Back to login

ilumniz — Privacy Policy

Version: 1.0 Effective as of: April 9, 2026 Last updated: April 9, 2026

Convenience translation. This is a translation of the original Brazilian Portuguese version. In case of any divergence between versions, the Brazilian Portuguese version prevails.

1. Introduction

This Privacy Policy describes how ilumniz collects, uses, shares, stores and protects personal data of people who access or use the platform, in compliance with the Brazilian General Data Protection Law — LGPD (Law No. 13,709/2018) and other applicable regulations.

This Policy is an integral part of the Terms of Service and must be read together with them. By using ilumniz, you declare to be aware of the practices described herein.

2. Who is the controller

For the purposes of the LGPD, the controller of the personal data processed within ilumniz is the individual (natural person) who operates the platform under the "ilumniz" brand.

ilumniz does not have a formally appointed Data Protection Officer (DPO). The channel above fully addresses the purposes provided in art. 41 of the LGPD to the extent applicable.

3. To whom this Policy applies

This Policy applies to anyone who:

  • Creates or maintains an account on ilumniz;
  • Accesses features that require authentication or identification, even in testing phase;
  • Interacts with the institutional website, waiting lists or forms related to the service.

ilumniz is intended for people over 18 years old. We do not intentionally collect data from children or adolescents. If we become aware of collecting data from minors, we will take measures to delete it.

4. Data we process

ilumniz may process the following categories of personal data, according to the features used:

4.1. Registration and account data

  • Email address;
  • Password (stored in protected form, via hash, never in plain text);
  • User identifiers and session tokens;
  • Data received from federated login providers (for example, Google OAuth): account identifier, name, public profile photo and email, as authorized by you at the provider.

4.2. Profile and onboarding data

  • Information voluntarily provided in profile or onboarding forms, when they exist (for example, study area, goals, preferences).

4.3. "Active university student" verification data

  • Institutional email submitted for validation, corresponding domain, attempt records and verification result.

4.4. User Content

  • Notes, documents, files, tasks, calendar events, messages, questions, answers, quizzes and other content that you create, submit or store on the platform.

4.5. Usage and telemetry data

  • Usage events, pages accessed, features used, clicks, interaction time, preferences and settings, collected by analytics tools.

4.6. Technical and security data

  • IP address, browser type and version, operating system, device identifiers, language, time zone, access logs, authentication events, error records and security indicators.

4.7. Communication data

  • Content of messages sent to ilumniz via support@ilumniz.com or through other official channels, including attachments.

4.8. Payment data (when applicable, in the future)

  • Data related to subscriptions and billing will be processed directly by the contracted payment processor (for example, Stripe), and ilumniz may receive only limited information, such as transaction status, internal identifier, last card digits and billing history.

As a rule, ilumniz does not process sensitive personal data (art. 5, II, of the LGPD). We ask you not to submit sensitive information (such as health data, biometrics, religious beliefs, sexual orientation) through User Content or messages.

5. How we collect data

We collect personal data:

  • Directly from you, when you create an account, fill out forms, submit content, contact us or purchase plans;
  • Automatically, through use of the service (telemetry, logs, cookies and similar technologies);
  • From authorized third parties, such as authentication providers (for example, Google) and, in the future, payment processors, in accordance with the authorizations you grant.

6. Purposes and legal bases (art. 7 and art. 11 of the LGPD)

We process personal data only for legitimate, specific and informed purposes, in accordance with the following legal bases:

