Privacy and Data Policy

Valid from July 1, 2016

DATA CONTROLLER IDENTIFICATION

This Privacy Policy is controlled by 12 MIN SERVICOS DIGITAIS E NEGOCIOS LTDA, registered under CNPJ No. 26.434.636/0001-35, with its head office at Rua Castelo de Alcazar, 125, Castelo neighborhood, ZIP 31.330-310, Belo Horizonte/MG, Brazil. For the purposes of the Brazilian General Data Protection Law (Law No. 13,709/2018 — LGPD) and, where applicable, the General Data Protection Regulation (GDPR), we are the Data Controller of your personal data. For matters relating to the protection of your personal data, we maintain a dedicated channel: [email protected]. This channel is the official point of contact with the Data Protection Officer appointed by 12min, as required by Article 41 of the LGPD.

WHAT WE DO WITH YOUR INFORMATION

1. The term "personal information" used here is defined as any information that identifies or can be used to identify, contact or locate the person to whom such information belongs. The personal information we collect will be subject to this Privacy Policy, which is updated from time to time.
2. When you register with 12min we ask for your email address.
3. Images collected from the user are used only for profile illustration and personalization in the reading ranking display. The image is added or deleted by the user themselves and 12min does not use these images anywhere else.
4. 12min uses information that is collected for the following general purposes: product and service provision, billing, identification and authentication, service improvement, contact and research.
5. As part of the purchase and sale process on 12min, we may obtain the email address and/or shipping address of our customers. By accepting our User Agreement, you agree that the Personal Information of other users that you obtain through 12min (or through a communication related to 12min or transaction facilitated by 12min) is licensed to you only for communications related to 12min that are not unsolicited commercial messages.
6. 12min does not tolerate spam. Therefore, without limiting the foregoing, you are not licensed to add the name of someone who has purchased an item from you to your mailing list (email or physical mail) without their express consent.
7. 12min maintains only login information data and your interaction with the application when permission is consented.
8. You can delete your personal information from the 12min database autonomously following the deletion steps in the Settings screen section within the app.
9. Your submission of personal information through app stores is governed by their own Privacy Policy. Check your Android or iOS privacy policy for more information.
10. When you first open the app, before you create an account, 12min may automatically create an anonymous profile identified by a device identifier (Identifier for Vendor / IDFV on iOS, App Set ID on Android) in order to provide and personalize the service, attribute installations, and recognize the same device across app reinstalls. We may also process an analytics identifier and, subject to your consent (App Tracking Transparency on iOS), advertising identifiers, for analytics and attribution purposes. If you later create an account or sign in, this anonymous profile is linked to (merged into) your account, preserving your activity. You may request deletion of this data as described in this Privacy Policy.

LEGAL BASES FOR PROCESSING

We process your data on the following legal bases: (i) Consent — for account creation with email, marketing communications, opt-in push notifications, and the use of advertising identifiers (AD_ID on Android, IDFA on iOS) where applicable; (ii) Performance of a contract — to provide the 12min Premium service, billing, payment processing, and the sending of transactional emails; (iii) Legitimate interests — for fraud prevention, service security, error correction, and product improvement via aggregated analytics; (iv) Compliance with a legal or regulatory obligation — for tax, accounting, and regulatory obligations.

DEVICE IDENTIFIERS AND SESSION DATA

To provide the service, prevent fraud, and measure operational performance, we automatically collect the following data when you use our applications or website: (a) technical device identifiers, such as ANDROID_ID (Android), identifierForVendor/IDFV (iOS), model, operating system version, and application version; (b) pseudonymous advertising identifiers, such as Google Advertising ID (AD_ID), IDFA (iOS Identifier for Advertisers), Adjust ID, and Tenjin ID — used when tracking permission is granted on the device and intended to measure the performance of marketing campaigns (attribution); (c) session information, including IP address, User-Agent, language, time zone, screens accessed, actions performed, and session duration; (d) technical error data (stack traces, application state at the time of the error) sent to our monitoring service for bug correction; (e) anonymous identifiers generated by our SDKs (RudderStack, GrowthBook) before account creation, used to correlate pre-registration activity with the account after registration. Legal basis: legitimate interests for items (a), (c), (d), and (e); consent for item (b).

