data transfer is carried out based on Art. 33, item IX, of the LGPD, being necessary for contract performance or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject.
6.3. The Controller adopts technical and organizational measures to ensure an adequate level of protection for transferred data, including encryption in transit (TLS/HTTPS) and selection of providers with recognized security certifications.
7. Protection of Children's and Adolescents' Data
7.1. The Platform is not directed to minors under 18 years of age and does not intentionally collect personal data from children or adolescents, pursuant to Art. 14 of the LGPD.
7.2. The Platform analyzes content from adult creators that may contain references, images or representations of children and adolescents. This analysis has an exclusively educational and guiding purpose, identifying possible points of attention in light of child protection legislation (ECA Digital — Brazilian Law No. 15,211/2025), and files are discarded after processing.
7.3. If the Controller identifies that personal data of a minor under 18 has been inadvertently collected, such data will be immediately deleted.
8. Data Subject Rights (LGPD, Art. 18)
8.1. The User, as a personal data subject, may exercise the following rights at any time by submitting a request to the Data Protection Officer (DPO):
8.1.1. Confirmation of existence of processing of their personal data.
8.1.2. Access to the personal data processed by the Controller.
8.1.3. Correction of incomplete, inaccurate or outdated data.
8.1.4. Anonymization, blocking or deletion of unnecessary or excessive data, or of data processed in non-compliance with the LGPD.
8.1.5. Portability of data to another service or product provider, in an interoperable format, respecting trade and industrial secrets.
8.1.6. Deletion of personal data processed based on consent, except in the retention scenarios provided in Art. 16 of the LGPD.
8.1.7. Information about public and private entities with which the Controller has shared data.
8.1.8. Information about the possibility of not providing consent and about the consequences of denial.
8.1.9. Consent revocation at any time, through express statement, pursuant to Art. 8, §5, of the LGPD.
8.1.10. Objection to processing carried out based on a consent waiver hypothesis, when irregularity is verified.
8.1.11. Petition to the Brazilian National Data Protection Authority (ANPD), pursuant to Art. 18, §1, of the LGPD.
8.2. Requests must be sent to the DPO email indicated in clause 1.2 and will be answered within up to 15 (fifteen) business days, as regulated by the ANPD.
8.3. The Controller may request additional information to verify the requester's identity in order to prevent fraud.
9. Retention Periods
| Data Type | Retention Period | Justification |
|---|---|---|
| Registration data (profile) | While the account is active, or until deletion request | Contract performance |
| Analysis history — Criador Plan | 30 (thirty) calendar days | Product rule; automatic deletion via scheduled job |
| Analysis history — Pro Plan | 12 (twelve) months | Product rule; automatic deletion via scheduled job |
| Payment data (Stripe IDs) | While subscription is active + 5 years after termination | Legal obligation compliance (Brazilian National Tax Code, Art. 173) |
| Access logs (IP, date/time) | 6 (six) months | Legal obligation compliance (Brazilian Civil Framework for the Internet, Art. 15) |
| Instagram OAuth token | While Pro plan is active; revoked upon downgrade or cancellation | User consent |
| Terms and Privacy Policy acceptance records | 5 (five) years counted from each acceptance event | Legal obligation compliance and regular exercise of rights in proceedings (LGPD, Art. 16, I and II); prescription of indemnification claims (Brazilian Civil Code, Art. 206, §3, V); tax retention (Brazilian National Tax Code, Art. 173) |
9.1. After each retention period ends, data is automatically deleted by a scheduled routine (pg_cron) or upon User request.
9.2. Account deletion by the User will result in the removal of all personal data, except for data whose retention is legally required.
9.3. Acceptance records of the Terms of Use and this Privacy Policy contain the hash (SHA-256) of the IP address, the browser identifier (user-agent), the date and time of acceptance, the version of the accepted documents and the acceptance context (registration or payment), in addition to an immutable record of the User's email and name at the time of acceptance. These records are preserved for 5 (five) years regardless of account deletion, based on the LGPD (Art. 16, I and II), to enable the regular exercise of rights in eventual judicial or administrative proceedings. After this period, they are automatically deleted by the system.