PurposeData involvedLegal basis
Create, authenticate and maintain the user accountRegistration, federated login, credentialsPerformance of contract (art. 7, V)
Provide, operate and maintain the service and its featuresUser Content, profile, usagePerformance of contract (art. 7, V)
Verify the "active university student" conditionInstitutional email and verification recordsPerformance of contract / preliminary procedures (art. 7, V)
Ensure security, fraud prevention and service integrityLogs, IP, device, authentication eventsLegitimate interest (art. 7, IX) and compliance with legal obligation (art. 7, II)
User support and handling of requestsContact data and message contentPerformance of contract and preliminary procedures (art. 7, V)
Usage analysis and service improvement (analytics)Events, telemetry, identifiersLegitimate interest (art. 7, IX), subject to data subject rights
Operational communications (registration, security, contractual changes)Email, user identifierPerformance of contract (art. 7, V) and compliance with legal obligation (art. 7, II)
Marketing communicationsEmail, preferencesConsent (art. 7, I), revocable at any time
Billing, subscriptions and payment processing (when applicable)Subscription and billing dataPerformance of contract (art. 7, V)
Compliance with legal, regulatory obligations and defense in proceedingsAs necessaryLegal obligation (art. 7, II) and regular exercise of rights (art. 7, VI)

ilumniz does not make automated decisions with relevant legal effects on data subjects under art. 20 of the LGPD. Should it start to do so, this Policy will be updated and you will be informed.

7. Cookies and similar technologies

ilumniz and its suppliers may use cookies, local storage, pixels and similar identifiers to:

  • Essential: keep your session authenticated, remember basic preferences and ensure the functioning of the service (cannot be disabled without compromising use).
  • Analytics and performance: understand how the service is used, measure engagement, identify errors and improve experience, through tools such as, currently, PostHog and Google Analytics.
  • Functional: personalize parts of the experience, when applicable.

Cookie banner (CMP). Currently, ilumniz does not display a cookie management banner. For transparency, we inform you that, until a management tool is implemented, you can control the use of cookies and similar technologies through your browser settings (including cookie deletion and tracker blocking) and/or privacy extensions and blockers of your choice. Such adjustments may impact the operation of parts of the service.

8. Data sharing

ilumniz does not sell personal data. Sharing occurs only when necessary and with appropriate safeguards, in the following cases:

  • Processors (suppliers/sub-processors) that process data on behalf of ilumniz to enable the service, within the limits of the instructions provided (see section 9).
  • Authentication providers chosen by you (for example, Google), according to the respective federated login flow.
  • Public and judicial authorities, when required by law, court order, legitimate administrative request or for regular exercise of rights.
  • Corporate operations or succession, such as any reorganization, assignment or transfer of assets, in which case data subjects will be informed by reasonable means and data protection will be preserved.
  • With your consent, in other specific cases.

9. Processors and sub-processors (reference)

ilumniz currently uses, among others, the following types of suppliers to operate the service. This list is indicative and may be changed at any time, as described in "Updates to this Policy" and in the change clause of the Terms of Service:

CategorySupplier(s) currently in usePurpose
Database, authentication and backendSupabase (infrastructure in the us-east-1 region, USA)Storage, authentication and backend services
Federated loginGoogle (OAuth)Optional authentication via Google account
Product analyticsPostHogUsage analysis, events and product metrics
Web analyticsGoogle AnalyticsUsage and performance statistics
Hosting / CDNHosting and content delivery provider(s)Delivery of the website and application
Payment processing (when applicable)Payment processor, for example StripeBilling, subscriptions and transactions
Eventual AI, vectorization and context retrieval providers (when applicable)To be defined / currently not in productionAI-based assistive features

Each supplier processes data according to its own privacy policies and terms, which we recommend you read. ilumniz may add, replace or remove suppliers at any time for reasons of operation, cost, compliance, security or service continuity.

Notice about AI and RAG. In the current version, ilumniz does not use, in production, generative artificial intelligence providers (such as Gemini or equivalents) nor vector databases (such as Pinecone) to process User Content. Should such features be activated, this Policy will be updated beforehand to describe applicable purposes, legal bases and safeguards.

