Privacy Policy
_Last updated: May 27, 2026_
This Privacy Policy describes how Goal Factory ("Goal Factory", "we", "us", "our"), registered under [pending formalization], located at [address pending formalization], collects, uses, shares, stores, and protects your personal data.
We comply with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the California Consumer Privacy Act (CCPA), the UK GDPR and Data Protection Act 2018, and the Brazilian General Data Protection Law (LGPD — Law No. 13.709/18).
1. Data Controller
Controller: Goal Factory
- Registration: pending formalization
- Registered office: address pending formalization
- Contact email: suporte@goalfactory.com
- Website: https://mv4a1a-rh.com.br
2. Data Protection Officer (DPO)
Appointed in accordance with GDPR Art. 37 and LGPD Art. 41:
- DPO email: suporte@goalfactory.com
- Response deadline: within 30 days of receiving your request (GDPR) or 15 days (LGPD)
To exercise the rights listed in Section 8, email the DPO with:
- Subject line: "Privacy Rights — [type of request]"
- Full name and email address on file
- Clear description of the right being exercised
3. Personal data we collect
3.1 Data you provide directly
- Account: full name, email, date of birth (optional), gender (optional)
- Contact: phone, WhatsApp
- Shipping: full address (postcode, street, number, city, state/province, country)
- Payment: last 4 digits of card, cardholder name (full card data stays with the payment processor)
3.2 Data collected automatically
- Navigation: IP address, browser type, operating system, device, pages visited, time spent
- Cookies and similar technologies: unique identifiers for session, cart, preferences, analytics (see Section 10)
- Approximate geolocation (derived from IP, not precise)
3.3 Data received from third parties
- Social login: if you sign in with Google, Facebook, or Apple, we receive name and email from the provider
- Marketing partners: anonymous identifiers (third-party cookies) for campaign measurement
3.4 Sensitive data
We do not collect sensitive personal data (GDPR Art. 9 / LGPD Art. 5, II — racial origin, religious belief, health data, biometrics, etc.).
4. Purposes and legal bases
Under GDPR Art. 6 and LGPD Art. 7, processing requires a legal basis. Our purposes:
| Purpose | Legal basis |
|---|---|
| Processing orders and deliveries | Contract performance |
| Issuing invoices and fiscal records | Legal obligation |
| Customer support | Contract performance |
| Fraud prevention | Legitimate interest |
| Marketing and remarketing | Consent or legitimate interest |
| Analytics and site improvement | Legitimate interest |
| Defense in legal proceedings | Legitimate interest / legal claims |
5. Sharing with third parties
We share your data only when necessary with the following categories of partners:
- Payment gateways (Shopify Payments, Stripe, PayPal, Mercado Pago) — transaction processing
- Shipping carriers (DHL, UPS, FedEx, USPS, Royal Mail, Correios, etc.) — order delivery
- E-commerce platform (Shopify Inc.) — hosting and site operation
- Email services (Resend, Klaviyo, Mailchimp) — transactional communication
- Analytics (Google Analytics, Meta Pixel) — anonymous aggregated measurement
- Accounting and tax offices — fiscal / tax compliance
- Legal authorities — only when judicially required
We do not sell personal data to third parties. We do not allow partners to use your data for purposes incompatible with those declared here.
6. International transfers
Some partners (Shopify, Google, Meta, Stripe) process data on servers outside the European Economic Area / UK / Brazil. Transfers occur with safeguards compatible with applicable law:
- Countries with adequate protection recognized by the European Commission, ICO, or ANPD
- Standard Contractual Clauses approved by the European Commission
- International certifications (ISO 27701, Privacy Shield successors)
- Binding Corporate Rules where applicable
7. Retention and storage period
| Category | Retention period |
|---|---|
| Account data (active) | While account is active + 5 years after inactivity |
| Orders and tax records | 10 years (tax law requirement) |
| Access logs | 6-12 months (per local law) |
| Commercial communication data | Until consent revocation |
| Fraud prevention data | While risk exists + 5 years |
After these periods, data is anonymized or securely deleted.
8. Your rights
8.1 GDPR rights (EU/UK residents) — Articles 15-22
- Access: confirmation and copy of your data
- Rectification: correction of inaccurate or incomplete data
- Erasure ("right to be forgotten"): deletion of data no longer needed
- Restriction: limit processing in specific cases
- Portability: receive data in structured, machine-readable format
- Object: oppose processing based on legitimate interest
- Withdrawal of consent: at any time, without affecting past lawful processing
- Not be subject to automated decision-making with legal or similar effects
8.2 CCPA rights (California residents)
- Right to know what personal information is collected, used, shared, sold
- Right to delete personal information we collect
- Right to opt-out of sale (we do not sell personal data, but we respect opt-out preference signals)
- Right to non-discrimination for exercising privacy rights
8.3 LGPD rights (Brazilian residents) — Article 18
Equivalent to GDPR rights, adapted to Brazilian law, including confirmation, access, correction, anonymization, portability, elimination, information, and revocation of consent.
How to exercise
Email the DPO at suporte@goalfactory.com with subject "Privacy Rights". We respond within 30 days (or 15 days under LGPD). Requests are free. We may request identity verification before processing.
9. Minors
The site is not directed to children under 16 (GDPR threshold) or under 13 (COPPA threshold in the US). We do not knowingly collect data from minors. Parents/guardians who believe a minor provided us data should contact the DPO for immediate deletion.
10. Cookies
We use the following cookie categories:
- Strictly necessary (always on): cart, session, security. Site cannot function without them.
- Functional (opt-in): preferences, language, currency
- Analytics (opt-in): Google Analytics, Hotjar — anonymous aggregated measurement
- Marketing (opt-in): Meta Pixel, Google Ads — remarketing and campaign measurement
How to manage
- On first visit, we show a consent banner for non-essential cookies
- You can revoke consent anytime at "Cookie settings" (footer of the site)
- Cookies can be blocked in browser settings (Chrome, Firefox, Safari, Edge all have options)
11. Security measures
Technical and organizational measures to protect your data:
- TLS 1.3 encryption in transit, AES-256 at rest
- Restricted access (least-privilege principle)
- Access audit logs
- Regular staff training
- Encrypted backups with retention
- Regular penetration tests
- Partners contractually bound to equivalent security standards
12. Data breach notification
In case of an incident that may result in risk or significant harm to data subjects:
- We notify supervisory authorities (ANPD, ICO, CNIL, etc.) within 72 hours of awareness (GDPR requirement)
- We notify affected individuals via email as soon as possible
- We disclose nature of breach, data categories involved, technical measures taken, and potential risks
13. Changes to this policy
This policy may be revised. Material changes will be communicated via email to registered users with 30 days' notice where feasible. The current version is always published at https://mv4a1a-rh.com.br/pages/privacy-policy with the last updated date at the top.
Version history available on request from the DPO.
14. Supervisory authorities
If you believe your rights have been violated and did not receive a satisfactory response from our DPO, you may file a complaint with:
- European Union: your local Data Protection Authority (list at edpb.europa.eu)
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- California (US): Attorney General — oag.ca.gov/privacy
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
15. Contact
- General email: suporte@goalfactory.com
- DPO email: suporte@goalfactory.com
- Phone/WhatsApp: +55 75 99181-8215
- Registered office: address pending formalization
- Business hours: Mon. to Fri., 09:00 to 18:30
---
_This policy is drafted in accordance with GDPR, CCPA, UK GDPR, and LGPD. It does not constitute legal advice._