Privacy Policy
Courtesy translation. In case of any discrepancy, the official Portuguese version prevails.
- Company
- Slice Tecnologia da Informação S.A.
- Company registration (CNPJ)
- 40.599.957/0001-10
- Last updated
- 04/29/2026
- Version
- 1.3
1. Introduction and Scope
Slice Tecnologia da Informação S.A. prioritizes privacy, information security, and transparency in the processing of personal data. This policy clearly explains how data is collected, used, stored, shared, and protected in compliance with Law No. 13.709/2018 (the Brazilian General Data Protection Law – LGPD) and applicable regulations.
This policy covers all Slice employees, service providers, partners, suppliers, and clients, addressing processing activities in both physical and digital media, including websites, platforms, systems, and technology solutions, especially SaaS models in our own environment.
The organization recognizes that the protection of personal data is a fundamental right and is committed to processing data in an ethical, transparent, and secure manner, respecting the dignity and privacy of data subjects.
2. Data Controller and Processor
Slice acts as a data controller when it defines the purposes and means of processing, pursuant to Article 5, item VI, of the LGPD.
In certain scenarios, Slice acts as a data processor, processing information on behalf of clients (controllers) in accordance with the instructions and agreements in place, limited to the purposes previously established (Article 5, item VII, of the LGPD).
When Slice acts as a processor, the client retains responsibility for decisions relating to the processing. The organization undertakes to process data strictly in accordance with the controller's instructions and the contractual terms in force.
3. Purpose of this Policy
This policy aims to:
- Ensure the protection of privacy and personal data in compliance with the LGPD
- Guarantee transparency regarding personal data processing practices
- Demonstrate Slice's commitment to legal and regulatory compliance and good data governance practices
- Establish information security guidelines applicable to the processing of personal data
- Define roles and responsibilities within the scope of data protection
- Guide employees, partners, and third parties on appropriate personal data processing practices
- Meet the requirements of clients, audits, and regulatory bodies regarding data protection
4. Data Processing Principles
The processing of personal data by Slice observes the principles established in Article 6 of the LGPD:
- Purpose: processing carried out for legitimate, specific, explicit purposes that are informed to the data subject
- Adequacy: compatibility of the processing with the purposes informed to the data subject
- Necessity: limitation of processing to the minimum necessary to achieve the purposes
- Free access: a guarantee of easy and free consultation regarding the form and duration of processing
- Data quality: a guarantee of accuracy, clarity, relevance, and currency of the data
- Transparency: clear and accessible information about the processing
- Security: use of technical and administrative measures to protect the data
- Prevention: adoption of measures to prevent harm to data subjects
- Non-discrimination: prohibition of processing for discriminatory purposes
- Accountability: demonstration of the adoption of effective compliance measures
5. Personal Data Collected
Slice only collects personal data that is necessary, adequate, and proportionate to the intended purposes, observing the principle of data minimization.
5.1 Data provided by the data subject
“Contact Us” form: name; company or market of operation; e-mail and/or contact phone number.
Registration for contracting the platform: name of the legal representative; CPF (individual taxpayer ID); job title; phone; e-mail; CNPJ (company taxpayer ID); corporate name.
The CPF and CNPJ are requested exclusively at the contractual stage to identify the legal representative and the client organization, and are processed on the basis of contract performance (Article 7, V, of the LGPD).
5.2 Data collected automatically
- IP address
- Date and time of access
- IP origin and approximate geolocation
- Device type, operating system, and browser
- Technical identifiers (cookies, session IDs)
- Pages accessed, time spent, and interactions performed
- Search terms used
- Referring URL (referrer)
This data is used for statistical purposes, security, technical auditing, fraud prevention, and improving the user experience, based on Slice's legitimate interest (Article 7, IX, of the LGPD).
5.3 Data related to credit card reconciliation
Where applicable, Slice processes data related to credit card transactions exclusively for reconciliation, auditing, operational support, and contractual compliance purposes, and does not perform credit analysis, scoring, financial profiling, or automated decisions about data subjects.
Credit card data is processed in accordance with PCI DSS (Payment Card Industry Data Security Standard) rules where applicable, and is not stored by Slice beyond what is strictly necessary for the reconciliation purpose.
