
Privacy Policy (LGPD & GDPR-aligned)

How TaxUp collects, uses, stores and protects personal data — in compliance with the Brazilian General Data Protection Law (Law 13,709/2018, "LGPD") and aligned with the European Union General Data Protection Regulation (Regulation 2016/679, "GDPR") for European clients.

Overview

TaxUp Consultoria Tributária Ltda ("TaxUp") is committed to protecting personal data collected from clients, prospects, website visitors and any individual whose data is processed in the course of providing tax consulting services.

This Privacy Policy describes the personal data we collect, the purposes of processing, the legal basis under LGPD and GDPR, how we protect that data, with whom we share it, and the rights of data subjects under both regulations.

By using our website (taxup.com.br) or engaging our services, you acknowledge that you have read and understood this Privacy Policy. For the Portuguese-language version (canonical for Brazilian regulatory compliance), see Política de Privacidade.

Who we are (Data Controller)

  • Entity: Taxup Consultoria Ltda
  • CNPJ (Brazilian taxpayer ID): 58.268.857/0001-77
  • Headquarters: Rua Sader Macul, 96, Itaim Bibi, São Paulo/SP · 04542-090 · Brazil
  • Contact (general): contact@taxup.com.br
  • Contact (privacy / DPO): privacy@taxup.com.br

For EU clients: TaxUp does not have an EU establishment; however, we comply with applicable extraterritorial GDPR requirements when offering services to data subjects within the European Union or monitoring their behavior in the EU.

Personal data we collect

We collect personal data through three main channels:

Direct from the data subject

  • Name, professional title, role/position;
  • Email address (corporate and personal when provided);
  • Phone number (mobile, fixed, WhatsApp);
  • Company name, CNPJ, sector, size;
  • Tax-relevant information voluntarily shared during diagnostic or engagement (regime, revenue range, exposures, pending matters);
  • Communication content (email, messages, meeting transcripts when applicable and consented).

Automatically (via website)

  • IP address, browser type, device, operating system;
  • Pages visited, time spent, navigation pattern;
  • Referrer (where the visitor came from);
  • Cookies (see Cookies section below).

From third parties (when applicable)

  • Public business databases (Brazilian Federal Revenue, corporate registries, Junta Comercial);
  • Publicly available professional information (LinkedIn, company websites);
  • Information provided by referrers or partners with appropriate legal basis.

Purposes and legal basis

We process personal data for specific purposes, each grounded in a legal basis under LGPD (Article 7) and GDPR (Article 6):

1. Service provision (execution of contract)

Legal basis: LGPD Article 7, V (execution of contract or preliminary procedures relating to contract); GDPR Article 6(1)(b). Used to provide tax consulting services, draft opinions, file appeals and applications, and communicate progress.

2. Free diagnostic and pre-contract analysis

Legal basis: LGPD Article 7, V; GDPR Article 6(1)(b). Used to assess the fit and scope of a potential engagement before a formal contract.

3. Legitimate interest

Legal basis: LGPD Article 7, IX; GDPR Article 6(1)(f). Used for: business development, marketing communications to existing clients about related services, security and fraud prevention, internal analytics for service improvement. Subject to a balancing test against data subject rights.

4. Consent

Legal basis: LGPD Article 7, I; GDPR Article 6(1)(a). Used for: optional newsletter subscription, marketing to non-clients, optional cookies. Consent can be withdrawn at any time.

5. Legal obligation

Legal basis: LGPD Article 7, II; GDPR Article 6(1)(c). Used to comply with applicable laws: tax authority requirements (RFB, PGFN), regulatory inspection support, court orders, audit retention requirements.

Data sharing and international transfers

We do not sell personal data. We share personal data only when necessary and with specific legal basis:

  • Sub-processors / service providers — email systems (Google Workspace), document management, CRM platforms, secure file transfer services — all under data processing agreements with appropriate safeguards;
  • Public authorities — when required by law or court order (Federal Revenue, PGFN, judicial subpoena);
  • Professional partners — when engaging foreign law firms or auditors for cross-border matters, with explicit client consent and confidentiality undertaking;
  • Successors — in the event of corporate restructuring, merger or acquisition, with notice to data subjects.

International transfers

When transferring personal data to countries outside Brazil (typically for cloud-based services with US or EU servers), we apply LGPD Article 33 safeguards (countries with an adequate level of protection, contractual clauses, binding corporate rules, or specific consent). For EU data subjects, we apply GDPR Chapter V requirements, including Standard Contractual Clauses (SCCs) where applicable.

