PRIVACY POLICY

Last updated: December 26, 2025

INTRODUCTION

This Privacy Policy is intended to demonstrate the commitment of SENDKIT DESENVOLVIMENTO DE SOFTWARE LTDA, registered under CNPJ CNPJ EM PROCESSO DE EMISSAO, headquartered at ENDERECO COMPLETO A SER DEFINIDO, hereinafter referred to as SENDKIT, to the privacy and protection of personal data collected from its USERS.

This document establishes the rules regarding data processing within the scope of the services and functionalities of the SENDKIT platform, in compliance with Law No. 13,709/2018 (General Data Protection Law - LGPD), the Brazilian Internet Civil Framework (Law No. 12,965/2014), and other applicable legislation, ensuring transparency and clarity for USERS.

As a condition for accessing and using the functionalities of the SENDKIT platform, the USER declares that they have fully and carefully read this Privacy Policy and the Terms of Use, being fully aware and thereby granting their free and express consent to the terms set forth herein.

If you do not agree with this Privacy Policy, the USER must immediately discontinue use of the platform.

1. DEFINITIONS

For the purposes of this Privacy Policy, the following definitions apply:

1.1. SENDKIT: A software platform for sending transactional emails and email marketing campaigns, accessible at app.sendkit.dev.

1.2. USER: A natural person or legal entity that uses the SENDKIT platform, including developers, marketing professionals, business administrators, and other authorized collaborators.

1.3. CONTACT: A natural person or legal entity whose email data and associated information are entered into the SENDKIT platform by the USER for the purpose of sending messages.

1.4. PERSONAL DATA: Information related to an identified or identifiable natural person.

1.5. SENSITIVE PERSONAL DATA: Personal data regarding racial or ethnic origin, religious conviction, political opinion, membership in a trade union or organization of a religious, philosophical, or political nature, data concerning health or sexual life, genetic or biometric data, when linked to a natural person.

1.6. DATA SUBJECT: The natural person to whom the personal data being processed refers.

1.7. PROCESSING: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

1.8. CONTROLLER: A natural person or legal entity, under public or private law, to whom the decisions regarding the processing of personal data belong.

1.9. PROCESSOR: A natural person or legal entity, under public or private law, that processes personal data on behalf of the controller.

1.10. DATA PROTECTION OFFICER (DPO): A person designated by the controller and processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).

1.11. ANPD: National Data Protection Authority (Autoridade Nacional de Protecao de Dados), the public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD.

1.12. CONSENT: A free, informed, and unambiguous expression by which the data subject agrees to the processing of their personal data for a specific purpose.

1.13. ANONYMIZATION: The use of reasonable and available technical means at the time of processing, through which data loses the possibility of direct or indirect association with an individual.

2. ROLES AND RESPONSIBILITIES IN DATA PROCESSING

2.1. SENDKIT as Controller

2.1.1. SENDKIT acts as a CONTROLLER with respect to the USER's registration data (name, email, CPF/CNPJ, phone, address, payment data, etc.), being responsible for the decisions regarding the processing of such data.

2.1.2. In this capacity, SENDKIT:

a) Determines the purposes and means of processing the USER's registration data;

b) Implements appropriate security measures to protect the data;

c) Responds directly to the ANPD and data subjects for the processing of such data;

d) Ensures compliance with the LGPD in all its operations.

2.2. SENDKIT as Processor

2.2.1. SENDKIT acts as a PROCESSOR with respect to the contact data and recipients entered by the USER into the platform, processing data on behalf of the USER (who, in this case, is the CONTROLLER).

2.2.2. In this capacity, SENDKIT:

a) Processes contact data exclusively according to the USER's instructions;

b) Does not use contact data for its own purposes;

c) Implements technical and organizational measures to protect the data;

d) Assists the USER in fulfilling their obligations as a controller;

e) Notifies the USER in the event of security incidents.

2.3. USER Responsibilities as Controller

2.3.1. When the USER enters contact data into the SENDKIT platform, they act as the CONTROLLER of such data, being responsible for:

a) Obtaining the necessary consents from contacts for sending electronic communications;

b) Informing contacts about how their data will be processed;

c) Ensuring they have an adequate legal basis for processing;

d) Fulfilling contact requests (access, correction, deletion, portability, etc.);

e) Maintaining a communication channel with their contacts for the exercise of rights;

f) Fully complying with the LGPD regarding their contacts' data;

g) Not entering data into the platform without an adequate legal basis.

