Privacy Policy
Last updated: April 6, 2026
Firmo90 takes your privacy seriously. This policy describes how we collect, use, and protect your personal information when you use our application and services.
Data Collection
We collect only the information necessary to provide our services. This includes: email address for account creation, display name (can be a nickname), daily progress data (check-ins, streak), and app preferences.
We do not collect unnecessary information such as real-time location, contact lists, browsing history, or any data not directly related to the app's functionality.
Optional data such as community posts and emotional check-ins are collected only when you voluntarily choose to share them.
Data Usage
Your data is used exclusively to: provide and improve Firmo90 services, personalize your experience in the app, send relevant notifications (which you can disable), and generate anonymous aggregated statistics to improve the app.
We never sell, rent, or share your personal information with third parties for marketing or advertising purposes.
Anonymized and aggregated data may be used for research and service improvement, but never in a way that allows identifying individual users.
Data Protection
All communications between the application and our servers are protected by TLS (Transport Layer Security) encryption. Sensitive data such as personally identifiable information receives an additional layer of encryption in the database.
We use industry-standard security best practices, including secure password hashing with bcrypt, short-lived JWT tokens, and regular security audits.
Our servers are hosted on cloud providers with internationally recognized security certifications.
Your Rights
You have the right to: access all data we have about you, request correction of incorrect data, request complete deletion of your account and data, export your data in a readable format, and revoke consent for data processing at any time.
To exercise any of these rights, you can use the options available in the app settings or contact us at support@firmo90.com.
We will respond to all privacy-related rights requests within 30 business days.
GDPR Compliance (European Union Users)
For users residing in the European Union or the European Economic Area, Firmo90 processes your data based on explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) for the processing of sensitive health data.
You have the following data subject rights: right of access to your personal data, right to rectification of incorrect data, right to erasure (right to be forgotten), right to data portability, right to restriction of processing, and right to object to processing.
You have the right to lodge a complaint with the data protection supervisory authority in your country of residence.
Data Protection contact: privacidade@firmo90.com
Data Retention Periods
Account data (email, nickname): Retained for the duration of the account plus 30 days after deletion.
Check-in and emotional data: 2 years from the date of collection.
Community posts and comments: 1 year after account deletion.
Payment records: 5 years (Brazilian fiscal obligation / Stripe requirement).
Server logs: 90 days.
Backup data: 90-day rolling retention.
Sensitive Data Processing
All personally identifiable information (PII) is encrypted at rest with AES-256-GCM.
Emotional and addiction-related data is never shared with third parties.
AI processing for content moderation runs server-side, with no personal data sent to external AI providers.
Data is anonymized for aggregate analytics, making it impossible to identify individual users.
Cookie Policy
We use essential cookies only: Cloudflare security cookies and session management. No third-party advertising or tracking cookies are used.
The mobile application does not use cookies. Authentication is handled via JWT tokens stored securely on the device.
You can configure your browser to reject cookies, although this may affect some site features.
Third-Party Data Processing
Stripe (PCI-DSS compliant): Payment processing and subscription management.
Amazon Web Services — AWS (SOC 2, ISO 27001): Server hosting, data storage, and image analysis (Rekognition).
Firebase / Google Cloud: Push notification delivery.
Sentry: Error monitoring (anonymized data, no PII).
Groq: AI content analysis (no personally identifiable data is sent).
Each provider was carefully selected based on their privacy policies and compliance with data protection regulations. We do not share personal data with advertising networks or data brokers.
Automated Content Moderation
To ensure community safety, we use automated content moderation systems, including: keyword filtering, AI-powered content analysis (Groq/LLaMA), and AI-powered image analysis (Amazon Rekognition).
These systems automatically check posts, comments, and images uploaded by users to detect content that violates our guidelines: explicit content, hate speech, harassment, spam, and incitement to self-harm.
Violations may result in warnings, content censorship, temporary suspension, or permanent ban, depending on severity and recurrence.
Protection of Minors
Users under 18 have restricted features: they cannot use private chat, human accountability partners, or send friend requests. Minors use an AI partner for support and accountability.
These restrictions exist to protect minors from inappropriate contact with adults, in compliance with applicable child protection legislation.
Contact
If you have questions, concerns, or requests related to this privacy policy, please contact us:
General email: support@firmo90.com
Data Protection Officer (DPO), as required by LGPD Art. 41: Charles Machado — dpo@firmo90.com
We will respond within 48 hours on business days. For formal data subject requests (LGPD Art. 18 / GDPR rights), the deadline is up to 30 days in accordance with applicable legislation.