6. Sensitive Data
Slice does not collect or process sensitive personal data as defined in Article 5, item II, and Articles 11 et seq. of the LGPD, such as data relating to racial or ethnic origin, religious conviction, political opinion, membership of a union or of a religious, philosophical, or political organization, data concerning health or sex life, or genetic or biometric data.
If, exceptionally, the processing of sensitive data is necessary for the performance of contractual obligations with clients, it will be carried out on a specific legal basis (Article 11, II, of the LGPD), with additional security measures and registration in the data inventory.
7. Processing of Children's and Adolescents' Data
Slice fully observes the provisions of the Child and Adolescent Statute (Law No. 8.069/1990), the LGPD (Article 14), and the Digital ECA (Law No. 15.211/2025), which reinforces the protection of minors in the virtual environment with requirements for age verification, privacy by design, and a prohibition on design practices that induce excessive use. Oversight of these obligations is the responsibility of the ANPD.
Slice's websites, platforms, and contracting services are intended exclusively for individuals over 18 years of age or legal representatives of legal entities. Slice does not intentionally collect data from minors through its direct channels. Should this occur inadvertently, the data will be deleted immediately and securely, with notice to the DPO and the legal guardian where possible.
7.1 Adolescents' data in card reconciliation operations
Within the scope of credit card reconciliation services, transactional data of adolescents (aged 16 and over) may be present in the records, since they may hold additional or prepaid cards. In this case, Slice acts as a processor and adopts the following safeguards:
- Processing based on the best interest of the minor (Article 14, LGPD) and on contract performance with the controlling client
- Data limited to the strictly transactional (amounts, dates, merchant), without profiling, scoring, or automated decision-making
- Consent of the legal guardian under the responsibility of the controlling client (financial institution)
- Additional security measures: environment segregation, encryption, and least privilege
- Retention in accordance with legal and contractual periods, with secure deletion at the end
7.2 Children (under 12 years of age)
Slice does not process children's data under any circumstances. If identified in transactional records, such data will be flagged to the controlling client and excluded from processing by Slice.
7.3 Sharing
Minors' data is not shared without the consent of the legal guardian, except by legal obligation, court order, or for the protection of the minor. In the reconciliation context, sharing follows the controlling client's instructions.
8. Purposes of Processing
Personal data may be processed for the following purposes:
- Handling contact and support requests
- Performance of contracts and provision of contracted services
- Pre-contractual procedures, including viability analysis and commercial proposals
- Technical support and customer service
- Institutional and operational communication
- Continuous improvement of products, services, and user experience
- Ensuring the security of information and systems
- Prevention and detection of fraud, misuse, and unlawful activities
- Compliance with applicable legal, regulatory, and contractual obligations
- Regular exercise of rights in administrative, judicial, or arbitration proceedings
- Generation of statistical and analytical reports (with anonymized data where possible)
- Auditing and compliance with information security standards
9. Legal Bases for Processing
Slice's processing of personal data is based on the following legal bases set forth in Article 7 of the LGPD:
| Legal Basis | LGPD Article | Application |
|---|---|---|
| Contract performance | Art. 7, V | Provision of contracted services |
| Compliance with legal obligation | Art. 7, II | Tax, labor, and regulatory obligations |
| Regular exercise of rights | Art. 7, VI | Judicial and administrative proceedings |
| Legitimate interest | Art. 7, IX | Security, fraud prevention, analytics |
| Consent | Art. 7, I | Non-essential cookies, marketing |
| Credit protection | Art. 7, X | Contractual viability analysis |
Consent may be withdrawn by the data subject at any time, free of charge, through the contact channels indicated in this Policy, subject to legal grounds that authorize the continuation of processing.
10. Cookies and Tracking Technologies
Slice uses cookies and similar technologies to improve navigation, performance, security, and personalization of the website.
10.1 Types of cookies used
| Type | Purpose | Legal Basis |
|---|---|---|
| Necessary | Essential for the website to function | Legitimate interest |
| Performance | Statistical analysis of usage and performance | Consent |
| Functional | Personalization of user preferences | Consent |
| Marketing | Targeted content and campaign measurement | Consent |
Cookies do not access information stored on the user's device nor collect personal data without authorization.
10.2 Cookie management
On first access to the website, the user is presented with the cookie consent banner and may accept, refuse, or configure non-essential cookies. Disabling essential cookies may impair the proper functioning of the website.
The user may, at any time, change their cookie preferences through the browser settings or the cookie management panel available on the website.