2.3.2. SENDKIT may assist the USER in responding to data subject requests, upon prior request and within the technical capabilities of the platform.

3. WHAT PERSONAL DATA WE COLLECT AND PROCESS

3.1. USER Data (Controlled by SENDKIT)

3.1.1. Registration Data:

Full name
CPF or CNPJ
Email
Mobile and/or business phone
Full address
Date of birth
Job title or role in the company
Company name
Banking details (for payments and receipts)

3.1.2. Browsing and Usage Data:

IP address
Browser type
Operating system
Pages visited
Time spent on site
Actions performed on the platform
Access logs
Cookies and similar technologies

3.1.3. Payment Data:

Credit card data (processed by a third-party payment gateway)
Transaction history
Billing information

3.2. Contact Data (Processed by SENDKIT on behalf of the USER)

3.2.1. SENDKIT processes, on behalf of the USER, the following contact data entered into the platform:

Contact Registration Data:

Name
Email
Phone (when provided)
Company (when provided)
Custom fields defined by the USER

Email Interaction Data:

Email opens
Link clicks
Bounces
Spam complaints
Unsubscribes
Sending history

Segmentation Data:

Tags and lists assigned by the USER
Preferences and interests
Behavioral engagement data

3.3. Third-Party Data

3.3.1. Suppliers and Service Providers:

Company name
CNPJ
Contact details
Banking details
Legal representative data

4. HOW WE COLLECT PERSONAL DATA

4.1. Direct Collection:

4.1.1. When the USER:

Registers on the platform
Fills out forms
Contacts support
Makes payments
Uses platform functionalities

4.2. Automatic Collection:

4.2.1. Through:

Cookies and similar technologies
System logs
Platform usage analysis
Analytics tools

4.3. Indirect Collection:

4.3.1. When the USER enters data into the platform:

Importing contact lists
Manually registering contacts
Integration with third-party services via API
Integrated capture forms

5. PURPOSES OF PROCESSING

5.1. USER Data

5.1.1. The USER's registration data is processed for the following purposes:

a) Account Management:

Create and manage the USER's account
Authenticate platform access
Personalize the USER's experience
Manage permissions and access levels

b) Service Delivery:

Provide platform functionalities
Process email sends
Provide technical support
Perform updates and maintenance

c) Billing and Invoicing:

Process payments
Issue invoices and receipts
Manage delinquencies
Comply with tax obligations

d) Communication:

Send service notifications
Inform about updates and news
Respond to support requests
Send marketing communications (with consent)

e) Security:

Prevent fraud
Detect suspicious activities
Protect SENDKIT's rights and property
Comply with legal obligations

f) Improvements and Analytics:

Analyze platform usage
Develop new features
Conduct research and statistics (anonymized data)
Improve user experience

5.2. Contact Data

5.2.1. Contact data is processed exclusively to enable the services contracted by the USER, including:

a) Storage and management of contact lists b) Sending transactional emails c) Sending email marketing campaigns d) Executing email automations (workflows) e) Generating engagement reports and metrics f) Processing bounces and complaints g) Managing unsubscribes h) Contact segmentation i) Any other purpose determined by the USER as controller

6. LEGAL BASES FOR PROCESSING

6.1. USER Data

SENDKIT bases the processing of USER data on the following legal bases provided by the LGPD:

6.1.1. Contract Performance (Art. 7, V):

Processing necessary for the execution of contracted services
Payment processing
USER account management

6.1.2. Compliance with Legal Obligation (Art. 7, II):

Issuance of tax invoices
Compliance with tax obligations
Compliance with court orders

6.1.3. Legitimate Interest (Art. 7, IX):

Fraud prevention
Platform security
Service improvements

6.1.4. Consent (Art. 7, I):

Sending marketing communications
Use of non-essential cookies
Other purposes that require consent

6.2. Contact Data

6.2.1. The processing of contact data by SENDKIT, as a processor, is carried out:

a) Based on the USER's (controller's) instructions b) When necessary for the execution of contracted services

6.2.2. It is the USER's (controller's) responsibility to ensure they have an adequate legal basis for the processing of their contacts' data, whether by:

Contact consent
Contract performance
Legitimate interest
Compliance with legal obligation
Other legal bases provided by the LGPD

