EN PT
Join the waitlist

Privacy Policy

Last updated:

Effective date

This Privacy Policy takes effect on the date stated at the top of this document. It applies to data collected from that date forward. If a prior version of this Policy applied to data we collected from you, the prior version continues to govern that prior collection.

Plain-language summary

Before the detail: a quick read of what this Policy says.

  • We are Pau Brasil, LLC, the company behind the Pau Brasil capoeira tournament platform.
  • We collect the data you give us (name, contact info, registration data, payment info, medical info at registration, performance footage at events) and use it to run the tournaments.
  • Your data is processed on US-based infrastructure (Vercel, Neon, Stripe, and others) — the full current list of sub-processors is in § 6.
  • You have rights under LGPD — access, correction, deletion, portability, revocation of consent. Email privacy@paubrasilchampionship.com to exercise them. We respond within 15 days.
  • We do not sell your data. We share it only with the sub-processors needed to run the service.
  • Medical data is treated with extra protection — separate consent, narrower access, shorter retention.
  • We don't knowingly collect data from anyone under 18.

The rest of this document is the detailed version.

1. Who we are

Controller: Pau Brasil, LLC, a Florida limited liability company, located at 7901 4th St N, STE 300, St. Petersburg, FL 33702, USA.

Pau Brasil is the controller of your personal data under LGPD. The controller decides what data is collected, why, and how it is used. Pau Brasil will assign this role to the Brazilian operating entity once that entity is established, with 30 days' advance notice to you.

Contact for data protection matters: privacy@paubrasilchampionship.com

DPO / representative: During the v0 phase, Pau Brasil's data protection point of contact is Maria Teresa C. Hora (Administration, Pau Brasil, LLC), reachable at the email above. When the Brazilian operating entity is established, the entity's appointed Data Protection Officer (DPO) will be designated and identified on www.paubrasilchampionship.com/lgpd.

2. What data we collect

We collect data in phases as you interact with the Platform. The categories below reflect what we collect at each phase.

2.1 Phase 1 — Waitlist (current)

When you join the waitlist for a Pau Brasil tournament or music competition pathway, we collect:

  • Identification data: first name, last name
  • Contact data: email address; phone number (optional)
  • Location data: state of residence (Brazilian state)
  • Capoeira pathway data: capoeira group, mestre name, weight category, experience level / cordão indication
  • Music pathway data: team name, role / primary instrument, team size, instruments used
  • Consent data: which version of this Policy and the Terms of Service you accepted, when, from what IP address and user agent, with what marketing preferences (per channel: email, WhatsApp, SMS)

2.2 Phase 2 — Registration (when registration opens)

When you register for a tournament or music competition, we collect (in addition to the data in § 2.1):

  • Identification documents: CPF for Brazilian residents; passport for foreign residents where applicable
  • Personal data: date of birth, residential address
  • Emergency contact: name and phone number of an emergency contact
  • Medical / health data (sensitive personal data — see § 4): pre-existing injuries, chronic conditions, current medications, allergies, doctor's clearance (where applicable), health insurance details (the health insurance specifically), pregnancy status (where disclosed), disability or accommodation requests, vaccination records (if collected), blood type (if collected for emergency response), weigh-in data, recent-concussion disclosures
  • Identifying photo / biometric data (sensitive personal data — see § 4): photo at registration or check-in, used for identity verification at the venue
  • Payment data: card details (processed and stored by Stripe; Pau Brasil receives only metadata such as the last four digits and payment method type), Pix originator information for Pix payments
  • Capoeira credential data: lineage information, cordão verification responses (including responses from your stated mestre or group)
  • Music credential data: primary group affiliation, instrument competency confirmations
  • Waiver acceptance data: version of the Waiver accepted, when, from what IP / UA, plus venue re-acknowledgment if applicable

2.3 Phase 3 — Tournament participation (event days)

During and after a tournament you participate in, we collect:

  • Performance data: match results, judging records, rankings, prize awards
  • Footage: photographs, video, audio recordings of your competition, ceremonies, and venue presence (see § 7 of the Terms of Service)
  • Medical event records: any injury reports, on-site medical staff observations, treatment authorizations
  • Disciplinary records: any Code of Conduct issues, decisions, and outcomes

2.4 Phase 4 — Future services (when offered)

When Pau Brasil offers spectator ticketing, merchandise, and broader streaming, additional data may be collected, including ticket-purchase data, shipping addresses for merchandise, and viewing/interaction data on watch pages. This Policy will be updated to reflect those collections before they begin, with notice as set out in § 14.

