Choose your preferred language:

Blueccone Privacy Policy

Updated on December 16th 2025

This Privacy Policy explains how Blueccone collects, uses, shares, and protects your company data and personal data.

Please review the sections below to understand our privacy practices. If you have any questions, feel free to get in touch with us.

Primary jurisdiction: Brazil (Law No. 13,709/2018 – LGPD)

International scope: European Union/EEA (GDPR), United Kingdom (UK GDPR), United States (including California – CCPA/CPRA), and other countries where we operate, as described in International Data Transfers.

Data Controller: Blueccone Consultoria Empresarial, acting as the controller of personal data processed across its global operations.

Data Protection Officer (DPO): Tiago Marquezine

Privacy contact (data subjects / ANPD): privacy@blueccone.com.

Address: Paulista Avenue, 1636, Bela Vista, Sao Paulo/SP, 01310 200, Brazil.

References to “Blueccone,” “we,” “us,” or “our” include all company operations and subsidiaries managed from Brazil.
This Policy describes how we collect, use, share, store, and protect personal data across our websites, applications, commercial proposals, contracts, business consulting activities, graphic design and branding services, professional coaching, marketing, support, and internal operations.

In Brazil, processing is based on the legal grounds set forth in Article 7 of the LGPD (including consent; contract performance; exercise of rights; compliance with legal or regulatory obligations; and legitimate interests supported by assessment and safeguards). Where sensitive personal data is involved, Article 11 of the LGPD also applies.

For the EU/EEA and the UK, we rely on equivalent GDPR/UK GDPR legal bases (such as consent, contract performance, legitimate interests, legal obligation, and vital interests). For California (CCPA/CPRA), we recognize consumer rights and the concepts of “selling” or “sharing” personal data, where applicable.
Personal data: Information relating to an identified or identifiable natural person.

Sensitive personal data: Racial or ethnic origin, religious belief, political opinion, union membership, genetic or biometric data, health data, sexual life, and similar categories.

Controller / Processor: The entity that determines purposes and means of processing / the entity that processes data on behalf of the controller.

Data subject: The individual to whom the data relates.

Supervisory authority: In Brazil, the ANPD; in the EU, the relevant local authority; in California, the CPPA or Attorney General.
We collect only what is necessary and proportionate to the purposes described below, in line with the principles of purpose limitation, adequacy, necessity, and data minimization:

Identification and contact information: name, email address, phone number, CPF/CNPJ (when required for invoicing), job title, company, country

Address and billing data: postal address, data required for invoices and contracts, payment history (we do not store full credit card details without a legal basis and PCI-DSS-compatible controls; payments are processed by third parties)

Business data: project briefs, brand preferences, client-provided content, approvals, and interaction history

Online usage data: logs, IP address, device identifiers, cookies and similar technologies (pixels, localStorage), pages visited, session duration, traffic source, and performance metrics

Support and communications: support tickets, emails, optional meeting recordings (with notice), feedback, NPS, and surveys

Sensitive data: generally avoided; when strictly necessary (e.g., accessibility needs), we obtain explicit consent and apply enhanced safeguards

Third-party channels: data received when you interact via social media or integrations (e.g., Google, Apple, Meta, Wix, CRM), according to your settings on those platforms

Sources: directly from the data subject; from your organization; from partners or service providers; from public sources; or automatically generated by our systems.
Service proposal, contracting, and delivery: needs analysis, scope definition, consulting, design, and coaching delivery, project management, support, invoicing, and collections

Commercial relationship management: onboarding, operational communications, meetings, reports, renewals, and quality audits

Marketing and engagement: newsletters, invitations, events, case studies, and educational materials, always with clear and easy opt-out options

Security, fraud prevention, and compliance: incident detection, logging, access controls, and vendor due diligence

Product and service improvement and analytics: usage metrics, A/B testing, usability analysis, and aggregated or anonymized statistics

Legal and regulatory obligations: tax and accounting compliance, consumer protection, responses to authorities, court orders

Exercise of rights: in judicial, administrative, or arbitration proceedings

Legitimate interests: only where data subject rights and freedoms do not prevail, supported by documentation and the right to object when applicable
We use strictly necessary (functional) cookies, as well as analytics, performance, and, where applicable, marketing cookies.

You can manage your preferences through our cookie banner or preference center and via your browser settings. Some cookies are essential for the proper functioning of the site.

Typical categories include:

• Session and authentication;

• Preferences (language, layout);

• Analytics (pages visited, time spent);

• Marketing (advertising pixels), when enabled.

We maintain a Cookie Register detailing purpose, duration, and associated third parties.
We share data only when necessary and under contracts that include data protection and confidentiality obligations:

• Processors: cloud, hosting, email, CRM, billing, analytics, support, and collaboration providers.

• Business partners: when you contract integrated services.

