Talkwcarina

Privacy Policy

Last updated: April 22, 2026

BuenOps operates the Talkwcarina platform, an online video-based English learning service for Brazilian adults. This Privacy Policy explains how we collect, use, share, and protect your personal data in compliance with Brazil's Lei Geral de Proteção de Dados Pessoais (Law 13.709/2018, the "LGPD"), the Marco Civil da Internet (Law 12.965/2014), and the Brazilian Consumer Protection Code (Law 8.078/1990). By using Talkwcarina, you agree to the practices described below. The Portuguese-language version of this Policy is the binding version in case of any conflict.

1. Introduction

Talkwcarina is operated by BuenOps ("we", "our", "controller"), a Brazilian legal entity registered under CNPJ 64.923.100/0001-72, headquartered at Av. Nova Independência, 651, Brooklin Paulista, São Paulo/SP, CEP 04.570-001.

For the purposes of this Policy, BuenOps acts as the data controller of the personal data of users of Talkwcarina, under Article 5, VI, of the LGPD.

This Policy becomes effective on the date shown above and applies to all visitors and users of Talkwcarina. Privacy questions can be sent to contact@buenops.net.

2. Definitions

For clarity, we follow LGPD definitions:

  • Data subject: the natural person to whom the personal data refers (you).
  • Controller: the legal entity that makes decisions about the processing of personal data (BuenOps).
  • Processor: the legal entity that processes data on behalf of the controller (our subprocessors, listed in Section 5).
  • Personal data: any information relating to an identified or identifiable natural person.
  • Sensitive personal data: data on racial or ethnic origin, religious belief, political opinion, union membership, health, sexual life, genetic or biometric data. Talkwcarina does not collect sensitive personal data.
  • Processing: any operation performed on personal data, such as collection, storage, use, sharing, or deletion.
  • Consent: a free, informed, and unambiguous statement by which you agree to the processing of your personal data for a specified purpose.
  • ANPD: the Brazilian National Data Protection Authority, responsible for enforcing the LGPD.

3. What data we collect

3.1. Account data

  • Full name
  • Email address
  • Password (stored only as a cryptographic hash — never in plain text)
  • Profile photo (optional, provided by you)
  • Date of birth (used only to confirm legal age — see Section 11)

3.2. Third-party authentication data

If you sign in using "Sign in with Google", we collect only: name, email, and public profile picture from your Google account. We do not access other resources of your Google account such as contacts, calendar, or email. Authentication is brokered by Amazon Cognito, and the requested scopes are limited to "openid", "email", and "profile".

3.3. Payment data

Payments are processed entirely by Stripe, our payment subprocessor. We do not store card numbers, security codes (CVV), card PINs, or equivalent data on our servers.

From Stripe we receive only the metadata needed to manage your subscription: internal subscription identifier, status (active, trialing, canceled), last 4 digits of the card, card brand, and expiration date.

3.4. Platform usage data

  • Lessons watched, progress, and viewing time for each video
  • Device and browser used (device type, operating system, browser version)
  • IP address, masked after 6 months for statistical purposes
  • Date and time of platform access
  • Pages visited and interactions within the platform

3.5. Cookies and similar technologies

We use essential, functional, and analytics cookies. Details on each category and how to manage them are in Section 10.

4. Processing purposes and legal bases

We process your data only for specific, legitimate, and disclosed purposes, supported by one of the legal bases in Article 7 of the LGPD:

DataPurposeLegal basis (LGPD Art. 7)
Account dataCreate and maintain your account, authenticate access, deliver the platformV — contract performance
EmailAccount, support, billing, and security notificationsV — contract performance
Google authentication dataAuthenticate via OAuth when you choose this methodV — contract performance
Payment dataProcess subscriptions, charge recurring fees, issue invoicesV — contract performance; VI — legal obligation (tax)
Usage and progress dataOperate the product, track learning progress, recommend next lessonsV — contract performance; IX — legitimate interest (service improvement)
IP address and access logsFraud prevention, security, compliance with Marco CivilVI — legal obligation (Marco Civil, Art. 15); IX — legitimate interest
Analytics cookiesUnderstand aggregated usage to improve the serviceI — consent
Marketing emails (opt-in)Newsletter and educational content when you opt inI — consent (revocable at any time)

We do not use your data for automated decisions that significantly affect your interests (LGPD Art. 20).

5. Sharing data with third parties

To operate Talkwcarina, we need to share some data with subprocessors (processors under the LGPD). Each one is contractually required to adopt adequate security measures and to process data only within the agreed purpose:

PartnerPurposeCountry of processingSafeguard
Amazon Web Services (AWS)Hosting, database, video storage, CDN deliveryBrazil (sa-east-1, São Paulo) with backup/CDN possibly involving other regionsContractual clauses, AWS DPA, ISO 27001, ISO 27701, SOC 2 certifications
Stripe, Inc.Payment processing and subscription managementUnited States (with regional subprocessors)Contractual clauses, PCI-DSS Level 1 certification
Google LLCSocial login (OAuth 2.0) when you use Sign in with GoogleUnited StatesContractual clauses, ISO 27001 and SOC 2 certifications
Amazon Simple Email Service (SES)Transactional email (welcome, password reset, notices)Brazil/United States (under AWS contract)Covered by the AWS DPA

We do not sell, rent, or lease your personal data to third parties for their marketing. Beyond the subprocessors above, we share data only:

  • Upon a court order, subpoena, or legal obligation;
  • In case of corporate restructuring, merger, or acquisition involving BuenOps, with prior notice to you;
  • With your specific and informed consent.