WHAT IT MEANS IN PRACTICE

To identify you electronically, a cookie will be stored on your computer. We have a "remarketing" tool running that allows us to take note of your visits to our site and show relevant ads on our site and across the Internet. You can always opt out of seeing them.

PROCESSORS AND SUBPROCESSORS

To operate the service, we share data with the following third parties, each for a specific purpose.

Infrastructure: Google Cloud Platform (Google LLC) — server and data hosting.
Payments: Apple (App Store — iOS subscriptions), Google (Google Play — Android subscriptions), Stripe (international card), Pagar.me (Brazilian card), Hotmart and Lastlink (subscriptions via affiliates).
Analytics and product: RudderStack (event aggregation), BigQuery (Google Cloud — data warehouse), Sentry (error monitoring), GrowthBook (feature flags and A/B experiments), Firestore (Google Cloud — intermediate session storage).
Marketing and communication: OneSignal (push notifications), ActiveCampaign (email marketing), SendGrid (transactional emails), Google Ads (campaign conversion), Adjust and Tenjin (mobile ads attribution), Facebook/Meta (attribution and social login).
Authentication and identity: Google Account Linking and Apple Sign In (social login).

We require all of our partners to provide equivalent data protection guarantees, including compliance with the LGPD and, where applicable, the GDPR. The list above may be updated whenever we adjust our stack; the current version is always available on this page. To request the list applicable at the time of a specific transaction, contact our Data Protection Officer at [email protected].

INTERNATIONAL DATA TRANSFER

Some of our processors are located outside Brazil (mainly in the United States and Europe). When an international data transfer takes place, it is based on: (i) standard contractual clauses ensuring an adequate level of protection; (ii) our processors' adherence to recognized data protection frameworks; and (iii) your consent where applicable. Transfers occur exclusively for purposes necessary to provide the service.

DATA RETENTION

We retain your data for the following periods: (a) account and usage data — for as long as your account is active and for up to 5 years after closure, to comply with tax and regulatory obligations; (b) payment data — in accordance with applicable tax legislation (typically 5 years); (c) pseudonymized analytics events in the data warehouse — up to 24 months; (d) technical and security logs — 90 days; (e) marketing and communication data — until consent is withdrawn; (f) support and ticket data — 3 years after resolution. After the applicable period, data is deleted or anonymized.

YOUR RIGHTS

As the data subject of your personal data, you have the right to: (i) confirmation that processing exists; (ii) access to your data; (iii) correction of incomplete, inaccurate, or outdated data; (iv) anonymization, blocking, or deletion of unnecessary or excessive data; (v) portability of data to another provider; (vi) deletion of data processed on the basis of your consent; (vii) information about with whom we share your data; (viii) information about the possibility of withholding consent and its consequences; (ix) withdrawal of consent; (x) objection to processing carried out on other legal bases. Deletion can be performed autonomously in the Settings section of the app or requested via [email protected]. We will respond to all rights requests within 15 days, at no cost to the data subject.

MINORS

The 12min service is intended for users over 18 years of age. We do not knowingly collect data from children under 13 without the specific and prominent consent of a legal guardian. If we become aware that we have collected data from a child under 13 without such authorization, we will delete that data as quickly as possible. If you are a legal guardian and believe your child has provided us with data without authorization, please contact us at [email protected].

PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements managed by the PCI Security Standards Council, a joint effort of payment brands including Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by merchants and service providers.

WHAT IT MEANS IN PRACTICE

We will use industry standards on security, the same used by large credit card companies, to help you maintain a secure account on 12minutes.

CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this privacy statement at any time, so please review it frequently. If we make material changes to this policy, we will notify you here or by means of a notice on our homepage, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

WHAT IT MEANS IN PRACTICE

We may change this Privacy Policy. If it is a big change, we will inform you here.

DATA PROTECTION OFFICER (DPO) CHANNEL

For matters relating to the protection of personal data, the exercise of data subject rights, security incidents, or general questions about this Privacy Policy, please contact our Data Protection Officer at [email protected]. We will respond to all requests within 15 days. You also have the right to lodge a complaint with the competent data protection authority. In Brazil, this is the National Data Protection Authority (ANPD) via www.gov.br/anpd.

QUESTIONS

Any questions about this Privacy Policy should be addressed to [email protected].

Last Updated on September 13, 2023