Privacy Policy
Privacy Policy
Effective date: May 12, 2026
This Privacy Policy describes how Campos Sales Soluções Para Internet Ltda. ("Inventra", "we", "us", "our") collects, uses, shares, and protects personal data when you visit https://www.inventra.sh, create an account, or otherwise use our Platform ("Service").
This Policy is issued in accordance with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – Law No. 13.709/2018, "LGPD") and the Brazilian Internet Civil Framework (Law No. 12.965/2014).
1. Controller
The data controller responsible for processing your personal data is:
- Company: Campos Sales Soluções Para Internet Ltda.
- CNPJ: 37.753.203/0001-69
- Address: Av. Paulista, 1636, Suite 1504, Bela Vista, São Paulo – SP, ZIP code 01.310-200, Brazil
- Contact: legal@inventra.sh
For any matter related to this Policy or to the exercise of your rights as a data subject, you may contact our Data Protection Officer (Encarregado pelo Tratamento de Dados Pessoais) at the email above.
2. Scope
This Policy applies to personal data collected through the Inventra Platform, including the public website, the admin panel, our APIs, marketing communications, and customer support channels. It does not apply to third-party websites or services that you may access through links from our Platform, which are governed by their own privacy policies.
3. Personal data we collect
We collect personal data in the following categories:
3.1 Data you provide directly
- Account data: name, email address, password (stored as a hash), and language preferences when you sign up.
- Organization data: organization name, brand description, editorial guidelines, blog categories, and other configuration you submit to operate the Service.
- Billing data: billing name, billing email, billing address, country, currency, and tax identifier when you subscribe to a paid plan. Card numbers, expiration dates, and security codes are collected and stored exclusively by Stripe; we only receive a tokenized reference and metadata such as the last four digits.
- Communications: content of messages you send us through email, support forms, or in-app channels.
3.2 Data collected automatically
- Technical data: IP address, browser type and version, operating system, device identifiers, language, time zone, and referring URL.
- Usage data: pages visited, features accessed, actions performed inside the admin panel, session timestamps, and approximate access location derived from IP address.
- Cookies and similar technologies: see Section 9.
3.3 Data from third parties
- Payment provider: subscription status, transaction history, and limited card metadata returned by Stripe.
- Analytics and marketing tools: aggregated behavioral data from Google Analytics, Google Tag Manager, and Meta Pixel when these are enabled.
We do not knowingly collect sensitive personal data (such as data revealing racial or ethnic origin, religious beliefs, political opinions, health, or sexual orientation) as defined in Article 5, II of the LGPD. Please do not submit such data through the Service.
4. Purposes of processing
We process personal data for the following purposes:
- Service provision: to create and manage your account and Organization, authenticate access, generate and deliver AI-produced content, and operate Platform features.
- Billing and subscription management: to charge subscription fees, issue invoices, manage trials, send billing notifications, and prevent fraud.
- Customer support: to respond to your requests, troubleshoot issues, and provide technical assistance.
- Service improvement: to monitor performance, debug errors, analyze aggregated usage patterns, and develop new features.
- Security: to detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Use.
- Marketing communications: to send service-related updates, newsletters, and promotional content, always with the ability to opt out.
- Legal compliance: to comply with applicable laws, regulations, judicial orders, and requests from competent authorities.
5. Legal basis for processing
Under Articles 7 and 11 of the LGPD, our processing relies on the following legal bases, depending on the activity:
- Performance of a contract to which you are a party (Art. 7, V), including account creation, subscription, and Service delivery.
- Compliance with a legal or regulatory obligation (Art. 7, II), such as tax, accounting, and consumer-protection record-keeping.
- Legitimate interests of the controller or a third party (Art. 7, IX), such as fraud prevention, network security, and improvement of the Service, provided that your fundamental rights and freedoms are not overridden.
- Consent (Art. 7, I), for non-essential cookies, marketing communications, and any other activity for which consent is the appropriate basis. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out beforehand.
- Regular exercise of rights in judicial, administrative, or arbitration proceedings (Art. 7, VI), when applicable.
- Credit protection (Art. 7, X), for billing and fraud prevention.
6. Data sharing
We share personal data only when necessary and under appropriate safeguards. Categories of recipients include:
- Payment processors. Stripe, Inc., located in the United States, processes payments and stores card data on our behalf.
- Cloud hosting and infrastructure providers. Providers that host our application, databases, backups, and logs.
- Analytics and marketing providers. When you enable these integrations or accept the corresponding cookies, data may be shared with Google (Google Analytics, Google Tag Manager) and Meta (Meta Pixel).
- Email and communication providers. Providers that deliver transactional and marketing emails on our behalf.
- AI and content-generation providers. Third-party AI model providers used to generate blog content based on the instructions you submit. We do not allow these providers to use your content to train public models without your explicit consent.
- Professional advisors. Lawyers, accountants, auditors, and similar advisors, under confidentiality obligations.
- Authorities and third parties. When required by law, judicial order, or to protect rights, property, or safety.
- Successors. In the event of a merger, acquisition, reorganization, or asset sale, data may be transferred to the relevant successor, subject to the same level of protection described here.
We do not sell personal data.
7. International data transfers
Some of our providers process data outside Brazil, including in the United States and the European Union. When personal data is transferred internationally, we rely on the legal bases set out in Article 33 of the LGPD, in particular contractual clauses, global compliance certifications of the recipient, or your specific consent when applicable, ensuring an adequate level of protection.
