Privacy Notice – RD Station

1. About us

RD STATION offers a platform with solutions for digital marketing, automation, sales CRM, customer service, chatbots, and ecommerce. Our solutions allow companies to connect with their contacts and customers, track the interaction with their communications, and customize their strategies based on interests and behaviors.

This Privacy Notice outlines how RD Station collects, uses, and shares information from job candidates, platform and solutions users, website visitors, current and potential RD Station customers and their customers (“You” or “Subjects”) to reflect RD Station’s commitment to safeguarding your personal information and ensuring the security of the services provided.

Our services include, where applicable, our websites, platforms, events, mobile apps, and other online products and solutions. This encompasses specialized tools for marketing automation, CRM, and omnichannel customer service (collectively, the “Services”).

 

2. Definitions

Acquired Companies: Companies whose corporate control was acquired by RD Station.

Processing Agent: The Controller or the Processor. 

National Data Protection Authority (ANPD): Public administration body responsible for supervising, implementing, and monitoring compliance with the Brazilian General Data Protection Law (LGPD).

Anonymization: The use of technical means, reasonable and available at the time personal data is processed, by which a piece of data can no longer be directly or indirectly associated with an individual. Anonymized information is not classified as personal information under the provisions of the LGPD.

Customer: Legal Entity that acquires products and services from RD Station.

Controller: A natural or legal entity, governed by public or private law, who is responsible for the decisions regarding the processing of personal data.

Personal Data: Any information related to an identified or identifiable natural person.

Sensitive Personal Data: Personal data that reveals an individual’s racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or any organization of a religious, philosophical, or political nature, health-related information, data concerning a person’s sexual orientation, genetic data, or biometric data, when associated with a natural person.

Data Protection Officer (DPO): Natural or legal entity designated by the Processing Agent to serve as a communication link between the Controller, data subjects, and the National Data Protection Authority.

Provider(s): Natural or legal entity that provides some type of service for RD Station.

Leads: Individuals who express interest in the products or services offered by RD Station or its Customers, by filling out forms, subscribing to newsletters, or engaging in other forms of contact and interaction.

Brazilian General Data Protection Law (LGPD): Law No. 13,709/2018 regulates the processing of Personal Data conducted within Brazilian territory. It also applies to entities that aim to provide goods or services to individuals located in Brazil, even if the Data subject to processing were collected in Brazil, regardless of where the Data is stored.

Brazilian Civil Framework for the Internet (MCI): Established by Law No. 12,965/2014, it aims to delineate the rights and responsibilities of users, service providers, and others involved in the use of the Internet in Brazil.

Processor: Natural or legal entity, governed by public or private law, who processes Personal Data on behalf of the Controller.

Partner(s): Companies with which RD Station has contractual agreements to engage in commercial activities on a partnership basis.

RD Station Platform (RD Platform): An integrated suite of solutions offered by RD Station, which includes, but is not limited to, tools such as RD Station Marketing, RD Station CRM, RD Station Conversas, RD Station AI Mentor, RD Station for Ecommerce and other features available to our users.

Privacy by Design: Ensuring privacy from the outset requires the incorporation of good privacy practices into the product and service development lifecycle. This approach guarantees that all data processing activities comply with legal requirements at every stage of the lifecycle.

Privacy and Personal Data Protection Program: A comprehensive framework of policies, procedures, and organizational practices aimed at safeguarding the privacy and security of personal data processed by RD Station and its Acquired Companies.

RD Station Products (Products): All solutions provided by RD Station on the RD Station Platform.

RD Station Marketing (RDSM): RD Station’s digital marketing automation solution that integrates multiple strategies to attract, engage and convert Leads. It provides tools for creating Landing Pages, email marketing campaigns, managing social media, and analyzing performance.

RD Station CRM: RD Station’s solution for fully automating and optimizing the sales process, from prospecting to closing. 

RD Station Conversas (RD Conversas): RD Station’s solution that enables Customers to manage customer service and sales through digital media by centralizing multiple communication channels into a single system.

RD Station AI Mentor: RD Station’s solution that enables the use of virtual assistants to create personalized content through artificial intelligence, as well as to perform other marketing tasks, including integration with other solutions.

RD Station for Ecommerce (Ecommerce): RD Station’s solution designed for virtual stores. It enables the creation of targeted multichannel sales and marketing strategies for ecommerce.

RD Station or Company: RD Gestão e Sistemas S.A. 

Subject: Natural person to whom the personal data being processed relates. The Subject must be a natural person; the term does not apply to legal entities.

