Prodgy Privacy Policy

Last updated: October 22, 2025.

About Programmers Informática LTDA

PROGRAMMERS INFORMÁTICA LTDA., a private legal entity, headquartered at Avenida Doutor Jose Bonifácio Coutinho Nogueira, nº 150, Sala 38, Térreo, Jardim Madalena, Campinas, SP – CEP: 13091-611, registered under CNPJ nº 00.169.600/0001-88, hereinafter referred to simply as “Programmers” or “Processor”, developer and provider of the Prodgy (“Software”) software, establishes this Privacy Policy to demonstrate its commitment to the security and privacy of information collected from Users.

This policy applies to the Software and related Services, in accordance with the instructions of the Licensee (“Controller”) and with the Brazilian General Data Protection Law (LGPD - Law nº 13.709/2018) and other applicable privacy laws.

I. Definitions

For the purposes of this Privacy Policy, the following definitions apply, in accordance with the Brazilian General Data Protection Law (LGPD - Law nº 13.709/2018):

• Sleeper Agent: malicious behavior of an AI model that is intentionally programmed to be activated only under specific conditions or inputs, making it difficult to detect in normal security testing.

• User: natural person who uses the Software.

• Personal Data: any information related to an identified or identifiable natural person.

• Sensitive Personal Data: personal data about racial or ethnic origin, religious conviction, political opinion, union membership or membership in religious, philosophical or political organizations, data referring to health or sexual life, genetic or biometric data, when linked to a natural person.

• Controller: The roles of Controller and Processor vary according to the Usage Modality, as detailed in the Terms and Conditions of Use. General Rule (SaaS/Self-Hosted): the Licensee is the Controller and Programmers is the Processor. However, in Trial mode, Programmers acts as Controller for research, development and product validation purposes.

• Processor: Programmers, which processes personal data on behalf of the Controller. It is the natural or legal person, under public or private law, that processes personal data on behalf of the controller.

• Anonymization: use of reasonable technical means available at the time of processing, through which data loses the possibility of association, direct or indirect, to an individual.

• Purpose: the specific purpose for which personal data is collected and processed.

• Risky AI Usage: misuse of the Software that constitutes negligent, intentional or malicious conduct and may lead to security vulnerabilities, ethical violations, inadequate access to sensitive data or actions that result in harm.

• Free Trial (“Trial”): version made available for a limited time, exclusively for evaluation purposes, without guarantee of continuity, technical support or data preservation at the end of the usage period.

• Software as a Service (“SaaS”): temporary and non-exclusive usage license, with cloud hosting, recurring payment and comprehensive infrastructure management, maintenance and updates under the responsibility of the Licensor.

• Client Environment Implementation (“Self-Hosted”): corporate license installed on the Licensee’s infrastructure, with greater customization and shared responsibilities regarding security, availability and maintenance.

II. Data We Collect

Privacy Commitment

In strict observance of the principle of non-discrimination and due to adequacy to the Software’s purposes, Programmers does not collect Sensitive Personal Data (Art. 5º, II, of LGPD) from Users.

The types of data collected and processed by Programmers on behalf of the Controller are:

Account Information

• Username
• Corporate email address
• Profile photo (if provided)

This information is provided by the Controller through integrations with authentication providers.

Usage Data

• Access logs
• IP address
• Browser type
• Pages visited
• Resources used
• Date and time of activities

Note

We strive to keep this data in a format not linked to direct identification information, treating it as anonymized data whenever the objective allows.

Device Data

• Device type
• Operating system
• Unique identifiers
• Language settings

This information is collected to optimize the User experience in the Software.

Log Information

• IP address
• Browser type
• Internet service provider
• Referral/exit pages
• Operating system
• Date/time and click data

This information is automatically recorded by our servers and is not linked to other information we collect about the User.

III. Cookie Usage

What are Cookies?

Cookies are small text files stored on the User’s device to improve browsing experience. Cookies can be used to:

• Remember user preferences (language and settings)
• Provide analytics on Software usage
• Optimize platform functionalities

Cookie Management

Users can manage or disable cookies in browser settings, but this may affect Software functionality.

IV. How We Use Data

We use the collected data for the following purposes:

Provide and Improve the Software

• Operate the Software
• Provide Services
• Personalize User experience
• Improve functionality, performance and security

Communication

• Send important communications
• Inform about Software updates
• Share information about new features
• Respond to support requests

Analysis and Research and Continuous Improvement

Tip

We analyze usage trends and interaction behaviors (preferably using anonymized or pseudonymized data) to conduct internal research for the legitimate interest of Software improvement and optimization.

Security and Fraud Prevention

Protection Against AI Threats

We investigate and prevent:

• Data manipulation (Poisoning)
• Malicious Artificial Intelligence behaviors (Sleeper Agent)

This is done through analysis of logs and usage data, falling under the legal basis of Legitimate Interest.