Third-party tools that may be used include: Google Analytics, Facebook Pixel, Tawk.to, Privy, and AddThis.
11. Sharing of Personal Data
Slice does not sell, rent, or distribute personal data to third parties. Personal data may be shared exclusively in the following cases:
- When necessary for the performance of a contract or provision of a service contracted by the data subject
- When required by legal or regulatory obligation or court order
- For the regular exercise of rights in administrative, judicial, or arbitration proceedings
- Upon the express consent of the data subject
- For service providers essential to Slice's operation (sub-processors), under agreements ensuring confidentiality, data protection, and LGPD compliance
In all cases of sharing, Slice adopts measures to ensure that third-party recipients maintain adequate data protection standards, including specific contractual clauses and periodic compliance assessments.
12. International Data Transfer
Slice's technology infrastructure is hosted on Amazon Web Services (AWS), with servers located in the sa-east-1 region (São Paulo, Brazil). Personal data processed by Slice is preferably stored and processed within Brazilian territory.
When an international data transfer is necessary, it will be carried out in compliance with Chapter V of the LGPD (Articles 33 to 36), observing the following safeguards:
- Transfer to countries or international organizations that provide an adequate level of personal data protection
- Through specific contractual clauses ensuring compliance with the LGPD
- With the adoption of technical and organizational measures compatible with the level of protection required by Brazilian law
- Upon the specific and informed consent of the data subject, where applicable
The cloud service providers used by Slice (AWS) maintain international security certifications (ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3) and adopt standard contractual clauses for international data transfers.
13. Data Storage and Retention
Personal data will be stored for the period necessary to fulfill the purposes described in this Policy, respecting applicable legal, contractual, and regulatory periods.
The criteria for defining the retention period include: the duration of the contractual relationship; applicable legal and regulatory obligations (tax, labor, etc.); statutes of limitation for the regular exercise of rights; legitimate and documented operational need; and the data subject's consent, where this is the applicable legal basis.
After the end of the retention period, the data will be securely and permanently deleted; or irreversibly anonymized for statistical or research purposes; or retained where there is a legal or regulatory obligation justifying its preservation.
14. Data Subjects' Rights
Under Articles 17 to 22 of the LGPD, the data subject may exercise, at any time and free of charge, the following rights by request to the Data Protection Officer (DPO):
- Confirmation of the existence of personal data processing
- Access to the personal data processed by Slice
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD
- Portability of data to another service or product provider, upon express request
- Deletion of personal data processed on the basis of consent
- Information about the public and private entities with which the data has been shared
- Information about the possibility of not providing consent and the consequences of refusal
- Withdrawal of consent, under the terms of Article 8, §5, of the LGPD
Requests will be answered within 15 (fifteen) calendar days of receipt, pursuant to Article 18, §4, of the LGPD, and may be extended for an equal period in cases of complexity.
Slice may request additional information to verify the requester's identity, in order to prevent fraud and ensure data security. The exercise of certain rights may make it impossible to continue the contractual relationship, where applicable, subject to legal retention obligations.
15. Information Security
Slice adopts appropriate technical and organizational measures to protect personal data against unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination, in compliance with Article 46 of the LGPD and ISO/IEC 27001 good practices. Security measures include, but are not limited to:
- Storage in a secure environment with cloud infrastructure (AWS) holding security certifications
- Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
- SSL/TLS certificates on all exposed services
- Access control based on the principle of least privilege
- Secure authentication with robust password policies
- Multi-layered firewalls (AWS Security Groups, Network ACLs, UFW/IPFW)
- Web Application Firewall (WAF) with ModSecurity and the OWASP Core Rule Set
- EDR/antimalware solution (Bitdefender GravityZone) on endpoints
- SIEM (Wazuh) for centralization and correlation of security events
- Continuous monitoring via Prometheus and Grafana with automated alerts
- Corporate VPN (OpenVPN) with individual certificates for remote access
- Vulnerability management with periodic internal and external scans
- Data loss prevention (DLP) controls
- Backup and disaster recovery
- Per-client environment segregation
- Formalized internal security policies, reviewed periodically
16. Data Protection Impact Assessment (DPIA)
Slice conducts Data Protection Impact Assessments (DPIA/RIPD) when the processing of personal data may pose high risks to the rights and freedoms of data subjects, pursuant to Article 38 of the LGPD and the guidance of the National Data Protection Authority (ANPD). Situations that require a DPIA include:
- Large-scale processing of personal data
- Processing of sensitive data or data of children and adolescents
- Use of new technologies that may impact privacy
- Processing that may result in significant harm to data subjects
- Systematic monitoring of publicly accessible areas
The DPIA is conducted by the Data Protection Officer (DPO) together with the areas involved, and its results are documented and kept available to the ANPD upon request.
