Privacy Policy
This Policy explains how Donnu A/B processes personal data. It is part of the Terms of Use and should be read together with the Cookie Policy.
1. Controller
The controller of personal data processed in the account relationship is DONNU LTDA, CNPJ 65.082.197/0001-09, with its head office at Rua Lorena, 649, Loja Parte, Padre Eustaquio, Belo Horizonte/MG, Brazil, ZIP 30.730-170.
2. Roles: controller and processor
It is important to distinguish two contexts:
- Account data: with respect to the data of account holders and platform users, Donnu acts as controller.
- Visitor data: with respect to data collected by the Snippet on our customers' sites, Donnu acts as processor, and the customer who installed the Snippet is the controller. The customer is responsible for informing its Visitors and obtaining the applicable legal bases. Donnu processes this data only to provide the service, following the customer's instructions and this document.
3. Data we process
3.1. Account holders
- Registration data: name and email;
- Credentials: password stored in encrypted form (never in plain text);
- Billing data: processed through a third-party payment processor; we do not store full card numbers;
- Usage and technical logs: IP address, browser and device information, dates and times of access, and actions taken on the platform.
3.2. Visitors of customers' sites (Donnu as processor)
- Pseudonymous identifier: a random number (UUID) stored in a first-party cookie on the customer's own domain, used to keep the Visitor in the same variation and avoid duplicate counting;
- Experiment events: views, conversions, and goals configured by the customer;
- Device type (for example, desktop or mobile) and the page address, with query parameters known to be sensitive removed.
We do not perform fingerprinting, we do not track Visitors across different sites, and we do not intentionally collect sensitive personal data.
4. Purposes and legal bases
- Providing and operating the service, authenticating and billing: performance of a contract (LGPD, art. 7, V);
- Security, fraud prevention, and service improvement: legitimate interest (art. 7, IX), respecting the rights of the data subject;
- Compliance with legal and regulatory obligations: legal obligation (art. 7, II);
- Non-essential cookies, where applicable: consent (art. 7, I).
5. Sharing
We do not sell personal data. We may share data with:
- infrastructure providers and sub-processors that enable the service (for example, hosting, database, and delivery providers such as Supabase, Railway, and Netlify), under confidentiality and security obligations;
- the payment processor, to enable billing;
- authorities, when required by law, court order, or to exercise our rights.
6. International transfer
We aim to keep processing on infrastructure located in Brazil whenever possible. When a sub-processor is located abroad, we will adopt the safeguards required by applicable law for the international transfer of data.
7. Retention
We keep data for as long as necessary for the purposes of this Policy and the contractual relationship, and for the periods required by law. Once the relationship ends, data may be deleted or anonymized after a reasonable period, except where the law requires retention.
8. Security
We adopt appropriate technical and organizational measures, such as per-account data isolation (row-level security), access control, credential encryption, and transmission over a secure connection, along with audits and security testing. No system, however, is completely immune to incidents, and we cannot guarantee absolute security.
9. Your rights
Under the LGPD, you may request: confirmation that processing exists; access to your data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary data or data processed unlawfully; portability; information about sharing; and withdrawal of consent. To exercise these rights, use the contact in Section 13. Visitor requests relating to customers' sites should be directed to the respective customer, in its capacity as controller.
10. Cookies
The use of cookies and similar technologies is detailed in the Cookie Policy.
11. Minors
The platform is intended for professional use by people 18 or older and is not directed to minors. We do not intentionally collect data from children or adolescents.
12. Changes
This Policy may be updated at any time. Material changes will be communicated by reasonable means before they take effect. The version in force will always be available on the platform, with its date.
13. Data protection officer and contact
To exercise your rights or raise privacy matters, contact our data protection officer (DPO) at marco@donnu.com.br.