
Blueccone. Privacy comes first.
Privacy & Data Protection
Blueccone designs processes, reports, creative work, campaigns, and coaching programs without compromising the confidentiality, integrity, or availability of the information entrusted to us. Our approach blends law, ethics, and engineering: privacy by design, security by default, and a governance model aligned with ISO best practices (even where formal certification is not in place). We comply with Brazil's LGPD and, where applicable, apply GDPR-equivalent controls to international projects.
What we protect.
We protect client information in all formats, including documents, images, audio/video, prototypes, and data stored in our CRM or project tools, such as:
- Business intelligence shared for diagnostics and strategy (business plans, proposals, pricing, pipelines);
- Brand assets (logos, source files, brand guidelines), creative drafts, and social media materials;
- Sales and product data, including unreleased products/services, roadmaps, KPIs, and large data sets;
- Client and contact data, including CRM interaction history;
- Contracts, statements of work, NDAs, and other legal or financial documents;
- Any other information labeled as confidential or reasonably understood to be sensitive.
Our privacy and security principles.
- Privacy by design & by default. We embed data-protection safeguards into every service and default to collecting only what is necessary.
- Data minimization & purpose limitation. We process only the data required, for clearly stated purposes, and for no longer than needed.
- Transparency & control. Before processing personal data, we clearly explain what we collect, why, and how, and we honor data-subject requests within the applicable timeframes.
- Defense in depth. Technical and organizational controls work together (encryption, access controls, monitoring, vendor due diligence), aligned with ISO/IEC 27001 and ISO/IEC 27701 principles.
Technical controls (the “how”).
Encryption:
- Data in transit is protected with HTTPS/TLS
- Data at rest uses provider-level encryption (e.g., AES-256 where the provider supports it)
Identity & access:
- SSO and MFA wherever the tool supports them
- Least-privilege access roles
- Quarterly access recertification
Environment hardening:
- Versioned backups, separation of dev/stage/prod environments where applicable, and monitoring of administrative actions
Monitoring & logging:
- Activity logs for the CRM, file sharing, and critical applications
- Alerts on suspicious access
Secure sharing:
- Expiring links, watermarked drafts, and granular file permissions
Change control:
- Documented approvals for websites or automations that affect personal data
These practices are inspired by ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (privacy governance).

Organizational controls (the “who/when”).
- Roles & accountability: an internal privacy lead (DPO-style) coordinates requests and controls
- Policies: code of conduct, acceptable use, data handling, vendor management, and incident response, reviewed at least annually
- Training: annual ethics and privacy training for the team, with periodic training for contractors and third parties
- Vendor due diligence: risk-based assessments, DPA contracts, sanctions screening, and export-control checks for international operations
Your data rights (LGPD and similar laws).
You have the right to request, among other things: access, correction, deletion, portability, and information about how your data is processed. Under the LGPD, controllers must provide a full response within 15 days. We treat this as our baseline timeframe and will inform you if another jurisdiction requires a shorter period.
Requests should be sent to: legal@blueccone.com
We will verify your identity, assess the legal basis and retention obligations, and respond clearly.
Legal bases we use.
Depending on context, we process data under LGPD/GDPR-style legal bases such as: contract performance, legitimate interest (balanced and documented), consent, legal obligation, or the exercise of rights. Data Protection Impact Assessments (DPIAs) or Legitimate Interest Assessments (LIAs) are conducted when the risk warrants them.
International data transfers.
For work outside Brazil, we use contractual and infrastructure safeguards and seek equivalent standards of protection in the countries involved. Where possible, we avoid providers or routes that would compromise encryption or privacy.
Data retention and deletion.
- Data is retained only as long as necessary for the stated purpose, contract, or legal obligation
- Standard retention periods are defined by data type (projects, CRM, invoices, creative assets)
- Secure deletion or anonymization occurs after expiration; early deletion may be requested where legally permitted
Incident response.
- Rapid triage and containment, preserving forensic logs where applicable
- Client notification, as required by law or contract, in the event of a confirmed breach involving their data
- Remediation actions, including control reinforcement, training, and disciplinary measures
Children’s data.
Our services are intended for organizations and adults. We do not knowingly collect children’s personal data. If discovered, such data will be promptly removed.
Report a concern.
We provide a confidential reporting channel for privacy or ethics concerns, with non-retaliation guarantees, aligned with our Ethics & Compliance framework.

