Privacy Policy

1. Who we are (Controller)

Data controller: ANITELLE E BENEVIDES TECNOLOGIA E CONTEÚDO DIGITAL LTDA, a Brazilian limited liability company registered under CNPJ 64.628.516/0001-68, hereinafter "SoulSyn", "we" or "us". Data Protection Officer (DPO) / privacy contact channel: contato@soulsyn.com.

2. Data we collect

Identity and registration data

• Name, email and profile picture (obtained from the OAuth provider — Google or Facebook — when you choose that login method).
• Phone number and gender (optional, provided at sign-up).
• Username chosen by you.

Birth data (necessary for the service)

• Date, time and place of birth — yours and, optionally, of people for whom you generate charts.
• For third-party charts, you represent that you have the person's consent to process such data.

Payment data

• Tokens and identifiers issued by Stripe (card) and Mercado Pago (PIX). We do not store full card numbers, CVV, expiration or passwords.
• Transaction history (amounts, dates, status, coupons applied).

Interaction data

• Dialogue history (messages sent and responses generated).
• Favorited charts, settings and preferences.
• Push notification tokens, when enabled.

Technical data

• IP address, browser/device user-agent, date and time of access.
• Essential cookies (session) and analytics cookies (Google Tag Manager).

3. Legal bases (LGPD Art. 7 / GDPR Art. 6)

• Performance of a contract: providing the contracted service and managing your account.
• Consent: sensitive or optional data (phone, push, marketing) and processing of birth data of people for whom you generate charts.
• Legal obligation: tax and accounting records (billing).
• Legitimate interest: security, fraud prevention, service improvement — always balanced against your rights.

4. How we use your data

• Compute and generate personalized astrological content.
• Operate login, keep your account secure and personalize the experience.
• Process payments and manage premium subscriptions.
• Communicate important service updates, support, and responses to your requests.
• Ensure security, prevent fraud and comply with legal obligations.
• Improve the service through aggregated, anonymized analysis.

5. Sharing with third parties (sub-processors)

We do not sell your personal data. We share it with service providers strictly necessary for operation, as listed below. All operate under contract with data protection clauses and limited purposes.

6. International data transfers

Some sub-processors are located outside Brazil, mainly in the United States. In every case we require contracts with standard data protection clauses and adequacy with LGPD requirements (Arts. 33-36) and GDPR (Chapter V).

7. Data retention

• Active account: we keep your data while your account exists and is used.
• After a deletion request: up to 30 days to complete the erasure/anonymization process (LGPD Art. 18 §3).
• Financial records (invoices, transactions): 5 years, as required by Brazilian tax law (Law 8.846/94 Art. 4).
• Security logs: up to 6 months, anonymized whenever possible.

8. Your rights as a data subject

LGPD (Art. 18), GDPR and CCPA grant you the following rights:

• Confirmation that processing exists and access to your data.
• Correction of incomplete, inaccurate or outdated data.
• Anonymization, blocking or deletion of unnecessary, excessive or unlawfully processed data.
• Portability of data to another service provider, upon express request.
• Information about public and private entities with which sharing occurred.
• Withdrawal of consent at any time (LGPD Art. 8 §5).
• California residents (CCPA): right to know, right to delete, right to non-discrimination for exercising rights, opt-out of sale (we do not sell data).

To exercise any of these rights, write to contato@soulsyn.com. We will respond within legal deadlines (15 business days under LGPD; 30 days under GDPR/CCPA).

9. Cookies and similar technologies

• Essential cookies: keep your session authenticated (Better Auth, prefix soulsyn.*). Without them the app does not work.
• Analytics cookies: measure aggregate use via Google Tag Manager. Can be disabled in your browser settings.
• Push notifications: sent only with your explicit consent; can be disabled in-app and/or in your browser/system settings.

10. Security

We apply reasonable technical and organizational measures: HTTPS/TLS traffic, password hashing, short-lived rotating session tokens, schema isolation in the database, least-privilege principle for administrative access. No system is 100% secure — in case of an incident affecting your data, we will notify the relevant authority (ANPD in Brazil) and the data subjects as required by law.

11. Children and teenagers

The service is not intended for anyone under 16. We do not knowingly collect data from children. If we detect a registration by a minor without consent, we will close the account and delete the data. Parents or guardians who identify this situation may request immediate deletion through the contact channel.

12. Changes to this Policy

Material updates will be communicated by email and/or in-app banner, with at least 15 days' notice for substantive changes. The version in force is always the one published at this URL.

13. Contact and Data Protection Officer (DPO)

Data Protection Officer: contato@soulsyn.com. Please identify yourself with your registered email to speed up our response.

14. Supervisory authorities

• Brazil: ANPD — Autoridade Nacional de Proteção de Dados (gov.br/anpd).
• European Union: data protection authority of your country of residence.
• California (USA): California Attorney General — oag.ca.gov.
• Canada: Office of the Privacy Commissioner — priv.gc.ca.