2.5 Automatically collected data

Regardless of phase, we may automatically collect:

  • Technical data: IP address, browser type, device type, operating system, language preference
  • Usage data: pages visited, features used, timestamps, referrer URL
  • Cookie data: see § 8 and our Cookie Policy for details

3. How we use your data

We use your data for the following purposes:

3.1 Service operation (contractual necessity)

  • Maintaining your Account and waitlist record
  • Processing your registration
  • Communicating about tournaments, your registration status, and event logistics
  • Processing payments and issuing refunds
  • Conducting check-in and identity verification at events
  • Generating tournament results, rankings, and credentials

3.2 Marketing (consent-based)

  • Sending marketing emails, WhatsApp messages, or SMS — only when you have opted in, with channel-level granularity
  • Promoting future tournaments, sponsor offers, and platform updates

You may revoke marketing consent at any time, per channel, via the unsubscribe link in any marketing communication or by contacting privacy@paubrasilchampionship.com.

3.3 Safety and event integrity

  • Reviewing medical disclosures to ensure athlete safety at events
  • Coordinating with event medical staff during emergencies
  • Investigating Code of Conduct allegations
  • Verifying credentials and lineage
  • Detecting and preventing fraud, abuse, and impersonation

3.4 Broadcast and tournament promotion

  • Capturing, broadcasting, archiving, and distributing footage of your participation per the Image, Likeness, and Broadcast Release in Terms of Service § 7
  • Sponsor reporting (aggregated and event-specific)
  • Future rankings, champion profiles, and embedded watch pages

3.5 Legal and regulatory compliance

  • Fiscal record-keeping per Brazilian tax law
  • Issuing NF-e (Nota Fiscal Eletrônica) for taxable transactions
  • Responding to lawful requests from authorities
  • Defending against legal claims

3.6 Aggregate analytics

  • Understanding how the Platform is used in aggregate to improve features and UX
  • We use PostHog for this purpose, with sensitive data excluded from event capture

3.7 Service improvement

  • Diagnosing technical issues
  • Iterating on product features
  • Conducting internal quality and security audits

4. Sensitive personal data

LGPD treats certain categories as sensitive personal data (dados pessoais sensíveis) under Art. 5 II, including data concerning health and biometric data. We collect two categories of sensitive data:

4.1 Health data

Collected at registration (§ 2.2) and during events (§ 2.3). Used solely for:

  • Athlete safety review and pre-event clearance
  • Emergency medical response at events
  • Treatment authorization for injuries

Access: limited to designated medical staff and event operations leads. Not accessible to marketing, general admin users, sponsors, or third parties (absent legal compulsion). Access is audit-logged.

Retention: medical data is deleted 90 days after the relevant tournament concludes, except where retained for:

  • Active or anticipated medical claims (insurance, treatment continuity)
  • Active investigations or disputes
  • Legal hold

4.2 Biometric data

Identification photos collected at registration or check-in are used to verify your identity at the venue, prevent impersonation, and maintain official tournament records.

Retention: see § 9 (unified retention matrix) — 12 months after most recent tournament participation or Account closure, whichever first.

4.3 Consent and legal basis for sensitive data

Sensitive personal data is collected only with your specific, separated consent at the point of collection (LGPD Art. 11, I). Alternative legal bases may also apply for specific uses:

  • Protection of life or physical safety (LGPD Art. 11, II, f) — emergency medical response at events
  • Compliance with legal or regulatory obligation (LGPD Art. 11, II, a) — fiscal or regulatory record-keeping where required

The separated consent for medical data and the consent for biometric capture are presented as distinct checkboxes during registration and at check-in. Consenting to general Terms or Privacy Policy does NOT, by itself, constitute consent to sensitive data processing.