17. Security Incident Response
Slice maintains a Security Incident and Personal Data Breach Response Policy that establishes procedures for the identification, containment, eradication, recovery, and communication of security incidents involving personal data. In the event of a security incident that may give rise to relevant risk or harm to data subjects, Slice will:
- Notify the National Data Protection Authority (ANPD) within a reasonable period, pursuant to Article 48 of the LGPD and applicable regulations
- Notify affected data subjects when the incident may cause them relevant risk or harm
- Adopt immediate technical measures to contain and mitigate the effects of the incident
- Document the incident with a detailed record of the circumstances, affected data, measures taken, and lessons learned
- Report the incident to the client (controller) when Slice is acting as a processor
18. Internal Responsibilities
The protection of personal data is the responsibility of all employees, managers, partners, and third parties acting on behalf of Slice. Responsibilities include:
- Senior Management: ensure resources and support for the implementation and maintenance of data protection practices
- DPO (Data Protection Officer): oversee LGPD compliance, guide employees, and act as a communication channel with data subjects and the ANPD
- Information Security: implement and maintain technical data protection controls
- Area managers: ensure that their area's processes comply with this Policy
- Employees and third parties: observe this Policy and immediately report to the DPO any incident or situation that may compromise the protection of personal data
19. Training and Awareness
Slice promotes periodic training and awareness actions on personal data protection and information security, aimed at all employees and third parties who process personal data on behalf of the organization. The training covers: fundamental concepts of the LGPD and data subjects' rights; information security good practices; incident response procedures; identification and prevention of threats (phishing, social engineering); and appropriate use of systems and technology resources.
20. Data Protection Officer (DPO)
Slice's Data Protection Officer (DPO) is responsible for ensuring the organization's compliance with the LGPD, acting as the communication channel between Slice, data subjects, and the National Data Protection Authority (ANPD).
- Data Protection Officer (DPO)
- Rafael Stuepp Riegel
- dpo@slice.global
- Alternate (in case of absence)
- Luis Roberto Pfau
- luis@slice.global
The DPO may be contacted for: clarifications regarding personal data processing; the exercise of data subjects' rights; complaints, suggestions, or reports related to data protection; and the communication of security incidents involving personal data.
21. Penalties and Sanctions
Failure to comply with this Policy by employees, service providers, or third parties may result in disciplinary measures, including warning, suspension, or termination of contract, without prejudice to the applicable civil and criminal liabilities.
22. Changes to this Policy
This Policy will be reviewed periodically (at least annually) and may be updated at any time to reflect legal, regulatory, operational, or technological changes.
Relevant changes will be communicated through appropriate means, including publication on the institutional website and direct notification when necessary. The version in force will always be available at https://www.slice.global/politica-de-privacidade.
23. Questions and Contact
For clarifications regarding this Policy, the processing of personal data, or to exercise data subjects' rights, please contact the Data Protection Officer: E-mail: dpo@slice.global — Website: https://www.slice.global. Requests will be answered within the legal period of 30 (thirty) calendar days.
24. Normative References
- Law No. 13.709/2018 – Brazilian General Data Protection Law (LGPD)
- Law No. 8.069/1990 – Child and Adolescent Statute (ECA)
- Law No. 15.211/2025 – Digital ECA (protection of children and adolescents in the virtual environment)
- Law No. 12.965/2014 – Brazilian Civil Rights Framework for the Internet
- Decree No. 8.771/2016 – Regulation of the Civil Rights Framework for the Internet
- ISO/IEC 27001:2022 – Information Security Management Systems
- ISO/IEC 27701:2019 – Privacy Information Management
- Regulations and guidance of the National Data Protection Authority (ANPD)
- NIST Privacy Framework
- PCI DSS – Payment Card Industry Data Security Standard (where applicable)
- Phone
- +55 (11) 4004-2642
- contato@slice.global
- Website
- https://www.slice.global