Instituto Torus
Legal document

Privacy Policy

How we handle your data

The Torus Institute values your privacy as much as your consciousness. This policy describes, in plain language, what data we collect, why we use it, who we share it with, and what your rights are — in compliance with the Brazilian General Data Protection Law (LGPD, Law 13,709/2018) and international best practices.

01 · What data we collect

Only the essentials.

We collect only the minimum necessary to operate the platform and fulfill legal obligations. Specifically:

  • Registration data: full name, email, password (stored as hash) — provided at signup.
  • Profile data: avatar, biography, social links — optional, edited by the user.
  • Payment data: we do not store card numbers. Mercado Pago processes and tokenizes the transaction. We only keep the transaction ID and status.
  • Address data: only when buying physical products, for shipping calculation and delivery.
  • Usage data: pages visited, course progress, posts published, likes and comments on the network.
  • Technical data: IP, user-agent, strictly necessary cookies to maintain the session.

02 · Why we use your data

Legitimate purposes.

Each piece of data is processed for a specific and legitimate purpose:

  • Authentication and security: keep the account protected (legal basis: contract execution).
  • Delivery of contracted content: courses, social network, events, certificates (contract execution).
  • Payments and receipts: payment processing and issuing receipts (legal obligation and contract execution).
  • Transactional communications: confirmations, password recovery, notifications (legitimate interest).
  • Continuous improvement: aggregated and anonymous metrics to evolve the platform (legitimate interest).
  • Legal compliance: court orders or tax obligations when required (legal obligation).

03 · Who we share with

Essential partners.

We only share with partners strictly necessary to deliver the service, always under confidentiality and data protection agreements:

  • Supabase: database and authentication — USA, under standard contractual clauses.
  • Mercado Pago: payment processing — Brazil, PCI-DSS certified.
  • Resend: transactional email delivery — USA.
  • Vercel: application hosting — USA.
  • Sentry: error monitoring — USA, pseudonymized data.
  • Commitment: we never sell, rent, or transfer your data to advertisers or commercial third parties.

04 · Cookies and tracking

Only the essentials.

We use only strictly necessary cookies to operate the platform (session, language preference, cart). We do not use advertising, remarketing, or fingerprinting cookies. Usage metrics are collected by Vercel Analytics in an aggregated and anonymous way, without identifying individual users.

05 · How long we keep your data

Minimal retention.

Your data remains in our database while your account is active. After cancellation or account deletion, personal data is erased within 30 days, except when there is a legal retention obligation (e.g., tax data on purchases, kept for 5 years under Brazilian law).

06 · Your rights (LGPD)

Sovereignty of the data subject.

As the data subject, you have the right to:

  • Access: confirm whether we process data about you and access what we hold.
  • Correction: correct incomplete, inaccurate, or outdated data.
  • Anonymization or deletion: request anonymization, blocking, or deletion of unnecessary data.
  • Portability: export your data in a readable format.
  • Withdrawal: withdraw your consent and request complete account deletion.
  • Complaint: file a complaint directly with the Brazilian Data Protection Authority (ANPD).

07 · Security

Protection at every layer.

We adopt technical and organizational measures to protect your data: encryption in transit (HTTPS/TLS 1.3), passwords stored as bcrypt hashes, Row Level Security (RLS) in the database, access auditing, continuous monitoring via Sentry, and daily automatic backups. Even so, no internet transmission is 100% secure — in case of an incident, we will notify affected users within 72 hours, as required by LGPD.

08 · How to exercise your rights

Data Protection Officer (DPO).

For any request related to your data (access, correction, deletion, portability, or questions), please contact our Data Protection Officer (DPO):

privacidade@institutotorus.com

We respond to all requests within 15 business days. If you are not satisfied with our response, you may appeal to ANPD at gov.br/anpd.

Last updated: April 10, 2026