1. Who we are and who this policy applies to
Bandeira Tecnologia LTDA, a Brazilian limited liability company registered under CNPJ No. 33.120.648/0001-50, headquartered at Av. Ernesto Igel, 307, Bloco B, Conjunto 146, Vila Leopoldina, São Paulo/SP, Brazil, is the data controller for personal data processed through its authorized political content amplification platform (the "Platform" or "Bandeira"), available at bandeira.app.br and related applications.
This Privacy Policy applies to three categories of users:
- Clients: candidates, elected officials, political parties, party federations, and political organizations that contract with Bandeira to operate authorized coordinated networks.
- Supporters: individuals who voluntarily and formally authorize the participation of their Instagram account in a coordinated network operated by a Client.
- Visitors: anyone who accesses the Bandeira institutional website or its public pages.
This Policy complies with the Brazilian Lei Geral de Proteção de Dados (Law No. 13,709/2018, "LGPD"), with Meta Platforms' Platform Terms and Developer Policies (as applicable to Instagram), and follows international data protection best practices.
2. Personal data we process
We exhaustively list below the personal data Bandeira processes.
2.1 Client data
- Identification: full name, Brazilian taxpayer ID (CPF), national ID (RG), professional email, mobile phone
- Political qualification: position or role, political party, electoral number, campaign CNPJ (when applicable)
- Financial: billing data, credit card information (stored exclusively by our PCI-DSS certified payment processor, never directly by us)
- Platform usage: access logs, IP, device, panel actions, editorial history
2.2 Supporter data
- Identification: full name, email, mobile phone
- CPF (Brazilian taxpayer ID): collected exclusively for identity confirmation at acceptance. Not stored in plaintext after verification — we retain only a cryptographic hash for audit purposes
- Authorized Instagram account data: Business account ID, username, profile picture, biography (read-only access, never modified)
- Meta OAuth token: long-lived access token with limited scope, provided by Meta after explicit consent
- Account content: posts, captions, media, basic engagement metrics — solely for network operation
- Consent audit data: IP at acceptance, date/time, device, browser, SHA-256 hash of the term, validated SMS code, approximate IP-based geolocation
- Operational history: republications performed, with date, time, content, and attribution
2.3 Visitor data
- Navigation: IP, device, browser, URLs visited, time spent, traffic source
- Cookies: session identifiers, preferences, anonymized analytics (details in Section 9)
- Forms: name, email, message, when voluntarily provided
3. How we collect your data
We collect data through three distinct channels:
3.1 Direct collection from the data subject
Most data is provided directly: during Client registration, during Authorization Term acceptance as a Supporter, or when filling out website contact forms.
3.2 Collection through Meta integration
When a Supporter grants authorization through the official Meta OAuth flow, we receive from Meta only the data strictly necessary for operation, based on the permissions explicitly granted by the Supporter. We do not perform any parallel or unauthorized data collection on the social network. We never scrape Instagram or any Meta platform.
3.3 Automatic collection during use
During Platform use, we automatically collect log, navigation, and audit data described in Section 2 — essential for security, fraud prevention, and legal compliance.
4. Why we process your data
For each data category, we identify the specific purpose and applicable legal basis under LGPD Article 7.
| Purpose | Legal basis | Data used |
|---|---|---|
| Registration and authentication | Contract performance | Client identification |
| Coordinated network operation | Consent + Contract | OAuth token, Instagram account, capture/republication |
| Operational communication | Contract performance | Email, phone, contact data |
| Billing and invoicing | Legal obligation + Contract | CPF/CNPJ, billing data |
| Consent audit | Legal obligation | IP, term hash, timestamp, SMS |
| Brazilian electoral compliance (TSE) | Legal obligation | CNPJ binding, calendar, content marking |
| Fraud prevention | Legitimate interest | Access logs, usage patterns, IP |
| Product analysis and improvement | Legitimate interest | Anonymized or pseudonymized data |
| Marketing and prospecting | Consent | Email and phone of opt-in subjects |
| Legal defense | Regular exercise of rights | As needed |
4.1 Processing of Client political opinion
A Client's political opinion is sensitive data under LGPD Article 5(II). We process this based on the Client's explicit consent, exclusively for Platform operation — which by its nature presupposes knowledge of the contracting party's political position. This data has additional security: encryption at rest, restricted access, no non-essential sharing.