10. Data Security
10.1. The Controller adopts the following technical and administrative measures to protect personal data (LGPD, Art. 46):
10.1.1. Encryption in transit: all communication between the User and the Platform is carried out via HTTPS/TLS.
10.1.2. Encryption at rest: Instagram OAuth tokens are encrypted with AES-256-GCM before storage. Passwords are stored as hashes (bcrypt), never in plain text.
10.1.3. Row Level Security (RLS): the database uses Row Level Security to ensure that each User accesses only their own data.
10.1.4. Rate limiting: protection against brute force attacks and abuse on authentication and API routes.
10.1.5. Security headers: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options are applied on all routes.
10.1.6. HttpOnly cookies: session tokens are stored in HttpOnly cookies, inaccessible via JavaScript, protecting against XSS attacks.
10.1.7. Input validation: all User inputs are validated and sanitized with Zod before processing.
10.1.8. Webhook authentication: Stripe webhooks are verified by HMAC signature to prevent fake event injection.
10.1.9. In-memory processing: content files are processed in volatile memory and immediately discarded after analysis, without disk writing or persistent storage.
11. Cookies and Tracking Technologies
11.1. The Platform exclusively uses essential cookies (strictly necessary) for service operation:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Supabase session cookie (HttpOnly) | Essential | Maintenance of the User's authenticated session | Session (JWT 1h + refresh token 30 days) |
11.2. The Platform does not use analytics cookies, marketing cookies, tracking pixels, fingerprinting or any tracking technology for advertising purposes.
11.3. Since only strictly necessary cookies are used, specific cookie consent is not required, pursuant to ANPD guidelines.
12. Security Incident
12.1. In the event of a security incident that may cause relevant risk or damage to data subjects, the Controller will notify the Brazilian National Data Protection Authority (ANPD) and affected subjects within a reasonable time frame, pursuant to Art. 48 of the LGPD. The notification will contain:
12.1.1. Description of the nature of the affected personal data.
12.1.2. Information about the affected subjects.
12.1.3. Indication of the technical and security measures used to protect the data.
12.1.4. Risks related to the incident.
12.1.5. Measures that were or will be adopted to reverse or mitigate the effects of the damage.
13. Changes to this Policy
13.1. The Controller may update this Policy at any time. Changes will be communicated to the User with a minimum notice of 15 (fifteen) days by email, indicating the modified sections.
13.2. The updated version will be published at https://taseguro.app/privacidade with the new "Last updated" date.
13.3. Continued use of the Platform after the 15-day period will be considered acceptance of the updated Policy.
14. Data Protection Officer (DPO) Contact
14.1. To exercise the rights provided in clause 8, make inquiries about data processing or register complaints, the User may contact the Data Protection Officer (DPO):
- Name: Paulo Eduardo Mendes Cândido
- Email: privacidade@taseguro.app
- Address: Avenida das Araucárias, 4155, Bloco C, Sala 1507, Sul (Águas Claras), Brasília-DF, CEP 71.936-250, Brazil
14.2. If dissatisfied with the Controller's response, the subject may submit a petition to the Brazilian National Data Protection Authority (ANPD) — www.gov.br/anpd.
15. Applicable Law and Jurisdiction
15.1. This Policy is governed by Brazilian law, in particular by the LGPD (Law No. 13,709/2018), the Brazilian Civil Framework for the Internet (Law No. 12,965/2014) and the Brazilian Consumer Protection Code (Law No. 8,078/1990).
15.2. The jurisdiction of the consumer User's domicile is elected as competent to settle any disputes, pursuant to Art. 101, item I, of the Brazilian Consumer Protection Code.
