Privacy Policy
1. Who we are
Corporate name: Nvoip Plataforma de Comunicação Ltda
CNPJ: 30.910.196/0001-12
Address: Av. Barão do Rio Branco 5129, rooms 201 and 202, CEP 36026-500, Juiz de Fora – MG
O endereço do nosso site é: https://www.nvoip.com.br
This Policy explains how we collect, use, share and protect personal data and How can you exercise your rights. Our privacy policy is applicable to website visitors, leads, Customers and end users treated via CPaaS (Voice, WhatsApp, Chat, Social Networks), according to the role of Nvoip (controller or operator) indicated below. The policy extends to the site’s subdomains.
2. Scope and roles (controlling company x operator)
-
Controller: for data account and relationship (registration, billing, support, regulatory compliance, dashboard access logs, usage metrics) and visitor data of the website.
-
Operator (processor): quando we process data under customer instructions (e.g.: content and metadata of calls/WhatsApp, contacts served in chat, recordings, transcripts, metrics per queue/agent), including necessary sub-operators. (Based on the ANPD Agent and Officer Guide.)
3. Data we collect
3.1 Registration/account data: name, email, company, CNPJ/CPF, address, telephone, position, access credentials, internal IDs.
3.2 Billing and tax data: payment methods, billing/note history, audit trails.
3.3 Technical and platform usage data: IP, device/UA, access and event logs, configurations, integrations, tokens (masked), operational metrics.
3.4 Telecommunications data and messages (when operator): call metadata (CDR), queues, agents, recordings (if activated by the customer), WhatsApp messages (metadata and content when applicable to the contracted service), attachments sent by the customer/holder.
3.5 Support/service: tickets, recordings and support chats.
3.6 Cookies and similar technologies: strictly necessary, functional, performance/analytics and advertising (when enabled). See Section 8 (Cookies).
4. Purposes and legal bases
(a) Contract execution and preliminary procedures (onboarding, support, SLA, functionality delivery);
(b) Compliance with legal/regulatory obligation (e.g. Anatel requirements, tax and security obligations);
(c) Legitimate interest (continuous improvement, fraud/abuse prevention, security, product analytics – with balancing and impact tests on the owner);
(d) Consentimento, when necessary (e.g. marketing communications, non-essential cookies).
5. Sharing with third parties (operators/sub-operators)
Data Sharing. Personal data may be shared strictly when necessary, observed:
-
Service providers contracted to enable the execution of the contract and technical operation (e.g. hosting, message delivery, anti-fraud, support), under instructions from Nvoip and with security and confidentiality measures;
-
Public authorities and regulatory bodies, when there is a legal/regulatory obligation or valid requests;
-
Strategic partners upon consent of the holder, when applicable (e.g. marketing communications).
Nvoip does not sell personal data. In international transfers, we apply safeguards provided for in arts. 33 to 36 of the LGPD (contractual clauses, standards, suitability assessment), with transparency to the holder.
6. International transfers
When there is a transfer outside Brazil, we will adopt authorized mechanisms by the LGPD, as specific contractual clauses, and we will ensure adequate level of protection and transparency to the holder.
7. Information security
Aplicamos technical and organizational measures proportional to the risk: encryption in transit, access controls, segregation of environments, event recording, monitoring, vulnerability management, backups and periodic tests. (Without prejudice to applicable sectoral obligations.)
8. Cookies and tracking preferences
We use cookies strictly necessary (without consent) and, when enabled, functional/analytics/advertising (upon consent granular, with opt-out at any time). We display banner and preference center (“Manage cookies”).
Consent management: We register the consent and cookie preferences (date/time, banner/policy version and accepted categories), allowing amendment or revocation at any time in Preference Center. The banner presents granular option (ex.: funcionais, analytics, publicidade), according to ANPD Cookies Guide.
9. Data Retention and Disposal
9.1. General principles. Nvoip keeps data for as long as necessary to fulfill the purposes informed to the holder and/or the legal and regulatory obligations applicable, observing the principles of necessidade e minimization. At the end of the deadlines, Nvoip prioritizes irreversible anonymization of data; when legally required or technically applicable without affecting legal/regulatory obligations, it may carry out elimination. (LGPD, arts. 15 and 16).
