Legal & Compliance

Privacy Policy

Company: BLU TI SOLUCOES LTDA
CNPJ: 14.816.794/0001-70
Last updated: 14 July 2025
Effective: 14 July 2025

Introduction

BLU TI SOLUCOES LTDA ("Blu TI", "we", "our", or "us") is committed to handling your personal data with transparency, care, and respect. This Privacy Policy explains what information we collect when you interact with our website at blumenauti.online, why we collect it, how we use and protect it, and what choices you have.

We are a technology consultancy headquartered in Blumenau, Santa Catarina, Brazil. Our services span managed IT infrastructure, cybersecurity, cloud architecture, software development, and strategic digital transformation. In the course of delivering these services and marketing them online, we process personal data of website visitors, prospective clients, and service partners.

This policy has been drafted to meet the requirements of Brazil's Lei Geral de Proteção de Dados (LGPD — Law 13,709/2018), the European Union's General Data Protection Regulation (GDPR — Regulation 2016/679), and the operational requirements of advertising platforms including Google Ads. Where the LGPD and GDPR differ, we apply the higher standard of protection to all individuals regardless of their location.

By using this website, submitting a contact form, or otherwise engaging with us online, you acknowledge that you have read and understood this policy. If you do not agree, please refrain from using the site and contact us at contato@blumenauti.online to discuss how we can assist you without data processing.

Legal Basis for Processing

We rely on the following legal bases under the LGPD and GDPR: consent (Art. 7(I) LGPD / Art. 6(1)(a) GDPR) for marketing communications and non-essential cookies; legitimate interest (Art. 7(IX) LGPD / Art. 6(1)(f) GDPR) for website analytics and fraud prevention; contract performance (Art. 7(V) LGPD / Art. 6(1)(b) GDPR) when responding to service enquiries; and compliance with a legal obligation (Art. 7(II) LGPD / Art. 6(1)(c) GDPR) for financial record-keeping.

Information We Collect

We collect only the information that is genuinely necessary for a specific, legitimate purpose. Below is a precise account of every category of data we may hold about you.

2.1 — Information you provide directly

When you fill in the contact form on our website or reach out to us by email, we collect the details you choose to submit. This typically includes:

  • Full name — so we can address you properly in our reply.
  • Email address — our primary channel for responding to enquiries.
  • Phone number — if provided voluntarily, for follow-up calls at your request.
  • Company name and role — to understand the organisational context of your enquiry.
  • Message content — the description of your challenge, project, or question.
  • Any attachments or documents — such as technical briefs or RFP documents you may choose to share.

Submission of this information is entirely voluntary. You are not required to provide it to browse our website. However, without a name and email address, we cannot meaningfully respond to your enquiry.

2.2 — Information collected automatically

When you visit blumenauti.online, our hosting infrastructure and analytics tools collect certain technical data automatically. This includes:

  • IP address — recorded by our web server and analytics platform to understand geographic traffic distribution and to detect abuse.
  • Browser type and version — used to ensure our site renders correctly across different environments.
  • Operating system — similarly used for compatibility and performance monitoring.
  • Referring URL — the page or advertisement that brought you to our site, which helps us measure the effectiveness of marketing spend.
  • Pages visited and time spent — to identify which content is most useful and where users encounter difficulty.
  • Date and time of visit — for security audit trails and traffic analysis.
  • Click events and scroll depth — collected via Google Analytics 4 and, if you accept advertising cookies, Google Ads conversion tags.

2.3 — Cookies and similar technologies

Our website uses cookies and similar tracking technologies, which are described in detail in Section 4. When you first visit the site, we present a consent banner that allows you to accept, reject, or configure non-essential cookies. Essential cookies required for the site to function are placed without consent, as they are strictly necessary.

2.4 — Information from third parties

If you click on one of our Google Ads advertisements, Google may pass anonymised or pseudonymised conversion data to our Google Ads account. We do not receive your name or email address through this channel — only aggregate conversion signals (e.g., "a user who clicked this ad visited the contact page"). We treat this data in accordance with Google's data-sharing terms and this policy.

How We Use Your Information

We are purposeful and deliberate about how personal data is used. We do not sell data, we do not use it for purposes unrelated to our business, and we do not profile individuals in ways that produce automated decisions with legal or similarly significant effects.

