Introduction
Codions Tecnologia Criativa Ltda ("Codions," "we," "us," or "our") operates the website codions.site and provides software development, digital product design, cloud infrastructure, and related technology services. We understand that you trust us with information about yourself when you visit our site or engage our services, and we take that responsibility seriously.
This Privacy Policy explains what personal information we collect, why we collect it, how we process and protect it, and what rights you have over it. It applies to all visitors to our website, prospective clients who submit enquiries, existing clients, and anyone who otherwise interacts with us digitally.
Our processing activities are governed primarily by Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD — Law No. 13,709/2018) and, where applicable to individuals in the European Economic Area and the United Kingdom, the General Data Protection Regulation (GDPR). We apply the higher of the two standards whenever they overlap. Where we reference "data protection law," we mean both instruments collectively.
By using our website or submitting information to us, you acknowledge that you have read and understood this policy. If you have any questions at any point, please contact us at contato@codions.site — we will be happy to help.
Information We Collect
We collect personal information in two main ways: information you provide to us directly, and information that is collected automatically when you use our website.
Information You Provide to Us
When you interact with Codions through our contact forms, project enquiry pages, or any other submission mechanism on the site, you may provide us with:
- Identity data: your full name and, where applicable, the name of your organisation.
- Contact data: your email address and telephone number.
- Project data: details about the service or solution you are seeking, timelines, budget ranges, and any other information you choose to include in the message field of a contact form.
- Communication data: the content of any emails, messages, or follow-up correspondence you send to us.
You are never obligated to share more information than is necessary to answer your enquiry. Fields marked as required on our forms collect only what is strictly needed to respond to you.
Information Collected Automatically
When you visit codions.site, certain technical information is collected automatically by our web server and analytics tools. This includes:
- Log data: your IP address (which may be truncated or anonymised depending on your region), browser type and version, operating system, referring URL, pages viewed, and the date and time of your visit.
- Device data: device type (desktop, tablet, or mobile), screen resolution, and language settings.
- Behavioural data: how you navigate the site — which pages you visit, how long you spend on each, and which links you click — collected via analytics cookies (see Section 4).
- Advertising interaction data: if you arrive at our site via a Google Ads advertisement, we may receive information about which ad you clicked and broad campaign-level performance metrics. We do not receive your personally identifying information from Google for this purpose.
Information From Third-Party Sources
In some cases, we may receive limited information about you from third-party platforms — for example, if you contact us via a professional networking profile that shares your name and job title when you initiate a conversation. We treat any such information with the same care as information you provide directly.
How We Use Your Information
We process personal information only when we have a lawful basis to do so. The table below describes our principal purposes, the data involved, and the legal grounds under LGPD and GDPR.
Responding to Enquiries and Providing Services
When you fill in a contact form or send us an email, we use your name, email address, phone number, and the content of your message to respond to your questions, prepare a project proposal, schedule a discovery call, and ultimately deliver the services you engage us for. The legal basis is the performance of a contract or pre-contractual steps at your request (LGPD Art. 7(V); GDPR Art. 6(1)(b)).
Improving Our Website and Services
Automatically collected log and behavioural data helps us understand how visitors use the site so we can improve navigation, identify technical errors, and prioritise new content. The legal basis is our legitimate interest in maintaining and improving our digital presence, balanced against your reasonable expectations as a website visitor (LGPD Art. 7(IX); GDPR Art. 6(1)(f)).
Marketing Communications
If you have explicitly requested updates, blog posts, or newsletters from us, we will send those to your email address. We will never subscribe you to marketing communications without your prior opt-in consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by writing to us at contato@codions.site. The legal basis is consent (LGPD Art. 7(I); GDPR Art. 6(1)(a)).
Measuring Advertising Performance
We use Google Ads conversion tracking to understand whether visitors who arrive via paid advertisements subsequently submit a contact form. This helps us allocate our advertising budget responsibly. The data is aggregated and not used to build individual profiles. The legal basis is our legitimate interest in running cost-effective marketing (LGPD Art. 7(IX); GDPR Art. 6(1)(f)), subject to your cookie preferences.
Legal and Compliance Obligations
Where required by applicable law, court order, or regulatory authority, we may need to process and disclose your personal information. The legal basis is compliance with a legal obligation (LGPD Art. 7(II); GDPR Art. 6(1)(c)).
We do not sell your personal data. We do not trade, rent, or sell your personal information to any third party for their own commercial purposes, under any circumstances.
Cookies & Tracking Technologies
Cookies are small text files that a website stores on your device when you visit. We use cookies and similar technologies — including pixels and local storage — to keep the site functioning correctly, to understand how it is used, and to measure the effectiveness of our advertising.
Types of Cookies We Use
Managing Your Cookie Preferences
When you first visit codions.site, a cookie consent banner gives you the opportunity to accept all cookies, accept essential cookies only, or customise your preferences by category. You can change your preferences at any time by clicking the "Cookie Settings" link in the footer.
