Qonclor Privacy and Personal Data Protection Policy

Last updated: May 15, 2026

Preamble and initial considerations

This Privacy and Personal Data Protection Policy («Privacy Policy» or «Policy») sets forth the terms, conditions, guidelines, practices, procedures, and commitments of Qonclor («Qonclor», «we», «our», «us», «controller» or «data processing responsible party», as applicable), the brand under which services are operated at qonclor.com and related domains, with respect to the collection, processing, use, storage, protection, sharing, transfer, retention, and deletion of personal data and information of data subjects («Data Subject», «you», «your», «yours» or «data subject») who interact with the institutional website, the administrative dashboard, Qonclor contact channels, or whose data are processed through the infrastructure platform for identity verification, trust decisioning, and compliance («Platform» or «Services»). Commercial operation is carried out by Clervix Inova Simples (I.S.) (CNPJ 63.252.137/0001-53), as set forth in the Terms of use.

This Policy was prepared in compliance with the Brazilian General Personal Data Protection Law (Law No. 13,709/2018 — «LGPD»), the Brazilian Internet Civil Rights Framework (Law No. 12,965/2014), the Brazilian Consumer Defense Code (Law No. 8,078/1990), when applicable, and other legislation, regulations, rules, and good practices applicable to personal data protection and privacy in Brazil.

By accessing, browsing, using the website, submitting contact forms, registering on the administrative dashboard, or otherwise interacting with Qonclor in contexts in which we act as controller, you declare that you have read and understood this Policy. Use of the Services in which we act as processor on behalf of client companies is additionally governed by the privacy notices and contracts of the respective controller.

Qonclor is committed to protecting the privacy, confidentiality, and security of personal data, implementing technical, organizational, and legal measures proportionate to the risk to ensure adequate processing in compliance with applicable legislation.

Privacy channel: [email protected].

1. Definitions and interpretation

For the purposes of this Policy, the definitions of the LGPD apply and, complementarily, the following:

1.1. Personal data: any information relating to an identified or identifiable natural person, including, but not limited to, name, email, telephone, professional identifiers, IP address, access logs, usage data, and other information that allows direct or indirect identification.

1.2. Sensitive personal data: data concerning racial or ethnic origin, religious belief, political opinion, trade union membership, health or sex life data, genetic data, or biometric data, when linked to a natural person, within the meaning of the LGPD.

1.3. Processing: any operation carried out with personal data, including collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction.

1.4. Data subject: the natural person to whom the personal data subject to processing refer.

1.5. Controller: the natural or legal person responsible for decisions concerning the processing of personal data. In the contexts of Sections 4.1 and 4.2 of this Policy, Qonclor is the controller.

1.6. Processor: the natural or legal person that processes personal data on behalf of the controller. In the contexts of Section 4.3, as a rule Qonclor acts as processor on behalf of the client company.

1.7. Data Protection Officer (DPO): the person designated to act as a communication channel between the controller, data subjects, and the Brazilian National Data Protection Authority (ANPD).

1.8. Consent: free, informed, and unambiguous manifestation by which the data subject agrees to the processing of their personal data for a determined purpose.

1.9. Legal basis: the ground that authorizes the processing of personal data under Articles 7 and 11 of the LGPD.

2. Scope, identification, and roles in processing

2.1. Qonclor is B2B infrastructure for identity verification, trust decisioning, and compliance, aimed at companies operating regulated digital environments.

2.2. This Policy covers the processing of personal data when you:

  • (i) browse the Qonclor institutional website;
  • (ii) submit a demonstration or commercial contact request;
  • (iii) use the administrative dashboard as a representative of a client company; or
  • (iv) have data processed through the Platform on behalf of a client company (for example, in identity or age verification flows).

2.3. Controller: for processing under Sections 4.1 and 4.2, Qonclor acts as controller, within the meaning of the LGPD.

2.4. Processor: for processing under Section 4.3, as a rule Qonclor acts as processor, in accordance with documented instructions from the client company (controller), under Articles 5, VII and VIII, and 39 through 42 of the LGPD.

2.5. If in doubt about processing in a product integrated by a client, also consult the privacy notice of the platform you used.

3. Principles governing processing

We observe the principles of Article 6 of the LGPD, in particular: purpose; adequacy; necessity, with minimization; free access and transparency; security and prevention; non-discrimination; and accountability and demonstration of compliance.

