LGPD Compliance
1. Our Commitment to Privacy
Pipevoz takes personal-data protection seriously. We operate in accordance with the Brazilian General Personal Data Protection Law (LGPD - Law No. 13,709/2018) and guide our operation by the LGPD principles.
| Principle | How we apply it |
|---|---|
| Purpose | Data is collected only for declared purposes, such as operating voice agents, billing and improving the service. |
| Adequacy | Processing is compatible with the purposes disclosed to data subjects. |
| Necessity | We collect the minimum data necessary for each operational purpose. |
| Free access | Data subjects can request information about their data and processing activities. |
| Data quality | We maintain accurate and updated records, with correction mechanisms. |
| Transparency | We communicate who we are, what we do and why in clear language. |
| Security and prevention | Technical and organizational measures protect data and help prevent incidents. |
| Non-discrimination | Personal data is not used for discriminatory, unlawful or abusive purposes. |
| Accountability | We keep records and controls that demonstrate compliance. |
2. Roles in Personal-Data Processing
The LGPD defines different roles. Pipevoz may act as controller or processor depending on the data flow.
Pipevoz as Controller
Pipevoz determines purposes and means when processing data from customers and their representatives, such as registration, billing, access logs and voice-agent settings.
Pipevoz as Processor
Pipevoz acts as processor when it processes personal data of contacts uploaded by customers for calls through AI voice agents, such as names, phone numbers, call recordings, transcripts and interaction metadata.
In those cases, the Pipevoz customer is the controller and is primarily responsible before data subjects. Pipevoz processes data according to the customer's instructions and the Data Processing Agreement.
3. Data-Subject Rights
When Pipevoz acts as controller, data subjects may exercise the following rights free of charge:
Confirm whether processing exists and obtain a copy of the data.
Request correction of incomplete, inaccurate or outdated data.
Request action regarding unnecessary, excessive or unlawfully processed data.
Receive data in a structured format for transfer to another provider, where applicable.
Withdraw consent where processing was based on consent.
Know with which entities data is shared.
Object to processing based on other legal hypotheses when there is non-compliance.
Request review of decisions made exclusively by automated systems.
4. How to Exercise Your Rights
Email contato@pipevoz.com with the subject "Data Subject Rights - LGPD", including your full name, identification document where necessary, a clear description of the right you want to exercise and contact details for response.
We respond within 15 calendar days from receipt when Pipevoz is the controller. We may request additional documents to verify identity before fulfilling the request.
If your data is processed by a Pipevoz customer, contact that company first. Pipevoz will support the customer as processor under the DPA.
5. Legal Bases for Processing
| Purpose | Legal basis |
|---|---|
| Providing the contracted service | Contract performance |
| Billing, credit purchases and tax invoices | Contract performance / legal obligation |
| Operational communications | Contract performance |
| Product improvement with aggregated data | Legitimate interest |
| Legal compliance | Legal obligation |
| Fraud prevention and security | Legitimate interest |
| Marketing communications | |
| Processing on behalf of customers | Controller instructions |
6. Information Security and Retention
Pipevoz adopts technical and organizational measures such as TLS encryption, encryption at rest, role-based access control, private storage for recordings, signed URLs with limited duration, controlled token expiration and continuous monitoring.
| Data category | Period | Basis |
|---|---|---|
| Call recordings | 90 days | Automatic storage lifecycle |
| Transcripts and metadata | While the account is active | Customer access and service operation |
| Customer registration data | Contract term plus 5 years | Legal obligations and limitation periods |
| Platform access logs | 6 months | Brazilian Internet Civil Rights Framework |
| Billing and tax data | 5 years | Tax obligation |
7. International Data Transfer
Pipevoz uses subprocessors for infrastructure, telephony, AI and payment services. Some subprocessors may process data in the United States or other countries. Transfers use contractual safeguards, data minimization and periodic vendor review.
8. Incident Response
If a security incident creates relevant risk or harm to data subjects, Pipevoz activates its response process, assesses affected data and risks, notifies the Brazilian Data Protection Authority when required, communicates affected data subjects where applicable and documents remediation measures.
9. Data Processing Agreement (DPA)
Customers that need to formalize the controller-processor relationship may request Pipevoz's standard DPA. It covers processor obligations, controller instructions, security measures, data-subject request support, subprocessors, termination and deletion of data.
To request the DPA, email contato@pipevoz.com with the subject "DPA Request".
10. Contact
For LGPD, privacy or data-protection questions, email contato@pipevoz.com. The Brazilian National Data Protection Authority is available at gov.br/anpd.
This page may be updated periodically to reflect regulatory, product or internal-practice changes. Material changes will be communicated to customers by email with reasonable prior notice.