5. Who we share data with
5.1 Essential technology operators
These vendors process data on our behalf, under our direction:
- Amazon Web Services (AWS) — server infrastructure, primary servers in São Paulo, Brazil
- Meta Platforms, Inc. — Instagram Graph API
- Anthropic, Inc. — AI for caption variations and content filtering (no model training with your data)
- Twilio or Zenvia — SMS delivery
- Resend — transactional email
- Stripe or Asaas — payment processing (PCI-DSS)
- Cloudflare — cyber attack protection and CDN
- Clerk or Auth0 — authentication management
- D4Sign or Clicksign — electronic contract signing
5.2 Sharing between Client and Supporters
Data of Supporters who accept participation in a Client's network is shared with that specific Client, to the extent necessary. Each Client receives only data of Supporters who authorized their network, never from other networks.
5.3 Sharing with public authorities
Upon formal substantiated request, court order, or request from TSE/TREs/ANPD. Whenever legally possible, we will notify the data subject before sharing.
6. How long we retain your data
- Client registration: while contract is in effect + 5 years for fiscal obligations
- Supporter operational data (OAuth token): deleted within 24h of revocation
- Supporter personal data (name, email): deleted within 15 days of revocation
- Consent audit logs: 5 years, in segregated format, for legal compliance
- Billing and invoicing: 5 years after last invoice
- Access and security logs: 6 months (Brazilian Marco Civil da Internet)
- Session cookies: until session ends
- Anonymized data: indefinitely (no longer considered personal data)
7. How we protect your data
7.1 Technical measures
- Encryption in transit: TLS 1.3 on all connections
- Encryption at rest: AES-256 for sensitive data
- OAuth tokens: additional application-layer encryption
- Passwords: never plaintext; bcrypt + salt
- Servers in ISO 27001 and SOC 2 certified data centers
- Encrypted backups in separate geographic region
- Web Application Firewall via Cloudflare
- Continuous monitoring and anomaly alerts
- Security updates within 72 hours
7.2 Organizational measures
- Access by least-privilege principle
- Internal information classification policy
- Periodic team training in security and LGPD
- NDAs and confidentiality clauses
- Documented incident response plan
- Periodic internal audits
7.3 In case of incident
We will notify the ANPD within reasonable timeframe, notify affected subjects, document internally, and cooperate with competent authorities.
8. Your rights as a data subject
LGPD guarantees you important rights. Bandeira fully honors them.
8.1 Confirmation and access
Request confirmation of processing, access to data in readable format, export in portable electronic format (PDF or JSON).
8.2 Correction
Request correction of incorrect, incomplete, or outdated data. We respond within 15 days.
8.3 Deletion
Request deletion. We delete within 15 days, except for data we must retain due to legal obligation or for defense in ongoing proceedings.
8.4 Portability
Request portability to another provider in structured and interoperable format.
8.5 Revoke consent
When processing is based on consent, you may revoke at any time, without penalty. Supporters can revoke directly through the personal panel with effect within 24h for new publications and within 15 days for personal data deletion.
8.6 Object
Object to processing based on legitimate interest, demonstrating concrete situation.
8.7 Information about sharing
Know which public and private entities Bandeira has shared your data with.
8.8 Review of automated decisions
Request review by a natural person of decisions made exclusively by automated systems.
8.9 Petition the ANPD
File a complaint with the Brazilian National Data Protection Authority if your rights have not been adequately addressed.
9. Cookies and similar technologies
9.1 Cookie types
- Strictly necessary: essential for operation. Cannot be disabled.
- Preference: store your settings.
- Analytics: understand Platform use, anonymized, via LGPD-compatible providers (PostHog, Plausible).
- Marketing: only on public pages, with explicit consent. Disabled by default.
9.2 How to manage
First-visit consent banner allows accepting all, rejecting non-essential, or customizing by category. Reviewable via "Cookie Settings" in footer.
