Privacy Policy

Last updated: May 15, 2026.

ConsentFly is a consent and privacy management platform operated by the ConsentFly team. This policy describes, per processing activity, which personal data we collect, for what purpose, on which legal basis, and for how long. It is structured to meet the LGPD (Law No. 13.709/2018) and the GDPR (Regulation (EU) 2016/679) where processing involves data subjects in the European Economic Area.

When you use ConsentFly as a processor to manage consent for visitors to your sites, ConsentFly acts as the processor and you act as the controller. For those cases, please also see our Data Processing Addendum (DPA).

1. Roles and responsibilities

ConsentFly acts in two distinct roles:

  • Controller, for customer account data (data subjects: our own registered users — name, email, billing data, platform usage logs).
  • Processor, for consent events and visitor data collected by the ConsentFly script on customer sites; in that case the customer is the controller and defines purpose and means.

2. Processing activities and legal bases

The table below describes each processing activity, the data involved, the purpose, and the applicable legal basis under LGPD Art. 7 and GDPR Art. 6(1).

| Activity | Data | Purpose | Legal basis |
|---|---|---|---|
| Account creation and management | Name, email, password (bcrypt hash), optional Google ID | Identify the user, authenticate access, and deliver the contracted service | Performance of contract — LGPD Art. 7(V) · GDPR Art. 6(1)(b) |
| Billing and subscription | Customer and billing identifiers in AbacatePay, subscription status, plan history | Process payments, issue invoices, and meet tax obligations | Performance of contract and legal obligation — LGPD Art. 7(V) and (II) · GDPR Art. 6(1)(b) and (c) |
| Transactional emails (verification, password reset, billing alerts) | Email, name, alert content | Confirm identity, allow account recovery, and communicate critical account events | Performance of contract — LGPD Art. 7(V) · GDPR Art. 6(1)(b) |
| Product communication (announcements, plan changes) | Email, name | Inform you of relevant platform changes and updates | Legitimate interest (you can opt out at any time) — LGPD Art. 7(IX) · GDPR Art. 6(1)(f) |
| Banner script operation on customer sites | Consent events (timestamp, accepted categories), country/region derived from IP, user-agent. The raw IP is not persisted. | Record consent evidence for the controller (customer) and meet LGPD/GDPR cookie requirements | Processed as processor on behalf of the customer; the legal basis is set by the customer (controller), generally visitor consent or legal obligation to demonstrate compliance |
| Security logs, abuse prevention, and rate-limiting | Source IP, session identifier, timestamp, route accessed | Protect the platform against fraud, brute force, and misuse | Legitimate interest — LGPD Art. 7(IX) · GDPR Art. 6(1)(f) |
| Evidence exports (consent CSV) | Customer consent records, signed download link | Provide on-demand evidence to the customer for data portability and audit | Performance of contract — LGPD Art. 7(V) · GDPR Art. 6(1)(b) |
| Outbound webhooks for integrations | Consent or policy event payload, HMAC signature | Deliver events to the endpoints configured by the customer | Processed as processor on behalf of the customer; legal basis set by the customer |

3. Retention periods

We keep each data category only for as long as needed to fulfill the stated purpose. After the term ends, data is deleted or irreversibly anonymized.

| Category | Retention | After the term |
|---|---|---|
| Active account (profile, authentication) | While the account is active | Deleted within 30 days of the deletion request (see section 6) |
| Consent records (LGPD/GDPR evidence) | While the account is active, plus 5 years after deletion | Deleted; the term is justified by the need to demonstrate retrospectively the original data subject's record if questioned |
| Billing and invoice history | 5 years (LGPD Art. 16) — tax obligation | Deleted |
| Generated exports (CSV) | 7 days | File deleted from storage; audit metadata kept |
| Webhook events (delivered or failed) | 90 days | Deleted |
| Audit and security logs | 12 months | Deleted or anonymized |

4. Data sharing

We do not sell, rent, or commercialize personal data. To operate the service, we share data only with contracted subprocessors, under contractual obligations of confidentiality and security, listed on a dedicated and up-to-date page:

See the full subprocessor list →

We may also disclose data when required by law, court order, or competent authority, always limited to the minimum necessary.

5. International transfers

Some of our subprocessors operate servers outside Brazil (for example, in the United States and the European Union). When that happens, we safeguard the transfer by means of:

  • Standard Contractual Clauses issued by the European Commission for destinations without an adequacy decision
  • Subprocessors certified to recognized standards (ISO 27001, SOC 2)
  • For data subjects in Brazil: compliance with LGPD Art. 33

6. Data subject rights (DSAR)

Under LGPD (Art. 18) and GDPR (Art. 15-22), you may, at any time:

  • Access the personal data we process about you
  • Correct incomplete, inaccurate, or out-of-date data
  • Request deletion (excluding the mandatory retention cases described above)
  • Request portability of your data in a structured, machine-readable format
  • Withdraw consent, where that is the applicable legal basis
  • Object to processing based on legitimate interest
  • Receive information about the public and private entities with whom we share data

How to exercise these rights in the dashboard: go to /dashboard/profile. The “Export my data” and “Delete account” actions cover access/portability and deletion rights directly, so there is no need to email us.

DSAR response SLA:

  • Acknowledgement of receipt: within 5 business days
  • Full response for Brazilian data subjects (LGPD): within 15 days of receipt
  • Full response for EEA data subjects (GDPR Art. 12(3)): within 30 days of receipt, extendable by up to 60 days in complex cases with notice
  • On account deletion, data is removed within 30 days, subject to the mandatory legal retentions (billing, tax, consent evidence) described in section 3

For alternate channels, write to suporte@consentfly.com.br.

7. Information security

We adopt reasonable technical and organizational measures to protect data, including:

  • Passwords stored as bcrypt hashes — never in plaintext
  • Mandatory HTTPS in production (TLS 1.2+)
  • Session tokens in HttpOnly, Secure, SameSite cookies
  • Webhooks signed with HMAC-SHA256 and SSRF protection on delivery
  • Least-privilege database access controls
  • Composite rate-limiting (IP + email) on authentication routes
  • Error monitoring via Sentry with PII filtering

About the webhook signing secret: each endpoint's HMAC key is stored in plaintext in the database because the worker must compute a new signature on every delivery. The secret is revealed to the customer only once at endpoint creation; subsequent APIs return only the last four characters ("…a1b2"). Production database access is restricted to services; the trade-off is the same as any signature pipeline without a dedicated KMS, and the one-time reveal prevents accidental re-exposure via API.
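
The trade-off described above, as an added example (not ConsentFly's own code): HMAC-SHA256 signing needs the raw key on every delivery, so a store holding only a one-way digest of the key cannot produce a signature the receiver accepts. The key format, the payload shape, and the function names are assumptions; the page does not state how the signature is transmitted.

```python
import hashlib
import hmac
import json
import secrets


def new_endpoint_secret() -> str:
    # Assumed format: 32 random bytes as hex (the page does not give the real one).
    return secrets.token_hex(32)


def masked(secret: str) -> str:
    # Later API reads expose only the last four characters, as the page describes.
    return "…" + secret[-4:]


def sign(key: bytes, body: bytes) -> str:
    # HMAC-SHA256 over the exact bytes sent on the wire.
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(secret: str, raw_body: bytes, received_sig: str) -> bool:
    # Receiver side: recompute over the raw body (not re-serialized JSON)
    # and compare in constant time.
    expected = sign(secret.encode(), raw_body)
    return hmac.compare_digest(expected.encode(), received_sig.encode())


def demo() -> dict:
    secret = new_endpoint_secret()  # revealed once, at endpoint creation
    # Constructed sample payload; the event name is hypothetical.
    body = json.dumps({"event": "consent.updated", "categories": ["analytics"]}).encode()

    sig = sign(secret.encode(), body)  # worker needs the raw key for each delivery

    # A store that kept only a one-way digest of the key signs with the wrong key.
    digest_only = hashlib.sha256(secret.encode()).digest()
    sig_from_digest = sign(digest_only, body)

    return {
        "masked": masked(secret),
        "valid": verify(secret, body, sig),
        "tampered": verify(secret, body + b" ", sig),
        "digest_only_store": verify(secret, body, sig_from_digest),
    }


if __name__ == "__main__":
    print(demo())
```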

8. Cookies on the ConsentFly website

The consentfly.com site itself uses only strictly necessary cookies (authenticated session and language preference). We do not use advertising or third-party tracking cookies. To manage cookies on your site, configure the ConsentFly banner in the dashboard.

9. Security incidents

In the event of an incident involving personal data with material risk, we will notify the ANPD and affected data subjects within a reasonable timeframe, per LGPD Art. 48 and GDPR Art. 33, with a description of the incident, data involved, measures taken, and recommendations.

10. Changes to this policy

This policy may be updated. Material changes are communicated by email or dashboard notice with at least 15 days' notice when they expand processing purposes. The last-updated date appears at the top of this page.

11. Contact

For privacy questions, to exercise data subject rights, or to contact our DPO:

Email: suporte@consentfly.com.br