1. Introduction
This Privacy Policy describes how QuandoPosso ("we", "our", "Service") collects, uses, stores, and protects your personal information. By using our Service, you agree to the practices described in this policy.
Commitment to privacy. We take the protection of your data seriously and are committed to complying with the Brazilian General Data Protection Law (LGPD — Law 13.709/2018), the Brazilian Internet Framework (Law 12.965/2014), and other applicable legislation. This Policy has been designed to ensure transparency about what data we collect, how we use it, and what your rights are as a data subject.
Data controller. QuandoPosso is the controller of the personal data processed through the Service. This means we are responsible for decisions about how your data is collected and used. If you are a professional using the Service to receive bookings, you may also act as a controller with respect to the personal data of your own clients.
2. Information We Collect
We collect different categories of personal information depending on how you interact with the Service. We always seek to limit data collection to the minimum necessary to provide and improve our features.
2.1 Account Information
Authentication data. When you create an account using Google authentication (Google OAuth), we automatically collect the basic information from your Google profile:
- Full name: Used to identify your profile and personalize your public booking page
- Email address: Used as the primary identifier for your account, for sending booking notifications and essential Service communications
- Profile photo: When available on your Google profile, used for display on your booking page and in the Service interface
- Unique Google identifier: A numeric code that allows us to securely link your Google account to your QuandoPosso account
2.2 Service Usage Information
Operational data. During your use of the Service, we collect information necessary for its operation:
- Scheduling information: Dates, times, event types, session durations, and appointment statuses (confirmed, cancelled, rescheduled)
- Availability settings: Your available time slots, buffer times between sessions, days off, and schedule exceptions
- Client contact data: Names and email addresses provided by your clients at the time of booking, as well as any notes or responses to custom fields
- Booking history: A complete record of your past and future appointments, including creation dates, modifications, and cancellations
- Service preferences: Settings such as timezone, preferred language, and customizations to your booking page
2.3 Google Calendar Information
Scope of access. If you choose to sync with Google Calendar, we access information about your events solely to check availability and prevent scheduling conflicts. We use only the minimum necessary permissions (calendar scope) and do not store the full content of your personal events — only start and end times are used to determine your availability.
Revoking access. You can revoke QuandoPosso's access to your Google Calendar at any time through your Google account settings or the Service settings. Revoking access disables synchronization but does not affect bookings already created.
2.4 Technical Information
Automatically collected data. We automatically collect limited technical information when you access the Service:
- Browser and device type: Information about the browser used (Chrome, Firefox, Safari, etc.) and the type of device (desktop, mobile, tablet)
- Timezone: Your local timezone, essential for displaying correct times and appropriate availability
- Pages accessed: Which pages of the Service you visited and how you interacted with them, for the purpose of improving the user experience
We do not collect precise geolocation data, do not use third-party trackers for advertising purposes, and do not create behavioral profiles for sale to third parties.
3. How We Use Your Information
We use your personal information based on the following legitimate purposes and legal bases as set forth by the LGPD:
- Provide the Service (contract performance): Create and manage your account, generate and maintain your public booking page, process reservations, and manage your availability. This is the primary purpose for data collection.
- Operational communication (contract performance): Send booking confirmations, automated reminders, cancellation notifications, and essential Service updates. You cannot opt out of these communications while your account is active, as they are necessary for the Service to function.
- Service improvement (legitimate interest): Analyze usage patterns in an aggregated and anonymized manner to identify issues, improve existing features, and develop new capabilities.
- Security and integrity (legitimate interest): Detect, prevent, and respond to fraud, abuse, security incidents, and activities that violate our Terms of Use.
- Legal compliance (legal obligation): Fulfill legal, regulatory, and tax obligations imposed by Brazilian law.
- Payment processing (contract performance): Manage your subscription, process charges, and maintain the necessary financial records.
We do not use your data for unsolicited direct marketing, creation of advertising profiles, or any other purpose incompatible with those described above.
4. Information Sharing
We share your personal information only in the strictly necessary situations described below. We do not sell, rent, or trade your personal data with third parties.
- With your clients: Your name, profile photo, event types, and availability are visible on your public booking page. This is an essential feature of the Service, and you control which information is displayed through your account settings.
- Payment processors (Stripe): We share information necessary for Stripe to process subscription payments. Stripe acts as an independent data processor and has its own privacy policy. We do not directly store your complete credit card data.
- Google: For authentication and calendar synchronization, information is exchanged with Google services according to the permissions you have granted. Google has its own privacy policy governing the processing of your data.
- Infrastructure (Cloudflare): Our services operate on Cloudflare's infrastructure, which may process data as part of Service delivery (CDN, security, storage). Cloudflare acts as a data processor under our instructions.
- Legal obligations: We may disclose your information when required by law, court order, legal process, or when necessary to protect our legal rights, user safety, or public safety.
Business transfers. In the event of a merger, acquisition, reorganization, or sale of QuandoPosso's assets, your personal data may be transferred to the successor or acquirer. You will be notified by email of any such transfer.
