centav.io centav.io
Legal

Privacy Policy

Last updated:

This Privacy Policy describes how centav.io ("we", "us", "our") collects, uses, shares and protects personal data, in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR"), the UK GDPR and, where applicable, Brazil's General Data Protection Law (Law No. 13,709/2018 — "LGPD").

centav.io is a portfolio of free financial tools. All calculations run entirely in your browser (client-side) and are never sent to our servers. We collect personal data only when you choose to provide it, as described below.

1. Controller and Data Protection Officer

  • Data controller: EVOLVETI LTDA, registered under CNPJ No. 40,110,052/0001-35, with registered office at Rua José Aderval Chaves, No. 78, Suite 0508, Edifício Wecon Empresarial Center IV, Boa Viagem, Recife/PE, Brazil, ZIP 51111-030.
  • Data Protection Officer (DPO): EVOLVETI LTDA, via [email protected].
  • Privacy contact: [email protected].

2. Definitions

  • Personal data: any information relating to an identified or identifiable natural person.
  • Data subject: the natural person to whom the personal data relates.
  • Processing: any operation performed on personal data (collection, storage, use, sharing, erasure, among others).
  • Controller: the party that determines the purposes and means of processing.
  • Processor (operator): the party that processes personal data on behalf of the controller.

3. Data we collect

We collect only the data you provide when you subscribe to receive our materials (spreadsheet templates) and communications:

  • Email address, provided voluntarily in the subscription form.
  • Consent metadata, recorded as proof of consent: date and time of subscription, source (origin page) and IP address at the time of subscription.

We do not request your name, phone number, financial data or any special-category (sensitive) data. The values you enter into the calculators are processed locally in your browser and are not transmitted to, stored by, or accessed by us.

4. Purposes and legal basis for processing

We process your personal data on the basis of your consent (GDPR, art. 6(1)(a); LGPD, art. 7, I), for the following purposes:

  1. Delivery of the requested material and confirmation email — sending the spreadsheet template and the subscription confirmation message (double opt-in).
  2. Newsletter (optional) — sending communications about new tools and updates, only if you specifically consent to this purpose.

We do not rely on legitimate interest as the legal basis for sending marketing communications. Each purpose requires separate, specific consent.

5. Consent and confirmation (double opt-in)

  • Consent is collected through unchecked checkboxes, separated by purpose. You decide freely and independently for each purpose.
  • We use double opt-in: after you subscribe, we send a confirmation email. Your subscription is only considered valid after you confirm it via that email.
  • The double opt-in also serves as a record proving your consent.

6. Sharing and processors

We do not sell or trade your personal data. We share data only with processors that provide services necessary to the operation described in this Policy:

  • Brevo (Sendinblue SAS) — email marketing and transactional platform that stores your email and consent metadata and delivers the communications. It is the system of record for your contact data.
  • Cloudflare, Inc. — website hosting, content delivery network (CDN), security and cookieless audience analytics. To deliver and protect the site against abuse, Cloudflare processes technical connection data, including the IP address.

These processors handle data in accordance with our instructions and their own privacy policies.

7. International data transfers

Our processors may process data outside your country of residence:

  • Brevo is based in France (European Union).
  • Cloudflare is based in the United States and operates global infrastructure.

Where applicable, these transfers are covered by appropriate legal mechanisms, such as adequacy decisions or standard contractual clauses, in accordance with the requirements of the GDPR, the UK GDPR and the LGPD.

8. Cookies and tracking technologies

We currently do not use tracking, advertising or profiling cookies. To measure audience, we use a cookieless analytics solution that collects only aggregate metrics and does not identify individuals or perform fingerprinting. We honour do-not-track signals, including Do Not Track (DNT) and Global Privacy Control (GPC).

If we introduce cookies in the future (for example, to display advertising), we will implement a cookie consent management mechanism and update this Policy before any such collection.

9. Data retention

We keep your email and consent metadata for as long as your consent remains active. Your data is removed upon withdrawal of consent (unsubscribe) or after a prolonged period of inactivity, in accordance with our internal list-hygiene policy.

10. Information security

We implement technical and organisational measures to protect your data, including encrypted transmission (HTTPS), restricted access to the credentials of the services we use, and measures to protect the subscription form against abuse (including temporary rate limiting by IP address). No method of transmission or storage is fully secure; we cannot guarantee absolute security.

11. Your rights

You may exercise, at any time, the rights granted by applicable law:

  • Under the GDPR / UK GDPR (arts. 15–22): access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection; and the right not to be subject to automated decision-making. You also have the right to lodge a complaint with the competent supervisory authority.
  • Under the LGPD (art. 18): confirmation of processing; access; correction of incomplete, inaccurate or outdated data; anonymisation, blocking or deletion of unnecessary or non-compliant data; portability; deletion of data processed on the basis of consent; information about sharing; information about the option not to consent and its consequences; and withdrawal of consent.

12. How to exercise your rights and withdraw consent

  • Withdrawal of consent / unsubscribe: every email we send contains an unsubscribe (opt-out) link. Withdrawing consent is as easy as giving it and takes immediate effect for future communications.
  • Other rights: send your request to [email protected]. We will respond within the timeframes set by applicable law.

13. Children

centav.io is not directed at minors, and we do not knowingly collect data from children. If we become aware of inadvertent collection, we will delete the data.

14. Changes to this Policy

We may update this Policy from time to time. The last-updated date is shown at the top. Material changes will be communicated by appropriate means before they take effect.

15. Contact and supervisory authority

For any question about this Policy or the processing of your data, contact [email protected].

  • European Union / United Kingdom: you may lodge a complaint with the data protection authority of your country of residence.
  • Brazil: you may lodge a complaint with the National Data Protection Authority (ANPD).

16. Calculation-error report channel

The Contact page provides a form to report a calculation error. This channel exists for support and correction of the service — not marketing — and its data processing is distinct from the subscription described above.

  • Purpose and legal basis: to investigate and fix the reported error. The legal basis is our legitimate interest (LGPD art. 7, IX; GDPR art. 6(1)(f)) in keeping the service correct, limited to what is strictly necessary to handle the report. This channel does not use marketing consent and does not feed any list, newsletter or promotional communication.
  • Optional data: the reporter's email is optional and, when provided, is used only to reply about that report — it is not added to any list. The screenshot is optional and may contain personal data visible in the image; send only what is necessary.
  • No screenshot retention: when sent, the screenshot transits attached to the email and is not stored on our infrastructure (no dedicated report database).
  • Processor: sending the report uses Brevo (Sendinblue SAS) as the transactional-email processor, under the same terms as section 6, with no new sub-processor.

The form's consent checkbox records your awareness of this processing and is not marketing consent. The data-subject rights described in sections 11 and 12 apply equally to data sent through this channel.