In telecommunications services with numbering resources, Anatel requires the storage of certain records for specific minimum periods; Nvoip complies with these sectoral rules.
9.2. Rules by data category. Without prejudice to longer legal/regulatory deadlines, the following guidelines apply, where appropriate:
-
Account registration, user profiles and settings on the Dashboard: maintained during the term of the contract and for 6 (six) months after its closure. Accounts without movement for 6 (six) months are closed automatically; any new movement reactivates the account and restarts the count. After the deadlines, the data is anonimizados (by default), unless there is a legal/regulatory obligation that imposes additional conservation.
-
Application access logs (panel/portal): maintained by minimum term of 6 (six) months, according to the Civil Rights Framework for the Internet, and may be maintained for an additional period as long as necessary for the security, fraud prevention and defense of rights during the contractual term; in the end, anonymized or deleted.
-
CDR/Ticketing and call metadata (services that allow telephone traffic): maintained by 5 (five) years (Res. Anatel nº 738/2020, art. 65-J, I).
-
Call recordings (URA/attendance): 36 (thirty-six) months ou 5 (five) years, depending on the plan purchased. The recordings are maintained only as long as the contract remains active; after canceling the service, the recordings are excluded within 6 (six) months.
-
Billing/accounting (notes, invoices, receipts, taxes): 5 (five) years (tax practice and defense of rights).
-
Support tickets and attachments: maintained during the relationship and, after, kept for an additional period necessary to defend rights (e.g. until 5 years). Upon customer request, Nvoip anonimiza the content (removal of personally identifiable data), salvas conservation hypotheses due to legal/regulatory obligation.
-
Marketing (leads/consents/opt-out): until revocation of consent ou opt-out exercise, or for a period compatible with the commercial cycle, with revalidation when applicable.
-
Security incident records: minimum of 5 (five) years, including incidents not communicated to the ANPD and the holders, in accordance with the Security Incident Reporting Regulation (Res. CD/ANPD nº 15/2024, art. 10); when communicated, deadlines for 3 business days for communication and 20 working days to complement information.
9.3. International transfer, operators and sub-operators. When there is international transfer of data (e.g. cloud usage), Nvoip will adopt the assumptions and safeguards of arts. 33 to 36 of the LGPD and will require operators/sub-operators contractual obligations of confidentiality and security (art. 39). (Legal basis and details are contained in the “Sharing” and “Legal Basis” sections.)
9.4. Backups and restore windows. Backups follow technical retention windows; effective deletion/anonymization It also occurs at the end of the validity of backups that still contain personal data.
9.5. Prevalence of specific norm. In case of divergence between these guidelines and legal/regulatory obligations (ex.: Anatel ou Civil Rights Framework for the Internet), the specific standard prevails, including minimum storage periods.
10. Rights of holders and prazos
You can request: confirmation of treatment; access; correction; anonymization, blocking or deletion; portability; information about shares; opposition; automated decision review (if any).
-
Immediate (simplified) confirmation; access/complete declaration within 15 days.
-
Other rights: response within a deadline compatible with the complexity, preferably within 15 days.
11. How to exercise your rights
Send your request to Person in Charge (DPO): [email protected]. To protect you, we may confirm your identity. If we act as operadora for a customer, encaminharemos your request to controlador where appropriate, maintaining traceability.
12. Automated decisions and profiling
When there are relevant automated decisions (e.g., detection of abuse/fraud, blocking of malicious traffic), we will inform general criteria and we will offer means of human review, when required by law.
13. Security incidents
If an incident could result in relevant risk or damage, we will notify ANPD and holders within 3 business days from knowledge, You can provide additional information within 20 business days, according to RCIS (Res. CD/ANPD nº 15/2024). We will maintain registro of incidents in accordance with regulation.
14. Children and teenagers
Our services are B2B and B2C. We do not direct the website to children or teenagers. If we identify data from children/adolescents without the appropriate legal basis, eliminaremos safely.
15. Updates to this Policy
We will indicate the effective date e a version when updating this Policy. Material changes will be communicated via product/website channels.
16. Contact of the Person in Charge (DPO)
Kelvym Roger Campos (CTO) – [email protected]