• Auditors and legal or accounting advisors.

• Public and judicial authorities: when required by law or valid order.

• Corporate transactions: mergers, acquisitions, or reorganizations, with notice and safeguards.

We do not sell personal data. In jurisdictions such as California, where “sale” or “sharing” may include certain disclosures for behavioral advertising, we provide opt-out mechanisms when applicable.
As a global company headquartered in Brazil, we may transfer data to other countries when necessary (for example, service providers located outside Brazil), in compliance with:

• LGPD (Articles 33 to 36): adequacy decisions, Standard Contractual Clauses approved by competent authorities, global corporate rules, or other safeguards.

• GDPR/UK GDPR: updated Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), and supplementary measures.

• United States / California: contracts with service providers and contractors with defined usage limitations.

We apply technical and organizational safeguards such as encryption in transit and at rest, logical segregation, access controls, minimization, retention limits, and periodic risk assessments.
We retain personal data only for as long as necessary to fulfill the stated purposes, contractual obligations, or legal requirements (for example, tax and accounting retention periods, defense of rights). Once no longer required, data is securely deleted or anonymized, unless retention is legally required.
Where applicable, you may exercise the following rights:

• Confirmation of processing and access (immediate simplified response and full response within 15 days in Brazil);

• Correction of incomplete, inaccurate, or outdated data;

• Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data;

• Data portability (where technically feasible and regulated);

• Deletion of data processed based on consent;

• Information about data sharing;

• Withdrawal of consent;

• Objection to processing based on legitimate interests;

• Review of automated decisions affecting your interests;

• Filing a complaint with the ANPD or consumer protection authorities.

Requests must be submitted via the Privacy Channel listed above. Identity verification may be required to protect your data.
Our services are not directed to children. If specific activities involve minors, we comply with Article 14 of the LGPD, including prominent parental consent, enhanced transparency, and processing in the best interest of the minor. Any improperly collected data will be deleted.
We may use analytics and modeling to improve services, prevent fraud, and personalize communications. We do not carry out solely automated decisions that produce significant legal effects without meaningful human involvement and mechanisms for review. Marketing preferences can be managed or opted out at any time.
We maintain an Information Security Program that includes policies, access management, encryption, backups, testing, event logging, processor agreements, training, and incident response plans.

In the event of an incident involving relevant risk or harm, we will notify affected individuals and competent authorities as required.
We select vendors with appropriate data protection and security standards. Sub-processors act only under our documented instructions and contractual approval. We maintain an inventory of material processors and sub-processors and provide information where required.
• Processing inventories and impact assessments (DPIA/LIA/TIA), where applicable;

• Internal policies, training, and audits;

• Privacy by design and by default in products and processes;

• Accountability mechanisms and compliance indicators (for example, response SLAs, incident tracking).
We use your data to send content and invitations aligned with your professional interests. Each communication includes unsubscribe and preference management options. We do not use sensitive data for marketing without explicit consent.
• Contract performance: delivery of consulting, design, and coaching services; technical support; billing.

• Legal or regulatory obligation: invoicing, accounting, tax compliance, responses to valid orders.

• Legitimate interest: security, continuous improvement, fraud prevention, and defense of rights, subject to balancing assessments.

• Consent: optional newsletters, marketing cookies, publication of testimonials or case studies with identification, and sensitive data when required.
Brazil (LGPD): rights and timelines as described above.

EU/EEA & United Kingdom (GDPR/UK GDPR): additional rights including portability, restriction, and objection (Articles 20–21), SCCs for transfers, and supplementary measures.

California (CCPA/CPRA): rights to know, correct, delete, opt out of sale or sharing, limit the use of sensitive personal data, and non-discrimination; annual metrics reports published where applicable.
Submit your request via the Privacy Channel indicated in the first item, detailing your request. We will inform you of the steps, timelines, and identity verification requirements. For complex cases, we will provide status updates and explanations.

If you are not satisfied, you may file a complaint with the ANPD (Brazil) or the competent authority in your jurisdiction.
We may update this Policy to reflect legal, regulatory, or operational changes. The update date will appear at the top of the document. When changes are materially relevant, we will provide prominent notice and, where required, request renewed consent.
• Product- or service-specific notices (for example, forms, contracts, landing pages);

• Data Processing Agreements (DPAs) when acting as a processor for corporate clients;

• Cookie records;

• Impact assessment reports (when applicable);

• List of material sub-processors (when applicable).
Data subjects / ANPD: anpd@blueccone.com

Corporate clients: corporate@blueccone.com

Legal matters: legal@blueccone.com

Final Notice

This document summarizes our commitment to transparency, security, and global compliance. In the event of discrepancies between translations, the Portuguese (Brazil) version shall prevail for global operations managed from Brazil, without prejudice to the application of local laws outside Brazil.