4. Information collected and categories of personal data

4.1. Website visitors and demonstration requesters

4.1.1. Identification and contact data: full name, corporate email, telephone, job title, and other data voluntarily provided in forms.

4.1.2. Business data: legal name or company name, website, and information related to the commercial request.

4.1.3. Request data: estimated verification volume, area of interest, free-text message, and other information useful to qualify the contact.

4.1.4. Technical data: IP address, browser identification (user agent), and information automatically generated when submitting forms.

4.1.5. Access logs (Brazilian Internet Civil Rights Framework): IP address with date and time of access to the website and applications, collected automatically for compliance with Law No. 12,965/2014 and application security.

4.1.6. Communications with Qonclor: content of emails, support messages, or commercial contact; metadata such as date, time, and IP address of the communication.

4.1.7. Consent record: express acceptance when submitting the contact form, when required.

4.1.8. Anti-abuse verification data: token or identifiers generated by anti-abuse verification mechanisms when submitting the form, provided by a specialized provider.

The contact form requires specific consent for processing the information provided for the purpose of responding to the request.

4.2. Representatives of client companies (dashboard and contract)

4.2.1. Company data: trade name, legal name, tax identification document (CNPJ or equivalent), and registration information necessary for contracting.

4.2.2. User data: first name, last name, email, and relationship with the company (role, profile, or function).

4.2.3. Access and authentication data: sessions, access tokens, and revocation records on logout.

4.2.4. Technical credentials: API keys and cryptographic authentication material of the company (as a rule, they do not constitute personal data of the data subject verified in identity flows, but require rigorous protection).

4.2.5. Invitations and members: pending invitations, team participation, and access management on the Platform.

4.3. Data subjects verified via the Platform (clients’ end users)

When a client company integrates Qonclor to verify identity, age, or risk, we may process data on behalf of the controller, in accordance with contracted operations:

4.3.1. Identifiers: CPF or equivalents.

4.3.2. Biometric and image data: facial image for biometric verification, estimated age range, and related data — sensitive data when linked to the person.

4.3.3. Document data: front and back of an identity document, when enabled — may include sensitive data.

4.3.4. Verification metadata: request status, confidence score, risk level, estimated age range, and other structured outputs.

4.3.5. Compliance evidence: opaque audit identifier, retention policy associated with the decision, and records for regulatory traceability.

4.3.6. Client references: reference identifiers and metadata sent by the controller, whose content is their responsibility.

4.3.7. Irreversible cryptographic references: fingerprints derived from verification evidence, without retaining the corresponding raw content when the retention policy so provides — minimization mechanism.

4.3.8. Technical processing records: request identifiers, latency, operational cost, and aggregated technical responses, which may contain limited metadata.

Qonclor is not intended, on the institutional website, for a child audience. In age verification flows, processing occurs on behalf of the client controller, who must ensure legal bases and transparency, including Article 14 of the LGPD and legislation on the protection of minors in digital environments.

4.4. Data we do not request on the institutional website

We do not require, on the institutional form, data from end data subjects of verification. Such data are sent by clients’ integrated systems, under each controller’s contractual and regulatory responsibility.

4.5. Verified data subjects: when Qonclor is processor

If you underwent identity, age, or risk verification in a client company’s application, website, or service, as a rule:

  • (i) the client company is the controller of your data;
  • (ii) Qonclor is the processor, processing data in accordance with contractual instructions;
  • (iii) the priority privacy notice is that of the platform you used;
  • (iv) to exercise rights, contact the controller or [email protected] — we may forward your request to the controller;
  • (v) biometric and document data are sensitive; the controller must observe Article 11 of the LGPD.

4.6. Aggregated and anonymized data

We may process aggregated, anonymized, or irreversibly de-identified data that do not allow identification of the data subject, for operational analysis, security, and improvement of the Services, within the limits of the LGPD.

5. How information is collected

5.1. Direct provision: forms, dashboard registration, contracts, and communications with our team.

5.2. Client companies: requests to the Platform, configured integrations, and documented instructions from the controller.

5.3. Automatic collection: technical logs, IP address, access logs, and device or browser information when necessary for security or website operation.

5.4. Providers and partners: identity verification results orchestrated through contracted partners, exclusively for authorized purposes.

5.5. Cookies and similar technologies: in accordance with Section 15 and the Cookie Policy.

6. Purposes and legal bases for processing

We process data on the grounds of Articles 7 and 11 of the LGPD. When we are controller, the purposes below apply. In Section 4.3, legal bases are as a rule defined by the client controller.

