Privacy Policy
This is a courtesy translation. In case of any conflict, the Portuguese version prevails as the legally binding text under Brazilian law.
1. Who we are
Madalena is a marketplace that connects tourists visiting Rio de Janeiro with local videomakers and photographers, with an editorial proposition of authorial recording made by residents of the city.
This Privacy Policy describes how we handle the personal data collected through the forms and navigation of the site, in compliance with the General Data Protection Law (Lei nº 13.709/2018, "LGPD").
Data controller (legal entity responsible for the processing, per art. 5, VI of the LGPD):
- Legal name: MADALENA PRODUÇÕES CRIATIVAS LTDA
- CNPJ: 66.676.716/0001-11
- Address: R. Cardeal Dom Sebastião Leme, 93, Apt 302, Santa Teresa, Rio de Janeiro/RJ, CEP 20.240-012
- Channel for data subjects: contato@somosmadalena.com.br
2. What data we collect
2.1 When you fill out the "experience" form (lead form on the home page)
We collect the data you voluntarily provide:
- Name.
- Email.
- Phone number, with country code.
- Continent, country, and state of origin.
- Intended travel date and time.
- Preferred contact method (email, WhatsApp, or Telegram).
We also collect automatically at the moment of submission:
- Marketing campaign parameters in the entry URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content, gclid, fbclid) and the referrer (originating site).
- IP address truncated to /24 for IPv4 and /48 for IPv6, retained in server logs for temporal auditing and incident detection. Truncation aggregates your address into a subnet and does not allow individual identification.
2.2 When you register as a partner (page /ser-parceiro)
We collect:
- Full name, email, WhatsApp number, Instagram handle, address.
- Main occupation, education, portfolio link, work equipment, other occupations.
- Texts on motivation, values practiced, and identification with the brand.
2.3 Automatic collection for abuse prevention
At the moment of any form submission, the full IP address of your connection is consulted in a temporary cache (rate limiting) for up to 1 minute, to verify whether the number of consecutive submissions exceeds defined technical limits. After this period, the record automatically expires from the cache and is not recoverable. This measure protects forms against automated abuse, spam, and denial-of-service attacks.
2.4 What we do not collect
- We do not use third-party cookies for targeted marketing, retargeting, or user profile enrichment.
- We do not sell, rent, or trade personal data with third parties under any circumstances.
- We do not perform automated profiling to make decisions with legal effect or that materially affect the data subject.
- We do not collect sensitive personal data (racial or ethnic origin, religious belief, political opinion, union affiliation, health data, sexual life, genetic or biometric data), per art. 5, II of the LGPD, in any of the site's forms.
3. Why we collect, purpose and legal basis
Each category of data is processed with a specific purpose and declared legal basis, per art. 7 of the LGPD:
| Category | Purpose | LGPD legal basis |
|---|---|---|
| Lead form (tourist) | Establish commercial contact to close a photography or videography service | Art. 7, V, execution of preliminary procedures related to a contract |
| Partner registration | Evaluate candidacy and formalize contractual relationship with the selected partner | Art. 7, V, execution of preliminary procedures related to a contract |
| UTM, gclid, fbclid, and referrer parameters | Measure aggregate effectiveness of marketing campaigns | Art. 7, IX, legitimate interest, with aggregate processing and no individual identification |
| Truncated IP address in logs | Temporal auditing of requests and security incident detection | Art. 7, IX, legitimate interest, with the exclusive purpose of information security |
| Full IP address in rate limiting (TTL 1 minute) | Prevention of abuse, spam, and automated attacks | Art. 7, IX, legitimate interest, with the exclusive purpose of information security |
| Analytical cookies (Google Analytics 4) | Measure aggregate traffic and navigation patterns to improve the site's content | Art. 7, I, consent, collected via cookie banner before cookie loading |
The impact assessment for processing based on legitimate interest considered: (a) the legitimate and specific purpose of each processing operation, (b) the necessity of the processing to achieve the purpose, (c) the minimum impact on the data subject, and (d) the absence of less invasive means for the same objective. Processing respects the legitimate expectations of the data subject and the principles of art. 6 of the LGPD.
