Privacy Policy

This Privacy Policy aims to clarify to Users of the Goatcom Platform how their personal data is processed, in compliance with current legislation. In doing so, Goatcom reiterates its commitment to data protection, aligning with the provisions of Federal Law No. 13,709/2018 — the General Data Protection Law (LGPD) — and promoting greater transparency, security, and reliability in the use of information.

Due to the importance attributed to User privacy, Goatcom adopts its respect and protection as an essential principle. Therefore, its products and services are designed from the outset under the perspective of the “privacy by design” concept, meaning data protection is incorporated from conception to final delivery to the customer. Before accessing or using any platform functionality, it is fundamental that the User be fully aware of which data is collected, how it is processed, and for what purposes, as described in the Goatcom Terms of Use. This conduct ensures the data subject's right to informational self-determination — that is, the freedom to decide, based on clear information, whether or not to use the services offered.

To this end, we request that the User manifest their agreement with this Privacy Policy through express confirmation in the specific field of the platform. The document presents, in an objective and accessible manner, the criteria adopted regarding the collection, use, storage, and protection of personal data. Thus, we recommend that this Policy be read carefully before any registration or browsing on the Goatcom website and platform.

Considering that legal norms and User expectations may evolve, this Policy may be modified at any time. For this reason, it is important that you review its content periodically to stay informed about eventual updates.

1. Definitions and Concepts

For the purposes of this Privacy Policy, the terms below should be understood according to their legal meanings, pursuant to Law No. 13,709/2018 — General Data Protection Law (LGPD).

Registration Data: information provided by the User at the time of registration or during the use of the platform, such as parentage, address (physical and electronic), full name, marital status, profession, and other data that enable their identification and individualization.

III. Legal and Normative Foundations

Sensitive Personal Data: a special category of personal data regarding information about racial or ethnic origin, religious conviction, political opinion, affiliation with a union or a religious, philosophical, or political organization, data referring to health or sexual life, as well as genetic or biometric data, when linked to a natural person.

Anonymized Data: data relating to a subject who cannot be identified, considering the use of reasonable technical means available at the time of processing. In these cases, the data may be stored and used, provided it is not possible to reverse the anonymization through simple or accessible means.

Data Subject: the natural person to whom the personal data being processed refers.

Personal Data Processing: any operation or set of operations performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction.

Goatcom, as a provider of e-commerce solutions, acts in the processing of personal data with strict compliance with applicable legislation and information security best practices. To the extent that it collects, uses, shares, and stores User data, Goatcom may exercise both the function of controller and operator, always committing to the principles of purpose, necessity, security, transparency, and accountability, as provided for in the LGPD.

2. Scope of Application

This Privacy Policy applies fully to all services, products, functionalities, and other technological resources offered by Goatcom, including, but not limited to, its institutional website, digital platforms, web environment, integrated systems, and any software made available to Users.

3. Collection of Personal Data and Registration Information

For the services offered by the platform to be provided appropriately, Goatcom collects and processes personal data provided directly by the User, such as name, CPF or CNPJ, e-mail, telephone, address, and banking information. Furthermore, when using the platform, other data may be collected automatically, such as IP address, date and time of access, device type, and browsing behavior, provided they are in compliance with the purposes established in this Privacy Policy.

This data is used, for example, so that the Goatcom team can communicate with Users through notifications about their activity on the platform, system alerts, and relevant operational information. Personal data processing may also occur for the fulfillment of legal or regulatory obligations, execution of contracts, regular exercise of rights in judicial, administrative, or arbitral processes, as well as in other cases authorized by items I to X of Article 7 of the General Data Protection Law (LGPD).

Additionally, the data may be stored and processed for the following specific purposes:

The report can be anonymous or identified, with the following being ensured:

a ) Continuously improve the products, services, and functionalities offered by Goatcom;b ) Respond to requests made by Users and enable the proper use of platform resources;c ) Send institutional, informative, or promotional communications about products, services, updates, and campaigns from Goatcom;d ) Analyze usage patterns and develop statistical and demographic browsing profiles;e ) Confirm the truthfulness of provided information, as well as request necessary additions for service execution;f ) Ensure the stability and efficiency of the operation of platform tools and functionalities;g ) Protect the integrity, security, and confidentiality of stored data;h ) Disclose third-party products and services when compatible with the platform context and User interest;i ) Serve, whenever applicable, the legitimate interest of the controller, provided the fundamental rights and freedoms of the subject are respected.

All data processing described above is performed based on a legal ground, legitimate purpose, and in a transparent manner, in strict compliance with current personal data protection legislation.

6.1) Personal Data and User Rights

In compliance with Articles 9 and 18 to 22 of Law No. 13,709/2018 (LGPD), Users are guaranteed the right to obtain, upon formal request, complete, clear, and accessible information about the processing of their personal data performed by Goatcom.

The data subject may, at any time, request:

• Confirmation of the existence of processing of their personal data;
• Access to stored data;
• Correction of incomplete, inaccurate, or outdated data;
• Anonymization, blocking, or deletion of unnecessary, excessive data or data processed in non-compliance with the LGPD;
• Data portability, as regulated by the competent authority;
• Deletion of personal data processed based on consent, when applicable;
• Revocation of previously granted consent;
• Information about public or private entities with which the data has been shared;
• Information about the possibility of not providing consent and the consequences of that decision.

To exercise these rights, as well as to clarify doubts or present requests related to data protection, the User should contact Goatcom through the official service channel: support@goatcom.io. In cases where the processing of personal data is based on consent, the User may revoke it at any time, without prejudice to the legality of the processing previously performed. It is noted, however, that the revocation of consent or the request for deletion of data processed based on legitimate interest or contractual necessity may result in the interruption of certain services, in which case Goatcom will not be held responsible for eventual losses resulting from the discontinuity.

