Privacy policy
1. General Information
INFLOR takes your privacy and the processing of your personal data very seriously and with great respect.
In compliance with the General Data Protection Law (LGPD), INFLOR has prepared this Privacy Policy so that you can obtain information about our practices regarding the processing of personal data, including what data is collected, for what purposes it is used, with which third parties we may share it, what we do to ensure the security and protection of this information, and how you can manage the use of your data or exercise your rights as a personal data subject.
To prepare this Privacy Policy, INFLOR relied on Laws No. 12,965 of April 23, 2014 (Internet Civil Framework) and No. 13,709 of August 14, 2018 (General Personal Data Protection Law).
2. Our Data Protection Officer (DPO)
INFLOR has formally designated a Data Protection Officer (DPO), as required by art. 41 of the LGPD, responsible for acting as a communication channel between INFLOR, data subjects, and the ANPD.
| Field | Information |
|---|---|
| DPO Name | Mirian Jabur |
| Company | DPO AG Consultoria |
| Contact Email | dpo@inflor.com.br |
| Business Hours | Monday to Friday, 9am to 6pm |
| Response Time | Up to 15 business days, extendable with justification (art. 19 of LGPD) |
To exercise your rights (art. 18 of the LGPD), send an email to dpo@inflor.com.br stating: (a) full name and CPF or CNPJ, (b) which right you wish to exercise, (c) detailed description of the request. To ensure the security of information, we may request identity verification before fulfilling the request.
3. Terms Used in This Policy
For the purposes of this Privacy Policy, the following concepts apply:
- National Data Protection Authority – ANPD: the public administration body responsible for overseeing, implementing, and enforcing compliance with the General Data Protection Law – 13,709/2018;
- Data Subject: all individuals who will use or visit the website(s) and/or benefit from services offered by INFLOR, over 18 years of age or emancipated, or those absolutely or relatively incapacitated, duly represented or assisted;
- Controller: the person who has the authority to make decisions regarding the processing of personal data;
- Processor: the natural or legal person who processes personal data on behalf of the controller. Processing agents include both the controller and the processor;
- Common personal data: information related to an identified or identifiable natural person;
- Sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, membership in a union or religious, philosophical, or political organization, health or sexual life, genetic or biometric data;
- Processing: any operation performed with personal data, such as: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, information control, communication, transfer, dissemination, or extraction;
- DPO: person designated by INFLOR to act as a communication channel between INFLOR, the data subject, and the ANPD;
- Purpose: the objective that INFLOR aims to achieve with each personal data processing activity;
- Consent: free, unambiguous, and informed (and additionally specific and highlighted for sensitive personal data) authorization given by the Data Subject for INFLOR to process their data for a previously described purpose;
- Cookies: simple files sent by the website to your browser or device, which allow us to recognize you and record information about your browsing such as IP address, accessed content, and saved settings.
4. Data Subject Rights
The LGPD grants individuals rights regarding their personal data. The rights granted to Data Subjects, without prejudice to the limitations provided by applicable law, are:
- Right of access: request information and access personal data processed by INFLOR;
- Right of rectification: request the correction or updating of incorrect or incomplete data;
- Right of erasure: request the removal of your personal data, where applicable;
- Right of restriction: request that we stop processing all or some of your personal data, where applicable;
- Right to object: object to the processing of your data, provided it was not collected based on a contractual or regulatory obligation, including the right to object to use for direct marketing purposes;
- Right to data portability: request a copy of your data in electronic format for transmission to another service provider;
- Right not to be subject to automated decisions: not be subject to decisions made solely in an automated manner that produce legal or similarly significant effects on you.
To exercise any of these rights, contact the DPO as described in Section 2 of this document.
5. Collection and Use of Personal Information
INFLOR collects information provided by the Data Subject at the time of registration and through business partners who share data for the purposes of negotiating and contracting INFLOR’s services.
The personal data requested will be kept confidential and used only for the purpose that motivated the registration, as per the purpose tables below.
5.1 Purposes — institutional website
| Channel / Form | Purpose | Required Data |
|---|---|---|
| Contact Us / Request Contact | Providing a channel for users to contact INFLOR | Full name, company, phone, email, city/state, area of interest, business segment, company activity, how they found INFLOR, and message |
| Work With Us / Careers | Job applications. Alternative email: rh@inflor.com.br | Full name, address, city/state, phone, email, date of birth, position of interest, language, and qualifications |
| Newsletter / Receive Updates | Sending information about INFLOR’s news and activities | Name and email |
| DPO Channel | Data subject contact with the Data Protection Officer | Name, CPF or CNPJ, email, and description of request |
5.2 Purposes — products and services
In addition to data collected via the institutional website, INFLOR processes personal data within the scope of its SaaS products and services. The table below links each data category to its source and legal basis:
| Data Category | Product / Context | Source | Legal Basis |
|---|---|---|---|
| System user data (name, email, position, access logs) | INFLOR Forest, Services, INFLOR Sociall, Tracker | Registered by the client at licensing or use | Contract performance |
| Operational data entered in systems by clients | All SaaS products | Entered by the client or their employees during system use | Contract performance — INFLOR acts as processor for the client controller |
| Internal employee data (onboarding, payroll, benefits) | HR / Internal operations | Provided by the employee themselves | Legal obligation (CLT) |
| Job applicant data | Recruitment | Website form or email rh@inflor.com.br | Legitimate interest |
| Supplier and partner data (contact, CNPJ, contractual data) | Partner management / Alliances / Services | Provided during the contracting process | Contract performance |
| Marketing leads and contact data (name, email, company, position) | Marketing / Sales | Website forms, events, or partner referrals | Consent / Legitimate interest |
INFLOR acknowledges that, within the scope of its SaaS products, it may act as a processor of personal data entered by its clients (controllers). In this capacity, it processes data strictly in accordance with contractual instructions received and data processing agreements entered into with each client.
