1. Data Controller and Data Protection Officer (DPO)
Digital Ileus, operated by 64.552.315 BRUNA DE LIMA TAMELINI, CNPJ No. 64.552.315/0001-24, Rua Antônio Josué Laraia, 100, Pouso Alegre, Minas Gerais, Brazil, is the Controller of personal data collected on this platform, pursuant to Brazilian Federal Law No. 13.709/2018 (Lei Geral de Proteção de Dados — LGPD).
Data Protection Officer (DPO): Bruna de Lima Tamelini
DPO Contact: suporte@digitalileus.com
The DPO is the official channel for exercising data subject rights, obtaining clarifications on personal data processing, and communicating with the Brazilian National Data Protection Authority (ANPD).
2. Personal Data Collected
Digital Ileus collects the following personal data:
a) Data directly provided by the user:
- Full name
- Email address
- CPF (Brazilian tax ID, for fiscal purposes and electronic invoice issuance)
- Phone number (optional, only when voluntarily provided)
- Mailing address (when required for tax purposes)
b) Payment data:
- Credit and debit card data are collected and processed exclusively by Stripe, Inc., certified at PCI-DSS Level 1. Digital Ileus does not store, view, process, or have access to card data under any circumstance.
- The checkout is operated by KashPay, which may record browsing behavior during the purchase process (time on page, cart abandonment, clicks) for automation and sales recovery purposes.
c) Navigation data collected automatically:
- IP address and approximate geolocation
- Device type, operating system, and browser
- Pages visited, session duration, and referral source
- Cookie and similar technology data (detailed in section 7)
d) Data of minors:
Digital Ileus does not intentionally collect data from individuals under 14 (fourteen) years of age. Minors between 14 and 18 may only use the platform with the express consent of their parents or legal guardians, who shall be considered the data subjects for purposes of this Policy, pursuant to Art. 14 of the LGPD. Should Digital Ileus identify that data from a minor was collected without proper consent, such data will be immediately deleted.
3. Purpose and Legal Basis for Processing
All personal data is processed for specific, explicit, and legitimate purposes, under the legal bases of the LGPD indicated below:
- User registration and digital product delivery: performance of a contract (LGPD, Art. 7, V);
- Issuance of electronic invoices and compliance with tax and accounting obligations: compliance with a legal obligation (LGPD, Art. 7, II);
- Sending purchase confirmations, access credentials, and customer support: performance of a contract (LGPD, Art. 7, V);
- Sending marketing communications, news, and offers: freely given, informed, and unambiguous consent of the data subject (LGPD, Art. 7, I) — revocable at any time;
- Fraud prevention and detection: legitimate interest of Digital Ileus in protecting the integrity of transactions and legitimate users, following a balancing assessment confirming this interest does not unduly override data subjects' rights (LGPD, Art. 7, IX);
- Platform improvement and aggregated behavior analysis: legitimate interest, with data processed in anonymized or aggregated form wherever possible (LGPD, Art. 7, IX).
Digital Ileus will not use collected personal data for purposes other than those described above without new communication and, when necessary, new consent from the data subject.
4. Sharing of Data with Third Parties
Digital Ileus does not sell, rent, assign, or trade personal data to third parties. Sharing occurs exclusively with the following operational partners, strictly necessary for service provision:
- Stripe, Inc. (USA) — payment processing and fraud prevention. Data shared: transaction information, email, and data required for payment processing. Stripe is PCI-DSS certified and maintains contractual safeguards (Standard Contractual Clauses) for international data transfers. Privacy policy: stripe.com/privacy
- KashPay (Brazil) — checkout platform and sales automation. Data shared: email, checkout browsing behavior, and cart recovery data. Digital Ileus requires KashPay to process such data in compliance with the LGPD. Privacy policy: kashpay.com.br
- Email marketing and CRM tools used by Digital Ileus — only name and email, for sending communications previously authorized by the data subject. Digital Ileus commits to updating this Policy whenever a new provider of this type is adopted.
- Government, regulatory, or judicial authorities — when required by law, regulation, court order, or for the defense of rights in administrative or judicial proceedings.
All third-party providers are selected based on their ability to guarantee a level of data protection compatible with the LGPD and are contractually required to process personal data only for the authorized purposes.
5. Data Security
Digital Ileus adopts appropriate and proportionate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, alteration, or improper disclosure, including:
- Encrypted data traffic via HTTPS/TLS protocol;
- Access to data restricted to authorized personnel strictly necessary for each purpose;
- Payment data processing by a PCI-DSS Level 1 certified platform (Stripe);
- Transaction monitoring and fraud prevention via Stripe Radar.
In the event of a security incident that may entail relevant risk or damage to data subjects, Digital Ileus will notify the National Data Protection Authority (ANPD) and potentially affected data subjects within a reasonable time, as required by Art. 48 of the LGPD, describing the nature of the affected data, related risks, and mitigation measures adopted.