16. Google API Services — Limited Use Compliance
This section describes the specific use of data obtained through Google APIs (specifically the YouTube Data API v3) by the Tá Seguro Platform, in compliance with the Google API Services User Data Policy and with the Limited Use requirements.
16.1. Adherence to Limited Use Requirements. The use of Google user data by the Tá Seguro Platform adheres to the Google API Services User Data Policy, including the Limited Use requirements.
16.2. Data accessed. The Platform accesses, through the https://www.googleapis.com/auth/youtube.force-ssl scope, only the following data from the YouTube channel authorized by the User themselves:
- List of videos published on the User's channel (ID, title, description, tags, duration, publication date, public thumbnails, view count).
- Official captions (manual or auto-generated) of videos from the User's own channel.
- Identifier of the connected YouTube channel (for linking to the Tá Seguro account).
16.3. Data usage. The accessed data is used exclusively to:
- Generate the compliance analysis report of content published by the User in light of Brazilian Law No. 15,211/2025 (ECA Digital) and Decree No. 12,880/2026.
- Display a visual grid of the User's videos in the Platform interface for selection of content to analyze.
16.4. What the Platform does NOT do with YouTube data:
- Does not display advertisements based on YouTube data or use it for any advertising purpose.
- Does not transfer YouTube data to third parties, except: (a) to AI providers strictly necessary to execute the analysis (Anthropic/Claude API, with a non-training policy on customer data via API), and (b) in compliance with a court order or request from a competent authority.
- Does not use YouTube data to determine credit, for lending purposes or for any financial purpose.
- Does not allow human reading of YouTube data, except: (a) with explicit and affirmative User consent; (b) for security purposes (for example, abuse investigation); (c) to comply with applicable law; or (d) when the data is aggregated and used for anonymized internal operations in compliance with applicable privacy laws.
- Does not publish, modify, comment on, rate or delete any video, playlist, comment or content on the User's channel. Although the youtube.force-ssl scope grants broad write permissions at the OAuth protocol level, the Platform's source code implements exclusively read operations on the YouTube Data API v3. No call that modifies, creates, or removes content is implemented anywhere in the codebase. This broader scope is used due to a technical limitation of the YouTube Data API v3, which does not offer a granular read-only scope for the captions.list and captions.download endpoints — essential for analyzing the video's caption content.
- Does not access third-party YouTube channels — only the own channel connected by the authenticated User.
16.5. Storage and retention. The Google OAuth tokens (access and refresh) are stored in encrypted form (AES-256-GCM) in an internal-use database, used exclusively to execute analyses requested by the User and immediately removed upon disconnection of the YouTube account or deletion of the Tá Seguro account. The metadata extracted from videos (title, description, tags, captions, thumbnail) is processed in transit during report generation and is not stored after analysis — only the final report (evaluation by ECA Digital criterion, Portuguese text) is persisted, and this report does not contain a full copy of the original video data.
16.6. Access revocation. The User may revoke the Tá Seguro Platform's access to their YouTube data at any time, through two independent paths:
- Within the Platform: Settings → YouTube section → "Disconnect YouTube" button. The Platform immediately removes all YouTube fields from the profile (tokens, channel ID, dates).
- Directly with Google: myaccount.google.com/permissions → locate "Tá Seguro" → Remove access.
16.7. Reference documentation. The use of Google data by the Platform is also subject to:
16.8. Contact for specific questions about Google data usage. Use the DPO email indicated in section 14 (privacidade@taseguro.app), identifying in the subject line "Google API / YouTube".
17. Meta Platform Terms — Instagram Graph API Compliance
This section describes the specific use of data obtained through Meta Platforms, Inc. APIs (specifically the Instagram Graph API) by the Tá Seguro Platform, in compliance with the Meta Platform Terms and the Meta Developer Policies, including the Limited Platform Use policies.