6.1. Respond to demonstration and commercial contact requests — data under Section 4.1. Legal basis: consent (Art. 7, I) and/or legitimate interest (Art. 7, IX).

6.2. Send receipt confirmation — email, name. Legal basis: consent or preliminary procedures at the data subject’s request (Art. 7, V).

6.3. Prevent abuse and fraud on the website — IP, anti-abuse verification token. Legal basis: legitimate interest (Art. 7, IX) and protection of security, when applicable.

6.4. Register, authenticate, and provide contracted Services — Section 4.2. Legal basis: performance of contract (Art. 7, V) and preliminary procedures.

6.5. Comply with legal and regulatory obligations — as required. Legal basis: legal or regulatory obligation (Art. 7, II).

6.6. Maintain access logs (Brazilian Internet Civil Rights Framework) — Section 4.1.5. Legal basis: legal obligation (Art. 7, II), Law No. 12,965/2014.

6.7. Exercise rights in judicial, administrative, or arbitral proceedings — as necessary. Legal basis: regular exercise of rights (Art. 7, VI).

6.8. Improve Platform security and operation — technical logs, aggregated metrics. Legal basis: legitimate interest (Art. 7, IX), with safeguards.

6.9. Corporate transactions, investments, and due diligence — Sections 4.1 and 4.2, when applicable. Legal basis: legitimate interest or regular exercise of rights, for merger, acquisition, investment, or reorganization involving Qonclor.

6.10. Compatible exceptional purposes: in exceptional situations, we may use data for purposes not listed when compatible with the original purposes, respecting legitimate expectations and the LGPD. An incompatible purpose requires authorization or a new legal basis.

6.11. Sensitive data in verification (Section 4.3): the controller must indicate a ground under Article 11 (for example, specific consent, legal obligation, or fraud prevention, when applicable). Qonclor limits processing to what is necessary for contracted operations.

7. Sharing of personal data with third parties

We may share data in the cases below, with contracts and safeguards compatible with the LGPD:

7.1. Client companies (controllers): return of structured verification and decision results, in accordance with the contracted integration.

7.2. Infrastructure providers and partners: hosting, cloud processing, identity and biometric verification, email communication, anti-abuse verification, and other services strictly necessary for operation.

7.3. Auxiliary service providers: technical support, audit, legal or accounting advisory, under confidentiality and data protection.

7.4. Advisors, investors, and auditors: in due diligence, fundraising, merger, acquisition, sale, or corporate reorganization, with contractual safeguards.

7.5. Public authorities: when there is a legal obligation, court order, or legitimate request from a competent authority.

7.6. Data subject’s consent: in other cases, upon express and informed consent, when applicable.

7.7. We do not sell personal data. Whenever technically feasible and appropriate, we seek to minimize identification or use aggregated or anonymized data in sharing.

The website may contain links to third parties with their own policies; this Policy applies to Qonclor’s Services as described herein.

8. International transfers of personal data

Some providers and partners may process data on servers outside Brazil. In such cases, we adopt safeguards under Articles 33 through 36 of the LGPD, such as standard contractual clauses, specific clauses, or another mechanism recognized by the ANPD. Additional information may be requested at [email protected].

9. Retention, deletion, and exceptions

We retain data only for the time necessary for the purposes described, respecting legal and contractual deadlines and the principle of necessity.

9.1. Demonstration requests (Section 4.1): for as long as the commercial relationship or legitimate prospecting lasts, and for up to 24 (twenty-four) months after the last contact, unless a longer legal obligation applies or deletion is requested when applicable.

9.2. Accounts and company data (Section 4.2): term of the contract and additional period for legal, accounting obligations, or defense of rights (in general up to 5 (five) years after termination, when applicable).

9.3. Identity verifications (Section 4.3): in accordance with the contracted policy. As a rule, deletion of sensitive content after completion of validation, preserving minimum audit records (irreversible cryptographic references and decision metadata). Extended retention only with express agreement.

9.4. Access logs (Brazilian Internet Civil Rights Framework): applicable minimum legal period (in general 6 (six) months), unless a longer period is required by law or authority.

9.5. Security logs: in general up to 12 (twelve) months, consistent with incident investigation.

9.6. Deletion: after the periods, data will be deleted or anonymized irreversibly, unless legal retention applies. Certain data may be kept for legal obligations, pending disputes, or defense of rights, in accordance with Section 13.

10. Security measures and data protection

We implement technical, organizational, and legal measures proportionate to the risk, including:

10.1. Isolation and access control: logical segregation between client accounts; session authentication; credential revocation; principle of least privilege.