  • Responding to enquiries and proposals. When you contact us, we use your name, email, and message to provide a relevant, timely response — whether that is a proposal, a consultation call, or further information about a specific service. This processing is necessary to take steps at your request prior to entering a contract (LGPD Art. 7(V); GDPR Art. 6(1)(b)).
  • Sending requested information. If you ask us to send a capability deck, a technical brief, or other materials, we will use your email address for that single purpose. We will not add you to a mailing list without separate, explicit consent.
  • Marketing communications. With your explicit opt-in consent, we may send occasional email updates about new services, case studies, or industry insights relevant to technology decision-makers. You can withdraw consent at any time by clicking "Unsubscribe" in any email or by contacting us directly. We use no dark-pattern design to obtain consent.
  • Website analytics and improvement. Aggregated, anonymised analytics data helps us understand how visitors navigate the site, which pages are helpful, and where the experience breaks down on certain devices. We use this to improve content, performance, and accessibility — not to track individuals.
  • Advertising performance measurement. Conversion data from Google Ads tells us which advertising campaigns, keywords, and messages are generating genuine business enquiries. This allows us to allocate our marketing budget responsibly and to show you advertising that is relevant to your professional context. No personal profiling is created for this purpose.
  • Security, fraud prevention, and abuse detection. Server logs and IP data are retained for a limited period to identify and block malicious traffic, brute-force attempts, and spam submissions. This is a legitimate interest that does not override your fundamental rights.
  • Legal compliance and record-keeping. Brazilian law requires us to maintain certain financial and contractual records for specified periods. Where personal data forms part of such records (e.g., client invoices bearing a company contact's name), we retain it only for the minimum legally required period.

We do not use your data for any purpose not listed above. If we intend to use it for a new purpose that is materially different, we will notify you and, where required, obtain fresh consent before proceeding.

Cookies & Tracking Technologies

Our website uses cookies — small text files stored in your browser — as well as pixel tags and JavaScript beacons. This section explains every category we use, who sets them, what data they capture, and how long they persist.

When you arrive on our site for the first time, our cookie consent manager presents you with a clear choice. You may accept all cookies, reject non-essential cookies, or customise your preferences by category. Your choice is stored in a consent cookie for 12 months, after which we will ask again. You may change your preferences at any time by clicking the "Cookie Settings" link in the footer.

Google Analytics 4 (GA4). We use GA4 with IP anonymisation enabled at the collection level. This means the final octet of your IP address is zeroed out before the data reaches Google's servers. GA4 data is processed in accordance with Google's Data Processing Amendment. The data is used exclusively for our own internal reporting — we do not share it with other advertisers or allow Google to use it for its own advertising purposes. You can opt out of GA4 tracking globally by installing the Google Analytics Opt-out Browser Add-on.

Google Ads conversion tracking. When you submit our contact form, a conversion signal is sent to our Google Ads account via a Google tag embedded in the confirmation event. This signal does not include your name or email address — it is a pseudonymous event linked to a Google click identifier (gclid) that is stored in your browser. You can prevent this by declining advertising cookies in our consent banner or by adjusting your Google account's ad personalisation settings at myaccount.google.com.

How to manage cookies in your browser. All modern browsers allow you to view, block, or delete cookies independently of any website's consent mechanism. The settings are typically found under Privacy, Security, or Site Settings. Note that blocking essential cookies may impair the functionality of this website.

Sharing With Third Parties

We do not sell, rent, or trade your personal data to third parties. We share it only in the limited circumstances described below, and only with parties who are contractually bound to protect it.

  • Service providers (data processors). We use a small number of trusted technology providers to operate this website and our business communications. These include our web hosting and DNS provider, our email delivery platform for sending enquiry notifications, and our CRM tool for tracking client communications. Each provider has signed a Data Processing Agreement (DPA) with us and is prohibited from using your data for any purpose other than delivering the contracted service.
  • Google LLC. As described in Sections 3 and 4, we share pseudonymous analytics and advertising conversion data with Google. Google acts as a data processor for GA4 analytics and as an independent data controller for its advertising infrastructure. Google's privacy practices are governed by the Google Privacy Policy. Where Google processes data on our behalf, we have executed Google's standard controller-processor terms.
  • Legal and regulatory authorities. We will disclose personal data to competent Brazilian authorities (e.g., ANPD, Receita Federal) or law enforcement agencies if required to do so by applicable law, court order, or to protect our legal rights. We will notify you of any such disclosure where legally permitted to do so.
  • Business transfers. In the event that Blu TI undergoes a merger, acquisition, or sale of substantially all of its assets, personal data we hold may be transferred to the successor entity. We would notify affected individuals and ensure the successor is bound to treat the data in accordance with this policy.
  • Professional advisors. Our lawyers, accountants, and auditors may have access to personal data when providing professional services to us. They are bound by professional confidentiality obligations.

