Privacy Policy
This Privacy Policy describes how the Cadência mobile application ("Cadência") collects, uses, shares and protects your personal data, in compliance with Brazil's General Data Protection Law (LGPD — Law No. 13,709/2018) and other applicable legislation.
1. Data controller
Josafá Melo de Paulo
São Paulo/SP, Brasil
Contact: contato@cadenciapp.com
The data protection officer (DPO) is currently the founder. Requests related to data subject rights should be sent to the email above.
2. Data we collect
| Category | Data | Legal basis (LGPD) | Source |
|---|---|---|---|
| Identification | Name, email, profile photo, bio | Art. 7, I — Consent | Sign-up or social login |
| Authentication | Apple ID, Google ID, and/or hashed password | Art. 7, V — Performance of contract | Apple Sign In, Google OAuth, email/password |
| Location | Latitude/longitude at the moment of check-in to events | Art. 7, V — Performance of contract | Device GPS (with permission) |
| In-app activity | Groups, events created, RSVPs, attendance, comments | Art. 7, V — Performance of contract | App usage |
| Health and emergency (optional) | Blood type, allergies, medical conditions and emergency contacts, when the user chooses to fill them in | Art. 11, I — Specific consent for sensitive data; Art. 11, II, "e"/"f" — protection of life and health in emergencies | Voluntarily provided by the user |
| Notifications | Push token (APNs/FCM) and delivery preferences | Art. 7, I — Consent | Native opt-in |
| Strava integration (optional) | Access tokens and activity data, when the user connects Strava | Art. 7, I — Explicit consent | Strava API |
| Technical data | App version, device model, OS, error logs | Art. 7, IX — Legitimate interest (security and improvement) | Automatic collection |
Data we do not collect
- Credit card or payment details (in the future, processed directly by the payment provider).
- Browsing history outside the app.
- Biometric data. Health data is only collected when the user voluntarily fills it in the health/emergency section (see table above) or via Strava, if connected.
- Continuous background location (only at the moment of check-in).
3. Processing purposes
- Service operation: account creation, group management, event scheduling, RSVPs, check-ins and comments.
- Communication: sending notifications about events, changes and group messages.
- Attendance validation: using device location only at the moment of check-in to confirm the user is at the meeting point defined by the organizer.
- Security and fraud prevention: identifying misuse, abuse or violations of terms.
- Product improvement: aggregated and anonymous usage analysis (without personal identification).
- Compliance with legal or regulatory obligations.
4. Sharing with third parties
We share data only with vendors strictly necessary for service operation, classified as data processors under the LGPD:
- Supabase Inc. (USA) — database hosting, authentication and file storage. supabase.com/privacy
- Apple Inc. — Sign in with Apple, push notifications (APNs) and distribution via App Store.
- Google LLC — Google OAuth login, push notifications (FCM) and distribution via Google Play.
- Expo / EAS — app update delivery.
- Functional Software, Inc. (Sentry) — automatic capture of error and crash reports for diagnostics and bug fixing, including technical device data and the app state at the moment of the error. Servers in the European Union. sentry.io/privacy
- Strava Inc. — only when the user opts to connect their account. strava.com/legal/privacy
We do not sell your personal data to third parties. We do not share personal data for external advertising purposes.
Sharing health and emergency data with organizers
Health data and emergency contacts are private by default. Only if the user expressly enables the sharing option can the organizer of the groups they belong to view them — solely for the purpose of assistance in emergency situations during events. The user can disable this sharing at any time in the app settings.
International transfer
Part of the data is processed on servers located in the United States (Supabase, Apple, Google). The transfer occurs with the safeguards provided in art. 33 of the LGPD, including standard contractual clauses from the respective vendors.
5. Retention period
- Active account: we retain your data while the account is active.
- Deleted account: identifiable personal data is removed within 30 days, except where there is a legal retention obligation.
- Technical logs: retained for up to 6 months (art. 15 of the Brazilian Internet Civil Framework — Law 12,965/2014).
- Backups: may retain data for up to 90 days after deletion, encrypted, exclusively for disaster recovery.
6. Your rights as a data subject (LGPD art. 18)
You may, at any time, exercise the following rights:
- Confirmation and access — to know what data we hold about you.
- Correction — to update incomplete or outdated data (also available directly in the app, on the Profile screen).
- Anonymization, blocking or deletion of unnecessary data or data processed in non-compliance with the LGPD.
- Portability — to receive your data in a structured format (JSON).
- Deletion of data processed based on consent ("Delete account" button in the app).
- Information about sharing with third parties.
- Revocation of consent at any time — disconnecting Strava, disabling notifications, etc.
- Objection to processing based on legitimate interest.
To exercise any of these rights, send an email to contato@cadenciapp.com. We will respond within 15 days.
7. Security
We adopt reasonable technical and organizational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS) for all communication with our servers.
- Encryption at rest, per the database provider's standard.
- Role-based access control (organizer, member) enforced at the database level (Row-Level Security).
- Authentication tokens with short expiration and automatic renewal.
In case of a security incident posing relevant risk to data subjects, we will notify the ANPD (Brazilian Data Protection Authority) and affected users within the legal deadline.
8. Children and adolescents
Cadência is intended for users aged 18 or older. We do not knowingly collect data from minors. If we identify an account of a minor, it will be removed.
9. Cookies and identifiers
The mobile app does not use browser cookies. We use only:
- Authentication session token (stored locally on the device).
- Installation identifier (generated by Expo) for push notifications.
This website (cadenciapp.com) may use strictly necessary cookies for operation and anonymous visit statistics.
10. Changes to this policy
We may update this Privacy Policy periodically. Material changes will be communicated through the app or by email in advance. The last update date will always appear at the top of this document.
11. Contact and authority
Questions, complaints or requests regarding personal data: contato@cadenciapp.com.
You may also contact the Brazilian Data Protection Authority (ANPD): gov.br/anpd.
← Back to home