10. International data transfer

Part of the personal data may be stored and processed outside Brazil, particularly in the United States, due to the infrastructure of Supabase (us-east-1 region) and other global suppliers (such as Google and PostHog).

ilumniz adopts, to the extent reasonable, contractual, technical and organizational safeguards so that such transfers occur in compliance with the LGPD, including selection of recognized suppliers and contractual requirement of security measures. We recommend reading the privacy policies of the respective providers for additional details on the protections applied by them.

11. Retention and deletion

ilumniz retains personal data for the time necessary to fulfill the purposes for which it was collected, observing the following principles:

  • While your account is active: registration, profile and User Content data are retained to enable the service.
  • After account termination: data may be deleted within a reasonable period, except for: (i) compliance with legal or regulatory obligation; (ii) regular exercise of rights in proceedings; (iii) retention in security logs for a limited period; (iv) data already anonymized, which is no longer considered personal data.
  • Beta and migrations: due to the beta phase, data may be deleted or migrated as a result of updates, as already warned in the Terms of Service.
  • Backups: backup copies may be retained for an additional technical period, being deleted or overwritten according to retention cycles.

Specific periods may vary depending on the nature of the data and applicable obligations, and the need is reassessed periodically.

12. Information security

ilumniz adopts reasonable technical and administrative measures, compatible with the beta stage of the service, to protect personal data against unauthorized access, destruction, loss, alteration, undue communication or diffusion. Among them:

  • Storage of passwords in protected form (hash);
  • Data transmission over encrypted connections (HTTPS/TLS);
  • Access and authentication controls;
  • Monitoring of security logs and events;
  • Engagement of suppliers with recognized security practices.

No system is 100% secure. In the event of a security incident that may cause relevant risk or damage to data subjects, ilumniz will take the measures required by the LGPD, including communication to data subjects and the ANPD, where applicable.

13. Data subject rights (art. 18 of the LGPD)

You, as a personal data subject, have the right, upon request, to:

  • Confirm the existence of processing;
  • Access your data;
  • Correct incomplete, inaccurate or outdated data;
  • Anonymize, block or delete unnecessary, excessive or data processed in non-compliance with the LGPD;
  • Request portability to another supplier, observing legal requirements and commercial and industrial secrets;
  • Delete data processed based on consent, subject to legal retention cases;
  • Obtain information about public and private entities with which ilumniz has shared data;
  • Be informed about the possibility of not providing consent and its consequences;
  • Revoke consent, when it is the legal basis for processing;
  • File a petition with the ANPD (National Data Protection Authority).

How to exercise your rights. Send a request to support@ilumniz.com from the email registered in your account or providing sufficient data for identity validation. We may request additional information to confirm your identity before fulfilling the request, in protection of the data subject themselves.

We will address requests within the deadlines and terms provided by the LGPD. Some requests may be partially denied when they conflict with legal obligations, regular exercise of rights, third-party rights or technical characteristics of the service, in which case the justification will be informed.

14. Marketing and communications

Marketing communications (for example, news, tips, promotions) are sent only with your prior consent. You may revoke consent at any time through the unsubscribe link present in the messages, through account settings, when available, or through support@ilumniz.com.

Operational communications (registration, security, billing, contractual changes, service notices) are necessary for the performance of the contract and/or legal obligations and do not depend on consent to be sent.

15. Updates to this Policy

ilumniz may update this Policy periodically, to reflect changes in the service, features, suppliers/sub-processors, security practices or applicable legislation.

  • The version and last updated date will always be indicated at the top of this document.
  • Relevant changes may be communicated by reasonable means, such as notice on the platform or by email.
  • We recommend that you review this Policy periodically.
  • Continued use of the service after publication of a new version signifies awareness of the changes; when the applicable legal basis requires it, new consent will be requested.

16. Prevailing language

This Policy may be made available in other languages for convenience. In case of divergence between versions, the Brazilian Portuguese version prevails.

17. Contact

For questions, requests, complaints or exercise of rights related to personal data and privacy, use the channel:

support@ilumniz.com