Privacy Policy.

This Policy applies to all personal data processed by Blue Hoper — including data of individual clients and business clients who commission document preparation or administrative support services, website visitors and anyone whose data is processed in connection with our professional services activities.

Document preparation services by their nature involve significant access to personal and business information — tax identification numbers, company registration details, contracts, declarations and other sensitive documents. We treat all client data and document content with professional discretion and strict purpose limitation.

The nature of our services requires us to handle a broader range of personal data than most service businesses. We process the following categories:

• Client identification data: Name, CPF (for individuals) or CNPJ and company name (for business clients), phone number and email — collected when clients engage our services or request quotations.
• Document content data: The personal information contained within documents we are commissioned to prepare, review or file on behalf of clients — which may include addresses, CPF/CNPJ, income information, business structure details, contract parties, and other data depending on the document type. This data is used exclusively to prepare or process the specific document.
• Company registration and filing data: Social contract details, partner and shareholder information, business activities, registered addresses and other data required for Junta Comercial, CNPJ, Receita Federal and municipal filings.
• Billing data: Name and CPF or CNPJ for NFS-e issuance — in compliance with SEFAZ-ES and ISS/Prefeitura de Vitória requirements.
• B2B representative data: For corporate clients — the name, phone number and email of the responsible contact at the company engaging our services.
• Contact and communication data: Messages via WhatsApp, telephone or online form.
• Technical website data: IP address, browser type, pages visited and access times.

We do not sell or commercially exploit client data or document content. Sharing occurs only in the following situations:

• Government authorities and registries (on behalf of clients): When filing documents with Junta Comercial do Espírito Santo, Receita Federal, SEFAZ-ES, Prefeitura de Vitória or other regulatory bodies — this is the purpose for which the client has engaged our services. Client data is shared with these authorities solely to complete the commissioned filing.
• SEFAZ-ES / Receita Federal (our own fiscal compliance): Tax data for NFS-e issuance and applicable state and federal tax compliance relating to our own business activities.
• Prefeitura de Vitória (ISS): For ISS/ISSQN obligations on our administrative service activities.
• PROCON-ES: When required in a consumer dispute mediation under the CDC.
• Legal authorities: When required by a competent judicial or administrative order.

Our services operate primarily within Brazil. Primary storage of client and document data is in Brazil. Any technology platforms used for communication, document processing or administrative purposes that operate on international servers do so only under the guarantees of Art. 33 of the LGPD or recognised adequacy mechanisms.

• NFS-e and fiscal records: Minimum 5 years under federal and state tax legislation (CTN, Art. 174; SEFAZ-ES).
• Document preparation records: A record of the services commissioned and completed (service description, date, parties) is retained for 5 years — to support any service quality dispute or warranty claim under the CDC. The document content itself is returned to the client or deleted after service completion, unless the client requests ongoing document management.
• Company registration and filing records: Where we have filed documents with government registries on behalf of clients, we retain a service record (not necessarily the full document) for 5 years — to support any dispute about the filing.
• Monthly admin retainer records: Duration of the retainer relationship plus 5 years — for contractual, fiscal and dispute documentation.
• Contact and enquiry data: Up to 1 year from last interaction if no service was contracted.
• Website analytics: Aggregated and anonymised after 12 months.

• Access to client documents and personal data restricted to the company principals and authorised staff directly engaged in delivering the commissioned service;
• Client documents handled and stored securely — paper documents kept under physical access controls; digital documents stored with encryption and access controls;
• Document content transmitted to government registries only via official, secure submission channels;
• WhatsApp communications handled with discretion — client document details not shared beyond those involved in delivering the service;
• Encryption in transit (HTTPS) for website and digital communications;
• As a Ltda, formal internal data handling and access control protocols are maintained;
• Incident response procedures and breach notification in accordance with LGPD Art. 48.

• Confirmation and Access (Art. 18, I–II): Confirm whether we hold your data and receive a copy — including service records and any retained document data.
• Correction (Art. 18, III): Request correction of inaccurate data in our records.
• Anonymisation / Blocking / Deletion (Art. 18, IV): Request restriction or deletion — subject to fiscal retention and service warranty record obligations.
• Portability (Art. 18, V): Receive your data in a structured format — including a copy of documents we prepared on your behalf.
• Deletion of consent-based data (Art. 18, VI): Request deletion of data processed by consent.
• Information on sharing (Art. 18, VII): Find out which entities your data has been shared with — including which government registries received your filing.
• Withdrawal of Consent (Art. 8º, §5º): Withdraw consent at any time.
• Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.

We respond within 15 business days. Deletions may be limited by mandatory NFS-e fiscal retention and service warranty record requirements.

Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking cookies for advertising without prior consent. Preferences can be managed through browser settings.

Our document and administrative services are engaged by adults — business owners, company directors and individuals of legal age. We do not intentionally collect personal data from children under 13. Where a document we are preparing involves a minor (for example, a parental consent document or legal declaration), the commissioning client is the responsible adult and all communication is with that adult. We never use data in connection with our services for marketing to minors.

The documents we prepare or handle on behalf of clients may contain sensitive personal data as defined in LGPD Art. 5º, II — including health information, financial details, legal status and other data depending on the document type. Our handling principles:

• Sensitive data appearing in client documents is processed exclusively to complete the commissioned document — it is never analysed, retained or used for any other purpose;
• We identify and flag, at the time of commissioning, when a document will contain sensitive data categories, so the client can provide appropriate authorisation;
• Consent for the processing of sensitive data within documents is obtained explicitly at the time of service engagement where required by LGPD Art. 11;
• Clients who commission documents involving particularly sensitive categories — health records, legal proceedings, family law matters — are advised to discuss our handling protocols before instructing the work.

This Policy may be updated to reflect changes in our services, the LGPD, ANPD guidance or applicable tax legislation. Material changes will be communicated via our website or directly to active clients by WhatsApp or email.

All privacy requests, questions and complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):