6. Data Retention and Deletion
Personal data is retained for the period necessary to fulfill the purposes for which it was collected, observing the following criteria:
- Account and product access data: for the term of the contract plus 5 (five) years for possible dispute resolution;
- Payment and transaction data: 5 (five) years, pursuant to fiscal, tax, and accounting obligations (Brazilian Tax Code);
- Navigation data and access logs: 12 (twelve) months, sufficient to contest chargebacks and disputes with Stripe (which accepts disputes for up to 120 days), with a safety margin;
- Marketing data (email for communications): until consent is revoked by the data subject or deletion is requested;
- Data required to fulfill a legal or regulatory obligation: for the period required by applicable legislation, regardless of the end of the contractual relationship.
After the applicable retention periods expire, data will be securely deleted or anonymized so that identification of the data subject is no longer possible.
7. Cookies and Tracking Technologies
The Digital Ileus platform uses cookies and similar technologies. Upon first accessing the site, the user will be presented with a cookie banner allowing them to accept, reject, or customize the use of each category. The categories are:
- Essential cookies: necessary for the basic functioning of the site, checkout, and client area (session management, authentication, security). They do not require consent and cannot be deactivated, as they are indispensable for service provision.
- Analytical cookies: collect aggregated and pseudonymized data about browsing behavior to improve the platform (e.g., Google Analytics). They require consent and may be rejected without impact on service access.
- Marketing cookies: used for measuring advertising campaigns and displaying relevant ads. They require consent and may be rejected without impact on service access.
The user may change their cookie preferences at any time via the cookie settings panel available on the site, or by disabling them directly in their browser settings. Disabling essential cookies may compromise the functioning of the checkout and client area.
Regarding the "Do Not Track" (DNT) signal emitted by some browsers, Digital Ileus honors this preference by automatically deactivating analytical and marketing cookies when the signal is detected.
8. Data Subject Rights
In accordance with Art. 18 of the LGPD, the data subject has the following rights, exercisable at any time:
- Confirmation of the existence of processing of their personal data by Digital Ileus;
- Access to the personal data collected and processed;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;
- Portability of data to another service or product provider, upon express request;
- Deletion of data processed on the basis of consent, subject to legal retention periods;
- Information about entities with which Digital Ileus shares data;
- Information about the possibility of not providing consent and the consequences thereof;
- Revocation of consent at any time, free of charge and in a simplified manner.
To exercise any of these rights, the data subject must send a request to the DPO at suporte@digitalileus.com, with sufficient identification for identity verification. Digital Ileus will respond within 15 (fifteen) calendar days.
Should the data subject consider that their rights have been violated, they may file a complaint with the National Data Protection Authority (ANPD) at gov.br/anpd, without prejudice to other available legal remedies.
9. International Data Transfers
Due to the use of international technology partners, some personal data may be transferred to and processed in countries outside Brazil, namely the United States of America (Stripe, Inc.).
These transfers are carried out based on the following safeguards, in compliance with Art. 33 of the LGPD:
- Stripe, Inc.: adopts Standard Contractual Clauses (SCCs) for data transfers outside the European Economic Area and maintains PCI-DSS Level 1 certification for payment data;
- KashPay: a company headquartered in Brazil, directly subject to the LGPD.
Digital Ileus contractually requires all international recipients of personal data to guarantee a level of protection equivalent to that required by the LGPD.
10. Legitimate Interest — Justification
When Digital Ileus processes personal data on the basis of legitimate interest (LGPD, Art. 7, IX), it first conducts a balancing assessment, verifying that:
- The interest pursued is legitimate and specific (platform improvement, fraud prevention);
- The processing is necessary to achieve the purpose, without less privacy-invasive alternatives being sufficient;
- The fundamental interests, rights, and freedoms of the data subjects do not override the controller's interest, considering the context and reasonable expectations of the data subjects.
The data subject may, at any time, object to processing based on legitimate interest, pursuant to Art. 18, II of the LGPD, whereupon Digital Ileus must demonstrate that there are compelling legitimate grounds that override such objection.
11. Changes to This Policy
Digital Ileus may update this Privacy Policy periodically to reflect changes in privacy practices, legal requirements, or new services. Material changes will be communicated by registered email at least 15 (fifteen) days before they take effect, or immediately when the change is required by law.
We recommend that users review this Policy regularly. The date of the last update is indicated in the header of this document. Continued use of the platform after the effective date of changes constitutes acceptance of the new conditions.
12. General Provisions
This Privacy Policy is governed by the laws of the Federative Republic of Brazil, in particular the LGPD (Law No. 13.709/2018) and the Internet Civil Rights Framework (Law No. 12.965/2014).
If any provision of this Policy is held invalid or unenforceable, the remaining provisions shall remain in full force and effect (severability).
Questions, requests, or complaints related to this Policy should be directed to the Data Protection Officer: suporte@digitalileus.com