10. International data transfers
Primary servers in Brazil (AWS São Paulo). Some operators are international:
- Meta (USA): OAuth tokens and Instagram operation data
- Anthropic (USA): AI processing
- Stripe (USA/Ireland): payment processing
- Twilio (USA/Ireland): international SMS
Transfers under LGPD Article 33, with standard contractual clauses, verification of compatible protection, and vendors adhering to recognized adequacy frameworks.
11. Specific section — Meta Platforms (Instagram) integration
Because Bandeira essentially operates on top of Meta infrastructure, we dedicate this specific section to clarify each aspect of the integration. This section is particularly relevant for understanding our compliance with Meta Platform Terms and Developer Policies.
11.1 OAuth permissions requested
When the Supporter connects their Instagram account through the official Meta OAuth flow, we request exclusively:
instagram_business_basic— reading basic information (username, picture, biography)instagram_business_content_publish— publishing content approved by the account owner, exclusively within the Authorization Term limits (daily cap, blackout, visible attribution)instagram_business_manage_comments(optional) — managing comments related to publications via the Platform
11.2 OAuth token usage
Tokens are used exclusively to capture posts from the authorized Origin account, publish approved content to authorized Destination accounts with visible attribution, and collect basic reach metrics. Stored with additional encryption, with limited scope, revocable at any time.
11.3 Compliance with Meta policies
Bandeira operates in compliance with Meta Platform Terms, Developer Policies, Instagram Community Standards, and specific determinations for commercial and political use of the platform. We implement automatic technical controls: cadence limits, jitter, mandatory attribution, blackouts, non-simultaneous distribution.
11.4 Mandatory safeguards on every republication
Every republication performed through Bandeira:
- Includes visible attribution to the original content author within the caption (e.g., "via @original_account"). Enforced by Platform — cannot be disabled by Clients.
- Requires prior human approval by the Client. No publication is automatic without editorial review.
- Respects the daily cap of maximum 3 publications per Supporter account.
- Respects the configured blackout window (default: 10:00 PM to 7:00 AM Brasília time).
- Is distributed with randomized timing (jitter) to avoid simultaneous posts that would indicate coordinated inauthentic behavior.
- Is filtered by AI for prohibited content (defamation, hate speech, deepfake) prior to publication.
- Is logged in an immutable audit trail with timestamp, source, destination, approver, and content hash.
11.5 Your relationship with Meta
Regardless of Bandeira use, your relationship with Instagram is also governed by Meta's own policies, available at facebook.com/privacy/policy and help.instagram.com/519522125107875.
You may, at any time, revoke Bandeira access directly through Instagram settings under "Apps and Websites" — independently of revoking through Bandeira.
12. Children's data
Bandeira is not intended for individuals under 18. We do not intentionally collect data from minors as Supporters, Clients, or registered Visitors.
If we identify minor data processed without adequate authorization, it will be immediately deleted. Parents or guardians should contact us through Section 14 channels.
When a Client publishes content containing imagery or reference to minors, it is the Client's responsibility to ensure appropriate legal authorizations from parents or guardians. Bandeira contractually prohibits exposure of minors not in compliance with the law.
13. Updates to this policy
- New version published at
bandeira.app.br/privacy - "Effective" date updated at the top
- Email notification when changes are material
- Previous versions archived and accessible upon request
14. How to exercise your rights and contact us
Official contact channels
Primary email for privacy matters and LGPD rights exercise
support@bandeira.app.br · general support
bandeira.app.br/data-deletion · data deletion request URL
Response timeframes:
- 15 days for simple requests (access, correction, deletion)
- 30 days for complex requests (with prior communication)
- 72 hours for urgent requests (security incident, leak)
15. Data Protection Officer (DPO)
In compliance with LGPD Article 41, we formally designate a Data Protection Officer:
Name: [Full name of DPO]
Email: dpo@bandeira.app.br
Role: contact point with data subjects and ANPD; supervision of LGPD compliance; internal guidance on processing practices.
You may contact the DPO directly. Response within 15 business days, except for urgent requests (within 72 hours).