ilumniz — Privacy Policy

Version: 1.1 Effective as of: May 4, 2026 Last updated: May 4, 2026

Convenience translation. This is a translation of the original Brazilian Portuguese version. In case of any divergence between versions, the Brazilian Portuguese version prevails.

1. Introduction

This Privacy Policy describes how ilumniz collects, uses, shares, stores and protects personal data of people who access or use the platform, in accordance with the Brazilian General Data Protection Law — LGPD (Law No. 13,709/2018) and other applicable rules.

This Policy is an integral part of the Terms of Service and must be read together with them. By using ilumniz, you declare that you are aware of the practices described herein.

ilumniz currently offers three main functional areas — Classroom (individual study and academic organization), Learning (assisted learning and quizzes) and Networking (public profile, feed, connections, chat and university communities). This Policy covers the processing of personal data related to all of them.

2. Who is the controller

For the purposes of the LGPD, the controller of the personal data processed within ilumniz is the individual (natural person) who operates the platform under the "ilumniz" brand.

Single contact channel (privacy, LGPD, support and exercise of rights): support@ilumniz.com

ilumniz does not have a formally appointed Data Protection Officer (DPO). The above channel fully addresses the contact purposes provided for in art. 41 of the LGPD where applicable.

3. To whom this Policy applies

This Policy applies to those who:

Create or maintain an account on ilumniz;
Access features that require authentication or identification, even in test phase;
Interact with the institutional website, waiting lists or forms related to the service;
Have personal data processed by reason of interaction with other users of the platform (for example, by being mentioned, quoted or recipient of a message).

ilumniz is intended for persons over 18 years of age. We do not intentionally collect data of children or adolescents. If we become aware that we have collected data of minors, we will take steps to delete it.

4. Data we process

ilumniz may process the following categories of personal data, depending on the features used:

4.1. Registration and account data

Email address;
Password (stored in protected form, by hash, never in plain text);
User identifiers, profile identifiers and session tokens;
Data received from federated login providers (for example, Google OAuth): account identifier, name, public profile photo and email, as authorized by you on the provider.

4.2. Profile and onboarding data

Display name, username, biography, profile photo, cover photo;
Visual customizations of the profile card (theme, style, custom footer, text effects);
University affiliation (institution, course, semester/quarter, progress status, year of admission);
Appearance preferences, accent color, language, time zone, accessibility settings, cursor preferences.

4.3. "Active university student" verification data

Institutional email submitted for validation, corresponding domain, attempt records and verification result, link to the validated institution.

4.4. User Content — individual study (Classroom / Learning)

Notes, documents, uploaded files, tasks, calendar events, subjects, materials, lessons, study notes, questions and answers with the ilumniz assistant, generated quizzes.

4.5. User Content — social area (Networking)

Feed publications: posts (text, images, videos), polls and poll votes, reposts (with or without quote), comments and tree replies, audience setting (public, followers, private), reply permissions;
Engagement: likes, reposts, bookmarks, poll votes, views;
Tags: hashtags used, @mentions of other users;
Lists and bookmarks: curated lists (public/private), bookmark folders (public/private), folder followers and collaborators;
Messages exchanged in direct conversations (1-1) and group rooms, attachments (images, videos, PDFs, notes, documents), reactions (emojis), pinned messages, read receipts, "typing" status, room membership and role (member/admin);
Connections: follower/following relationship, connection requests sent and received (pending, accepted, declined);
Communities: membership in the institution's community, member status, current active community, joins and leaves;
Notifications: records of events that generated notifications (likes, comments, mentions, new followers, messages, connection requests), read/unread state, dates;
Reports: content of reports submitted (post, comment, message, reported profile, reason, reporter's message).

4.6. Derived social-interaction data

Aggregate counters (number of followers, following, posts, likes received);
Trending hashtags in recent time windows;
Contact suggestions calculated from the network and from filters such as university and course.

4.7. Usage and telemetry data

Usage events, pages accessed, features used, clicks, interaction time, preferences and settings, collected by analytics tools (currently PostHog and Google Analytics).

4.8. Technical and security data

IP address, browser type and version, operating system, device identifiers, language, time zone, access logs, authentication events, error logs, OTP events, security and antifraud indicators.

4.9. Communication-with-ilumniz data

Content of messages sent to ilumniz via support@ilumniz.com or other official channels (including the in-app feedback module), including attachments.