5. Storage and Security
Infrastructure. Your data is stored on Cloudflare's infrastructure, with globally distributed servers. Cloudflare is recognized as one of the leading web security and performance platforms.
Security measures. We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, loss, destruction, or alteration, including:
- Encryption in transit: All communications between your browser and our servers are protected by HTTPS/TLS, ensuring your data cannot be intercepted during transmission
- Encryption at rest: Sensitive data is encrypted in storage, protecting it even in the event of unauthorized physical access to servers
- Access controls: Data access is restricted to authorized personnel, with strong authentication and the principle of least privilege
- Security monitoring: Continuous monitoring for threats, unauthorized access attempts, and suspicious activity
- Secure authentication: We use Google's OAuth 2.0 protocol for authentication, eliminating the need to store passwords
While we employ robust protective measures, no system is 100% secure. In the event of a security incident that may pose a risk to data subjects, we will notify those affected and the Brazilian National Data Protection Authority (ANPD) as required by the LGPD.
6. Data Retention
Active account. We retain your personal information as long as your account is active or as needed to provide the Service. Scheduling data is maintained to allow access to the complete history of your appointments.
After account deletion. After you request deletion of your account, your personal data will be removed within 30 days. Anonymized and aggregated data that does not allow your identification may be retained indefinitely for statistical purposes.
Legal exceptions. Certain data may be retained beyond the 30-day period when retention is necessary for compliance with legal, tax, or regulatory obligations, dispute resolution, or contract enforcement. Financial records, for example, must be kept for at least 5 years under Brazilian tax legislation.
7. Your Rights (LGPD)
Under the Brazilian General Data Protection Law (LGPD), you have the following rights regarding your personal data, which may be exercised at any time:
- Confirmation and access: Confirm the existence of data processing and obtain access to the personal data we hold about you, including information on data categories, purposes, and sharing arrangements
- Correction: Request correction of incomplete, inaccurate, or outdated personal data. You can directly update some information through your account settings
- Anonymization, blocking, or deletion: Request anonymization, blocking, or deletion of personal data that is unnecessary, excessive, or processed in violation of the LGPD
- Portability: Request the portability of your personal data to another service provider, in a structured and interoperable format
- Deletion of consent-based data: Request the deletion of personal data processed solely on the basis of your consent
- Information about sharing: Be informed about the public and private entities with which we share your data
- Consent withdrawal: Withdraw consent given for the processing of personal data at any time, with the understanding that withdrawal does not affect the lawfulness of processing carried out prior to withdrawal
- Objection to processing: Object to the processing of personal data when carried out on a basis other than consent, where there is non-compliance with the LGPD
How to exercise your rights. To exercise any of these rights, contact us at [email protected]. We will respond to your request within 15 business days. You can also request data deletion directly through the Service interface in your account settings.
ANPD. If you believe that the processing of your personal data violates data protection legislation, you have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD).
8. Cookies and Similar Technologies
Essential cookies. We use strictly necessary cookies for the functioning of the Service. These cookies are indispensable and cannot be disabled without compromising use of the Service:
- Session cookie: Keeps your authentication active while you use the Service, avoiding the need to log in repeatedly
- Preferences cookie: Stores settings such as language and theme (light/dark) choices
What we do not use. We do not use third-party tracking cookies for advertising purposes, behavioral analysis cookies for profiling, or any cross-site tracking technology. We do not participate in programmatic advertising networks.
9. International Data Transfer
Global infrastructure. Your data may be processed on servers located outside Brazil as part of Cloudflare's infrastructure, which operates a global network of data centers. Similarly, integrated services such as Google and Stripe may process data on international servers.
Adequate safeguards. We ensure that all international data transfers occur in compliance with the LGPD, using adequate security measures such as standard contractual clauses, privacy certifications, and protection commitments equivalent to the level of protection provided by Brazilian legislation.
Primary destinations. Data may be transferred primarily to servers in the United States and Europe, where our infrastructure providers and integrated services maintain their operations.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age, and we do not intentionally collect personal information from children or adolescents. We do not direct our features, marketing, or communications to minors.
If we become aware that we have collected personal data from a minor under 18 without verifiable consent from a legal guardian, we will take immediate steps to delete that information from our systems. If you believe a minor has provided personal data to the Service, please contact us at [email protected].
11. Changes to this Policy
We may update this Privacy Policy periodically to reflect changes to the Service, data processing practices, or applicable legislation. When we make significant changes, we will notify you by email or through a prominent notice on the Service at least 15 days before the new terms take effect.
We recommend reviewing this Policy regularly. The date of the last update is always indicated at the top of this page. Continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.
12. Contact
For questions about this Privacy Policy, about the processing of your personal data, or to exercise your rights as a data subject, please contact our team:
- Email: [email protected]
We are committed to responding to your request within a reasonable period, not to exceed 15 business days, as required by the LGPD. For data deletion requests, the completion period is up to 30 days.