Privacy Policy
Last updated: May 2026 — fully compliant with LGPD (Brazil), CCPA/CPRA (California), and PIPEDA (Canada)
This Privacy Policy explains how Candidatoo ("Candidatoo", "we", "us") collects, uses, shares and protects personal data, and the rights you have over your data. It is written in plain language and structured to satisfy, simultaneously, the requirements of Brazil's General Data Protection Law (LGPD - Lei nº 13.709/2018), the California Consumer Privacy Act as amended by CPRA, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), as well as comparable principles of the EU/UK GDPR.
1. Controller and Data Protection Officer
Data controller: Candidatoo, headquartered in São Paulo - SP, Brazil. Data Protection Officer (Encarregado / DPO): info@candidatoo.com.br. For California consumers, this is also our designated contact for CCPA requests; for Canadian residents, our PIPEDA Privacy Officer.
2. Personal data we collect
- Account data: name, email, password hash, language, time zone.
- Profile & career data: resumes, work history, education, skills, certifications, cover letters, application notes — what you choose to upload or type.
- AI interaction data: prompts you send and outputs we generate, kept to give you history and to improve your experience.
- Job & company data: URLs and descriptions you connect to a resume, plus the public information we fetch about those companies.
- Billing data: plan, credits, invoices. Card details are tokenized and stored only by Stripe.
- Technical data: IP address, browser, device, OS, approximate location (city/country derived from IP), pages visited, performance metrics, and security event logs.
- Cookies and similar: see our Cookie Policy.
We do not knowingly collect sensitive personal data (health, biometrics, sexual orientation, religion, political opinions) or data from children under 16. If you believe a child has provided us data, contact us and we will delete it.
3. Purposes and legal bases
We process personal data only for specific, explicit and legitimate purposes, with at least one valid legal basis: under LGPD art. 7º and 11; under GDPR art. 6; under PIPEDA Principle 4.3; and under CCPA §1798.100, with proper notice at collection.
- Provide the service — execution of contract / cumprimento de contrato (LGPD art. 7º, V).
- Authenticate users and prevent fraud — legitimate interest / legítimo interesse (art. 7º, IX).
- Process payments — execution of contract and legal obligation.
- Send transactional messages — execution of contract.
- Send marketing emails — consent / consentimento (art. 7º, I), revocable at any time.
- Improve and secure the product — legitimate interest, balanced against your rights.
- Comply with the law — cumprimento de obrigação legal ou regulatória (art. 7º, II).
4. How we use AI
When you ask Candidatoo to generate or improve content, your prompts and the relevant context (your profile, the job description) are sent to the AI provider behind the Lovable AI Gateway (OpenAI, Google or Anthropic). We have contractual commitments that prevent your inputs and outputs from being used to train third-party models. You can delete generated content at any time.
5. Sharing
We do not sell your personal data and we do not engage in "cross-context behavioral advertising" (as defined by CPRA). In the last 12 months we have not sold or "shared" personal data under CCPA. We disclose data only to:
- Operators / processors that act on our instructions (see our DPA for the full list, including Supabase, Cloudflare, Stripe, and AI providers).
- Authorities, when required by court order, subpoena, or applicable law.
- An acquirer in case of merger, acquisition or asset sale, with prior notice.
6. International transfers
Some of our processors are located in the United States, Canada and the European Union. We rely on (a) adequacy decisions where they exist, (b) Standard Contractual Clauses with supplementary technical measures (encryption at rest and in transit, pseudonymization), and (c) other safeguards approved by the ANPD, the EDPB, the OPC or the ICO, as required by LGPD art. 33, GDPR Chapter V, and PIPEDA Principle 4.1.3.
7. Retention
- Active accounts: we keep your data while your account is active.
- Deleted accounts: we erase or anonymize personal data within 30 days of deletion, except where retention is required by law (e.g. tax records: 5 years in Brazil).
- Backups: encrypted backups rotate within 30 days.
- Logs: security and access logs are kept for up to 12 months (Marco Civil da Internet art. 15 — minimum 6 months for application logs).
8. Your rights
Subject to applicable law, you have the right to:
- Know / access — what personal data we hold about you (LGPD art. 18, I-II; CCPA §1798.110; PIPEDA Principle 4.9; GDPR art. 15).
- Correct incomplete, inaccurate or outdated data (LGPD art. 18, III; CPRA §1798.106; PIPEDA Principle 4.9; GDPR art. 16).
- Delete data processed in breach of the law or that is no longer needed (LGPD art. 18, VI; CCPA §1798.105; GDPR art. 17).
- Portability in a structured, machine-readable format (LGPD art. 18, V; GDPR art. 20).
- Object to processing based on legitimate interests (GDPR art. 21; PIPEDA Principle 4.3.8).
- Restrict processing in specific cases.
- Withdraw consent at any time, without retroactive effect.
- Opt out of sale / sharing and limit the use of sensitive personal information (CCPA/CPRA §1798.120 / §1798.121). We honor the Global Privacy Control (GPC) signal as a valid opt-out.
- Non-discrimination for exercising your rights (CCPA §1798.125).
- Lodge a complaint with the ANPD (Brazil), the OPC (Canada), the California Privacy Protection Agency, or your local data protection authority.
To exercise any right, email info@candidatoo.com.br. We respond within the shortest statutory deadline applicable to your request (LGPD: 15 days; PIPEDA: 30 days; CCPA: 45 days, extendable by 45 more days). Authorized agents may submit requests on your behalf with proof of authority.
9. Automated decisions
Candidatoo uses AI to suggest content, but no decision with legal or similarly significant effects on you is taken solely by automated means without human review (LGPD art. 20; GDPR art. 22).
10. Security
We apply technical and organizational measures to protect your data: TLS in transit, AES-256 at rest, role-based access control, MFA for administrators, Row-Level Security on multi-tenant data, continuous monitoring, daily encrypted backups, annual penetration testing, and a documented incident response plan. In case of a confirmed personal data breach we will notify the ANPD and affected data subjects in a reasonable time (LGPD art. 48), the OPC and individuals where the breach poses real risk of significant harm (PIPEDA s. 10.1), and California residents under §1798.82.
11. Children
The service is intended for users 16 years or older. If you are a parent or guardian and believe your child has provided us data, contact us for prompt removal.
12. Changes
Material changes will be announced by email and in-app notice with at least 15 days' advance notice. The "Last updated" date at the top of this page always reflects the current version.
13. California-specific disclosures
In the 12 months prior to the last update we collected the categories described in Section 2 (identifiers, commercial information, internet activity, geolocation derived from IP, professional information). We disclosed identifiers, commercial information and internet activity to our service providers solely to operate the service. We did not sell or share personal information. We did not collect or process sensitive personal information for purposes that would require a "Limit the Use" right under CPRA.
14. Contact
Data Protection Officer / Encarregado / Privacy Officer:
info@candidatoo.com.br
Candidatoo — São Paulo, Brazil.