7. DATA STORAGE AND SECURITY

7.1. Storage Location

7.1.1. Personal data is stored in:

a) Cloud servers located in Brazil, ensuring compliance with national legislation

b) Infrastructure provided by certified providers with high security standards

c) Secure, monitored environments with redundancy to ensure availability

7.2. International Data Transfer

7.2.1. Occasionally, some partner services or tools used by the platform may involve international data transfer.

7.2.2. When international transfer occurs, SENDKIT ensures that:

a) The destination country offers an adequate level of data protection (Art. 33, I, LGPD) b) Specific contractual clauses for data protection exist c) Suppliers comply with the LGPD d) Adequate security and privacy guarantees are in place

7.2.3. International transfer is carried out only when necessary for the provision of services and always with appropriate safeguards.

7.3. Security Measures

7.3.1. SENDKIT implements technical and organizational measures to protect personal data against:

a) Unauthorized access b) Accidental or unlawful destruction c) Loss, alteration, or improper disclosure d) Any form of inadequate or unlawful processing

7.3.2. Security measures include:

Technical Measures:

Data encryption in transit (SSL/TLS) and at rest (AES-256)
Two-factor authentication (2FA) for administrative access
Firewalls and intrusion detection systems
Automatic daily backups with 30-day retention
Continuous monitoring of suspicious activities
Role-based access control (RBAC)
Audit logs of all sensitive actions
DDoS attack protection
Network segmentation
Regular system updates and security patch application

Organizational Measures:

Information Security Policy
Regular training of employees on data protection
Confidentiality agreements with all employees
Physical and logical access control
Incident response procedures
Periodic risk assessments
Regular security audits
Secure development processes (Security by Design)

7.3.3. Only authorized and properly trained employees have access to personal data, observing the principles of necessity and proportionality.

7.4. Responsibilities and Limitations

7.4.1. SENDKIT is not responsible for:

a) Illegal interceptions or security breaches caused by factors beyond its control b) Viruses or intrusions on the USER's devices c) Improper sharing of passwords by the USER d) Unauthorized access resulting from the USER's negligence e) Data entered incorrectly by the USER

7.4.2. The USER is co-responsible for the security of their data and must:

a) Maintain absolute confidentiality of their access credentials and API keys b) Not share login credentials with third parties c) Use strong and unique passwords d) Enable two-factor authentication when available e) Log out at the end of each session f) Keep their devices and software up to date g) Immediately notify SENDKIT of any unauthorized access

8.1.1. SENDKIT may share personal data with:

a) Service Providers (Sub-processors):

Cloud infrastructure providers
Payment processors
Email delivery services (SMTP infrastructure)
Customer support tools
Analytics and monitoring services

b) Competent Authorities:

In compliance with court orders
To fulfill administrative authority requests
To protect rights in judicial, administrative, or arbitration proceedings

c) Business Partners:

In the event of merger, acquisition, or asset sale (with prior notice)

8.1.2. All sharing is conducted:

a) Only when necessary for the purposes described in this policy b) With the minimum amount of data possible c) Through contractual agreements that ensure adequate protection d) With assurance that third parties will comply with the LGPD

8.2. What We Do NOT Do

8.2.1. SENDKIT does NOT:

a) Sell personal data to third parties b) Share contact data for its own marketing purposes c) Use contact data for product development without authorization d) Publicly disclose personal data e) Share data with third parties without an adequate legal basis

9. DATA RETENTION AND DELETION

9.1. Retention Period

9.1.1. USER Data:

a) During the term of the contract: stored for service provision

b) After contract termination:

Financial data: 5 years (legal obligation - statute of limitations)
Tax data: as required by applicable tax legislation
Other registration data: up to 90 days after termination

9.1.2. Contact Data:

a) During the term of the contract with the USER:

Stored according to the USER's (controller's) instructions
Maintained for the provision of contracted services

b) After contract termination:

USER has 60 days to request export of all data
Export provided in CSV or JSON format
After 90 days from termination: definitive deletion of all data
No charge for the first export; additional exports may incur a fee

c) Exceptions to deletion:

When there is a legal obligation to retain
To comply with court orders
For the regular exercise of rights in judicial, administrative, or arbitration proceedings
Anonymized data for statistical purposes (without the possibility of identification)

9.2. Deletion Process

9.2.1. Data deletion is carried out securely through:

a) Definitive deletion from databases b) Removal from backups (respecting the backup retention cycle) c) Techniques that prevent data recovery d) Deletion certification when requested

9.2.2. Deletion is irreversible. After the 90-day period, SENDKIT will not have the technical capability to recover the data.