4.10. Payment data (when applicable, in the future)

If paid plans are introduced in the future, data related to subscriptions and billing will be processed directly by the contracted payment processor (for example, Stripe), with ilumniz receiving only limited information, such as transaction status, internal identifier, last digits of the card and billing history. ilumniz currently does not charge for the use of the service.

ilumniz, as a rule, does not process sensitive personal data (art. 5, II, LGPD). We ask that you do not submit or publish sensitive information (such as health data, biometrics, religious beliefs, sexual orientation) through User Content, messages or profile.

5. How we collect data

We collect personal data:

Directly from you, when creating an account, filling out forms, submitting content, publishing posts, sending messages, configuring profile, contacting us or contracting plans;
Automatically, through use of the service (telemetry, logs, cookies and similar technologies);
From authorized third parties, such as authentication providers (for example, Google) and, in the future, payment processors, in accordance with the authorizations you grant;
From other users, when they mention, quote, repost, send messages, add to lists, follow or report you or your content.

6. Purposes and legal bases (art. 7 and art. 11 of the LGPD)

We process personal data only for legitimate, specific and informed purposes, in accordance with the following legal bases:

Purpose	Data involved	Legal basis
Create, authenticate and maintain the user account	Registration, federated login, credentials	Performance of contract (art. 7, V)
Provide, operate and maintain the service and its features (Classroom, Learning, Networking)	User Content, profile, usage	Performance of contract (art. 7, V)
Verify "active university student" status and administer communities	Institutional email, verification records, community membership	Performance of contract / preliminary procedures (art. 7, V)
Operate social features (feed, public profile, connections, lists, bookmarks, communities) and display content to other users according to the configured audience	Posts, comments, public profile, connections, hashtags, mentions	Performance of contract (art. 7, V)
Operate direct messages and group rooms, including attachments, reactions and read receipts	Message content, attachments, chat metadata	Performance of contract (art. 7, V)
Generate notifications arising from interactions (mentions, likes, comments, new followers, messages, connection requests)	Interaction events, user identifiers	Performance of contract (art. 7, V)
Recommend contacts, trending hashtags and content discovery	Connections, public profile data, engagement	Legitimate interest (art. 7, IX)
Moderate the service, analyze reports, investigate violations and apply measures	Reported content, profile, logs, messages (when necessary)	Legitimate interest (art. 7, IX), compliance with legal obligation (art. 7, II) and regular exercise of rights (art. 7, VI)
Ensure security, fraud prevention and integrity of the service	Logs, IP, device, authentication events	Legitimate interest (art. 7, IX) and compliance with legal obligation (art. 7, II)
User support and handling of requests	Contact data and message content	Performance of contract and preliminary procedures (art. 7, V)
Usage analysis and service improvement (analytics)	Events, telemetry, identifiers	Legitimate interest (art. 7, IX), observing the rights of the data subject
Operational communications (registration, security, contractual changes, social-interaction notifications)	Email, user identifier, events	Performance of contract (art. 7, V) and compliance with legal obligation (art. 7, II)
Marketing communications	Email, preferences	Consent (art. 7, I), revocable at any time
Billing, subscriptions and payment processing (when applicable, in the future)	Subscription and billing data	Performance of contract (art. 7, V)
Compliance with legal, regulatory obligations and defense in proceedings	As needed	Legal obligation (art. 7, II) and regular exercise of rights (art. 7, VI)

ilumniz does not perform automated decisions with relevant legal effects on data subjects under art. 20 of the LGPD. Should it begin to do so, this Policy will be updated and you will be informed.

7. Cookies and similar technologies

ilumniz and its vendors may use cookies, local storage, pixels and similar identifiers to:

Essential: maintain your authenticated session, remember basic preferences and ensure operation of the service (cannot be disabled without compromising use).
Analytics and performance: understand how the service is used, measure engagement, identify errors and improve the experience, through tools such as, currently, PostHog and Google Analytics.
Functional: personalize parts of the experience, where applicable.

Cookie banner (CMP). Currently, ilumniz does not display a cookie management banner. For transparency, we inform you that, until a management tool is implemented, you can control the use of cookies and similar technologies through your browser settings (including deleting cookies and blocking trackers) and/or privacy extensions and blockers of your choice. Such adjustments may impact the operation of parts of the service.

8. Content visibility and audience

Different types of content on ilumniz have different visibility. The following table describes the default visibility of each type. Where there is "Yes" in the Configurable column, you can change the visibility in the publication or account settings.