6. International data transfer

Some subprocessors (notably Stripe and Google) process data outside Brazil, including in the United States. For each international transfer, we adopt at least one of the safeguards in Article 33 of the LGPD:

  • Specific contractual clauses with obligations compatible with the LGPD (Art. 33, II);
  • Verification that the destination country or international body offers an adequate level of protection (Art. 33, I);
  • Risk assessment and complementary technical measures (encryption, data minimization).

The primary AWS region is sa-east-1 (São Paulo, Brazil). Transfers to other regions happen only in secondary operations such as backup, redundancy, and CDN content delivery (CloudFront).

7. Data retention

We keep your personal data only as long as necessary for the purposes for which it was collected, or for the period required by law:

CategoryRetention periodBasis
Active-account dataWhile your account is activeContract performance
Data after account closureDeleted within 30 days of the closure request, except for items belowData subject request (LGPD Art. 18, VI)
Tax and financial records (invoices, payments)5 years after the end of the contractual relationshipBrazilian tax law
Application access logs (IP, date/time)6 monthsMarco Civil da Internet, Art. 15
Security and fraud-prevention logs6 monthsLegitimate interest; Marco Civil, Art. 15
Anonymized or aggregated dataIndefiniteNon-identifiable data (LGPD Art. 12)
Operational backupsRotated within 90 daysSecurity and business continuity

After the applicable period, data is irreversibly deleted or anonymized.

8. Data subject rights

The LGPD (Art. 18) grants you the following rights as the data subject:

  1. Confirmation of whether we process your data;
  2. Access to the personal data we hold about you;
  3. Correction of incomplete, inaccurate, or outdated data;
  4. Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;
  5. Portability to another service provider, subject to trade and industrial secrets;
  6. Deletion of personal data processed based on your consent;
  7. Information about the public and private entities with which we share your data;
  8. Information about the option not to give consent and the consequences of refusal;
  9. Withdrawal of consent, when that is the legal basis for processing;
  10. Opposition to processing carried out in breach of the LGPD.

To exercise any of these rights, email contact@buenops.net from the address registered in your account, describing your request. We will reply within 15 calendar days of receipt. For security, we may request additional information to confirm your identity before executing the request.

You can also exercise the right of deletion directly through the Delete data and Delete account pages, without emailing us.

9. Information security

We apply reasonable technical and organizational measures to protect your data against unauthorized access, destruction, loss, alteration, or undue disclosure, in line with LGPD Articles 46-49:

  • Encryption in transit (TLS 1.2 or higher) for all communication with the platform;
  • Encryption at rest for data stored in databases and storage, using AWS KMS;
  • Passwords stored only as cryptographic hashes, never in plain text;
  • Role-based access control (RBAC). Staff access only the data required for their role;
  • Audit logs on sensitive operations;
  • Incident response plan with notification to the ANPD and affected data subjects within legal timelines in case of a relevant incident (LGPD Art. 48);
  • Periodic review of permissions, credentials, and software dependencies.

Although we apply these measures, no system is 100% secure. If you suspect unauthorized access to your account, contact us immediately at contact@buenops.net.

10. Cookies and similar technologies

We use cookies — small files stored in your browser — to operate the platform and to improve it. We work with three categories:

TypePurposeLegal basisCan refuse?
EssentialKeep an authenticated session, CSRF protection, language preferenceContract performanceNo — disabling breaks the service
FunctionalTheme (light/dark), last watched lesson, layout preferencesLegitimate interestYes, through browser settings
AnalyticsAggregated usage (pages visited, time on lesson) to improve the serviceConsentYes, through the cookie banner shown on first visit

You can also manage cookies via your browser settings (Chrome, Firefox, Safari, Edge). Disabling essential cookies will prevent the platform from functioning properly.

11. Children and adolescents

Talkwcarina is intended for users 18 years of age or older. When registering, you declare that you are 18 or older. Under LGPD Art. 14:

  • If we identify an account belonging to a child (under 12), the account will be suspended immediately and the data deleted, except for the minimum required to process a deletion request. Any further processing requires specific, prominent consent from at least one parent or legal guardian and must be in the best interests of the child.
  • If we identify an account belonging to an adolescent (ages 12-17), the account will be suspended and reactivation depends on formal authorization by a parent or legal guardian.

If you are a parent or legal guardian and suspect that a minor in your care has created an account on Talkwcarina without authorization, email contact@buenops.net with the details so we can act on it.

12. Data Protection Officer (DPO)

Pursuant to LGPD Art. 41, we have appointed a Data Protection Officer:

  • Name: Renan Bueno
  • Email: renan.bueno@buenops.net

The DPO is responsible for receiving complaints and communications from data subjects, handling communications from the ANPD, and advising BuenOps staff on data protection best practices.

13. Changes to this Policy

We may update this Policy to reflect legal, technical, or product changes. For material changes (those that substantively affect your rights or the purposes of processing), we will:

  1. Notify active users by email at least 15 calendar days in advance;
  2. Display a notice on the platform on the next authenticated access after the change takes effect;
  3. Update the "Last updated" date at the top of this page.

If you disagree with the changes, you may request account closure before the new version takes effect.

14. Contact

For any question, request, or complaint about this Privacy Policy, the official channels are:

  • Privacy and LGPD: contact@buenops.net
  • Data Protection Officer (DPO): renan.bueno@buenops.net
  • Security incidents: contact@buenops.net
  • Commercial contact: contact@buenops.net
  • Postal address: Av. Nova Independência, 651, Brooklin Paulista, São Paulo/SP, CEP 04.570-001

We reply within 15 calendar days of receipt.

15. National Data Protection Authority (ANPD)

You may also file a complaint with the Brazilian National Data Protection Authority (ANPD), the body responsible for enforcing the LGPD.

  • Official site: https://www.gov.br/anpd

Before contacting the ANPD, we suggest reaching us directly through the channels above — we will be glad to resolve your request.