8. Data retention
We retain personal data only for as long as necessary for the purposes described in this Policy, including:
- Active account data: for as long as your account remains active.
- Billing and tax records: for the periods required by Brazilian tax, accounting, and commercial legislation (typically up to five years after the end of the fiscal year).
- Access logs to application systems: for at least six (6) months, in accordance with Article 15 of the Brazilian Internet Civil Framework.
- Backups: for the duration of our backup rotation, after which data is overwritten.
- Support communications: for as long as reasonably necessary to resolve your request and address any follow-up.
After the applicable retention period, data is deleted or irreversibly anonymized, except where longer retention is required or allowed by law.
9. Cookies and similar technologies
We use cookies and similar technologies to operate the Platform, remember your preferences, measure performance, and, where you consent, support marketing activities. Cookies fall into the following categories:
- Strictly necessary cookies: required to authenticate you and to operate core features. These cannot be disabled.
- Functional cookies: remember your settings and preferences.
- Analytics cookies: help us understand how the Platform is used (for example, via Google Analytics).
- Marketing cookies: measure and optimize advertising campaigns (for example, Meta Pixel and Google Tag Manager configurations).
You can manage non-essential cookies through the consent banner displayed on first visit and through your browser settings. Disabling certain cookies may affect Platform functionality.
10. Your rights as a data subject
Under Article 18 of the LGPD, you have the right to:
- Confirm the existence of processing of your personal data.
- Access your personal data.
- Correct incomplete, inaccurate, or outdated data.
- Anonymize, block, or delete unnecessary or excessive data, or data processed in non-compliance with the LGPD.
- Request data portability to another service or product provider, subject to commercial and industrial secrecy.
- Request deletion of personal data processed with your consent, except where retention is required or permitted by law.
- Be informed about public and private entities with which we share your data.
- Be informed about the possibility of refusing to provide consent and the consequences of such refusal.
- Withdraw consent at any time.
- Oppose processing carried out without your consent if you believe it does not comply with the LGPD.
- Request review of decisions made solely on the basis of automated processing that affect your interests.
To exercise any of these rights, contact us at legal@inventra.sh. We will respond within the legal deadlines and may need to confirm your identity before fulfilling certain requests.
If you believe your rights have not been adequately addressed, you may also file a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD) at https://www.gov.br/anpd.
11. Security
We adopt administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, accidental or unlawful destruction, loss, alteration, communication, or any form of inadequate or unlawful processing. These measures include encryption of credentials and sensitive fields, access control, logging, regular backups, and review of security practices.
Despite our efforts, no system is completely secure. In the event of a security incident that may result in significant risk or damage to data subjects, we will notify affected individuals and the ANPD in accordance with Article 48 of the LGPD.
12. Children's data
The Platform is intended for use by adults. We do not knowingly collect personal data from children or adolescents. If you become aware that a minor has provided personal data to us without proper authorization, please contact legal@inventra.sh so that we may take appropriate action.
13. Updates to this Policy
We may update this Policy from time to time. When changes are material, we will notify you by email or through the Platform at least fifteen (15) days before they take effect. The "Effective date" at the top of this Policy indicates the most recent update. We encourage you to review this Policy periodically.
14. Google account sign-in and Calendar (OAuth)
When you sign in with Google or connect Google Calendar in Organization settings, Inventra accesses Google user data through OAuth 2.0 as follows:
Sign in with Google
- Data accessed: your Google account email address, display name, and profile picture, via the
openid,email, andprofilescopes. - Purpose: to create or link your Inventra account and authenticate you to the Service.
- Storage: account identifiers and session tokens are stored through our authentication provider (Better Auth). We do not store your Google password.
Google Calendar (optional)
If an Organization owner or administrator connects Google Calendar, Inventra may access:
- Calendar metadata and events via
https://www.googleapis.com/auth/calendar.readonlyandhttps://www.googleapis.com/auth/calendar.events, solely to verify the connection, schedule appointments on your behalf when you enable that feature, and attach Google Meet links where supported. - Purpose: to provide calendar integration features you explicitly enable in the admin panel.
OAuth refresh and access tokens for Calendar are stored encrypted at rest on our servers. API responses in the admin panel expose only connection status and non-sensitive metadata (for example, calendar email and last health-check time), never raw OAuth tokens.
Limited Use and sharing
Inventra's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertisements, sell data to third parties, or train generalized AI/ML models. We share Google user data only with infrastructure providers that process it on our behalf under confidentiality obligations and solely to operate the Service, or when required by law.
Revoking access
You may disconnect Google Calendar at any time in Settings → Integrations within your Organization. You may revoke Inventra's access to your Google account entirely at Google Account permissions. Revocation stops future API access; data already stored in your Organization is handled according to Sections 8 and 10 of this Policy.
15. Contact
For questions, requests, or complaints related to this Policy or to the processing of your personal data, please contact our Data Protection Officer:
- Company: Campos Sales Soluções Para Internet Ltda.
- CNPJ: 37.753.203/0001-69
- Address: Av. Paulista, 1636, Suite 1504, Bela Vista, São Paulo – SP, ZIP code 01.310-200, Brazil
- Email: legal@inventra.sh