This Privacy Policy describes how CRISTIANO PEREIRA DA SILVA MUNIZ, LLC, a Delaware limited liability company doing business as "HireInBrazil" ("HireInBrazil", "we", "us"), collects, uses, shares, and protects Personal Data when you use our software platform (the "Platform").
This policy is authored and maintained in English. If you view a translated version, including through the site's translation feature, the English version controls.
We are bound by the Brazilian Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018) and by U.S. state privacy laws including the California Consumer Privacy Act/CPRA. For European Economic Area visitors, we honor GDPR rights on a voluntary best-effort basis (we do not actively target the EEA).
1. Who we are
Controller (LGPD Controlador / GDPR Controller / CCPA Business):
CRISTIANO PEREIRA DA SILVA MUNIZ, LLC (dba HireInBrazil), a Delaware limited liability company, with registered address 1111B S Governors Ave STE 48391, Dover, DE 19904, United States, and operating email privacy@hireinbrazil.com.
For Brazilian data subjects: inquiries relating to your LGPD rights or to the ANPD may be sent to privacy@hireinbrazil.com, our designated channel for data-protection communications.
2. What data we collect
2.1 Tenant account data
- Company legal name, jurisdiction, registered address, billing address;
- Authorized representative name, work email, role;
- Payment method tokens (we do not store full card numbers — they live with Stripe);
- Tax identifiers (EIN for US Tenants);
- All data Tenant uploads to the Platform (job descriptions, contractor invitations, expense receipts, etc.).
2.2 Brazilian Contractor data
- Full name, CNPJ, residential address, registered PJ address;
- Bank account details (for payouts);
- Tax forms (W-8BEN, NFS-e records);
- ID document scans (RG / CNH / passport during onboarding);
- All data the Contractor submits to the Platform (skills, experience, signed contracts, time entries, expense receipts, leave requests).
2.3 Pre-engagement Talent data
- Full name, primary email, location, time zone;
- LinkedIn URL, portfolio URL, GitHub URL (optional);
- Experience snapshot, skills, hourly rate, English level (collected via the 15-min interview flow);
- Interview transcript and AI-derived embeddings;
- Any other data the Talent submits voluntarily.
2.4 Marketing-visitor data
- IP address (transient, kept only for rate-limiting and security per Arcjet);
- Browser metadata (User-Agent, language);
- Cookie identifiers (see Section 7);
- Form submissions (e.g., lead-inquiry form).
2.5 Operational data we generate
- Audit logs (
platform.platform_audit_log) — captures every action by HireInBrazil staff;
- Application error captures (
platform.app_errors) — message + digest; PII is redacted via lib/observability/logger.ts;
- Webhook deliveries, email outbox events, API token usage.
3. How we use Personal Data
We process Personal Data for these purposes (per LGPD Art. 6 + 7 and CCPA business purposes):
- Contract performance: operate the Platform, facilitate engagements, process payments;
- Legal obligation: tax reporting, OFAC screening, AML, recordkeeping;
- Legitimate interest: security, fraud prevention, Platform improvement;
- Consent: for any processing outside the above bases (e.g., marketing emails to former leads).
We do not sell Personal Data. We do not "share" Personal Data for cross-context behavioral advertising (CCPA-defined).
4. With whom we share Personal Data
We share Personal Data only with:
- Sub-processors listed in Annex A of our Data Processing Agreement, under written DPAs that bind them to LGPD-equivalent protections;
- Tenants who have engaged a particular Contractor — limited to the data needed for that engagement;
- The Contractor themselves — Tenant Personal Data shared with the Contractor as necessary to perform Services;
- Tax authorities — IRS in the US (e.g., 1099-NEC year-end filings if applicable), Brazilian municipal SEFAZ for NFS-e mediation;
- Law enforcement — only on valid legal process, and we challenge overbroad requests;
- Successor entity — in the event of a merger, acquisition, or asset sale, with notice to affected Data Subjects.
We do not share Personal Data with advertisers, data brokers, or any third party for commercial-marketing purposes.