You may also manage cookies directly through your browser. Most browsers allow you to refuse new cookies, delete existing cookies, or be notified when a cookie is set. The following links explain how to do this in the most common browsers:
- Google Chrome — Settings → Privacy and security → Cookies and other site data
- Mozilla Firefox — Preferences → Privacy & Security → Cookies and Site Data
- Apple Safari — Preferences → Privacy → Manage Website Data
- Microsoft Edge — Settings → Cookies and site permissions
Please note that disabling certain cookies — particularly essential ones — may affect the functionality of the site. Analytics and advertising cookies are entirely optional and can be declined without any impact on your ability to browse our content or submit an enquiry.
Google Analytics Data Sharing
We use Google Analytics 4 with IP anonymisation enabled. This means that before your IP address is transmitted to Google's servers, the final octet (for IPv4) is masked, making it impossible for Google to identify you personally from that data point. We have disabled data sharing with Google Advertising products for users who have not consented to advertising cookies.
Sharing With Third Parties
We do not share your personal information with third parties except in the limited circumstances described below. In every case, we ensure that appropriate safeguards are in place.
Service Providers (Data Processors)
We engage carefully selected third-party companies to help us operate our business and website. These companies process personal data on our behalf and under our instructions — they are not permitted to use your data for any other purpose. Our current sub-processors include:
- Google LLC — Google Analytics 4 (website analytics) and Google Ads (advertising performance tracking). Data may be transferred to and processed in the United States under Standard Contractual Clauses and/or Google's adequacy commitments.
- Cloud hosting and infrastructure providers — We host our website and project management tooling with providers that maintain ISO 27001 or SOC 2 Type II certifications. Data is stored primarily in Brazil and/or within the EU/EEA where technically feasible.
- Email delivery service — Transactional and marketing emails are delivered via a third-party email platform operating under a data processing agreement that complies with LGPD and GDPR requirements.
Professional Advisors
We may share information with lawyers, accountants, or auditors where necessary for the purposes of legal compliance, financial reporting, or the protection of our legal rights. These parties are bound by confidentiality obligations.
Business Transfers
If Codions is involved in a merger, acquisition, or sale of assets, personal data held by us may be transferred as part of that transaction. We will notify affected individuals before their data is transferred and becomes subject to a different privacy policy.
Legal Requirements
We may disclose personal information when required to do so by law, court order, or government authority, including in response to requests from public security or law enforcement agencies in accordance with LGPD Art. 7(II)–(III) and GDPR Art. 6(1)(c)–(e). Where we have discretion, we will notify you before any such disclosure unless prohibited by law.
International Data Transfers
Some of our service providers are located outside Brazil. When we transfer personal data internationally, we ensure that appropriate legal mechanisms are in place — such as Standard Contractual Clauses approved by the competent supervisory authority, adequacy decisions, or equivalent safeguards recognised under LGPD. If you would like more information about the specific mechanisms used for a particular transfer, please contact us.
Data Retention
We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or to comply with applicable legal, regulatory, accounting, or reporting requirements. Our general retention periods are as follows:
- Contact form submissions (enquiries that did not result in a contract): We retain your name, email address, and enquiry details for up to 24 months from the date of last contact. This allows us to respond to any follow-up questions and to have a record of our communications. After this period, the data is securely deleted or anonymised.
- Client data (projects that resulted in a contract): Data related to active or completed client engagements — including communications, project briefs, and deliverables — is retained for 5 years from the end of the contractual relationship. This reflects our obligations under Brazilian civil and tax law (Código Civil Art. 206; Lei 9.430/1996).
- Marketing preferences and consent records: We retain records of your consent (or withdrawal of consent) for as long as we hold your contact details for marketing, plus an additional 12 months, as evidence of compliance.
- Website analytics data: Aggregated and anonymised analytics data is retained for up to 26 months in Google Analytics 4, in line with the default data retention settings and our analysis needs. Individual event-level data is subject to shorter retention periods.
- Server access logs: Our web server logs are retained for up to 90 days for security monitoring and troubleshooting purposes, then automatically purged.
When data is no longer required, we delete it securely or irreversibly anonymise it so that it can no longer be associated with any identifiable individual. We review our retention schedules annually.
Data Security
We implement technical and organisational security measures appropriate to the sensitivity of the data we process and the risks involved. Our security practices include:
- Encryption in transit: All data transmitted between your browser and our website is encrypted using TLS 1.2 or TLS 1.3. We enforce HTTPS across the entire site and use HSTS headers to prevent downgrade attacks.
- Access controls: Access to systems that contain personal data is restricted to authorised personnel on a need-to-know basis. We use strong passwords, multi-factor authentication, and role-based access controls.