We do not transfer personal data to countries outside Brazil unless adequate safeguards are in place. Google LLC and its subsidiaries store data in data centres that are subject to Google's Binding Corporate Rules and the EU–US Data Privacy Framework, which we treat as an adequate safeguard for the purposes of international data transfers under LGPD Art. 33 and GDPR Chapter V.

Data Retention

We keep personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. We operate a retention schedule that is reviewed annually.

  • Contact form submissions — no engagement. If you submit an enquiry but no service relationship develops, we retain your contact details and message for a maximum of 12 months from the date of submission. After that period, records are permanently deleted from our CRM and email archives unless you have consented to ongoing marketing communications.
  • Contact form submissions — active or completed client engagement. Where an enquiry leads to a service agreement, contact data becomes part of the client record and is retained for the duration of the agreement plus 5 years, as required by Brazilian tax and commercial law (Lei 10.406/2002; Lei 5.172/1966).
  • Marketing consent records. If you have opted in to marketing communications, we retain evidence of your consent (timestamp, consent method) for the duration of the consent plus 2 years after withdrawal, to demonstrate compliance with data protection law.
  • Website analytics data (GA4). Raw event data is retained in Google Analytics for a maximum of 14 months per our GA4 configuration. Aggregate, anonymised reports derived from this data may be retained indefinitely for historical business analysis.
  • Server access logs. Web server logs, including IP addresses, are retained for 90 days for security monitoring and are then automatically purged.
  • Google Ads conversion data. Conversion records in our Google Ads account are retained for up to 90 days, in line with Google's standard gclid expiry period.
  • Cookie consent preferences. Your cookie consent choice is stored locally in your browser for 12 months, after which we present the consent banner again.

When data reaches the end of its retention period, it is either permanently deleted or irreversibly anonymised so that it can no longer be linked to an identifiable individual. Deletion requests submitted by users under their rights (see Section 8) are honoured within the timeframes described in that section, subject to overriding legal obligations to retain certain records.

Data Security

As a cybersecurity and IT infrastructure firm, data security is not a compliance checkbox for us — it is core to our professional identity. We apply the same rigour to protecting client data as we advise our clients to apply to their own systems.

Our technical and organisational security measures include, but are not limited to:

  • Encrypted data in transit. All communication between your browser and our website is encrypted using TLS 1.2 or higher. We enforce HTTPS site-wide with HSTS headers to prevent protocol downgrade attacks.
  • Encrypted data at rest. Personal data stored in our CRM, email systems, and file storage platforms is encrypted at rest using AES-256 or equivalent standards.
  • Access controls. Personal data is accessible only to members of our team who have a legitimate need to process it for the purpose described in this policy. Access is role-based, audited, and protected by multi-factor authentication.
  • Vendor security assessment. Before onboarding any third-party service provider that will process personal data, we assess their security posture, review their privacy and data handling policies, and ensure an appropriate DPA is in place.
  • Penetration testing and vulnerability management. We subject our own web properties to periodic vulnerability assessments, consistent with the same services we offer to our clients.
  • Incident response. We maintain a documented data breach response plan. In the event of a breach that is likely to result in risk to individuals, we will notify the Autoridade Nacional de Proteção de Dados (ANPD) within 72 hours where required under LGPD Art. 48, and will communicate with affected individuals without undue delay.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We encourage you never to share sensitive credentials, passwords, or confidential business data via a standard contact form. If you need to share sensitive materials, please contact us directly to arrange a secure transfer method.

Your Rights

Under both the LGPD and the GDPR, individuals have meaningful rights over their personal data. We take these rights seriously and have built a straightforward process for exercising them.

