1. Who is the Controller and who is the Data Protection Officer (DPO)
1.1. The controller of the personal data processed on the Maturity Lab institutional site (maturitylab-site.pages.dev and, in the future, maturitylab.com — the “Site”) is: Atomtech Tecnologia da Informação LTDA, CNPJ 15.713.995/0001-05, SMPW Quadra 05, Conjunto 14, CEP 71735-514, Brasília/DF, Brazil.
1.2. The Data Protection Officer (DPO), the channel of communication between you, Atomtech, and the National Data Protection Authority (ANPD), can be reached at: [email protected] — Frederico Ribeiro Ramos.
2. To whom this Policy applies
2.1. This Policy applies to anyone who accesses the Site, sends messages through the forms, or signs up for the waitlist.
2.2. This Policy does not apply to the Maturity Lab software service (the platform to be made available to customers), which will have its own privacy policy and contract when launched. Here we address only the data from the institutional Site and the waitlist.
3. What data we process
We process the following categories of data, depending on your interaction with the Site:
3.1. Data you provide to us (forms). When you use the contact, waitlist, model request, or language request forms: name (optional in some forms), email, preferred language, model/product of interest, profile (consultant, company, institution), and the content of the message you write, as well as the source of your visit (where you came to the Site from).
3.2. Technical security data (form protection). To prevent automated submissions and abuse, we use Cloudflare's anti-bot verification service (“Turnstile”), which processes a verification token and your IP address.
3.3. Log data. Our infrastructure records technical data such as IP address and browser/device identification (user-agent) for security and operational purposes.
3.4. Audience measurement data (analytics cookies). If you accept the analytics cookies in the banner, we use Google Analytics 4, which processes browsing identifiers and behavior data on the Site (pages visited, time spent, etc.). These cookies are not loaded without your consent (see section 5).
3.5. Accessibility preferences. Your theme and font choices are stored locally in your browser (local storage) to remember your preference; as a rule they do not constitute personal data and are not sent to our servers.
We do not process sensitive data. The Site does not intentionally collect sensitive personal data (art. 11 of the LGPD) — such as health data, biometrics, racial origin, religious belief, or political opinion. We ask that you not include sensitive information in form messages.
4. What we use your data for and on what legal basis
The LGPD requires a specific legal basis for each purpose. The table below summarizes the processing:
| Purpose | Data used | Legal basis (LGPD) |
|---|---|---|
| Respond to your contact and manage the waitlist / requests | name, email, language, model, profile, message, source | Consent (art. 7, I), supported by preliminary procedures related to a future relationship (art. 7, V) |
| Send news and marketing communications (when authorized) | | Specific and separate consent (art. 7, I) |
| Protect the forms against abuse and automation (anti-bot) | verification token, IP | Legitimate interest (art. 7, IX) |
| Ensure the security and operation of the Site (logs) | IP, user-agent | Legitimate interest (art. 7, IX) |
| Measure the Site’s audience (analytics) | browsing identifiers and behavior | Consent via the cookie banner (art. 7, I) |
| Remember your display preferences | theme, font | preference saved locally in the browser |
What you actively send us is processed on the basis of your consent. Security and logs rely on our legitimate interest. Analytics is used only with your acceptance in the banner.
5. Cookies and tracking technologies
5.1. Essential cookies. These are necessary for the Site to work and for security (for example, the forms' anti-bot). They do not depend on consent.
5.2. Analytics cookies (non-essential). We use Google Analytics 4 to measure audience. These cookies are activated only after you accept them in the consent banner — before that, no analytics data is collected.
5.3. How you control this. The banner lets you accept or reject the analytics cookies, with nothing pre-checked. You can review or withdraw your choice at any time through the “Manage cookies” link in the Site footer.
5.4. Consent Mode. The loading of Google tags is conditioned on your choice through the consent mechanism (Google Consent Mode), so that collection occurs only in accordance with the consent granted.
