Privacy Policy
Effective date: June 10, 2026 Version: 1.0.0
The Brazilian Portuguese (pt-BR) version is the authoritative legal text. This English translation is provided for convenience; in the event of any conflict, the Portuguese version prevails.
nottepass respects your privacy and is committed to protecting your personal data. This Privacy Policy describes, transparently, how we collect, use, store, share, and protect your information when you use the platform, in compliance with Law No. 13.709/2018 (General Data Protection Law — LGPD), the Brazilian Internet Civil Framework (Law No. 12.965/2014), and the Consumer Protection Code (Law No. 8.078/1990).
By registering or using our services, you declare that you have read and understood this Policy. We recommend reading it carefully before providing any data.
1. Who we are (Controller)
The platform is operated by nottepass Tecnologia Ltda., enrolled under CNPJ No. 51.890.784/0001-01 ("nottepass," "we").
nottepass is a technological intermediation platform that allows Organizers to create, advertise, and sell Tickets and Products for Events, and Buyers to acquire them. We act as an intermediary between Buyer and Organizer, and as a facilitator of payment processing through a partner gateway.
For the purposes of the LGPD:
- nottepass is the controller of the personal data processed in the operation of the platform (registration, account, purchases, payments, security, and compliance with legal obligations);
- The Organizer is an autonomous controller of the data it receives to manage its own Event (for example, access validation at the gate and communication about the Event), being independently responsible for the use it makes of such data;
- Infrastructure and payment providers act as processors, processing data on our behalf and under contract.
Data Protection Officer (DPO): privacidade@nottepass.com.br
2. What data we collect
We collect only the data necessary to operate the platform securely and to comply with our legal obligations. The data varies according to your usage profile (Buyer, Organizer, or team member).
2.1 Data you provide directly
Registration and account (all users):
- Full name, email, CPF (taxpayer ID), phone number, date of birth, and gender;
- Password, stored exclusively as a cryptographic hash (bcrypt) — we never have access to your password in readable form;
- Theme and language preferences.
Purchase (Buyers):
- Name, email, CPF/CNPJ, and phone number of the buyer associated with the order;
- Payment data, processed directly by the gateway. We do not store the full card number or the CVV. We keep only non-sensitive references returned by the gateway, such as the last four digits and the card brand, and the transaction identifier, for support, reconciliation, and fraud prevention;
- If you choose to save a card for future purchases, it is tokenized and stored by the payment gateway (Pagar.me), not on our servers. We keep only the token identifier and the non-sensitive data above.
Organizer and receipt of funds (Organizers):
- Organization data: name/corporate name, trade name, type of person (individual or legal entity), CPF or CNPJ, and address;
- Commercial contact data (organizer email and phone) and logo;
- Banking data for transfer and withdrawal: bank, branch, account, account type, name, and document (CPF/CNPJ) of the holder. This data is used to set up the recipient with the payment gateway.
Identity verification (KYC — where applicable):
To enable withdrawals and prevent fraud and money laundering, we may request from those who will receive funds (Organizers) an identity verification, which includes:
- Type and images of an official document (driver's license or ID card — front and back);
- A selfie to confirm ownership.
These files are treated as sensitive data and receive enhanced protection (see section 7). We do not request identity documents from the ordinary Buyer for the simple purchase of Tickets or Products.
Content generated by you:
- Messages, attachments, and contact information in Support Center tickets;
- Other information you choose to send us.
2.2 Data collected automatically
- IP address and connection data;
- Device type, operating system, and browser (user agent);
- Security and audit event records (for example, the time and context of policy acceptance, login events, account blocks), which include date, time, IP, and user agent, retained for evidentiary and security purposes;
- Aggregate access metrics for public Event pages (visit counts), without individually identifying the visitor;
- For affiliate links, we record the click in an anonymized manner, storing the IP only as a (non-reversible) hash, along with a session identifier and origin (referrer), for commission attribution and fraud prevention;
- Cookies and similar technologies (see Cookie Policy).
2.3 Data received from third parties
- Payment confirmation, status, and non-sensitive transaction data provided by the payment gateway;
- If you choose to log in with a third-party account (for example, social login), we receive from the provider the account identifier and the associated email, exclusively for authentication;
- Information provided by Organizers in the context of Events you have purchased.
3. Why we use your data and on what legal basis
| Purpose | Legal basis (LGPD) |
|---|---|
| Create and manage your account and authentication | Performance of a contract (Art. 7, V) |
| Process purchases, issue Tickets/Products, and generate QR Codes | Performance of a contract (Art. 7, V) |
| Process payments, transfers, and withdrawals | Performance of a contract (Art. 7, V) |
| Verify identity (KYC), prevent fraud, money laundering, and abuse | Compliance with a legal obligation (Art. 7, II) and legitimate interest (Art. 7, IX) |
| Send confirmations, receipts, QR Codes, and operational communications about your orders and Events | Performance of a contract (Art. 7, V) |
| Provide support and respond to requests | Performance of a contract and legitimate interest (Art. 7, IX) |
| Ensure platform security and record proof of acceptance and use | Legitimate interest (Art. 7, IX) and compliance with a legal obligation |
| Comply with tax, accounting, and regulatory obligations | Compliance with a legal obligation (Art. 7, II) |
| Exercise and defend rights in proceedings | Regular exercise of rights (Art. 7, VI) |
| Send marketing communications and news | Consent (Art. 7, I) — revocable at any time |
| Perform statistical analysis and improve the service | Legitimate interest (Art. 7, IX) |
Where processing is based on legitimate interest, we limit ourselves to what is strictly necessary and respect your reasonable expectations and fundamental rights. You may object to such processing as described in section 6.