4. With whom we share, operators
To operate the site and forms, we contract infrastructure providers (operators, per art. 5, VII of the LGPD) who receive data strictly to the extent necessary for service provision.
| Operator | Purpose | Processing location | Contractual basis |
|---|---|---|---|
| Vercel Inc. | Site hosting and API endpoints | United States | Contractual clauses per Vercel's Terms of Service, including the Data Processing Addendum published by the provider |
| Supabase Inc. | PostgreSQL database where forms are stored | São Paulo, Brazil (sa-east-1 region) | Contractual clauses per Supabase's Terms of Service, including the Data Processing Addendum published by the provider |
| Resend Inc. | Sending email notifications to partners about new registrations received | United States | Contractual clauses per Resend's Terms of Service, including the Data Processing Addendum published by the provider |
| Upstash Inc. | Temporary cache of IP addresses (TTL 1 minute) for abuse prevention via rate limiting | São Paulo, Brazil (sa-east-1 region) | Contractual clauses per Upstash's Terms of Service, including the Data Processing Addendum published by the provider |
| Google LLC | Collection of aggregate traffic metrics via Google Analytics 4, exclusively after your explicit consent in the cookie banner | United States | Contractual clauses per Google Analytics' Terms of Service, including the Data Processing Terms published by the provider |
None of these operators is authorized to process data for their own purposes beyond what is strictly necessary for the execution of the service contracted by Madalena. We do not share your data with advertisers, social networks (except aggregate anonymous metrics), data brokers, or any third party not listed above.
5. How long we retain your data
Each category of data has a retention period defined based on the purpose of processing and applicable legal deadlines:
| Category | Retention period |
|---|---|
| Non-converted lead (tourist who did not close a service) | 24 months from the date of form submission |
| Client with closed contract | 5 years after service end, per civil prescription period |
| Non-approved partner registration | 12 months from the date of form submission |
| Active partner | For the duration of the contractual relationship, plus 5 years after termination |
| Full IP address in rate limiting cache | 1 minute (automatic TTL at Upstash provider) |
| Application logs, without identifiable personal data and with truncated IP | Per the hosting provider's retention policy (Vercel, on the contracted plan, retains logs for approximately 1 hour) |
| Own consent cookie (madalena.consent) | 12 months from the choice; after this period, the banner is shown again so that a new choice can be made |
| Google Analytics 4 cookies (_ga, _ga_*) | 2 years from last visit, per Google's policy |
After the retention period elapses, data is deleted or anonymized, except where there is a legal obligation to maintain it for a longer period, such as fiscal and accounting records required by applicable legislation.
6. Your rights as a data subject
As a data subject, you have the rights provided in art. 18 of the LGPD:
- Confirmation of the existence of processing of your personal data.
- Access to the data we hold about you.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
- Portability of your data to another service provider, in a structured and interoperable format.
- Deletion of personal data processed based on consent.
- Information about the public and private entities with which we share your data.
- Information about the possibility of not providing consent and its consequences.
- Revocation of consent at any time, by express manifestation.
- Review of decisions made solely on the basis of automated data processing that affect your interests, when applicable (we do not perform this type of processing, per item 2.4 of this Policy).
Additionally, you may file a complaint with the National Data Protection Authority (ANPD), the supervisory body of the LGPD, through the official channels published by the authority.
How to exercise your rights: send your request to contato@somosmadalena.com.br. We respond within 15 (fifteen) days, per art. 19, §1 of the LGPD. If additional identity verification is necessary to prevent fraud or unauthorized access by third parties, we will request the minimum relevant elements.
7. Cookies and similar technologies
We use cookies in two categories, as detailed in the consent banner displayed on your first visit to the site. Your choice can be changed at any time via the "Cookie preferences" link in the site footer.
7.1 Essential cookies (always active)
Necessary for the site to function. They do not require prior consent, per the consolidated understanding in data protection.
| Cookie | Purpose | Provider | Duration |
|---|---|---|---|
| madalena.consent | Stores your choice regarding analytical cookies, preventing the banner from reappearing on each visit | Madalena (own cookie, written client-side) | 12 months |
7.2 Analytical cookies (only after your explicit consent)
Loaded only after you choose to accept them in the consent banner. Before your choice, these cookies are not written and no data is sent to Google.
| Cookie | Purpose | Provider | Duration |
|---|---|---|---|
| _ga | Distinguish unique users for aggregate traffic measurement | Google Analytics 4 | 2 years |
| _ga_4BJQRQZP99 | Persist user session state in Google Analytics 4 (linked to Measurement ID G-4BJQRQZP99) | Google Analytics 4 | 2 years |
The Google Analytics 4 setup uses Consent Mode v2 with analytics_storage set to denied by default until consent is granted. The IP address is anonymized by Google before any processing, per the product policy declared by the provider.
