Privacy Policy

Last updated: April 2026

This Policy explains how Lex Ocorrências handles personal data when you use our services. It complies with the Brazilian General Data Protection Law (LGPD, Law 13,709/2018).

1. Processing model

Lex Ocorrências is a SaaS platform contracted by condominium administrators and building managers (together, "Administration").

• For resident data (name, WhatsApp number, request content), the Administration is the controller (deciding purpose and means) and Lex Ocorrências is the processor (LGPD art. 5, VII), processing data on behalf of the Administration for the purpose of managing requests.
• For commercial contact data (interested administrators, leads, etc.), Lex Ocorrências is the controller.

2. What we collect

From the resident, when opening a request:

• Name (optional, provided by the resident).
• WhatsApp number (E.164), used to send updates about the request.
• Free-text description of the request and location identifier (e.g. building block or apartment).
• Optional photo or short video attached to the request.
• Explicit consent flag (LGPD art. 7, I) with timestamp and source channel.
• Send-related technical metadata: opening date and time, subsequent statuses (triaged, resolved, closed).

From the Administration, for access to the panel: name, email, password hash and assigned role (building manager, administrator, operations).

We do not collect CPF, government ID numbers, banking information, precise geolocation, sensitive data (health, religion, political opinion), nor third-party tracking cookies.

3. What we use it for

• Recording the request opened by the resident.
• Notifying the resident exclusively about the request they themselves opened (or subscribed to): confirmation, triage, status updates, closure.
• Allowing the Administration to triage, assign responsibility, record guidance and mark as resolved.
• Operating the opt-out and data deletion mechanisms at the data subject's request.

We do not use data for promotional messages, marketing, advertising profiling, sale to third parties, or commercial partner sharing.

4. Lawful basis (LGPD art. 7 and 11)

• Consent (art. 7, I) — for sending WhatsApp notifications to the resident. Consent is collected explicitly at the moment of opening the request (unchecked by default; submit stays disabled until the user actively checks it) and reinforced by a user-initiated confirmation (a message from the resident themselves to our WhatsApp before any notification is sent). It can be withdrawn at any time (see §6).
• Performance of contract (art. 7, V) — for processing Administration data necessary to fulfill the service agreement.
• Legitimate interest (art. 7, IX) — for internal alerts to administrative contacts previously registered by the Administration (e.g. building manager's WhatsApp receiving a new-request alert).
• Compliance with legal obligation (art. 7, II) — minimum retention of consent logs and send history for audit and response to the Brazilian Data Protection Authority (ANPD).

5. Sharing and processors

We do not sell, lease or trade data with third parties for commercial purposes. To operate the service we use the following processors and infrastructure:

• Meta Platforms, Inc. — message delivery via WhatsApp Business Platform (Cloud API). Subject to Meta's terms and the WhatsApp Business Messaging Policy.
• Render Services, Inc. — application hosting and managed Postgres database (us-west-2 / Oregon, USA region).
• Amazon Web Services (AWS) — attachment storage (photos and videos) in a private S3 bucket (us-east-1, USA region), accessed via short-lived signed URLs.
• Cloudflare — institutional domain email routing and edge delivery.

International transfer: Meta, Render, AWS and Cloudflare process data on servers outside Brazil. The transfer is based on LGPD art. 33, I and VI (performance of contractual obligation and consent).

6. Data subject rights (LGPD art. 18)

The resident (data subject) may, at any time:

• Confirm the existence of the processing and access their data.
• Correct incomplete, inaccurate or outdated data.
• Delete personal data (anonymizing the request) directly on the request page, via the "Delete my data" button. The operation is immediate and irreversible: the technical record remains for the Administration's statistical and operational purposes, but the name, phone number and free-form content are removed.
• Withdraw consent for WhatsApp notifications by replying SAIR (we also accept STOP and PARAR) to any message from our WhatsApp, or by clicking the "Stop receiving notices about this request" link present in every message. The block is immediate and cross-tenant: no condominium operated by Lex can send messages to that number anymore. Reactivation only happens if the data subject themselves sends us a new message.
• Request data portability to another provider when applicable.
• File a complaint with ANPD if you believe processing is unlawful.

For requests beyond the in-page button, write to contato@lexocorrencias.com. We respond within 15 days.

7. Retention

• Requests and attachments: retained while the subscribed condominium is active, and for a further 12 months after contract termination, for audit, defense and legal-obligation purposes. After that period, associated personal data is deleted or anonymized.
• Send history and consent logs: retained for up to 24 months for compliance audit (LGPD and WhatsApp Business Platform policies).
• Data anonymized at the subject's request: the request remains (without personal identification) to preserve the condominium's operational record.

8. Security

• Traffic over TLS 1.2+ on every connection (web, API, integrations).
• Encrypted storage at rest (AES-256) in the database and S3 bucket.
• Passwords stored as bcrypt hash (cost 12).
• Administration sessions HMAC-signed with a rotatable secret.
• Mandatory verification of the WhatsApp number by the data subject themselves before the first send (user-initiated conversation).
• Production-log administrative access is restricted and logged.

9. Incidents

In case of a security incident that may carry relevant risk or harm to the data subjects, we notify the ANPD and the affected subjects within a reasonable period, in accordance with LGPD art. 48, describing the nature of the data, affected subjects, applicable technical and security measures, and mitigation actions.

10. Updates to this Policy

We may update this Policy to reflect changes in the service, the legal framework or messaging-provider requirements. Material changes are communicated at least 15 days in advance via WhatsApp or email. The last-updated date appears at the top of this page.

11. Contact

Data Protection Officer (DPO) and single point of contact: contato@lexocorrencias.com.