- Data minimisation: We collect only the information that is genuinely needed for the stated purpose, reducing the volume of personal data in our systems and therefore the impact of any potential incident.
- Vendor security requirements: Before engaging any sub-processor, we assess their security practices and require them to demonstrate compliance with applicable standards through contractual commitments and, where available, independent audit reports.
- Incident response: We maintain a documented data breach response procedure. In the event of a breach that is likely to cause risk to your rights and freedoms, we will notify the competent supervisory authority (ANPD in Brazil; the relevant DPA in the EEA) within 72 hours of becoming aware of it, and will notify affected individuals without undue delay where required by law.
- Regular reviews: We conduct periodic reviews of our privacy and security practices to identify gaps and improvements as our technology and business evolve.
While we employ these safeguards, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we can assure you that protecting your data is an active and ongoing priority at Codions.
Your Rights
Under LGPD (Art. 18) and GDPR (Arts. 15–22), you have a meaningful set of rights over your personal information. We are committed to honouring these rights promptly and without undue bureaucracy. The rights described below apply to personal data about you that we hold as a data controller.
Right of Access
You may ask us to confirm whether we hold personal data about you and, if so, to provide you with a copy of that data along with details of how it is processed.
Right to Correction
If any personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct or update it without undue delay.
Right to Deletion
Also known as the "right to be forgotten." You may request the erasure of your personal data where it is no longer necessary for the purpose it was collected, where you have withdrawn consent, or where the processing is unlawful.
Right to Object
You may object to our processing of your personal data where we rely on legitimate interests as our legal basis. You also have an absolute right to object to processing for direct marketing purposes at any time.
Right to Restriction
In certain circumstances — for example, while you contest the accuracy of data or have objected to processing — you may ask us to restrict (temporarily pause) the processing of your data.
Right to Portability
Where we process your data by automated means on the basis of your consent or a contract, you may request a copy of your data in a structured, commonly used, machine-readable format, or ask us to transmit it directly to another controller.
Right to Withdraw Consent
Where we rely on your consent as the legal basis for processing, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to Information
You have the right to be informed about how your data is used, which is the primary purpose of this Privacy Policy. You may also request information about third parties with whom we have shared your data.
How to Exercise Your Rights
To exercise any of the rights listed above, please send a written request to contato@codions.site with the subject line "Data Subject Request." To protect your data, we may need to verify your identity before we can respond — we will typically ask you to confirm your full name and email address, and may request an additional identifier if there is any ambiguity.
We aim to respond to all valid requests within 15 calendar days (LGPD Art. 19) or within 30 days (GDPR Art. 12(3)), whichever applies to your request. In complex cases, we may extend this period by a further 30 days, in which case we will notify you of the extension and the reasons for it.
Exercising your rights is free of charge. If a request is manifestly unfounded or excessive — for example, if it is repetitive in a way designed to cause disruption — we reserve the right to charge a reasonable fee or refuse to act on it, in line with applicable law.
If you are unsatisfied with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the competent supervisory authority. In Brazil, this is the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd. In the EEA, you should contact the data protection authority in your country of residence.
Children's Privacy
Our website and services are directed exclusively at businesses and adult professionals. We do not knowingly collect, solicit, or process personal information from individuals under the age of 18, and our site is not designed to attract or be used by children.
If you believe that a child under 18 has submitted personal information to us without appropriate parental or guardian consent, please contact us immediately at contato@codions.site. We will take prompt steps to investigate and, if confirmed, to delete the relevant data from our systems.
Under LGPD Art. 14, processing of personal data of children (under 12 in Brazil) requires specific consent from a parent or legal guardian. We have no legitimate reason to process data from any individual under the age of 18, and any submission from a minor should be reported to us so we can act accordingly.
Changes to This Policy
As our business evolves and data protection law continues to develop, we may need to update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. If the changes are material — meaning they significantly affect how we process your data or your rights — we will notify you more prominently, for example by posting a prominent notice on our homepage or by sending an email to users who have subscribed to our communications.
We encourage you to review this page periodically so that you remain informed about how we handle your personal information. Continued use of our website following a policy update constitutes your acknowledgement of the revised terms, to the extent permitted by applicable law. Where updated processing activities require fresh consent, we will seek that consent from you proactively.
Previous versions of this Privacy Policy are available on request by writing to contato@codions.site.
Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or to the way Codions handles your personal data, please do not hesitate to reach out. We prefer to resolve privacy-related matters directly and informally wherever possible, and we aim to respond to all queries within 5 business days.
Codions — Data Controller Contact Details
You may contact us for privacy-related matters using any of the following:
São Luís — Maranhão, Brazil
We are committed to working cooperatively with you to resolve any privacy concerns. If after contacting us you remain unsatisfied, you are entitled to escalate your complaint to the ANPD (Brazil's National Data Protection Authority) or, if you are resident in the European Economic Area, to the data protection supervisory authority in your country.