Audit and Compliance

• Use usage data and Logs for monitoring
• Investigate and mitigate Risky AI Usage
• Detect ethical violations or conduct that violates these Terms
• Ensure compliance with data protection legislation

This constitutes legitimate interest and security measure.

V. Data Sharing

We share data with the following entities:

• With the Controller: aggregated and anonymized usage data for reporting and analysis purposes, based on contractual obligation compliance.

• With service providers: data with third-party service providers that assist us in providing Services, such as hosting and data analysis providers, under contractual security and confidentiality obligations.

• For Legal purposes: We will share data if we believe in good faith that disclosure is necessary for compliance with legal or regulatory obligations (Art. 7º, II, LGPD), or for defense and exercise of rights in judicial, administrative or arbitral proceedings (Art. 7º, VI, LGPD); enforce our Terms and Conditions of Use; detect, prevent or address security or fraud issues; respond to support requests; or protect the rights, property or safety of the Licensor, Users and Licensee.

• Marketing: only with explicit User consent, we may send marketing communications about our workspaces and services. Users may cancel receipt of these communications at any time.

At no time will User information be commercialized or transferred to third parties for advertising purposes or other unauthorized uses.

VI. Data Security

We employ robust security measures to protect User data:

Advanced Encryption

• Data in transit: TLS/SSL Protocol
• Data at rest: AES 256 standard or higher

Access Control

• Strict access control
• Limited permissions to authorized users
• Multi-factor authentication when applicable

Data Protection

• Regular backups to ensure integrity
• Constant system monitoring
• Detection and prevention of vulnerabilities

Team Training

• Regular training in information security practices
• Continuous awareness about data protection

Self-Hosted Mode

In Self-Hosted mode, the Licensee/Controller assumes exclusive responsibility for the security of their local infrastructure, including:

• Network environment and operating systems
• Internal access control
• Encryption at rest
• Internal backups

As established in the License Agreement.

VI.A. Security Incident Communication

Incident Response Protocol

In case of a security incident that may pose relevant risk or harm to Users, Programmers, as Processor, commits to:

• Notify immediately (within 24 hours)
• Provide all necessary information
• Facilitate communication to ANPD and data subjects

According to Art. 48 of LGPD.

VII. Data Retention

We will retain User Data for the time necessary to fulfill the purposes described in this Policy, or as required by law or the License Agreement. After this period, data will be securely deleted or anonymized. Data retention criteria are based on collection purpose, legal requirements (e.g., Brazilian Civil Rights Framework for the Internet) and the minimum lifecycle essential for providing the contracted service.

In Trial mode, data will be automatically deleted or anonymized at the end of the trial period, according to the Controller’s retention policy for this mode, with no guarantee of backup or data recovery, as provided in the Terms and Conditions.

VIII. User Rights (Data Subjects)

Exercise Your Rights

Users have the following rights regarding their data, as provided by LGPD:

Confirmation and Access

Right to obtain confirmation that your data is being processed and, if so, access the data and information about the processing.

Correction

Right to correct incomplete, inaccurate or outdated data.

Anonymization, Blocking or Deletion

Right to anonymize, block or delete unnecessary, excessive data or data processed in non-compliance with LGPD.

Portability

Right to receive your data in structured and interoperable format, and to transmit it to another data controller.

Information about Sharing

Right to obtain information about public and private entities with which your data is shared.

Consent Revocation

Right to revoke consent for data processing, when processing is based on consent.

Note

Revocation will not affect the legality of processing performed before revocation.

Opposition

Right to oppose data processing based on legitimate interest, if the processing does not serve your interests or fundamental rights and freedoms.

Review of Automated Decisions

Right to request review of decisions made solely based on automated processing of personal data that affect your interests.

How to Exercise Your Rights

To exercise these rights, Users must contact the Controller.

IX. International Data Transfer

Territorial Protection

We do not perform international transfer of personal data.

Information about platform usage and performance that may eventually be shared with Programmers group companies are:

• Aggregated and anonymized
• Exclusively for improvement purposes of our services
• Do not allow identification of individual users

This sharing does not constitute international transfer of personal data, as defined by LGPD.

X. Changes to this Policy

Policy Updates

We may update this Policy periodically. Changes will be:

• Published on this page
• Notified by email (if significant)
• Highlighted in the Software when relevant

XI. Contact

Contact Channels

For Programmers (Processor) Issues

Data Protection Officer (DPO) Email: privacidade@programmers.com.br

For questions or requests related to Programmers’ obligations as Processor.

To Exercise Your Data Subject Rights

To exercise your rights (access, correction, deletion, etc.), Users must directly contact the Data Protection Officer of the Licensee/Controller, according to their internal policies.

---