4. With whom we share your data
We share data only when necessary to provide the service, comply with the law, or protect rights. The recipients and purposes are:
- Event Organizers: for Events you have purchased, the Organizer receives the Buyer's name, email, and phone number (the phone number only when provided), for access validation at the gate and communication about the Event (for example, changes or cancellation). The Organizer is an autonomous controller of this data and is responsible for the use it makes of it;
- Payment gateway (Pagar.me): data necessary to process payments, set up recipients, and carry out transfers/withdrawals;
- Infrastructure and communication providers (for example, hosting, database, and email-sending services): they process data on our behalf, as processors, under contract and with a confidentiality obligation;
- Public authorities and regulators: upon a court order, a legitimate administrative request, or to comply with a legal obligation;
- Successors: in the event of a corporate reorganization, merger, or acquisition, data may be transferred to the successor, with continued compliance with this Policy.
nottepass never sells your personal data. We do not share your data with third parties for their own marketing without your consent.
5. How long we store your data
We keep data for as long as necessary for the purposes for which it was collected and to comply with legal obligations:
- Registration and account data: while the account is active and for up to 5 years after deactivation, for tax obligations and the limitation period of the Consumer Protection Code;
- Transaction, payment, and tax data: at least 5 years, in accordance with tax and accounting legislation;
- Identity verification documents (KYC): for the period required by fraud-prevention and anti-money-laundering regulations and for as long as necessary to defend rights, being deleted or anonymized thereafter;
- Access records and security logs: at least 6 months (Internet Civil Framework, Art. 15), and may be kept longer when necessary for security and the defense of rights;
- Records of policy acceptance: kept for evidentiary purposes for as long as any liability arising from the relationship subsists; they may be anonymized upon request but not deleted, as they constitute proof of the expression of will.
Once the periods and purposes have ended, the data is securely deleted or anonymized, except for cases of mandatory retention provided for by law.
6. Your rights as a data subject
Under the LGPD (Art. 18), you may, at any time:
- Confirm the existence of processing of your data;
- Access the data we hold about you;
- Correct incomplete, inaccurate, or outdated data;
- Anonymize, block, or delete unnecessary, excessive, or unlawfully processed data;
- Port your data to another provider, upon express request;
- Delete data processed on the basis of your consent;
- Obtain information about the entities with which we share your data;
- Revoke consent at any time;
- Object to processing based on legitimate interest, in the cases provided for by law.
To exercise these rights, write to privacidade@nottepass.com.br. We may request additional information to confirm your identity before fulfilling the request, as a security measure. We will respond within the legal period.
Some rights may be limited where there is a legal duty of retention (for example, tax data or fraud-prevention records). In such cases, we will explain the reason for the refusal.
7. Data security
We adopt technical and organizational measures to protect your data against unauthorized access, loss, alteration, and improper disclosure:
- Encryption in transit (HTTPS/TLS);
- Passwords protected by bcrypt hashing and short-lived session tokens;
- Role-based access control (RBAC), with least-privilege grants;
- Enhanced handling of identity verification documents (KYC): storage in a private, dedicated repository, with no public access and segregated access keys; access by our team occurs only through short-lived temporary links and is recorded in an audit trail;
- Masking of sensitive data (such as CPF, phone number, and documents) in internal interfaces and removal of sensitive fields from log records;
- Monitoring of suspicious access and incident alerts.
No system is absolutely immune to risk. Should a security incident occur that may result in relevant risk or harm to data subjects, we will notify the National Data Protection Authority (ANPD) and the affected subjects, within the time and manner prescribed by law.
8. Cookies and similar technologies
We use essential cookies for the operation and security of the platform (such as authenticated session, CSRF protection, and recording of consent) and optional analytics and marketing cookies, the latter only with your consent. Details, purposes, and durations are in the Cookie Policy, where you can also manage your preferences.
9. Children and adolescents
Our services are intended for persons over 18 years of age. We do not intentionally collect data from minors. If we identify data from minors collected without proper legal basis, we will proceed with its deletion. If you are responsible for a minor who used the platform, please contact us for data removal.
10. International data transfer
Some infrastructure, payment, and communication providers may process data on servers located outside Brazil. In such cases, we ensure that the transfer complies with the requirements of the LGPD (Art. 33 et seq.), through appropriate contractual clauses and the requirement of protection standards compatible with Brazilian law.
11. Automated decisions
We may use automated rules to prevent fraud, validate payments, and protect the platform (for example, refusal of transactions with indications of fraud). You may request the review of automated decisions that affect your interests, pursuant to Art. 20 of the LGPD, through the channel indicated in this Policy.
12. Changes to this Policy
We may update this Policy periodically to reflect legal, technical, or operational changes. Material changes will be communicated at least 30 days in advance. Where the change requires a new expression of will, you will need to accept the new version to continue using the platform. The version history is available upon request.
13. Jurisdiction and applicable law
This Policy is governed by Brazilian law. The courts of the district of Presidente Prudente, State of São Paulo, are elected to settle disputes, save for the consumer's right to choose the courts of their domicile (Article 101, I, of the Consumer Protection Code).
14. Contact
Questions, requests, or the exercise of rights related to this Policy may be sent to the Data Protection Officer:
Email: privacidade@nottepass.com.br
Last updated: June 10, 2026