Privacy Policy

Last updated: 2026-05-29

This policy explains what personal data GUIMA.AI collects, why, on what legal basis, who we share it with, and the rights you have. It is written to satisfy the Brazilian LGPD (Lei 13.709/2018) and the EU/EEA and UK GDPR for international users. GUIMA.AI is offered in English; this policy is published in English and applies to all users.

Controller & contact

The data controller is DGF Digital Ventures & Consulting Ltda., CNPJ 37.133.574/0001-48, a company headquartered in Brazil that operates the GUIMA.AI platform. For any privacy request — including the data-subject rights below — and to reach the person responsible for data protection (Encarregado / DPO), who is the company's founder, email [email protected]. We aim to respond within 7 business days and, in any case, within the period required by applicable law (LGPD: 15 days for confirmation/access requests).

What we collect, and why

• Email address — captured when you sign in or join a waitlist, and used to deliver one-time sign-in codes / magic links, your purchase confirmation, skill-unlock and refund notices, your certificate, and (if you opt in / do not opt out) re-engagement emails. Legal basis: performance of our contract with you; for re-engagement email, legitimate interest, with one-click unsubscribe in every message.
• Account & progress data — your preferred language, whether you have paid, the date you paid or were refunded, a one-time onboarding choice, and which lessons you have completed. Legal basis: performance of contract (delivering and gating the skills you bought).
• Certificate data — if you complete the course and choose to generate a certificate, we store the full name you type so it can appear on your certificate PDF, on the public verification page (at an opaque, non-guessable URL), and in the optional LinkedIn “add to profile” link. Generating a certificate is optional and you control the name shown. Legal basis: consent / performance of contract.
• Payment metadata — when you buy, Stripe sends us the order ID, amount, currency, billing country, and a Stripe customer ID. We use this for delivery, tax, and refund handling. We never receive or store your full card number. Legal basis: performance of contract and legal/accounting obligations.
• Functional cookie & usage events — a first-party anonymous session identifier (see Cookies below) and server-side funnel events (e.g. page viewed, sign-in attempted, lesson completed, checkout started, paid). For these events your IP address is never stored in raw form — only a salted one-way hash is kept; your browser's user-agent string is truncated; and a strict allow-list blocks any free-form or sensitive field. These events auto-delete on a rolling retention window. Legal basis: legitimate interest in operating, securing, and improving the product.

What the skills themselves collect

The skills you buy run locally inside Claude Code on your own machine. They do not send us telemetry or phone home on their own. When you actively sign in or mark progress from inside a skill, it contacts our API with the same data described above (your email/code and, for the course, the lesson you completed). Your use of Claude Code itself is governed by Anthropic's own terms and privacy policy, which we do not control.

Cookies, analytics & consent

We use a small number of strictly necessary, first-party cookies to run the site: an anonymous session id set on your first visit (used to tie together pre-sign-in funnel events; ~1 year), a sign-in session cookie set after you authenticate (~90 days), and a scoped admin cookie used only on the founder dashboard. These are required for the site and sign-in to work and do not require consent.

We are introducing optional analytics via Google Tag Manager and Google Analytics 4 to understand how the GUIMA.AI pages perform. Analytics and any non-essential cookies load only after you consent through our cookie banner. You can change or withdraw your choice at any time via the banner / cookie settings link. Analytics data may be processed by Google outside Brazil and the EU/EEA (see International transfers). If you decline, the site and your access to the skills you bought continue to work normally.

Who we share data with (subprocessors)

• Stripe — payment processing.
• Resend — transactional and re-engagement email delivery.
• Cloudflare — DNS and edge / CDN.
• Google (Tag Manager & Analytics 4) — optional, consent-gated analytics.
• DigitalOcean — application hosting (New York, United States).
• MongoDB Atlas — managed database, hosted on AWS in Virginia, United States. Stores your account, progress, and event data.

We do not sell your personal data, and we do not use it for advertising profiling.

International data transfers

GUIMA.AI is operated from Brazil by DGF Digital Ventures & Consulting Ltda., but the application itself runs on servers in the United States: it is hosted on DigitalOcean in New York, and your account, progress, and event data are stored in MongoDB Atlas on AWS in Virginia. Several of the other providers above (Stripe, Resend, Cloudflare, Google) likewise process data outside your country, including in the United States and the EU. This means your personal data is transferred internationally as a normal part of using GUIMA.AI.

For Brazilian users, these international transfers are made on the legal bases permitted by LGPD art. 33 — including transfers necessary for the performance of our contract with you and transfers to providers bound by contractual clauses that guarantee an adequate level of data protection. For EU/EEA and UK users, transfers outside the EU/EEA or UK are made under Chapter V of the GDPR — relying on the providers' Standard Contractual Clauses and equivalent safeguards, and, where applicable, on the transfer being necessary to perform our contract with you. You may request more information about these safeguards using the contact above.

How long we keep it

We keep your account, purchase, and progress data for as long as you have access to the skills you bought and as required for tax and accounting obligations afterwards. Funnel/usage events auto-expire on a rolling retention window (currently around 90 days). When you ask us to delete your data, we honor it subject to any record we must legally retain (e.g. proof of a sale for tax purposes).

Your rights

Under LGPD art. 18 and the GDPR you can request: confirmation that we process your data and access to it; correction of incomplete or inaccurate data; anonymization, blocking, or deletion of unnecessary or excessive data; portability (a copy of your data); information about whom we have shared it with; and the withdrawal of consent (including analytics cookies). You may also object to processing based on legitimate interest, and you have the right to lodge a complaint with your data-protection authority — in Brazil, the ANPD; in the EU/EEA, your local supervisory authority. To exercise any right, email [email protected]. We may ask you to confirm control of your account email before acting.

Children

GUIMA.AI is intended for adults and is not directed to children. We do not knowingly collect data from anyone under the age of 18.

Changes

We may update this policy; the “Last updated” date above reflects the current version.