Processing: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, analysis, information control, modification, communication, transfer, dissemination, or extraction.

Users, Customers, Leads or Subjects (You): Natural persons who access the RD Station website, attend RD Station events, Customers who use RD Station’s Products or Platform, customers of RD Station’s Customers, Leads, or any Personal Data Subject.

3. To whom does this Notice apply?

This Privacy Notice applies to various types of individuals, including Users of RD Station’s websites, those who participate in RD Station’s events and communities, and RD Station’s Customers and their users who access RD Station’s platform and use services provided by RD Station and Acquired Companies.

It also applies to Data Subjects whose information has been provided by Customers to RD Station and/or Acquired Companies, or whose information is processed in connection with the use of our Services and Solutions, such as Leads.

4. Processing Personal Data 

RD Station’s priority is to protect, preserve, and respect the privacy and rights of Personal Data Subjects. We adopt the best business practices and ethical conduct to ensure that our operations comply with personal data protection laws and that they always meet the needs of our Customers, Partners, Suppliers, Users, and Subjects in general.

RD Station may process Personal Data alone or in conjunction with other Processing Agents, to the extent necessary to operate our services. Depending on the activity performed, RD Station may act as the Controller or Processor of Personal Data.

As the Controller, RD Station is responsible for making decisions regarding the processing of Personal Data, including determining the purposes and legitimacy of the processing, as shown in the table below.

As a Processor, RD Station processes data, in the context of the provision of Services, according to the guidelines and instructions defined by the Controllers (its Customers). This means that RD Station follows the guidelines established in the contract signed between the parties and performs the data processing activities as specified by the Customer. RD Station is not responsible for defining the data processing that its customers perform on the RD Station Platform. All processing procedures carried out on behalf of Customers are governed by specific contractual clauses, which guarantee the confidentiality and security of information.

In addition, some RD Station Services may use Artificial Intelligence (“AI”) technologies, such as RDSM, AI Mentor, RD Conversas and other Lead communication tools. These technologies are used to better personalize and automate the processes that integrate the Services Customers subscribe to, and to efficiently optimize the interaction and user experience. RD Station may also use these technologies in its service channels, meetings, and communications with Customers and other Subjects. In compliance with applicable laws, including those governing the protection of personal data, RD Station ensures that the use of AI is carried out with due care, respecting the privacy and security of the information processed. Whenever possible and without compromising the quality of the Services, we use anonymization techniques to protect your privacy.

We are committed to processing Personal Data in a secure and transparent manner to provide efficient Services to our Customers, while complying with applicable laws.

Occasionally, RD Station may use personal information for purposes not expressly described in this Privacy Notice provided that they are within the scope of its activities and in compliance with applicable laws.

5. Data Sharing

RD Station may share your information under certain circumstances and with various entities as described below.

  • Customers: RD Station may share your information with Customers only to comply with the law, enforce the contract, and provide Services.
  • Suppliers: RD Station may share your information with Suppliers to enable RD Station and Acquired Companies to provide their Services and activities.
  • Partners: RD Station may share information with business or technology partners where this is necessary for the provision of the contracted Services or organization of Events. This information is shared in order to ensure the delivery of the features that are offered and to maintain the Service and/or performance of activities of legitimate interest.
  • Acquired Companies or companies in the same Corporate Group: As part of the TOTVS Group, RD Station may share data with companies in the same group, including Acquired Companies, to deliver our Services, improve our operations and for legitimate business purposes, including marketing initiatives.
  • Public Authorities: RD Station may disclose personal information to public authorities, such as the National Data Protection Authority (ANPD) or other government agencies, in response to formal requests or court orders, to comply with legal or regulatory obligations, or to defend against administrative or legal proceedings.
  • Third-Party Applications: RD Station may make third-party applications, such as widgets or extensions, available through its Services. Information obtained by RD Station when the Customer activates a third-party application is treated in accordance with this Notice. Information collected by the third-party application provider is subject to the third party’s own privacy policy. It is the Customer’s responsibility to evaluate those terms and policies. These websites may collect information about the Customer, use cookies, incorporate additional third-party tracking, and monitor your interaction with the embedded content, including tracking the interaction with the embedded content if the Customer has an account and is logged in to that website. Please be sure to read the privacy notice of the website you are visiting to understand how they collect and process your information.
  • Google API: For RD Station CRM Users who choose to integrate contact information (such as name, email, phone number, and position) from their Google accounts, we use an integration with Google that allows us to import this data via Google API. This integration is designed to ensure that the process of authenticating and reading contact data imported from Gmail to the RD Station platform is secure. Users can revoke their application permissions at any time through their Google Account settings. This information is used in accordance with Google’s Restricted Scope requirements, as described in the User Data Policy of the Google API Services. In addition, when integrating RD Station CRM with Google Calendar into the system, you will be asked to grant permissions for RD Station CRM to access your Google account. RD Station ensures that it never sends Google Calendar data to third parties, including AI models. The only data that RD Station stores is the Google Calendar event ID.

