Privacy Policy

Last updated: May 4, 2026 • Versão em português

1. Data Controller

Cliq is operated by Instituto Innvicton Ltda, registered under Brazilian National Registry of Legal Entities (CNPJ) number 23.285.285/0001-50, headquartered in Itapema, SC, Brazil. We are the data controller for personal data processed on this platform, in compliance with the Brazilian General Data Protection Law (Lei nº 13.709/2018, LGPD) and the EU General Data Protection Regulation (GDPR) when applicable.

2. Data Protection Officer (DPO)

• Email: dpo@umcliq.com.br
• Address: Itapema, Santa Catarina, Brazil

3. Data We Collect

3.1 Cliq subscriber data: name, tax ID (CPF/CNPJ), email, phone, address, professional registration when applicable, payment method.

3.2 Platform usage data: appointments, WhatsApp messages sent, contacts registered, interaction history.

3.3 Sensitive data (LGPD Art. 11), when applicable: medical specialty, type of procedure, clinical notes. Processed with specific and prominent consent.

3.4 Meta (Facebook and Instagram) data, when the customer connects their Meta account to the Paid Traffic Module:

• Business Manager identifiers, Ad Accounts and Pages selected by the customer
• Long-lived access tokens (encrypted at rest with AES-256-GCM)
• Ad campaign metrics (spend, impressions, clicks, conversions, CPM, CTR, CPL, ROAS) read via Meta Marketing API
• Lead data received via Meta Lead Ads (name, phone, email and any other fields the customer configured in the form)
• Page engagement metrics when authorized by the customer

3.5 Automatic data: IP address, browser, operating system, device identifiers, essential and analytics cookies.

4. Purposes of Processing

• Deliver contracted services (CRM, scheduling, marketing automation, paid traffic management)
• Operate Meta Ads campaigns on behalf of the customer when authorized, including creation, pausing, editing and reading of campaigns
• Capture leads generated by Meta Lead Ads and deliver them to the customer's CRM
• Send automated communications (reminders, confirmations, weekly performance audio summaries) via WhatsApp and email
• Prevent fraud, abuse and Terms of Service violations
• Fulfill legal and regulatory obligations
• Improve the platform based on aggregated and anonymous metrics

5. Legal Basis

• Contract performance: data necessary to deliver the service
• Consent: for non-strictly contractual purposes and sensitive data
• Legal obligation: tax and accounting retention
• Legitimate interest: fraud prevention and platform improvement, balanced against data subject rights

6. Data Sharing

Cliq shares data with the following third parties, all contracted as data processors under LGPD/GDPR with equivalent DPAs:

• Meta Platforms Inc. when the customer connects their Meta account, Cliq acts as an authorized integrator and exchanges data via Marketing API and Webhooks (subject to Meta's own Privacy Policy)
• Asaas (payment gateway) to process billing
• Evolution API for sending WhatsApp messages
• Supabase for structured data storage
• Anthropic (Claude API) for ad copy and audio content generation upon customer request
• ElevenLabs for voice synthesis of weekly performance summaries

We do not sell, rent or share personal data with third parties for direct marketing purposes without explicit consent from the data subject.

7. Data Retention

• Customer registration data: while the contractual relationship lasts plus 5 years (Brazilian civil prescriptive period)
• Financial data (invoices, receipts): 5 years
• Leads captured via Meta Lead Ads: 90 days by default (configurable by customer), then automatic purge
• Campaign metrics: 24 months aggregated, 90 days granular
• Access and audit logs: 24 months
• Meta access tokens: while the connection is active, encrypted
• Backups: automatic rotation 7 to 30 days depending on data type

8. Data Subject Rights (LGPD Art. 18 / GDPR)

• Confirmation that processing exists
• Access to data
• Correction of incomplete, inaccurate or outdated data
• Anonymization, blocking or deletion of unnecessary, excessive or non-compliant data
• Data portability
• Deletion of data processed based on consent
• Information about entities with which data was shared
• Information about the possibility of refusing consent and its consequences
• Withdrawal of consent
• Opposition to processing based on other legal grounds
• Review of automated decisions that affect the subject's interests

To exercise any right, email dpo@umcliq.com.br. We respond within 15 days maximum.

9. Data Deletion Request

To request complete deletion of your data, you can:

• Email dpo@umcliq.com.br
• Access the deletion status page at umcliq.com.br/data-deletion-status
• If you are a Meta user whose account was connected by a Cliq customer, your automatic deletion request arrives via Meta callback at/api/meta/data-deletion

Maximum completion time is 30 calendar days, retaining only legally required data.

10. Security

• Encryption in transit (TLS 1.3) and at rest (AES-256-GCM for sensitive data and Meta tokens)
• Role-based access control (RBAC) with Row-Level Security in the database
• Multi-factor authentication (MFA) for administrator users
• Continuous audit of accesses and actions (audit log retained 24 months)
• Daily isolated and tested backups
• Documented incident response plan
• Notification to ANPD within 48 hours in case of incident with risk to subjects (LGPD Art. 48)

11. Cookies and Tracking Technologies

Cliq uses essential cookies (necessary for operation) and analytics cookies (with consent). You can manage your preferences via the cookie banner or browser settings.

12. International Data Transfers

Some operators (Meta, Anthropic, ElevenLabs) process data on servers outside Brazil. Such transfers occur based on (a) destination country adequacy recognized by ANPD, or (b) standard contractual clauses guaranteeing protection level equivalent to LGPD/GDPR.

13. Children

Cliq is not intended for users under 18. We do not intentionally collect data from children. If we identify inadvertent collection, data will be deleted immediately.

14. Competent Authority

For non-compliance complaints, the data subject can file with Brazil's National Data Protection Authority (ANPD): www.gov.br/anpd. EU data subjects may also file with their local DPA.

15. Changes to This Policy

This policy may be updated to reflect legal, regulatory or operational changes. We will notify subjects via email and/or prominent notice on the platform at least 15 days before material changes.

This policy is also available in Português.