Skip to content
bbossaot
CoursesAboutContact
Sign inSign up

Legal document

Privacy Policy

This is a draft — the final version is pending legal review.

Last updated: 27 May 2026

Contents

  1. 01Who we are
  2. 02Data we collect
  3. 03How we use your data
  4. 04Sharing
  5. 05Cookies
  6. 06Your rights (LGPD / GDPR)
  7. 07Retention
  8. 08Security
  9. 09Data Protection Officer
  10. 10Changes to this policy

This policy describes how bossaot handles your personal data when you use the platform. We're committed to collecting only what's necessary, being transparent about every use, and respecting your rights.

1. Who we are

bossaot is an online course platform operated by Bossa, an agency headquartered in São Paulo, Brazil. We act as the controller of personal data collected on the platform.

2. Data we collect

We collect only what we need to operate the platform: name, email, preferred language, usage data (courses visited, progress, notes), and optionally a profile photo. We don't collect sensitive data (health, political opinion, religion, sexual orientation).

3. How we use your data

We use your data to authenticate access, track progress, issue certificates, improve the platform, and — with your explicit consent — send the editorial newsletter. We don't sell your data.

4. Sharing

We share data strictly with providers that run the platform (Supabase for database and authentication, Cloudinary for images, Resend for transactional email, Vercel for hosting). All under data processing agreements.

5. Cookies

We use strictly necessary cookies (authentication session, language preference, theme choice). No marketing or third-party tracking cookies. Aggregate analytics come from Vercel Analytics, without personal identification.

6. Your rights (LGPD / GDPR)

You can request access, correction, export, or deletion of your data at any time. To exercise these rights, write to privacidade@bossaot.com. We respond within 15 days.

7. Retention

We keep your data while your account is active. After a deletion request, personal data is removed within 30 days, except when we must retain it by legal obligation (audit logs).

8. Security

We use TLS in transit, encryption at rest, Row Level Security in the database, Argon2 password hashing, and continuous auditing. Full technical details are available under NDA for B2B clients.

9. Data Protection Officer

Data Protection Officer (DPO): dpo@bossaot.com. You can also contact your national data protection authority if you believe your rights weren't respected.

10. Changes to this policy

We may update this policy. When that happens, we'll notify account holders by email and update the date at the top of this document.

bbossaot

Online training in destinations and travel products. For travel industry professionals.

Editorial newsletter

One email a month with new courses, reads, and behind-the-scenes notes. No noise, no upsell.

By subscribing, you agree to receive emails from bossaot and to our Privacy Policy. ↗

Platform

  • Catalog
  • Categories
  • For organizations

Bossa

  • About
  • Contact
  • Blog

Legal

  • Terms of Service
  • Privacy
  • Cookies

© 2026 bossaot · made by Bossa in São Paulo

·Sign in