Content type	Default visibility	Configurable?
Feed post (audience "everyone")	All authenticated users; appears in search and discovery	Yes
Feed post (audience "followers")	Only your followers	Yes
Private post / draft	Only you	Yes
Comments, reposts, likes	Same audience as the original post	Partly
Profile (name, username, photo, cover, bio, university, course, card customizations)	Public within the platform	No, at this time
Connections (followers and following)	Public within the platform	No, at this time
Curated lists	According to list configuration (public/private)	Yes
Private bookmark folder	Only you	Yes
Public bookmark folder	Any authenticated user, with follower opt-in	Yes
Bookmark folder with collaborators	You and the collaborators	Yes
Direct message (DM 1-1)	You and the recipient	No
Group room	Members of the room	No, persists while the room exists
Classroom content (notes, files, tasks, calendar)	Only you (unless explicitly shared)	Yes
Notifications	Only you	No
Searches performed	Only you (internal use to deliver the result)	No

Important notice. ilumniz's audience configuration is a reasonable effort to limit the visibility of content, but does not prevent people legitimately authorized to see it from copying, quoting, taking screenshots, reposting or sharing it outside the platform. After you delete content, legitimately obtained copies by other users may remain.

9. Data sharing

ilumniz does not sell personal data. Data may be shared or made accessible in the following hypotheses:

9.1. With other users (operation of the social service). Public content (posts with audience "everyone", profile, connections, public lists and folders, messages in group rooms, etc.) is, by its nature, displayed to other users of the platform, according to their own settings. This sharing arises from the operation of the service chosen by you, not constituting a transfer to "third parties" in the traditional sense.

9.2. With operators (vendors/sub-processors) who process data on behalf of ilumniz to enable the service, within the limits of the instructions provided (see section 10).

9.3. With authentication providers chosen by you (for example, Google), according to the respective federated login flow.

9.4. With public and judicial authorities, when required by law, judicial order, legitimate administrative request or for regular exercise of rights.

9.5. In corporate or succession transactions, such as eventual reorganization, assignment or transfer of assets, in which case data subjects will be informed by reasonable means and the protection of data will be preserved.

9.6. With your consent, in other specific hypotheses.

10. Operators and sub-processors (reference)

ilumniz uses, currently and among others, the following types of vendors to operate the service. This list is referential and may be changed at any time, as described in the "Updates to this Policy" section and in the changes clause of the Terms of Service:

Category	Vendor(s) currently in use	Purpose
Database, authentication and backend	Supabase (infrastructure in us-east-1 region, USA)	Storage, authentication, realtime and backend services
File storage (chat attachments, post media, profile photos)	Supabase Storage	Hosting of files uploaded by users
Federated login	Google (OAuth)	Optional authentication via Google account
Transactional email delivery (verification, OTP, password recovery, operational notifications)	Resend	Operational email delivery
Product analytics	PostHog	Usage, event and product-metric analysis
Web analytics	Google Analytics	Usage and performance statistics
Hosting / CDN	Hosting and content delivery provider(s) (for example, Vercel)	Delivery of the site and the application
Payment processing (when applicable, in the future)	Payment processor, for example Stripe	Billing, subscriptions and transactions
Eventual AI, vectorization and context-retrieval providers (when applicable)	TBD / currently not in production	AI-based assistive features

Each vendor processes data according to its own privacy policies and terms, which we recommend reading. ilumniz may add, replace or remove vendors at any time for purposes of operation, cost, compliance, security or service continuity.

Notice on AI and RAG. In the present version, ilumniz does not use, in production, generative-AI providers (such as Gemini or equivalents) nor vector databases (such as Pinecone) to process User Content. If such features are activated, this Policy will be updated in advance to describe the applicable purposes, legal bases and safeguards.

11. International data transfer

Part of the personal data may be stored and processed outside Brazil, especially in the United States and other regions, due to the infrastructure of Supabase (us-east-1 region), Resend, PostHog, Google and other global vendors.

ilumniz adopts, to the extent reasonable, contractual, technical and organizational safeguards so that these transfers occur in accordance with the LGPD, including the choice of recognized vendors and the contractual requirement of security measures. We recommend reading the privacy policies of the respective providers for additional details about the protections applied by them.

12. Retention and deletion

ilumniz retains personal data for the time necessary to fulfill the purposes for which they were collected, observing the following principles:

While your account is active: registration data, profile, User Content, connections, messages and other records are kept to enable the service.
After account termination: data associated with your account may be deleted within a reasonable period, except for: (i) compliance with legal or regulatory obligations; (ii) regular exercise of rights in proceedings; (iii) retention in security logs for a limited period; (iv) data already anonymized, which ceases to be considered personal data; (v) records of reports and moderation kept for defense in proceedings and to prevent recurrence.
Copies held by other users: messages already received, posts already viewed, reposts, quotes and screenshots may remain held by other users, on their devices or in their own message inboxes, even after you delete the source content or terminate your account. ilumniz does not control or take responsibility for those copies.
Group rooms: the history of your messages in group rooms remains visible to other members while the room exists, even if you leave the room or terminate your account.
Beta and migrations: due to the beta phase, data may be deleted or migrated as a result of updates, as already warned in the Terms of Service.
Backups: backup copies may be kept for an additional technical period, being deleted or overwritten according to retention cycles.

