Privacy Policy

This Privacy Policy ("Policy") describes how F7 Tecnologia Ltda. ("F7", "we") handles personal data on the f7kore.com website and on the F7 KORE platform, in compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 — "LGPD").

1. Who we are

F7 Tecnologia Ltda., registered under Brazilian Tax ID (CNPJ) 23.839.390/0001-93, Municipal Registration No. 38.235, headquartered at Rua Feliciano Bortolini, 1640 — Sala 7, Box 6, Barra do Rio Cerro district, Jaraguá do Sul/SC, ZIP 89.260-090, Brazil.

2. Data Protection Officer (DPO)

F7 designates as Data Protection Officer (Encarregado) the channel [email protected], through which data subjects, authorities and other interested parties may reach F7 on matters related to this Policy and to the LGPD.

3. Scope of this Policy

This Policy covers two distinct situations:

• Institutional website (f7kore.com): data collected when you browse, read content, book a call or contact us by e-mail. Here, F7 is the controller of personal data.
• F7 KORE platform in operation at a customer: personal data processed inside the Platform as part of the customer's operation. Here the customer is controller; F7 acts as processor in the managed SaaS model, or as software supplier (without access to the data) in the on-premises model. That relationship is detailed in the Data Processing Agreement (DPA) signed with each customer.

4. Personal data collected through the Site

We only collect what is necessary to run the Site and to establish a commercial conversation when requested by you:

• Contact data voluntarily provided: name, e-mail, company, role, phone, message content — when you e-mail us, book a call through Calendly, or interact with Site links.
• Browsing data: IP address, device type, browser, operating system, pages accessed, date and time, traffic source (referrer). Such data is collected by our CDN provider (Cloudflare) for security and performance, and in server logs retained for a limited period.

Cookies

The Site uses two categories of cookies:

1. Strictly necessary cookies — always active, indispensable for basic operation. Under LGPD these do not require prior consent.

• Language preference — remembers PT/EN selection across pages.
• Security and bot mitigation — set by our CDN provider Cloudflare (e.g. __cf_bm) to distinguish legitimate traffic from malicious automation.
• Site preferences — small flags in localStorage, including the record of your cookie consent choice.

2. Analytics cookies (optional — require consent) — loaded only when you click "Accept all" on the banner. We use:

• Google Analytics 4 (Google LLC), with IP anonymization, to understand aggregate site usage (most-read pages, traffic source).
• Microsoft Clarity (Microsoft Corporation), for heatmaps and anonymized session recordings, with the goal of identifying navigation friction points. Clarity automatically masks sensitive content (form fields, text identified as personal).

We do not run behavioral advertising or retargeting from this data, and we do not sell it to third parties.

You can change your choice at any time by clicking review cookie consent — the banner reappears. You can also block or delete cookies directly in your browser settings. The Site remains functional without optional cookies.

5. Purposes and legal bases

We process your personal data for the purposes below, under the legal bases set out in Article 7 of the LGPD:

• Responding to contacts and scheduling commercial calls: execution of pre-contractual procedures at the data subject's request (Art. 7, V).
• Keeping the Site secure and available: F7's legitimate interest in protecting the operation, preventing fraud and meeting security obligations (Art. 7, IX).
• Compliance with legal and regulatory obligations: retention of accounting, tax and communication records when required (Art. 7, II).
• Defense in proceedings: regular exercise of rights in judicial, administrative or arbitral proceedings (Art. 7, VI).

6. Sharing with processors

To run the Site and contact channels, F7 uses trusted third-party services that act as processors under the LGPD:

• Cloudflare, Inc. — CDN, DDoS mitigation, security and caching for the Site;
• Google LLC (Google Cloud Storage) — static asset hosting for the Site, in region southamerica-east1 (São Paulo);
• Calendly LLC — initial-meeting scheduling; by filling out the Calendly form, you also agree to Calendly's privacy policy;
• Corporate e-mail providers — sending and receiving messages exchanged with F7.
• Google LLC (Google Analytics 4) and Microsoft Corporation (Clarity) — aggregate analytics and heatmaps, activated only after explicit consent (see "Cookies" section below).

F7 does not sell, rent or transfer your personal data to third parties for marketing purposes.

7. Data processed inside the Platform (customer operation)

When the F7 KORE Platform is in operation at a customer:

• In the on-premises model, all operational data — documents, forms, conversations, messages, audio, images, histories — remain entirely in the customer's data center. F7 neither stores nor processes such data; its role is limited to software support under specific access agreements that are temporary and audited when required.
• In the managed SaaS model, data is hosted on cloud infrastructure in regions and parameters defined by contract, on an instance dedicated per customer. The customer is controller; F7 is processor under a specific DPA, which details purposes, retention, security, authorized sub-processors and mechanisms for exercising data subject rights.

8. Retention

Voluntarily provided contact data is retained while the commercial relationship or demonstrated interest lasts, and for up to 5 (five) years after the last contact, save for any longer statutory retention duty. Server logs and security logs are retained for the time strictly necessary for security purposes, generally less than 12 months. For data processed inside the Platform, retention terms follow the customer's specific DPA.

9. Data subject rights

Under Article 18 of the LGPD, you have the right to, at any time, upon request to the DPO:

• confirm the existence of processing of your personal data;
• access the data we hold about you;
• correct incomplete, inaccurate or outdated data;
• request anonymization, blocking or deletion of unnecessary, excessive or unlawfully processed data;
• request portability of data to another service or product provider;
• request deletion of personal data processed under consent, save for statutory retention obligations;
• obtain information about public and private entities with which we shared your data;
• obtain information about the option to refuse consent and the consequences of refusal;
• withdraw consent, where consent is the applicable legal basis.

To exercise any of these rights, write to [email protected]. We may request additional information to confirm your identity before fulfilling the request.

10. Information security

We adopt technical and administrative measures to protect personal data against unauthorized access, accidental or unlawful destruction, loss, alteration, communication or dissemination. Current measures include: encrypted communication (HTTPS/TLS), role-based access control, detailed and immutable audit trails of sensitive Platform operations, and per-customer segregation on dedicated instances in the SaaS model.

11. International data transfer

The Site is hosted in region southamerica-east1 (São Paulo) and served by Cloudflare's global CDN. Certain administrative operations (corporate e-mail, scheduling) may involve providers established outside Brazil. In all cases, we require contractual safeguards and mechanisms compatible with Article 33 of the LGPD.

12. Children and adolescents

The Site and Platform are B2B (business-to-business) products targeted at professionals of companies. We do not target or intentionally collect data from children or adolescents. If we become aware of any inappropriate processing in this regard, we will delete the data under the LGPD.

13. Changes to this Policy

This Policy may be updated periodically to reflect legal, regulatory or operational changes. The current version will always be available at this URL, with the date of the latest update. In case of a material change, we will notify you through registered commercial contact channels.

14. National Authority

If your request to the DPO is not satisfactorily resolved, you have the right to lodge a complaint with the Brazilian National Data Protection Authority (ANPD).