6. Who we share with (processors / subprocessors)
6.1. We do not sell your data. We share personal data only with providers that process it on our behalf and under contract (processors), to the extent necessary to operate the Site:
- Supabase — database and storage of the form records. Processing under a signed Data Processing Addendum (DPA).
- Cloudflare — Site hosting and anti-bot verification (Turnstile). Processing under the DPA applicable to its terms of service.
- Google (Google Analytics 4) — audience measurement, when you accept the analytics cookies. Processing under Google's Data Processing Terms, accepted by Atomtech.
6.2. We may also share data to comply with a legal obligation or an order from a competent authority, always within the limits of the law.
7. International data transfer
7.1. The processors listed in section 6 process data outside Brazil — as a rule in the United States (Supabase in the Oregon region; Cloudflare on a global network headquartered in the US; Google in the US). Therefore, the processing involves international data transfer (arts. 33 to 36 of the LGPD).
7.2. To support this transfer, we adopt safeguards provided for in the LGPD, including data processing addenda (DPAs) with contractual clauses signed with the processors and, regarding the data you actively provide (forms) or authorize (analytics cookies), your specific and highlighted consent, which mentions the possibility of processing outside Brazil.
Your data is processed by providers in the US. We have protection agreements with them and we ask for your consent for this where applicable.
8. Automated decisions and artificial intelligence
8.1. The institutional Site does not make automated decisions that produce legal effects or significantly affect you, nor does it carry out profiling for that purpose. Any artificial intelligence features in the Maturity Lab software service are addressed in that service's own policy, outside the scope of this Policy.
9. How long we keep your data (retention)
9.1. We keep form data for as long as the purpose lasts and for up to 24 (twenty-four) months after your last contact or interaction (“inactivity”), after which it will be deleted or anonymized.
9.2. Data processed on the basis of marketing consent is kept until you withdraw your consent.
9.3. Security data and logs are kept for the period necessary for their respective purposes and within the infrastructure provider's terms.
9.4. You may request the deletion of your data at any time (section 10), except in cases of mandatory retention required by law.
10. Your rights as a data subject
10.1. Under art. 18 of the LGPD, you may, at any time, request:
- confirmation that processing exists;
- access to your data;
- correction of incomplete, inaccurate, or outdated data;
- anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in noncompliance;
- portability to another provider, under the regulations;
- information about the entities with which we share data;
- information about the possibility of not providing consent and the consequences thereof;
- withdrawal of consent, at any time, free of charge and through a facilitated process.
10.2. How to exercise these rights. Send your request to [email protected]. We may ask for information to confirm your identity before fulfilling it, in order to protect your data.
10.3. Time frames. We will respond to requests within a reasonable time and in accordance with the LGPD.
11. How we protect your data (security)
11.1. We adopt reasonable technical and organizational measures to protect your data, including: encryption in transit (HTTPS), database access control restricting read access to authorized administrators (row-level security policies), and application of the principle of least privilege.
11.2. No system is completely immune to risk. For this reason, we do not guarantee absolute security, but we are committed to processing your data diligently and to continually improving our measures.
12. Security incidents
12.1. In the event of a security incident that may result in relevant risk or harm to data subjects, we will notify the ANPD and the affected data subjects within the time frames and in the manner required by the LGPD, stating the measures adopted.
13. Data of children and adolescents
13.1. The Site is not directed at people under 18 and does not intentionally collect their data. If we identify the inadvertent collection of a minor's data, we will take measures to delete it.
14. Changes to this Policy
14.1. This Policy may be updated at any time. The version in force will always be the one published on the Site, with an indication of the version and the “Last updated” date.
14.2. Material changes will be communicated through an appropriate means and, when they involve a new purpose based on consent, through renewed consent.
15. Contact
15.1. For questions about this Policy or to exercise your rights: [email protected].
15.2. Other matters about the Site: /en/contato.