6. Cookies and Similar Technologies
Cookies on this website are used to track which parts of the site our users are visiting, for optimization purposes, and to keep users logged in.
6.1 What are cookies?
Cookies are small files we transfer to your browser or device (such as a mobile phone or tablet), which allow us to recognize you and know how and when INFLOR’s websites, products, and services are used. They can be useful for adapting the site size to your screen, better understanding your preferences, and offering a more efficient service.
6.2 Why do we use cookies?
INFLOR uses cookies for user authentication and recognition when accessing our services, for personalizing the browsing experience according to your settings, and for enabling social media plugins when you choose to access our products through those networks.
6.3 Types of cookies used
| Cookie Type | Purpose | Partners Involved | Can be disabled? |
|---|---|---|---|
| Strictly necessary | Basic site operation, authentication, and session security | INFLOR internal systems | No — essential for site operation |
| Analytical / performance | Measure page usage, identify errors, optimize navigation | Google Analytics (Google Tag Manager GTM-N3XRJ79) | Yes — via cookie preferences panel |
| Functional | Remember user preferences (language, saved settings) | INFLOR internal systems | Yes — via cookie preferences panel |
| Marketing / advertising | Display personalized communications and measure campaigns | Meta (Facebook/Instagram), Google Ads | Yes — via preferences panel or browser settings |
| Social media plugins | Integration with social networks (Instagram, LinkedIn) available in the site footer | Meta, LinkedIn | Yes — via browser settings |
You can manage your cookie preferences at any time by accessing the settings panel available in the INFLOR website footer, or through your browser’s privacy settings. Disabling essential cookies may impact the functioning of some features.
7. Legal Grounds for Processing
INFLOR only conducts its data processing activities when necessary to fulfill contractual obligations (such as providing its technology services to clients, defending against legal claims or administrative proceedings), to comply with a legal or regulatory obligation, to satisfy legitimate interests, and, occasionally, to protect the health of a data subject.
Where consent is the legal basis, it will be obtained freely, unambiguously, and in an informed manner — and additionally, specifically and separately for sensitive personal data. Evidence of consent will be documented and filed. To revoke consent, send a request to dpo@inflor.com.br.
8. International Transfer of Personal Data
INFLOR performs international transfers of personal data to technology vendors located outside Brazilian territory, necessary for operating its products and services infrastructure.
| Vendor / Category | Country | Data Transferred | Adequacy Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) — main storage and processing infrastructure | United States | User data, SaaS operational data, employee data (encrypted at rest and in transit) | Standard contractual clauses recognized by ANPD; AWS Data Processing Addendum |
| SaaS tools for productivity, communication, and collaboration | United States / Europe | Contact data and communications of employees and internal users | Standard contractual clauses / GDPR adequacy (European Union) |
INFLOR adopts measures to ensure that processing abroad occurs in compliance with the LGPD, including specific contractual clauses with international vendors. This list will be updated whenever new international vendors are contracted.
9. Sharing of Personal Data
INFLOR may share the Personal Data collected with third parties, in the situations and within the limits required and authorized by law:
| Recipient | Data Shared | Purpose | Legal Basis | Int’l Transfer |
|---|---|---|---|---|
| INFLOR economic group companies | Registration and service usage data | Integrated management and internal support | Contract performance / Legitimate interest | No |
| IT and infrastructure vendors (incl. AWS) | Operational and registration data (encrypted) | Hosting, processing, and technical support | Contract performance | Yes (see Section 8) |
| Marketing and communication vendors | Contact data (name, email, company) | Campaigns, communications, and events | Consent / Legitimate interest | Eventual |
| Recruitment and selection companies | Applicant data (resume, contact) | Vacancy selection processes | Legitimate interest | No |
| Occupational medicine and benefits (CCT) | Employee data (occupational health, legal benefits) | Compliance with labor obligations | Legal obligation | No |
| Judicial and regulatory authorities | Data relevant to the specific demand | Compliance with judicial or administrative decision | Legal obligation | No |
| Partners and clients (SaaS data) | Operational system data entered by the client | Provision of contracted service — INFLOR acts as processor | Contract performance | Per contract |
In all cases of sharing, we require recipients to process data consistently with the purposes described in this Policy, in compliance with the LGPD and other applicable regulations.