10. COOKIES AND SIMILAR TECHNOLOGIES

10.1. What Are Cookies

10.1.1. Cookies are small text files stored on the USER's device when they access the SENDKIT platform.

10.2. Types of Cookies Used

10.2.1. Strictly Necessary Cookies:

Essential for the platform to function
Manage user authentication and sessions
Cannot be disabled

10.2.2. Performance Cookies:

Collect information about how the USER uses the platform
Help improve functionalities
Data is aggregated and anonymous

10.2.3. Functionality Cookies:

Remember USER preferences
Personalize the experience
Store settings

10.2.4. Marketing Cookies (with consent):

Track browsing activities
Display relevant advertisements
Measure campaign effectiveness

10.3.1. The USER can manage cookies through:

a) Browser settings b) Cookie banner displayed on the first visit to the site c) Platform privacy settings

10.3.2. Disabling non-essential cookies may affect some platform functionalities.

10.4. Other Technologies

10.4.1. In addition to cookies, SENDKIT may use:

a) Web beacons (pixels) b) Local storage c) Session storage d) Analytics tools (Google Analytics, etc.)

11. DATA SUBJECT RIGHTS

11.1. Rights Guaranteed by the LGPD

11.1.1. In accordance with Art. 18 of the LGPD, data subjects have the right to:

a) Confirmation and Access:

Confirm whether SENDKIT processes their personal data
Access their personal data

b) Correction:

Request correction of incomplete, inaccurate, or outdated data

c) Anonymization, Blocking, or Deletion:

Request anonymization of unnecessary data
Request blocking of data
Request deletion of data processed in violation of the LGPD

d) Portability:

Request portability of data to another provider
Upon express request, in a structured and interoperable format

e) Information About Sharing:

Know which public and private entities SENDKIT has shared their data with

f) Information About Non-Consent:

Be informed about the possibility of not providing consent
Know the consequences of refusal

g) Revocation of Consent:

Revoke consent at any time (when applicable)

h) Opposition:

Object to processing in case of non-compliance with the LGPD

i) Review of Automated Decisions:

Request review of decisions made solely on the basis of automated processing

11.2. Exercise of Rights by the USER

11.2.1. The USER may exercise their rights:

a) Directly through the platform settings area (for access, correction, and updates)

b) Via email: dpo@sendkit.dev

c) Through the contact form on the website

11.2.2. SENDKIT will respond to requests within 15 (fifteen) days, in accordance with Art. 18, paragraph 3 of the LGPD.

11.2.3. Some requests may require identity verification for data protection purposes.

11.3. Exercise of Rights by Contacts

11.3.1. Given the role of PROCESSOR that SENDKIT plays with respect to contact data:

a) Contact requests should be directed to the USER (controller), who is the company or person responsible for sending the emails

b) The USER must maintain a communication channel with their contacts for handling requests

c) SENDKIT will assist the USER in responding to requests, upon formal request and within the technical capabilities of the platform

11.3.2. For contact data portability:

a) The contact must request it from the USER responsible for the sending b) The USER can export the data through the platform c) SENDKIT provides tools to facilitate portability

12. MARKETING COMMUNICATIONS

12.1.1. SENDKIT will only send marketing communications with the USER's prior consent.

12.1.2. The USER may choose to receive or not:

a) Product and service news b) Special offers and promotions c) Educational and informational content d) Event and webinar invitations

12.2. How to Unsubscribe

12.2.1. The USER may unsubscribe from marketing communications at any time through:

a) The "unsubscribe" link present in each email b) Privacy settings on the platform c) Email to suporte@sendkit.dev

12.2.2. Unsubscribing does not affect the receipt of transactional and essential communications (service notifications, billing, critical updates, etc.).

13. SECURITY INCIDENTS

13.1. Incident Notification

13.1.1. In the event of a security incident that may pose a risk or relevant harm to data subjects, SENDKIT will:

a) Notify the ANPD within a reasonable timeframe b) Communicate with affected data subjects (when applicable) c) Inform the USER (when contact data is involved)

13.1.2. The communication will include:

a) Description of the incident b) Potentially affected data c) Measures taken to mitigate damages d) Actions adopted to prevent recurrence e) Risks to data subjects f) Guidance for protection

13.2. Incident Response

13.2.1. SENDKIT has established procedures for:

a) Rapid incident detection b) Containment and damage mitigation c) Root cause investigation d) Implementation of improvements e) Documentation and record-keeping

14. CHILDREN'S PRIVACY

14.1. The SENDKIT platform is intended for businesses and professionals and is restricted to individuals over 18 years of age.