Some personal data, even if subject to a deletion request, may be kept by Goatcom for the period necessary to comply with legal, regulatory, or fiscal obligations. For example, data linked to invoices, financial records, CPF/CNPJ, and essential information for meeting tax obligations and proving operations will be preserved as per legal requirements.

Goatcom adopts rigorous technical and organizational measures to ensure the security, confidentiality, and integrity of processed data, but recognizes that, for technical and operational reasons, it is not possible to guarantee absolute inviolability. In cases of suspected fraud, bad faith, or misuse of the platform, Goatcom reserves the right to share the collected personal data with competent authorities, such as: public security bodies, specialized police stations, supervisory entities, insurance companies, Judiciary bodies, arbitration courts, and other administrative or judicial entities capable of conducting such investigations or processes.

The User also authorizes Goatcom to share their personal and registration data with third-party service providers, contracted to enable the operation of the platform and improve the services offered. This sharing may involve, among others, providers responsible for data backup and storage, fraud detection and prevention services, e-mail providers, database solutions, tax document issuance, and other essential operational activities.

Goatcom undertakes to require all its partners and suppliers to include contractual clauses that ensure the proper processing of shared personal data, with observance of security measures, confidentiality, and use limited to authorized purposes.

Furthermore, the User declares to be aware that, in the event of corporate transactions involving a merger, spin-off, incorporation, acquisition, or sale of assets, the personal data in Goatcom's possession may be transferred as an integral part of the business assets, observing, in this case, the maintenance of confidentiality obligations and respect for the rights of data subjects.

Except for the situations already covered in this Privacy Policy, the personal and registration data provided directly by Users to the platform, as well as access records (such as IP address, date, time, and time zone) and information related to transactions made through Goatcom, may only be disclosed to third parties in the following circumstances:

• When there is a request or express authorization from the data subject themselves;
• By force of legal obligation or through a valid judicial order;
• To protect the life or physical integrity of the data subject or third parties;
• When necessary for the purposes of health protection, in procedures performed by medical professionals or public health entities.

Additionally, any and all requests for personal data of third parties, stored by Goatcom as a result of the service provision agreement signed with its Users, is conditioned on the presentation of a judicial order or determination from a legally competent authority.

Goatcom clarifies that it does not share or provide personal data upon simple informal request. In case of infringement or violation of civil, criminal, or administrative rights, it will be up to the interested party to register the occurrence with the competent official bodies and present to Goatcom the corresponding judicial order, request from the Public Prosecutor's Office, or determination from a police or administrative authority legitimized for such, in accordance with current legislation.

9. Data Maintenance After Account Cancellation

The User may request the closure of their Goatcom account at any time through the Settings area of the Platform itself. Requests made by other means will not be considered valid for this purpose.

If the cancellation request is sent directly to the service channel via e-mail support@goatcom.io, Goatcom will archive the registration and personal data provided by the User during their use of the Platform, which will be kept in a protected environment, with restricted access and through appropriate security measures.

The retention of this data will occur based on items II, V, VI, and IX of Article 7, and pursuant to Article 16 of Law No. 13,709/2018 (LGPD), ensuring compliance with legal and regulatory obligations, as well as the regular exercise of rights in an eventual judicial, administrative, or arbitral process. As for application access records (IP address, date, time, and time zone), these will be automatically deleted after the 180-day period, as required by applicable legislation, unless it is necessary to keep them for a longer period due to legal or judicial determination.

10. Anti-Spam Policy

Goatcom adopts a rigorous policy against sending unsolicited messages (spam) and commits to ensuring that all communications originating from its Platform are relevant, legitimate, and of interest to the respective recipients.

The User may, at any time, adjust their communication preferences to stop receiving e-mails sent by Goatcom through account settings or, if preferred, through the request for account closure as provided in this Policy.

Goatcom also imposes on its Users the obligation not to use the platform for the dissemination of unwanted content. It is the User's responsibility to ensure that any message sent through Goatcom's tools is relevant and consented to by the recipient.

The practice of spam or any other abusive conduct related to communication may result in sanctions, including the blocking or cancellation of the account of the involved User, as well as the sharing of their registration data with directly affected third parties, pursuant to this Privacy Policy and applicable legislation.

Goatcom may, at its discretion and whenever necessary, review and modify this Privacy Policy, whether due to the implementation of new functionalities, legal updates, or improvement of data processing practices.

In case of modification of this document, Goatcom commits to communicating with Users through a notice sent to the registered e-mail and/or through a prominent publication on the Platform itself, clearly informing the content of the changes made.

Continued use of the Platform after the disclosure of changes will be interpreted as tacit manifestation of agreement with the new terms of the Privacy Policy, constituting express, irrevocable, and irredeemable consent to the updated provisions.

12. Final Provisions

Goatcom may store collected personal data on servers located in Brazil or other countries, provided that the requirements established in Article 33 of Law No. 13,709/2018 (LGPD) are respected. In these situations, Goatcom ensures the adoption of adequate protection guarantees, such as specific contractual clauses and international transfer mechanisms compatible with the standards required by the National Data Protection Authority (ANPD).

Use of the Platform is restricted to persons aged 18 (eighteen) or over and with full civil capacity. Goatcom does not deliberately collect or process personal data of children or adolescents, in compliance with the provisions of Article 14 of the LGPD. If the use of the Platform by a minor is identified, the respective account will be closed and any personal data eventually collected will be immediately deleted.

Additionally, Goatcom declares that it adopts internal governance measures and good practices in data protection, such as mapping and inventory of personal data, access control, periodic review of security measures, continuous training with its teams and, whenever necessary, the preparation of Data Protection Impact Assessments (DPIA), as provided for in Article 38 of the LGPD.