Legal

Privacy Policy

We believe you have a right to know exactly what information BH Softwares collects, why we collect it, how we protect it, and what choices you have over your personal data. This document explains all of that in plain, direct language — no legal fog.

Last updated: June 18, 2025
Section 01

Introduction

This Privacy Policy is published by COTTA CONSULTORIA E DESENVOLVIMENTO DE SOFTWARES LTDA, a Brazilian company registered under CNPJ 28.442.160/0001-00, located at Rua Belo Oriente, 120, Sala 09, Providência, Belo Horizonte – MG, Brazil, operating the website and services under the brand BH Softwares (collectively, "we", "us", or "our").

By visiting our website at bhsoftwares.site, submitting a contact form, requesting a proposal, or otherwise engaging with us digitally, you acknowledge that you have read and understood the practices described in this document.

We are committed to protecting your personal data in accordance with applicable privacy legislation, including Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD — Law No. 13,709/2018) and, where applicable to individuals located in the European Economic Area, the EU General Data Protection Regulation (GDPR — Regulation 2016/679). Additional compliance considerations for other jurisdictions are addressed where relevant.

This policy applies solely to personal data processed through our website and associated marketing communications. It does not govern data processing carried out under separate contractual arrangements with clients for whom we develop or maintain software systems — those relationships are governed by the relevant data processing agreements and service contracts.

Section 02

Information We Collect

We collect personal data only to the extent necessary to provide you with information about our services and to respond to your enquiries. The categories of data we may collect are described below.

Information you provide directly

When you fill in our contact form, request a project proposal, subscribe to our newsletter, or communicate with us by email, we collect the information you choose to share, which typically includes:

  • Full name and professional title (when supplied)
  • Business email address and/or telephone number
  • Company name and sector
  • A description of your project, challenge, or enquiry as written by you
  • Any attachments or supporting documents you voluntarily send us

Data collected automatically

When you browse our website, our hosting infrastructure and third-party analytics services automatically record technical information about your visit. This may include:

  • IP address and approximate geographic location derived from it (city or region level)
  • Browser type, version, and language preference
  • Operating system and device type
  • Pages visited, time on page, and navigation path through the site
  • Referring URL — that is, the website or search-engine result that brought you here
  • Date and timestamp of each request
  • Interaction data such as clicks, scroll depth, and button engagement (where tracking scripts are active)

Data from advertising platforms

If you arrive at our website through a Google Ads campaign, Google may pass us aggregated, pseudonymised conversion data (for example, that a click led to a form submission) via the Google Ads conversion tag. We do not receive individually identified personal data from Google in this process; we receive only aggregate performance metrics.

We do not collect sensitive personal data — such as racial or ethnic origin, health information, biometric data, religious beliefs, or political opinions — and we ask that you do not include such information in any message or form you send us.

Section 03

How We Use Your Information

We use the personal data we collect for specific, explicit, and legitimate purposes. We do not process your data in ways that are incompatible with those purposes. The table below sets out each purpose, the legal basis we rely on under the LGPD and GDPR, and the categories of data involved.

Purpose Data Used Legal Basis (LGPD / GDPR)
Responding to contact form submissions and enquiries Name, email, phone, project description Legitimate interests / Execution of pre-contractual steps
Preparing and delivering project proposals Name, company, email, project details Execution of pre-contractual steps / Consent
Sending newsletters or service updates (only with consent) Name, email address Consent (freely given, specific, and revocable)
Website analytics — understanding how visitors use our site IP address, browsing behaviour, device data Legitimate interests / Consent (where cookies require it)
Advertising measurement — tracking conversions from Google Ads Aggregated/pseudonymised click and conversion data Legitimate interests / Consent
Security — detecting and preventing abuse, spam, or fraudulent use IP address, request logs Legitimate interests / Legal obligation
Legal compliance — meeting regulatory or judicial obligations Any data relevant to the obligation Legal obligation

We will never sell your personal data, rent it to third parties, or use it to build advertising profiles for any purpose unrelated to our own services. If we wish to use your data for a new purpose materially different from those listed above, we will notify you and obtain any consent required by law before doing so.

Section 04

Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies to make the site function correctly, to understand how it is used, and to measure the effectiveness of our advertising. A cookie is a small text file stored on your device by your browser when you visit a website.