17.1. Adherence to Meta Platform Terms. The use of Meta user data by the Tá Seguro Platform adheres to the Meta Platform Terms, Meta Developer Policies, Instagram Platform Policy and the Limited Platform Use policy.
17.2. Data accessed. The Platform accesses, through the instagram_business_basic scope of the Instagram Graph API (authorized by the User themselves via OAuth), only the following data from the Instagram account authorized by the User themselves:
- Instagram user identifier (for linking to the Tá Seguro account).
- Public username of the connected Instagram account.
- List of posts published on the User's own feed (last 100 most recent), containing: post identifier, media type (IMAGE / VIDEO / CAROUSEL_ALBUM), thumbnail and media URLs hosted on Meta's official CDNs, caption, publication date/time ("timestamp") and public permalink.
- Carousel children (when applicable): identifier, type and media URLs of the individual items of CAROUSEL_ALBUM posts.
17.3. Data usage. The accessed data is used exclusively to:
- Generate the compliance analysis report of content published by the User in light of Brazilian Law No. 15,211/2025 (ECA Digital) and Decree No. 12,880/2026.
- Display a visual grid of the User's posts in the Platform interface for selection of content to analyze.
17.4. What the Platform does NOT do with Meta/Instagram data:
- Does not display advertisements based on Instagram data or use it for any advertising, targeting or remarketing purpose.
- Does not transfer Instagram data to third parties, except: (a) to AI providers strictly necessary to execute the analysis (Anthropic/Claude API and OpenAI/Whisper API, both with non-training policies on customer data via API), and (b) in compliance with a court order or request from a competent authority.
- Does not use Instagram data to determine credit, for lending purposes or for any financial purpose.
- Does not allow human reading of Instagram data, except: (a) with explicit and affirmative User consent; (b) for security purposes (for example, abuse investigation); (c) to comply with applicable law; or (d) when the data is aggregated and used for anonymized internal operations in compliance with applicable privacy laws.
- Does not publish, modify, comment on, like, react to or delete any post, story, comment or content on the User's account — the granted instagram_business_basic scope is strictly read-only.
- Does not access third-party Instagram accounts, follower profiles, followers/following lists, direct messages, stories, audience insights or any data beyond posts published on the authenticated User's own feed.
- Does not perform scraping, crawling or mass ingestion of data beyond what the Graph API returns in authorized calls.
17.5. Storage and retention. The Meta OAuth tokens (long-lived Instagram access token) are stored in encrypted form (AES-256-GCM) in an internal-use database, used exclusively to execute analyses requested by the User and immediately removed upon disconnection of the Instagram account or deletion of the Tá Seguro account. The metadata extracted from posts (caption, thumbnail URL, media URL, media type, permalink) is processed in transit during report generation and is not stored after analysis — only the final report (evaluation by ECA Digital criterion, Portuguese text) is persisted, and this report does not contain a full copy of the original post data. Thumbnail URLs are neither downloaded nor stored by the Platform: when displayed in the visual grid, they are loaded directly from the User's browser from Meta's official CDNs (*.cdninstagram.com, *.fbcdn.net).
17.6. Access revocation. The User may revoke the Tá Seguro Platform's access to their Instagram data at any time, through three independent paths:
- Within the Platform: Settings → Instagram section → "Disconnect Instagram" button. The Platform immediately removes all Instagram fields from the profile (token, username, ID, expiration date).
- On Instagram: instagram.com/accounts/manage_access → locate "Tá Seguro" → Remove.
- Via Meta (Facebook): facebook.com/settings?tab=business_tools → locate "Tá Seguro" → Remove.
17.7. Reference documentation. The use of Meta data by the Platform is also subject to:
- Meta Platform Terms
- Meta Developer Policies
- Instagram Platform Policy
- Meta Data Policy
- Instagram Data Policy
17.8. Contact for specific questions about Meta/Instagram data usage. Use the DPO email indicated in section 14 (privacidade@taseguro.app), identifying in the subject line "Meta API / Instagram".