Right of Access

You may request confirmation of whether we hold personal data about you, and a copy of that data along with details of how it is used, stored, and shared.

Right to Correction

If any personal data we hold about you is inaccurate, outdated, or incomplete, you have the right to have it corrected or completed without undue delay.

Right to Deletion (Erasure)

You may request the deletion of your personal data where it is no longer necessary for the purpose collected, or where you withdraw consent and no other legal basis applies. We will honour this unless a legal obligation requires us to retain certain records.

Right to Portability

Where technically feasible, you may request a structured, machine-readable copy of the personal data you have provided to us, to transfer it to another controller.

Right to Object

You may object to the processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests or rights.

Right to Restrict Processing

In certain circumstances — for example, while a correction request is being resolved — you may request that we temporarily suspend active processing of your data.

Right to Withdraw Consent

Where processing is based on consent (e.g., marketing emails or non-essential cookies), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the ANPD (Brazil's national data protection authority) or, if you are in the EU/EEA, with your local supervisory authority. Contact details for the ANPD are available at gov.br/anpd.

To exercise any of the above rights, please contact us using the details in Section 11. Please include your full name, the email address you used to contact us, and a clear description of your request. We will respond within 15 days for requests under the LGPD (extendable to 30 days where complexity justifies it) and within one month for requests under the GDPR (extendable to three months in complex cases).

Identity Verification

To protect your privacy and prevent unauthorised access to your data, we may ask you to verify your identity before processing a rights request. This will typically involve confirming the email address from which you contacted us. We will not ask for sensitive identity documents unless the situation genuinely requires it.

We will not charge a fee for processing rights requests unless they are manifestly unfounded, repetitive, or excessive — in which case we will inform you of any fee before proceeding.

Children's Privacy

Our website and services are directed exclusively at businesses and adult professionals. We do not knowingly collect, process, or retain personal data from individuals under the age of 18. Our contact forms, marketing materials, and service offerings are not designed to attract or engage minors.

The LGPD (Art. 14) imposes heightened protections for the processing of personal data of children (under 12) and adolescents (12–17). In the unlikely event that we discover we have inadvertently collected personal data from a minor without appropriate parental or guardian consent, we will delete that data immediately and, where required, notify the relevant authority.

If you are a parent or guardian and believe your child has submitted personal information to us, please contact us at contato@blumenauti.online and we will take prompt action to review and, if appropriate, delete the data.

Changes to This Policy

We review this Privacy Policy at least once a year and whenever there is a material change to our data processing activities, applicable law, or the guidance issued by data protection authorities. Changes may also be prompted by the introduction of new services, new third-party tools, or changes to our advertising strategy.

When we make material changes — meaning changes that affect your rights, the categories of data we collect, the purposes for which we use it, or the parties with whom we share it — we will update the "Last updated" date at the top of this page and, where we have your contact details, notify you by email before the changes take effect. For minor, non-material clarifications (such as correcting a typo or improving the clarity of a sentence), we will update the page without advance notice.

We encourage you to revisit this page periodically to stay informed about how we protect your data. The version of the policy in force on the date of any given interaction is the version that governs that interaction.

Previous versions of this policy are available on request. Contact us at contato@blumenauti.online if you would like to compare the current version with a prior version.

Contact & Data Controller Details

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or want to report a concern about how your personal data is handled, please reach out to us directly. We aim to respond promptly and thoroughly.

The data controller responsible for personal data processed through this website is:

BLU TI SOLUCOES LTDA — Data Controller

Legal name: BLU TI SOLUCOES LTDA
CNPJ: 14.816.794/0001-70
Address: Rua General Osório, 451, Sala 03, Velha, Blumenau — SC, Brazil, CEP 89036-060
DPO contact: contato@blumenauti.online — subject line: "Data Protection Officer Request"

For all data protection enquiries — including rights requests, consent withdrawal, and breach reports — please use the email address above with a clear subject line indicating the nature of your request. We will acknowledge receipt within 2 business days and aim to resolve most requests within 15 days.

If you are not satisfied with our response, you have the right to escalate your complaint to the Autoridade Nacional de Proteção de Dados (ANPD), whose contact details and complaint submission portal are available at gov.br/anpd. Individuals within the European Economic Area may also contact their local data protection supervisory authority.