Categories of cookies we use

Category Provider Examples Purpose Consent Required?
Strictly Necessary Our hosting infrastructure Enabling basic site functionality, session management, and security (e.g. CSRF protection). These cannot be disabled without breaking the site. No — exempt
Analytics Google Analytics 4 Collecting pseudonymised data about page views, session duration, traffic sources, and user journeys to help us improve content and navigation. IP addresses are anonymised before storage. Yes
Advertising & Conversion Google Ads (gclid, _gcl_au) Measuring which campaigns lead to contact form submissions. No cross-site behavioural profiling is conducted through our own tag configuration. Yes
Preferences Our website Remembering your cookie consent choices and optional site preferences (e.g. language) for the duration of a session or longer if you choose. No — functional to consent management

Managing your preferences

On your first visit, a cookie consent banner will present you with the option to accept or decline non-essential cookies. You can change or withdraw your consent at any time by clicking the "Cookie Settings" link in the footer of any page. Withdrawing consent does not affect the lawfulness of any processing that occurred before you withdrew it.

In addition to our on-site controls, you can manage or delete cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be warned before a cookie is stored. Disabling strictly necessary cookies will impair the website's core functionality. Detailed instructions are available in your browser's help documentation or at www.allaboutcookies.org.

For information about how Google uses data from analytics and advertising products, please visit policies.google.com/technologies/partner-sites. You may also opt out of Google Analytics measurement across all sites using the Google Analytics Opt-out Browser Add-on.

Section 05

Sharing With Third Parties

We do not sell, trade, or rent your personal data. We share data only in the limited circumstances described below, and always with appropriate safeguards in place.

Service providers (data processors)

We engage carefully selected third-party companies to help us operate our website and business. These parties act strictly on our documented instructions and are not permitted to use your data for their own purposes. They include:

  • Web hosting and infrastructure provider — our website and form data are hosted on servers maintained by our hosting provider. All data in transit is protected by TLS encryption.
  • Google LLC — we use Google Analytics 4 for website analytics and Google Ads for advertising measurement. Google processes data as a data processor under our instructions and as an independent data controller for its own advertising systems. Google's applicable terms and privacy policies govern those interactions.
  • Email service provider — transactional and newsletter emails are sent through a reputable email delivery platform. This provider receives your email address and name solely for the purpose of delivering the communication you requested.
  • Project management and CRM tools — internally, we may store your contact information and proposal details in a CRM system used only by our team.

Legal and regulatory disclosure

We may disclose personal data to courts, regulators, government authorities, or law enforcement agencies when we are legally required to do so, or when disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data we hold may be among the assets transferred. We will notify affected individuals by email or through a prominent notice on our website before your data becomes subject to a materially different privacy policy.

International transfers

Some of our service providers (notably Google LLC) process data in the United States and other countries outside Brazil and the European Economic Area. Where such transfers occur, we rely on appropriate safeguards — including Standard Contractual Clauses approved by the European Commission and, for Brazil, equivalent mechanisms recognised by the ANPD — to ensure your data remains protected to an equivalent standard.

Section 06

Data Retention

We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected, to comply with legal obligations, and to resolve any disputes that may arise. The following retention periods apply:

  • Contact form data and enquiries — retained for up to 5 years from the date of last contact. This period reflects the standard civil limitation period under Brazilian law and allows us to refer back to historical conversations if you return as a prospective or active client.
  • Proposal and pre-contractual documents — retained for 5 years after the proposal date or the end of any resulting contractual relationship, whichever is later.
  • Newsletter subscriber data — retained for as long as you remain subscribed, plus a brief reconciliation period of up to 90 days after unsubscription to ensure deliverability systems are fully updated.
  • Analytics and log data — aggregated analytics data is retained in Google Analytics for up to 14 months (our configured retention window). Raw server logs are retained for up to 90 days for security and diagnostic purposes.
  • Financial and tax records — where personal data forms part of a financial record, it is retained for 10 years in compliance with Brazilian tax and accounting law.

When data is no longer needed, we securely delete or anonymise it so that it can no longer be associated with any individual. Backups are subject to the same deletion schedule, with a reasonable lag of up to 90 days for backup cycles to complete.