10. Risk Assessment and Data Protection Impact Report
INFLOR conducts risk assessments on its personal data processing activities, with the aim of identifying, evaluating, and mitigating potential impacts on data subjects’ privacy.
When processing may generate high risk to data subjects — such as large-scale data processing for SaaS clients, international data transfers, or integration with third-party systems involving sensitive data — INFLOR prepares a Data Protection Impact Report (DPIA), pursuant to art. 38 of the LGPD, documenting the security measures, safeguards, and mitigation mechanisms adopted.
11. Consequences of Not Providing Data
In accordance with art. 9, V of the LGPD, we inform below the consequences for the data subject if they choose not to provide certain categories of personal data:
| Data Category | Provision Character | Consequence of Non-Provision |
|---|---|---|
| Contracting data (company, CNPJ, contract data) | Mandatory for formalization | Inability to formalize the INFLOR product licensing contract |
| Employee data (CPF, bank details, onboarding data) | Mandatory by legal requirement (CLT) | Inability to formalize the employment relationship and fulfill labor obligations |
| Job applicant data (resume, email, phone) | Mandatory to participate in the selection process | Inability to participate in the selection process |
| Contact data for website forms | Recommended for service | Inability of INFLOR to respond to the submitted request |
| Email for newsletter | Voluntary | Non-receipt of INFLOR communications and news, with no impact on other services |
12. Storage and Retention Period
Information collected by INFLOR will be deleted from its systems when it is no longer useful for the purposes for which it was collected, or when the Data Subject requests deletion (if there is no other legal basis that justifies retention, such as a legal or regulatory obligation or the need to defend against legal or administrative proceedings).
Notwithstanding, information may be retained to fulfill a legal or regulatory obligation and/or for INFLOR’s exclusive use, in anonymized form.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Employee data (onboarding, payroll, benefits) | 5 years after termination | CLT art. 11; Decree-Law 5,452/1943 |
| Financial and tax data (contracts, invoices, payments) | 5 years after the operation | National Tax Code art. 174; Law 9,613/1998 |
| Client data (contractual) | Contract term + 5 years | Civil Code art. 206, §3; LGPD art. 16 |
| Job applicant data | 2 years after the end of the selection process | Legitimate interest; LGPD art. 15 |
| Website and system access logs | 6 months | Internet Civil Framework — Law 12,965/2014, art. 15 |
| Marketing data (newsletter, leads) | Until consent revocation + 2 years for rights defense | LGPD art. 15 and 16 |
| Data for defense in legal or administrative proceedings | Duration of process + 5 years after final judgment | CPC art. 189; LGPD art. 16, IV |
13. Artificial Intelligence and Automated Decisions
INFLOR declares its position on the use of artificial intelligence and automated decisions within the scope of its products and services, in compliance with art. 20 of the LGPD:
INFLOR products (Forest, Services, Sociall, and Tracker) may contain analytical features, report generation, dashboards, and suggestions based on data entered by users in the system. When these features produce informational or human decision-support outputs — without direct legal effect on the data subject — they are considered support tools and do not qualify as automated decisions within the terms of art. 20 of the LGPD.
Should INFLOR implement features that produce automated decisions with direct effect on data subjects, this Policy will be updated to inform: the systems involved, the data processed, the logic used, and the channel for requesting human review pursuant to art. 20 of the LGPD.
For questions about the use of analytical features in INFLOR products, contact the DPO at dpo@inflor.com.br.
14. Personal Information Security
All Personal Data used digitally is stored in INFLOR’s systems and/or in databases maintained in the cloud by contracted specialized service providers, who exercise the same care for security and are in compliance with the LGPD and other applicable legal or regulatory standards.
For data requiring physical storage, INFLOR keeps it protected in secure and monitored locations, with access limited to employees who use it in their activities.
INFLOR and its vendors use various security procedures to protect the confidentiality, integrity, and availability of Personal Data, preventing potential damage, including: access controls, network monitoring, event analysis, antivirus, backup, and firewall.
15. Legal Grounds for Data Disclosure
INFLOR may disclose Personal Data, to the extent necessary or appropriate, to governmental bodies, advisors, and/or other third parties, in order to comply with applicable law or a court order, or if it believes in good faith that such action is necessary to:
- Comply with legislation requiring such disclosure;
- Investigate, prevent, or take action related to suspected or actual illegal activities, or to cooperate with public bodies or protect national security;
- Enforce its contracts;
- Investigate and defend against any third-party claims or allegations;
- Exercise or protect the rights, property, and security of INFLOR and its affiliated companies;
- Protect the rights and personal safety of its employees, Data Subjects, or the public;
- In the event of sale, purchase, merger, reorganization, liquidation, or dissolution of the company.
INFLOR will notify the respective Data Subjects of any legal demands resulting in the disclosure of personal information, as required by the LGPD, unless such notification is prohibited by law, barred by a court order, or the request is urgent.
16. Policy Revisions
This document has indefinite validity and is reviewed every twelve months from the date of its publication, and may be amended at any time and at INFLOR’s discretion. Changes will be published visibly on the website.
When material changes are made, you will be duly notified, for example, via a notice on INFLOR’s website, email, or message. We may notify you in advance.