Retention periods

  • Active client data — retained during the engagement and for additional periods required by applicable law (tax-related: 5 years from end of fiscal year, per CTN Article 173);
  • Diagnostic-only data (no engagement) — retained for 2 years for follow-up opportunities, then deleted unless specific consent is given for longer retention;
  • Marketing contact lists — retained until consent withdrawal or 3 years of inactivity;
  • Website analytics — typically 26 months (Google Analytics standard);
  • Legal hold — data subject to active legal proceedings is retained until the matter is resolved.

Your rights as a data subject

Under LGPD (Article 18) and GDPR (Articles 15-22), data subjects have the following rights:

  • Access — request confirmation of processing and access to your personal data;
  • Rectification — request correction of inaccurate or incomplete data;
  • Deletion ("right to be forgotten") — request deletion of data, subject to legal retention exceptions;
  • Portability — request a copy of data in commonly used machine-readable format;
  • Restriction — request limitation of processing in specific circumstances;
  • Objection — object to processing based on legitimate interest;
  • Consent withdrawal — withdraw consent at any time without affecting prior lawful processing;
  • Information — receive information about with whom data is shared, the processing purposes and the retention periods;
  • Lodge a complaint — with the Brazilian National Data Protection Authority (ANPD) or the relevant EU supervisory authority.

To exercise any of these rights, contact privacy@taxup.com.br. We respond within 15 days (LGPD timeline) or one month (GDPR timeline), whichever applies.

Security measures

We adopt technical and organizational measures appropriate to the risk, including:

  • Access control to systems and physical documents (need-to-know basis);
  • Encryption in transit (TLS 1.3 minimum) and at rest for sensitive data;
  • Strong authentication (multi-factor authentication for internal systems);
  • Regular security training for staff;
  • Incident response procedure with notification within 72 hours when applicable (GDPR Article 33; ANPD guidance for LGPD);
  • Confidentiality undertaking signed by all staff and external collaborators;
  • Regular review of security measures and vulnerability assessment.

Cookies and similar technologies

The website uses cookies for:

  • Strictly necessary cookies — required for site functionality (session management). Cannot be disabled;
  • Analytics cookies — Google Analytics to understand site usage. Subject to consent;
  • Functional cookies — to remember preferences (language, accessibility settings). Subject to consent.

We do not use advertising cookies. The cookie banner allows granular consent management.

Changes to this policy

This Privacy Policy may be updated to reflect changes in our practices, legal requirements or services offered. Material changes are notified to active clients by email. The "last updated" date is shown at the bottom of the page. Historical versions are available upon request.

Last updated: May 16, 2026.

Privacy questions

Does TaxUp comply with GDPR for European clients?

Yes. While TaxUp is a Brazilian company subject primarily to LGPD, we comply with extraterritorial GDPR requirements when offering services to EU data subjects. International transfers are protected by Standard Contractual Clauses (SCCs) where applicable, and EU data subjects can exercise all GDPR rights (access, rectification, deletion, portability, objection, complaint to supervisory authority).

How long is client data retained?

Active client data is retained during the engagement and for additional periods required by Brazilian tax law (5 years from end of fiscal year per CTN Article 173). Diagnostic-only data (where no engagement followed) is retained for 2 years. Marketing contacts are retained until consent withdrawal or 3 years of inactivity.

Can I request deletion of my data?

Yes, you can request deletion at any time by emailing privacy@taxup.com.br. Deletion is subject to legal exceptions — data required by tax law retention (CTN Article 173) cannot be deleted before the legal period expires. You can also request restriction of processing, which limits use while retaining the data.

Where is my data stored?

Primary storage is in Brazil (TaxUp internal systems and Brazilian cloud providers). Email and collaboration tools use Google Workspace with data centers in multiple jurisdictions including the United States. International transfers are protected by appropriate safeguards. Specific data location details for a given engagement can be provided upon request.

Who can I contact about privacy concerns?

Email privacy@taxup.com.br for any privacy-related inquiry, request, or concern. We respond within 15 days (LGPD) or one month (GDPR), whichever applies to your situation. You also have the right to file complaints directly with the Brazilian National Data Protection Authority (ANPD — www.gov.br/anpd) or your local EU supervisory authority.