Section 07

Data Security

We implement layered technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or destruction. Our security practices include:

  • TLS/HTTPS encryption on all pages of our website. All data you transmit through our contact forms travels over an encrypted connection.
  • Access controls — personal data is accessible only to team members who require it in the course of their role. Access is managed through unique credentials and role-based permissions.
  • Reputable, security-audited infrastructure — we host our website on providers that maintain ISO 27001 certification or equivalent, with regular independent security audits.
  • Regular security reviews — our development team routinely reviews the website's code, dependencies, and server configuration for known vulnerabilities and applies patches promptly.
  • Data minimisation — we collect only the data we genuinely need, reducing the volume of information at risk.
  • Vendor due diligence — third-party service providers are assessed for their security practices before engagement, and are contractually required to maintain appropriate safeguards.

No system is perfectly impenetrable. While we make every reasonable effort to protect your data, we cannot guarantee absolute security of information transmitted over the internet. If you have reason to believe that your interaction with us has been compromised, please contact us immediately at contato@bhsoftwares.site.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (Brazil's ANPD, and the applicable EU supervisory authority where relevant) and, where required by law, affected individuals, within the timeframes mandated by applicable legislation — no later than 72 hours after becoming aware of the breach where the GDPR applies.

Section 08

Your Rights

Depending on your location and the legal framework that applies to you, you have a number of rights in relation to the personal data we hold about you. We respect and honour these rights for all individuals, regardless of where they are based.

Right of Access

You may request a copy of the personal data we hold about you, along with information about how it is processed and with whom it has been shared.

Right to Rectification

If any information we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it without undue delay.

Right to Erasure

You may ask us to delete your personal data where it is no longer necessary for the purpose it was collected, where you have withdrawn consent, or where it has been processed unlawfully. Certain legal obligations may require us to retain some data.

Right to Object

Where we process your data on the basis of legitimate interests, you have the right to object. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Restriction

You may ask us to suspend the processing of your data — for example, while you contest its accuracy or where you need us to retain it beyond our normal schedule for the establishment of a legal claim.

Right to Data Portability

Where technically feasible and where processing is based on consent or contract, you may request a copy of your data in a structured, commonly used, machine-readable format for transfer to another provider.

Right to Withdraw Consent

Where processing is based on your consent (such as newsletter subscription), you may withdraw that consent at any time by clicking "Unsubscribe" in any email or by contacting us directly. Withdrawal does not affect the lawfulness of prior processing.

Right to Lodge a Complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with Brazil's Autoridade Nacional de Proteção de Dados (ANPD) or, if you are in the EEA, with the supervisory authority of your EU member state.

How to exercise your rights

To exercise any of the rights listed above, please contact our data protection point of contact by email at contato@bhsoftwares.site, with the subject line "Data Subject Request". Please include your full name and, if helpful, a description of the specific data or processing activity your request concerns. We will respond within 15 business days (or within the statutory timeframe required by applicable law, which is up to 30 days under the GDPR and LGPD, with a possible one-month extension for complex requests).

We may need to verify your identity before processing a request to protect against fraudulent or unauthorised access to personal data. We will not charge a fee for access requests unless they are manifestly unfounded or excessive.

Section 09

Children's Privacy

Our website and services are directed exclusively at business professionals and organisations. We do not knowingly collect personal data from individuals under the age of 18. Our contact forms and service offerings are not designed for, and should not be used by, children.

If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete that data from our records. If you are a parent or guardian and believe your child has submitted personal data to us, please contact us at contato@bhsoftwares.site so we can act promptly.

Section 10

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable legal requirements. When we make material changes — meaning changes that significantly affect how your personal data is processed — we will:

  • Update the "Last updated" date at the top of this page
  • Display a prominent notice on our website for a reasonable period following the change
  • Where we hold your email address and the change is significant, notify you directly by email

We encourage you to review this page periodically to stay informed about how we protect your information. Continued use of our website after changes are posted constitutes your acceptance of the revised policy, to the extent permitted by applicable law. If you disagree with any changes, you should discontinue use of our website and contact us to request deletion of your personal data.

Previous versions of this Privacy Policy are available on request by emailing us at the address below.

Section 11

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or want to report a concern about how we handle personal data, please reach out to us through any of the channels below. We are committed to addressing your questions fairly, promptly, and transparently.

Data Controller — Contact Details

Company

COTTA CONSULTORIA E DESENVOLVIMENTO DE SOFTWARES LTDA

CNPJ

28.442.160/0001-00

Address

Rua Belo Oriente, 120, Sala 09, Providência
Belo Horizonte – MG, Brazil

Response Time

We aim to acknowledge all privacy-related enquiries within 2 business days and to resolve them within 15 business days.