10.2. Protection of integration credentials: safeguards for API keys and authentication secrets.

10.3. Encryption and minimization: encryption in transit and at rest; irreversible cryptographic references when retention so determines; temporary processing of biometric and image data only for the time necessary for verification.

10.4. Monitoring and compliance: operation logging for audit; internal policies; periodic training of employees with access to personal data.

10.5. Incident management: detection, containment, investigation, and communication procedures in accordance with Section 11.

10.6. Dashboard user responsibilities: keep credentials in a secure place; do not share them with unauthorized third parties; notify [email protected] in case of suspected misuse, leak, or unauthorized access.

No measure is absolute. We do not guarantee infallible security, especially if credentials are shared or exposed outside our systems. We are committed to continuously improving our controls.

11. Security incidents

In an incident that may entail relevant risk or harm, we will adopt containment, investigation, and, when required by Article 48 of the LGPD, communication to the ANPD and affected data subjects. Incidents in processing operated on behalf of a client will be communicated to the controller for fulfillment of their obligations.

12. Automated decisions and automated processing

The Platform aggregates verification signals (confidence, risk, decision outcome, estimated age range) to support client companies’ decisions. The final decision on access, registration, or treatment of the data subject is that of the client controller, who defines policies and human review when required.

If processing produces legal effects or relevant impacts based exclusively on automated processing, you may request review by a natural person (Art. 20 of the LGPD), in accordance with Section 13.

13. Rights of personal data subjects

Under Article 18 of the LGPD, you may request:

13.1. confirmation of the existence of processing;

13.2. access to data;

13.3. correction of incomplete, inaccurate, or outdated data;

13.4. anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;

13.5. portability, upon express request and ANPD regulation;

13.6. deletion of data processed on the basis of consent, subject to legal grounds for retention;

13.7. information on sharing with public and private entities;

13.8. information on the possibility of not consenting and the consequences of refusal;

13.9. revocation of consent;

13.10. objection to processing based on legitimate interest, in cases provided by law;

13.11. review of solely automated decisions, when applicable.

13.12. How to exercise: send a request to [email protected] or via the Schedule a demo form with subject «Privacy», with reasonable identification. Response within 15 (fifteen) days, extendable by a further 15 with justification (Art. 18, §3).

13.13. When we are processor: we will forward requests to the controller when they are primarily responsible (Sections 4.3 and 4.5).

13.14. Deletion request: we will comply when applicable, subject to retention for legal, regulatory, contractual obligations, defense of rights, and audit (Section 9).

13.15. We may refuse manifestly unfounded, repetitive requests, or those that compromise third-party rights or trade secrets, with justification.

14. Children and adolescents

The website and commercial form are intended for adult representatives in a B2B context. When we process data for age verification or protection of minors on behalf of clients, the controller must inform data subjects and guardians, observe Article 14 of the LGPD, and use the Platform in accordance with applicable legislation (including protection of minors in digital environments in Brazil). Qonclor does not use minors’ data for its own marketing.

15. Cookies and similar technologies

The website may use technologies strictly necessary for security and the contact form, including anti-abuse verification with cookies or local storage. We currently do not use third-party advertising or analytics cookies on the landing page. Details in the Cookie Policy. If we begin using non-essential cookies, we will update the policies and request consent when required.

16. Changes to this Privacy Policy

We may modify this Policy to reflect legal, regulatory, or Service changes. The date at the top indicates the current version. Relevant changes may be communicated on the website or by email to contracting clients. We recommend periodic review.

If you do not agree with the current version, discontinue use of the website and the Services in which we are controller. Continued use after changes constitutes acknowledgment of the new version, without prejudice to LGPD rights.

17. Data Protection Officer (DPO) and contact

The Qonclor Data Protection Officer serves data subjects, clients, and authorities:

We commit to responding in a timely manner, within LGPD deadlines.

18. Complaints to the Brazilian National Data Protection Authority (ANPD)

Without prejudice to other means, you may file a complaint with the ANPD: https://www.gov.br/anpd.

19. Applicable law and final provisions

This Policy is governed by the legislation of the Federative Republic of Brazil, in particular the LGPD, the Brazilian Internet Civil Rights Framework, and related ANPD rules.

This Policy constitutes Qonclor’s transparency instrument on the processing of personal data in the contexts described herein and should be read together with the Terms of use and the Cookie Policy, when applicable.