8. How we protect your data
We adopt technical and administrative measures in five layers to protect your data:
- Application layer: rigorous input validation with typed schemas and size limits on all fields, anti-bot honeypot mechanism, rate limiting via Upstash, structured logs without identifiable personal data, IP address truncated in persisted records.
- Transport layer: mandatory communication over HTTPS/TLS, with active Strict-Transport-Security. The browser is instructed to always use an encrypted connection with the site, even on first visit after opt-in.
- Database layer: Row-Level Security activated by default in Supabase on all tables with personal data, separation between read/write server keys (service_role) and public keys with restricted access (anon), encryption at rest provided by the provider.
- Credentials and secrets layer: all API keys and credentials stored in environment variables, outside version control. Periodic key rotation. Two-factor authentication on all administrative accounts (GitHub, Vercel, Supabase, Resend, Upstash, Registro.br, Google).
- Operations layer: continuous monitoring of structured logs, periodic review of administrative access, and documented incident response procedure.
In the event of a security incident affecting your personal data, we will notify the ANPD and affected data subjects within a reasonable time, per art. 48 of the LGPD, with clear indication of the scope, the nature of the data involved, the measures adopted to mitigate the impact, and self-protection recommendations to those affected.
9. International data transfer
Some operators listed in item 4 are located outside Brazil:
- Vercel (United States), responsible for site hosting.
- Resend (United States), responsible for sending email notifications to partners.
- Google (United States), responsible for analytical cookies, with processing conditioned on your explicit consent.
These transfers comply with art. 33 of the LGPD by means of:
- Contractual clauses applicable per the Terms of Service of each provider, including the Data Processing Addenda published by the operators.
- Adequacy assessment of destination countries, considering contractual protection mechanisms and security certifications published by the providers.
- Minimization principle applied to both the quantity and sensitivity of data transferred.
The Supabase and Upstash operators, which store the actual personal data (forms and rate limiting cache), operate on servers located in São Paulo, Brazil (sa-east-1 region). There is no international transfer of data stored in this infrastructure.
10. Data processing officer
Madalena is classified as a Microenterprise (ME) under Complementary Law nº 123/2006 and is subject to the simplified regime of ANPD Resolution nº 2/2022, which addresses the application of the LGPD to small-scale data processing agents.
Per this Resolution, small-scale processing agents are exempt from the obligation to formally appoint a Data Processing Officer, provided that an open and efficient communication channel with data subjects and the National Data Protection Authority is maintained.
As an additional measure of transparency, we voluntarily designate a person responsible for the communication channel:
Jonathan da Silva Sousa, founding partner of Madalena.
Communication channel: contato@somosmadalena.com.br
Requests related to data subject rights, questions about personal data processing, or any communication regarding this Policy must be directed exclusively to this channel, ensuring an auditable written trail of the interactions.
Madalena does not have an internal legal department in operation. Specific legal demands, when necessary, are forwarded to external legal consultancy contracted for this purpose.
11. Updates to this Policy
This Policy may be updated periodically to reflect changes in the services offered, applicable legislation, or data protection practices.
Material updates, understood as those that substantially change the declared legal bases, processing purposes, retention periods, data subject rights, or international transfers, will be communicated with a minimum of 30 days' notice by:
- Email, to data subjects whose contact we maintain.
- Highlighted notice on the site, throughout the entire notice window.
The current version is always available on the /privacidade page, with indication of the date of last revision.
Last updated: May 8, 2026
12. How to talk to us
For any questions, requests, or communications related to this Privacy Policy or the processing of personal data by Madalena:
Email: contato@somosmadalena.com.br
We maintain this channel as the only formal route for the exercise of rights by data subjects, ensuring an auditable written trail of all interactions. Requests are answered within 15 (fifteen) days from the date of receipt, per art. 19, §1 of the LGPD.