5. Where we store Personal Data
Detailed data-localization map is in DPA Annex A. Summary:
| Data class | Primary storage location |
|---|
| Brazilian Talent + Contractor PII | São Paulo, Brazil (Floci S3, KVM 4) |
| Talent + Worker embeddings (prd) | São Paulo, Brazil (Qdrant on KVM 4) |
| Talent + Worker embeddings (dev) | us-east-1 (Qdrant Cloud free tier) — no real Personal Data |
| Tenant company data + billing | us-east-1 (Neon Postgres) |
| Application logs | us-east-1 (Vercel) |
6. How long we retain Personal Data
Our Retention Policy holds the full schedule. Summary:
| Data class | Retention period |
|---|
| Tenant company data + signed contracts | 7 years from end of relationship (US tax recordkeeping) |
| Contractor PJ data + signed ICAs + NFS-e records | 5 years from termination (Brazilian civil + tax statute of limitations) |
| Payroll + payout history | 7 years (US tax / SOC 2) |
| Talent profiles (unhired, no activity) | 24 months from last interaction, then auto-purged |
| Audit logs | 7 years (SOC 2 baseline) |
| Email outbox | 90 days |
| API token use audit | 1 year |
| Application telemetry / logs | 90 days |
Beyond these periods, we delete or de-identify Personal Data unless we have specific consent or a legal obligation to retain longer.
7. Cookies
We use cookies and similar technologies. Details are on the Platform's cookies page. We use:
- Strictly necessary cookies (no consent needed): session authentication (NextAuth), CSRF protection, language preference;
- Functional cookies (consent banner): UI preferences;
- Analytics cookies (consent banner): aggregated usage metrics — we do not use ad-tech cookies.
8. Your rights
Depending on where you are, you have some or all of these rights:
Under LGPD (Brazilian Data Subjects)
- Access (Art. 18-II)
- Rectification (Art. 18-III)
- Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data (Art. 18-IV)
- Portability (Art. 18-V)
- Deletion of consented data (Art. 18-VI)
- Information about sharing (Art. 18-VII)
- Information about consequences of denial (Art. 18-VIII)
- Revocation of consent (Art. 18-IX)
We respond within 15 days of a verifiable request — that's our LGPD Art. 18 SLA.
Under CCPA/CPRA (California Residents)
- Right to know
- Right to delete
- Right to correct
- Right to opt out of "sale" / "sharing" (we don't do either, but the opt-out is moot here)
- Right to limit use of Sensitive Personal Information
- Right to non-discrimination
We respond within 45 days (CCPA SLA), with extension permitted to 90 days.
Under GDPR (EEA Visitors, voluntary)
- Same rights as LGPD with minor differences in scope and timing.
How to exercise rights
- Self-service: in-Platform delete functions where available.
- Email: privacy@hireinbrazil.com.
- Postal: CRISTIANO PEREIRA DA SILVA MUNIZ, LLC (dba HireInBrazil), 1111B S Governors Ave STE 48391, Dover, DE 19904, United States.
We may ask you to verify identity before processing requests for Personal Data.
9. Security
We protect Personal Data with:
- TLS 1.2+ encryption in transit;
- AES-256 encryption at rest;
- Postgres Row-Level Security per-tenant isolation;
- Multi-factor authentication for platform admins;
- Audit logging of all data access;
- Annual penetration tests (target Q4 each year);
- Documented incident-response runbook;
- Target: SOC 2 Type II by year +2.
No system is perfectly secure. If we detect a Personal Data breach affecting you, we'll notify you within 72 hours unless law enforcement requires delay.
10. Children
The Platform is not directed at children under 18 (LGPD Art. 14 / COPPA / GDPR Art. 8 thresholds). We do not knowingly collect Personal Data from minors. If you believe we have, contact privacy@hireinbrazil.com and we will delete it.
11. International transfers
When we move Personal Data across borders, we use the legal mechanisms in DPA Section 6. For Brazilian Data Subjects: data is primarily stored in Brazil; the limited operational metadata transiting to US-based services is covered by LGPD Art. 33-IV (contract performance).
12. Changes to this policy
We may update this Privacy Policy. When we do, we will:
- post the new version with an updated
Last updated date;
- bump the version number;
- notify Tenant authorized representatives by email of material changes;
- present a clickwrap re-acceptance to all signed-in users for material changes.
Continued use after the effective date constitutes acceptance.
13. Contact
Privacy questions / Data Subject requests: privacy@hireinbrazil.com
Brazilian data-protection (ANPD) inquiries: privacy@hireinbrazil.com
Postal: CRISTIANO PEREIRA DA SILVA MUNIZ, LLC (dba HireInBrazil), 1111B S Governors Ave STE 48391, Dover, DE 19904, United States