Privacy Policy
Last updated: April 6, 2026
Firmo90 takes your privacy seriously. This policy describes how we collect, use, and protect your personal information when you use our application and services.
Data Collection
We collect only the information necessary to provide our services. This includes: email address for account creation, display name (can be a nickname), daily progress data (check-ins, streak), and app preferences.
We do not collect unnecessary information such as real-time location, contact lists, browsing history, or any data not directly related to the app's functionality.
Optional data, such as community posts and emotional check-ins, is collected only when you voluntarily choose to share it.
Data Usage
Your data is used exclusively to: provide and improve Firmo90 services, personalize your experience in the app, send relevant notifications (which you can disable), and generate anonymous aggregated statistics to improve the app.
We never sell, rent, or share your personal information with third parties for marketing or advertising purposes.
Anonymized and aggregated data may be used for research and service improvement, but never in a way that allows identifying individual users.
Data Protection
All communications between the application and our servers are protected by TLS (Transport Layer Security) encryption. Sensitive data such as personally identifiable information receives an additional layer of encryption in the database.
We use industry-standard security best practices, including secure password hashing with bcrypt, short-lived JWT tokens, and regular security audits.
Our servers are hosted on cloud providers with internationally recognized security certifications.
Your Rights
You have the right to: access all data we have about you, request correction of incorrect data, request complete deletion of your account and data, export your data in a readable format, and revoke consent for data processing at any time.
To exercise any of these rights, you can use the options available in the app settings or contact us at support@firmo90.com.
We will respond to all privacy-related rights requests within 30 days.
GDPR Compliance (European Union Users)
For users residing in the European Union or the European Economic Area, Firmo90 processes your personal data on the basis of consent (Art. 6(1)(a) GDPR) and processes your health-related data (emotional check-ins and addiction-related data, which are special category data) on the basis of your explicit consent (Art. 9(2)(a) GDPR).
You have the following data subject rights: right of access to your personal data, right to rectification of incorrect data, right to erasure (right to be forgotten), right to data portability, right to restriction of processing, and right to object to processing.
You have the right to lodge a complaint with the data protection supervisory authority in your country of residence.
Data Protection contact: support@firmo90.com
Data Retention Periods
Account data (email, nickname): Retained for the duration of the account + 30 days after deletion.
Check-in and emotional data: 2 years from the date of collection.
Community posts and comments: 1 year after account deletion.
Payment records: 5 years (Brazilian fiscal obligation / Stripe requirement).
Server logs: 90 days.
Backup data: 90-day rolling retention.
Sensitive Data Processing
All personally identifiable information (PII) is encrypted at rest with AES-256-GCM.
Emotional and addiction-related data is never shared with third parties.
AI processing for content moderation and the AI Coach is performed through the providers listed under Third-Party Data Processing (Groq for text, Amazon Rekognition for images). Only the text or image being analyzed is sent to the provider; account identifiers such as your email address and nickname are not.
Data is anonymized for aggregate analytics, making it impossible to identify individual users.
Cookie Policy
We use essential cookies only: Cloudflare security cookies and session management. No third-party advertising or tracking cookies are used.
The mobile application does not use cookies. Authentication is handled via JWT tokens stored securely on the device.
You can configure your browser to reject cookies, although this may affect some site features.
Third-Party Data Processing
Stripe (USA, PCI-DSS Level 1): Payment processing and subscription management.
Amazon Web Services — AWS (Brazil sa-east-1 and USA, SOC 2 / ISO 27001): Hosting, backups and image analysis (Rekognition).
Firebase / Google Cloud (USA): Push notification delivery (FCM).
Sentry (USA): Error monitoring — PII filtered before sending.
Groq (USA): AI Coach inference — messages sent without personal identifiers, never used to train the model.
Cloudflare (Global): CDN, WAF and Turnstile (anti-bot CAPTCHA) — processes IP address and browser fingerprint for security only.
Google Analytics 4 (USA, optional): Aggregate site usage analytics, only loaded after explicit consent on the cookie banner.
Gmail SMTP (Google, USA): Transactional email delivery (sign-up confirmation, password reset).
International transfers rely on LGPD Art. 33 II (contractual clauses offered by the providers) and Art. 33 IX (transfer necessary for the execution of a contract). Formal Data Processing Agreements (DPAs) and clauses equivalent to the EU Standard Contractual Clauses (SCCs) are in the process of being formalized with each provider and will be made available on request from the official launch.
Each provider was carefully selected based on their privacy policies and LGPD/GDPR compliance. We do not share personal data with advertising networks or data brokers.
Automated Content Moderation
To ensure community safety, we use automated content moderation systems, including: keyword filtering, AI-powered content analysis (Groq/LLaMA), and AI-powered image analysis (Amazon Rekognition).
These systems automatically check posts, comments, and images uploaded by users to detect content that violates our guidelines: explicit content, hate speech, harassment, spam, and self-harm incitement.
Violations may result in warnings, removal of the content, temporary suspension, or a permanent ban, depending on severity and recurrence.
Protection of Minors
Firmo90 is intended exclusively for users aged 18 and over. We do not knowingly collect, process, or store personal data of minors under 18.
At sign-up, we require a declared date of birth. Any user under 18 is automatically blocked by the system and cannot complete registration.
If we discover that a minor has registered (for example, using a falsified date of birth), the account is blocked immediately and all associated personal data is purged within 30 days, in compliance with applicable child protection legislation (LGPD Art. 14, COPPA, and GDPR Art. 8, often referred to as GDPR-K). Parents or legal guardians may request immediate deletion at support@firmo90.com.
Contact
If you have questions, concerns, or requests related to this privacy policy, please contact us:
General email: support@firmo90.com
Data Protection Officer (DPO), as required by LGPD Art. 41: Charles Machado — support@firmo90.com
We will respond within two business days. For formal data subject requests (LGPD Art. 18 / GDPR rights), the deadline is up to 30 days in accordance with applicable legislation.