When sharing becomes necessary, RD Station takes appropriate measures to ensure that the shared information is processed solely for the specific purpose. 

6. Information Security

RD Station adopts a series of strict technical and organizational measures to protect the personal data it processes and to ensure that it is safe from unauthorized access, alteration, disclosure, or destruction. Our Privacy and Data Protection Program and security practices are governed by internal information protection standards that comply with applicable laws and industry best practices, such as ISO 27001 and NIST frameworks.

We use advanced technologies such as encryption, intrusion testing, and security protocols to protect data in transit and at rest. In addition, we conduct regular internal audits to ensure that our security systems and processes are effective and continually evolving to address new threats.

Access to Personal Data is limited to RD Station employees and service providers who need this information to perform their duties, and they are all required to comply with the obligations set out in our security and privacy policies. RD Station also takes measures to protect its physical environment by strictly controlling access to the places where data is stored.

Although we take all possible measures to ensure security, it is important to note that we cannot be held responsible for breaches of security measures, security incidents that may occur in third-party systems or services, network infrastructure failures, or misuse of access credentials by Customers, among other situations beyond RD Station’s control. It is the responsibility of Users and Customers to adopt security practices on their own systems and devices, such as using strong and up-to-date passwords, to avoid security incidents.

7. Storage, Retention, and Deletion of Personal Data

RD Station adopts responsible practices for the storage and deletion of Personal Data, in compliance with applicable laws, to ensure the security and privacy of the information being processed. Personal Data may be stored on our own servers or those of third parties contracted for this purpose, both in Brazil and abroad, in accordance with applicable legislation. We may use cloud computing technologies and other emerging solutions to improve the services we provide to our Users, always in compliance with data protection regulations.

Personal Data will be kept for as long as necessary to fulfill the purpose for which it was collected or for as long as it is relevant to RD Station’s legitimate interests. The retention period may also be extended if necessary to comply with legal, contractual, or regulatory obligations. When the data is no longer necessary to fulfill these purposes, it will be securely deleted in accordance with Articles 15 and 16 of the General Personal Data Protection Law (LGPD).

The processing of Personal Data will be terminated in the following situations:

  • If RD Station ceases to be the Controller of the Personal Data, or if the Customer’s account or contract is terminated for any reason.
  • When Personal Data is no longer necessary or relevant for the purposes for which it was collected.
  • At the request of the Data Subject, where applicable, and where there is no legal or contractual justification for the retention of the data.
  • When there is a final determination by the National Data Protection Authority (ANPD) or any other competent authority.

The Personal Data required to comply with the Brazilian Civil Framework of the Internet is stored in a secure and controlled environment for a minimum period of six (6) months, subject to change depending on the type of contracts with Customers.

In specific situations, such as when data is required to comply with legal obligations, RD Station may retain the data for an additional period as required by law. At the end of the contractual relationship with the Customer, the data is deleted within 60 days, with a backup kept for up to 72 hours to ensure security and compliance. 

With respect to data processing based on the consent of the Data Subject, RD Station will terminate the processing of Personal Data, where applicable, if the Data Subject objects or withdraws consent. 

RD Station carefully assesses the quantity, nature, and sensitivity of the personal data, as well as the risks involved, in order to determine the most appropriate retention period, always with the aim of ensuring that data processing is carried out responsibly and in accordance with legal obligations.

 

8. Data Subject Rights

Personal Data Subjects have rights and guarantees with respect to their Personal Data. The detailed mechanisms available in this section are provided by RD Station to ensure that Data Subjects have clarity and transparency in exercising their rights. 

In cases where RD Station acts as the Processor of Personal Data, the responsibility for the processing of such data rests solely with the Customer, who acts as the Controller. Therefore, Personal Data Subjects whose information is processed through RD Station’s products and Services must exercise their rights directly with RD Station’s Customer. RD Station is not responsible for complying with requests from Personal Data Subjects when acting solely as a Processor.