Specific terms may vary depending on the nature of the data and applicable obligations, with the necessity periodically reassessed.

13. Information security

ilumniz adopts reasonable technical and administrative measures, compatible with the beta stage of the service, to protect personal data against unauthorized access, destruction, loss, alteration, undue communication or dissemination. Among them:

Storage of passwords in protected form (hash);
Data transmission via encrypted connections (HTTPS/TLS);
Access controls, authentication and Row-Level Security in the database;
Monitoring of logs and security events;
Hiring of vendors with recognized security practices.

Private messages (DMs and group rooms) are protected in transit by TLS and stored by Supabase's database. They are not end-to-end encrypted. In exceptional scenarios (judicial order, defense in proceedings, incident investigation, investigation of breach of the Terms), the technical team may access message content, in accordance with applicable law.

No system is 100% secure. In the event of a security incident that may pose risk or relevant damage to data subjects, ilumniz will adopt the measures required by the LGPD, including communication to data subjects and to the ANPD, when applicable.

14. Moderation and reports

Within the platform, you may report posts, comments, messages, profiles, lists and other content published by other users that you understand to violate these Terms, applicable law or your rights or those of third parties. By submitting a report, you agree to the processing of the following personal data:

Identifier of your account as reporter;
Identifier of the reported content or profile;
Reason, message and supporting materials provided by you;
Eventual content of the reported material, preserved for analysis purposes.

ilumniz performs reactive moderation: content is not pre-screened. Upon report, or sua sponte in urgent cases, ilumniz may remove content, restrict reach, suspend or terminate accounts, as set out in the Terms of Service.

Records of reports and moderation measures are kept for defense in proceedings, to prevent recurrence and to comply with legal obligations, and may be shared with authorities when required by law.

15. Data subject rights (art. 18 LGPD)

You, as a data subject, have the right, upon request, to:

Confirm the existence of processing;
Access your data;
Correct incomplete, inaccurate or outdated data;
Anonymize, block or delete unnecessary, excessive or data processed in non-compliance with the LGPD;
Request portability to another provider, observing legal requirements and trade and industrial secrets;
Delete data processed based on consent, except for cases of legal retention;
Obtain information about public and private entities with whom ilumniz has shared data;
Be informed about the possibility of not providing consent and its consequences;
Revoke consent, when it is the legal basis for processing;
File a petition with the ANPD (National Data Protection Authority).

Specific limitations on social features. Deletion and portability rights will be honored in relation to your own data. They do not reach legitimate copies held by other users (e.g., messages already received, posts already reposted or quoted, screenshots). Citations of your username (@mentions) made by third parties in others' publications remain as personal data of those who published it, and may, upon assessment of viability, be subject to a specific removal request.

How to exercise your rights. Send a request to support@ilumniz.com from the email registered in your account or providing sufficient data for identity validation. We may request additional information to confirm your identity before fulfilling the request, in protection of the data subject themselves.

We will respond to requests within the periods and terms provided in the LGPD. Some requests may be partially denied when they conflict with legal obligation, regular exercise of rights, third-party rights or technical characteristics of the service, in which case the justification will be informed.

16. Marketing and communications

Marketing communications (for example, news, tips, promotions) are sent only with your prior consent. You may revoke consent at any time through the unsubscribe link present in messages, through the account settings, when available, or through support@ilumniz.com.

Operational communications (registration, security, charges where applicable, contractual changes, service notices, social-interaction notifications such as mentions, comments, new followers, messages) are necessary for the performance of the contract and/or legal obligations and do not depend on consent to be sent. You may, within the notification settings, adjust channels and categories of social notifications you wish to receive.

17. Updates to this Policy

ilumniz may update this Policy periodically, to reflect changes in the service, features, vendors/sub-processors, security practices or applicable law.

The version and date of last update will always be indicated at the top of this document.
Material changes may be communicated by reasonable means, such as in-platform notice or email.
We recommend that you review this Policy periodically.
Continued use of the service after the publication of a new version means awareness of the changes; when the applicable legal basis requires, new consent will be requested.

18. Prevailing language

This Policy may be made available in other languages for convenience. In case of divergence between versions, the Brazilian Portuguese version prevails.

19. Contact

For questions, requests, complaints or exercise of rights related to personal data and privacy, use the channel:

support@ilumniz.com