Privacy Policy — QProva
Version 1.0.0 — effective from May 12, 2026.
This Policy describes how QProva collects, uses, shares and protects your personal data, in compliance with the Brazilian General Data Protection Law (LGPD — Law 13.709/2018). Please also read our Terms of Use.
This is the initial version of the document, subject to later legal review. Material changes will be communicated as described in section 13.
In case of conflict or divergence between language versions, the Portuguese version prevails.
1. Who we are — Data controller
The personal data you entrust to us is controlled by RANGEL ESPINDOLA DA ROSA JUNIOR TECNOLOGIA DA INFORMACAO LTDA, CNPJ 61991397000115, headquartered at RUA PAIS LEME, 215.
2. Data Protection Officer (DPO)
For any question about your personal data or to exercise rights under the LGPD, contact our DPO: suporte@qprova.com. We commit to responding within 15 (fifteen) calendar days.
3. Data we collect
| Category | What we collect | How |
|---|---|---|
| Identification | email; name (optional); profile picture (Google OAuth, optional) | directly from the User; OAuth |
| Account | password hash (managed by Supabase Auth); date of Terms acceptance (tos_accepted_at); accepted version (tos_version); contracted plan; Stripe customer ID | automatically on signup/subscription |
| Generated content | templates, questions (including prompts sent to AI), evaluations, answer keys | directly from the User |
| Platform usage | technical error logs (Sentry); AI usage events (provider, tokens consumed) | automatic |
| Payment | transaction status, Stripe ID — we do not receive or store card data | via Stripe |
4. How we collect
We collect data directly from the User (registration, content creation, forms) and automatically (basic navigation events, errors captured by Sentry, AI usage metrics).
5. Purposes and legal bases (LGPD Art. 7)
| Purpose | Legal basis (LGPD Art. 7) |
|---|---|
| Operate the Platform and provide contracted services | Performance of contract (V) |
| Charge for paid plans; issue invoices | Performance of contract (V) + Legal obligation (II) |
| Respond to support requests and send transactional communications | Performance of contract (V) |
| Monitor errors, prevent fraud and abuse | Legitimate interest (IX) |
| Marketing (MVP: only transactional welcome email) | Consent (I) |
6. Sharing with third parties (sub-processors)
We share personal data with the following sub-processors strictly for service provision:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database (PostgreSQL), authentication, image and PDF storage | United States |
| Stripe Inc. | Payment processing | United States |
| Sentry (Functional Software Inc.) | Technical error monitoring | United States |
| AI providers (OpenAI, Anthropic, Google and other integrated providers) | Educational content generation upon User request; may retain prompts and responses according to their own terms | United States |
The updated list of AI providers is always available on this page. We do not sell your personal data.
7. International transfer (LGPD Art. 33)
The sub-processors above are located in the United States. The personal data necessary for the service is therefore transferred outside Brazilian territory.
Legal bases for the transfer (LGPD Art. 33):
- item II — when the transfer is necessary for the execution of the contract entered into with the User;
- item I — when there is specific, prominent consent from the User, manifested upon accepting these Terms.
8. Cookies and similar technologies
The Platform uses strictly essential cookies for operation. We do not use analytical, advertising or cross-site tracking cookies.
| Cookie | Purpose | Legal basis |
|---|---|---|
sb-access-token, sb-refresh-token | Maintain authenticated session (Supabase Auth) | Performance of contract |
| Language preference cookies (next-intl) | Remember selected language | Legitimate interest |
| Stripe checkout session cookies | Securely process payments | Performance of contract |
| Error identifiers (Sentry) | Correlate errors for diagnostics | Legitimate interest |
Refusing essential cookies makes use of authenticated areas of the Platform impossible. Configuration may be done through browser options.
9. Your rights as a data subject (LGPD Art. 18)
You have the right, at any time, to:
- confirm the processing of your data;
- access the data we hold about you;
- correct incomplete, inaccurate or outdated data;
- anonymize, block or delete unnecessary, excessive or non-compliant data;
- request portability of your data to another service provider (when applicable);
- revoke consent when processing is based on consent;
- be informed about with whom we share your data;
- object to processing based on legitimate interest.
How to exercise: send an email to suporte@qprova.com. We will respond within 15 (fifteen) calendar days.
10. Data retention
| Category | Term |
|---|---|
| Active account data | While the contractual relationship lasts |
| Personal data after account deletion | Removed within 30 days |
| Attribution of questions published in the Public Bank after account deletion | Replaced by "User removed"; the question remains, unless explicitly requested to the DPO |
| Tax and payment records (Stripe + invoice) | 5 years (CTN Art. 174 + tax obligations) |
| Technical logs (Sentry) | 90 days |
AI usage logs (ai_usage) | 12 months for plan limits and audit |
11. Security
We adopt reasonable technical and organizational measures to protect your data, including:
- passwords stored with bcrypt hash (managed by Supabase Auth — never in plaintext);
- encrypted communication via HTTPS/TLS in all connections;
- isolation between Users in the database via PostgreSQL Row Level Security (RLS);
- sanitization of personal data in Sentry logs;
- Privacy by Default and Privacy by Design principles applied to development.
Despite efforts, no system is absolutely secure. In case of a security incident affecting your data, we will notify you and the ANPD as required by the LGPD.
12. Minors
The Platform is intended exclusively for professionals over 18 years old. We do not intentionally collect personal data of minors.
QProva does not store personal data of students of the User teachers (names, photos, grades, identifications). The educational content the User creates (templates, questions, answer keys) may mention students as exercise context, but the responsibility for the content lies entirely with the User.
If we identify the registration of a minor, the account will be deleted and the data removed.
13. Changes to this Policy
Material updates to this Policy will be communicated by email with reasonable notice and will require new acceptance via a specific gate before continued access to the Platform. Minor corrections take effect immediately, without re-acceptance.
14. Contact
- Data Protection Officer (DPO): suporte@qprova.com
- General support: suporte@qprova.com
- Address: RANGEL ESPINDOLA DA ROSA JUNIOR TECNOLOGIA DA INFORMACAO LTDA, CNPJ 61991397000115, RUA PAIS LEME, 215
You may also file a complaint with the National Data Protection Authority (ANPD) at gov.br/anpd.
Version 1.0.0 · Published on May 12, 2026