It should be noted that in situations where RD Station only processes the data on behalf of the Customer, acting as a Processor, RD Station does not make final decisions about the processing performed, such as sending communications and emails about our Customers’ products or services. RD Station is only an automation tool that acts as a medium between Customers and their end Customers. Any requests or questions regarding these activities should be addressed directly to RD Station’s Customers, who are the Data Controllers.

RD Station can only respond directly to requests from Data Subjects when acting as the Data Controller. If necessary, the Data Subject may contact RD Station to request information about their rights through our Help Center, where they can obtain information and submit requests regarding their rights: 

  • Confirmation of the existence of the processing: You can check the existence of your data in the RD Station database. To do this, we may ask you to verify your identity or data before providing this information for fraud prevention purposes.
  • Access to Data: At any time, You may request RD Station to inform you what Personal Data is being processed.
  • Correction of incomplete, inaccurate, or outdated Personal Data: You may request the correction or addition of missing or inaccurate Personal Data.
  • Anonymization, blocking, or deletion of personal data that is unnecessary, excessive, or processed in violation of the LGPD: You may request the anonymization, blocking, or deletion of Personal Data that RD Station is processing, in the event of non-compliance with the law. However, if RD Station has a legal or regulatory basis for retaining the data, the data will be retained for the required period of time.
  • Personal Data Portability: You may request the portability of your Personal Data to another service provider.
  • Data Sharing Information: You may request information about the public or private entities with which your personal information has been shared.
  • Revocation of Consent: If the data processing is based on your consent, you have the right to revoke it at any time. In addition, you may withhold consent to any activity at your discretion. 
  • Deletion of data: You may request the deletion of your Personal Data at any time, with the exceptions set out in article 16 of the LGPD.
  • Review of automated decisions: You may request a review of decisions taken solely on the basis of automated processing of personal data that affect your interests, in accordance with art. 20 of the LGPD.

You also have the right to choose not to receive marketing communications and other promotional messages from RD Station or its Customers. If you wish to unsubscribe or stop receiving these communications, You may do so at any time by following the unsubscribe link provided in each email sent or by contacting the Customer responsible for using the service provided by RD Station directly.

RD Station undertakes to respond to all requests from Data Subjects in a timely manner and within the time limits established by the National Data Protection Authority (ANPD).

 

9. International Transfer

RD Station may transfer Personal Data internationally, particularly to the United States, as part of its Personal Data processing activities. 

The data from the Services available on the RD Station Platform is stored on the Google Cloud Platform (GCP) and/or Amazon Web Services (AWS) services, both of which are renowned cloud providers with appropriate protections. The data centers are located specifically in the states of California and Iowa in the United States. In addition, RD Station may use some vendors that require international transfer in order to provide its Services.

When providing services that involve the international transfer of Personal Data, RD Station gives priority to processing carried out in countries that offer a level of protection of Personal Data that is equivalent to that provided by the LGPD and/or that have adopted appropriate standard contractual clauses for the purpose of carrying out such transfer, in accordance with Resolution CD/ANPD No. 19 of 23 August 2024 and with art. 33 of the LGPD. In exceptional circumstances, RD Station may conduct International Data Transfers through other means authorized by the LGPD.

In addition, some RD Station products may be marketed and provided by overseas partner companies. RD Station extends to these cases the protection offered to the Data Subjects in the event of International Data Transfer and attention to applicable legislation.

In cases where RD Station processes Personal Data that is not protected by the LGPD – either because it falls outside the legal territorial limits or because it falls under one of the exclusion criteria defined in the law – RD Station undertakes to ensure the security, protection, and privacy of the personal data of the Data Subjects concerned. In addition, RD Station will comply, within reasonable limits and capabilities, with the exercise of rights established by applicable laws when such requests are made through its official channels of Service to Data Subjects, and will provide reasonable assistance in response to governmental and other requests from entities located in foreign countries.

10. Contact

You can always submit your questions, vendor reviews, rights requests, and other questions or suggestions to our Help Center. When opening a support ticket, in the “I want to talk about” field, simply select “Data Protection”.

Without prejudice, you may also send your questions about this Privacy Notice and other related matters directly to the RD Station Manager:

Name: Fernanda Nones    

Address: Rodovia Virgílio Várzea, nº 587, 3º piso, sala 302, Saco Grande, Florianópolis/SC.

Email: [email protected] 

11. Privacy Notice Update

RD Station may change this Privacy Notice at any time for any reason, whether due to the introduction of new technologies, changes in legislation, the need to adapt the security of the Services, or for any other reason. Any changes will always be available on the RD Station website and will be effective from the date of publication. 

Updated on 2025-03-31

Version: 01.02 - 2025-03-31