14.2. It is the USER's responsibility to ensure that they do not enter data of minors into their contact lists without proper authorization from legal guardians, when applicable.

14.3. The processing of data of minors that may be entered is the responsibility of the USER (controller), who must:

a) Obtain consent from legal guardians when necessary b) Comply with specific legislation applicable to minors c) Take special care with data of children and adolescents

15. DATA PROTECTION OFFICER (DPO)

15.1. Role

15.1.1. The Data Protection Officer (DPO) of SENDKIT is responsible for:

a) Receiving complaints and communications from data subjects b) Providing clarifications about data processing c) Acting as a communication channel with the ANPD d) Guiding employees on data protection practices e) Overseeing compliance with the LGPD

15.2. Contact

15.2.1. For questions about data protection, privacy, or the exercise of rights, contact our DPO:

Email: dpo@sendkit.dev

15.2.2. Responses will be sent within 15 (fifteen) business days, in accordance with applicable legislation.

16. CHANGES TO THIS PRIVACY POLICY

16.1. SENDKIT reserves the right to modify this Privacy Policy at any time to:

a) Adapt to new legislation b) Include new services or functionalities c) Improve privacy practices d) Update information

16.2. In the event of substantial changes, the USER will be notified through:

a) Registered email b) Prominent notice on the platform c) Publication on the website sendkit.dev/privacy

16.3. Changes that require new consent will only be implemented after obtaining the USER's agreement.

16.4. The updated version will always be available at sendkit.dev/privacy, with an indication of the date of the last update.

16.5. Continued use of the platform after changes implies acceptance of the new Privacy Policy.

17. GOVERNING LAW AND JURISDICTION

17.1. This Privacy Policy is governed by the laws of the Federative Republic of Brazil, particularly:

a) Law No. 13,709/2018 (LGPD) b) Law No. 12,965/2014 (Marco Civil da Internet) c) Decree No. 8,771/2016 d) Consumer Protection Code (Law No. 8,078/1990) e) Brazilian Civil Code

17.2. To resolve disputes arising from this Privacy Policy, the jurisdiction of the Court of Sao Paulo, State of Sao Paulo, is elected, with waiver of any other, however privileged it may be.

18. FINAL PROVISIONS

18.1. This Privacy Policy supplements the Terms of Use of the SENDKIT platform.

18.2. In the event of a conflict between this Policy and the Terms of Use, the more specific document for the matter in question shall prevail.

18.3. The invalidity of any clause of this Policy shall not affect the validity of the remaining provisions.

18.4. SENDKIT's tolerance of any failure to comply with any provision shall not constitute novation or waiver of rights.

18.5. This Privacy Policy constitutes the entire agreement between SENDKIT and the USER regarding the processing of personal data.

19. QUESTIONS AND CONTACT

For questions, suggestions, or complaints about this Privacy Policy or the processing of personal data:

Data Protection Officer (DPO): dpo@sendkit.devTechnical Support: suporte@sendkit.devWebsite: www.sendkit.devDocumentation: docs.sendkit.dev

20. NATIONAL DATA PROTECTION AUTHORITY

20.1. In case of unresolved questions or complaints, the data subject may contact the National Data Protection Authority (ANPD):

Website: www.gov.br/anpdEmail: encarregado@anpd.gov.br

SENDKIT - Committed to Your Privacy and Data Security

Version 1.0 - December 2025

EXECUTIVE SUMMARY - KEY POINTS

To facilitate understanding, here is a summary of the most important points of this Policy:

Your data is protected - We use encryption, automatic backups, and advanced security measures
You are in control - You can access, correct, export, or delete your data at any time
Full transparency - We clearly explain what data we collect and why
LGPD compliant - We fully comply with Brazilian data protection legislation
Contact data belongs to the USER - As a processor, we handle contact data only according to your instructions
No data selling - We never sell or share personal data for marketing purposes
Support available - Our team is ready to answer questions about privacy

PRIVACY POLICY

Ready to send better emails?