5. Legal bases for processing

We process personal data on the following legal bases under LGPD Art. 7 (non-sensitive) and Art. 11 (sensitive):

Legal basis (Art. 7 / 11) What it covers
Consent (I) Marketing communications; sensitive data collection; cookies (non-essential); optional likeness uses
Performance of a contract (V) Operating your Account, processing your registration, processing payments, fulfilling tournament participation
Legitimate interest of the controller or third party (IX) Aggregate analytics; safety and fraud prevention; service improvement; sponsor reporting in aggregate
Legal obligation (II) Fiscal records, regulatory reporting, NF-e issuance
Protection of life or physical safety (Art. 11, II, f) Emergency medical response at events
Regular exercise of rights in judicial, administrative, or arbitration proceedings (VI) Defense or pursuit of legal claims
Public interest / official function (III) Not currently relied upon

We invoke "legitimate interest" only when (i) the interest is proportionate to your rights and freedoms, (ii) you would reasonably expect the processing, and (iii) you can object via the rights process in § 12.

6. Who else sees your data — sub-processors

Pau Brasil engages the following sub-processors to operate the Platform. Each sub-processor processes your data only on Pau Brasil's documented instructions, under contractual safeguards aligned with LGPD requirements. Where international transfer applies, Pau Brasil relies on the legal bases described in § 7, including contractual clauses aligned with ANPD's standard form (Resolução CD/ANPD nº 19/2024) where required.

Sub-processor Role Location
ButterTrip, LLC Platform infrastructure provider (operates the Pau Brasil platform on Pau Brasil's behalf) United States
Stripe, Inc. (and Stripe-supported Brazilian acquirers) Payment processing, including card payments and Pix United States (with Brazilian payment acquirers as applicable)
Vercel Inc. Web hosting and content delivery United States (edge regions globally)
Neon, Inc. Database hosting United States
Sanity, Inc. Content management system United States / European Union (Pau Brasil instance: US)
PostHog, Inc. Product analytics United States. Sensitive personal data is explicitly excluded from PostHog event capture.
Cloudflare, Inc. Bot protection (Turnstile) and DDoS mitigation United States
[Email/SMS provider TBD] Transactional and marketing email / SMS delivery
Sentry, Inc. Error monitoring and observability (with PII scrubbing enabled) United States
Brazilian operating entity (once established) Tournament operations, on-the-ground event delivery Brazil

This list is current as of this Policy's effective date and may change as Pau Brasil's stack evolves. Material changes (additions or removals of categories of sub-processor) are notified with 30 days' advance notice per § 14. The current list is maintained at www.paubrasilchampionship.com/subprocessors.

In addition to the sub-processors listed above, Pau Brasil may share limited identifying information with third-party verifiers to confirm credentials you have declared during registration. Specifically, for capoeira pathway registrations, Pau Brasil may contact your declared mestre or capoeira group leader to verify your cordão and lineage (see the Code of Conduct § 4); for music pathway registrations, Pau Brasil may contact your declared group leader to verify your ensemble affiliation. These verifiers are not Pau Brasil sub-processors — they are private individuals or groups outside the platform infrastructure — but they receive your declared information about yourself in the course of verifying it. You consent to these disclosures as a condition of registration.

Pau Brasil does NOT:

  • Sell your personal data
  • Share your personal data with advertisers or data brokers
  • Use your personal data to train AI models without specific consent
  • Disclose your personal data to third parties outside the sub-processor list, except where required by law, in response to lawful authority requests, or to enforce these terms

7. International transfers

Most Pau Brasil sub-processors operate in the United States. Your personal data is therefore transferred from Brazil to the US for processing on Pau Brasil's behalf.

The legal bases for these transfers under LGPD are:

  • Contractual necessity (LGPD Art. 33, V) — the transfers are necessary to perform our contract with you
  • Standard Contractual Clauses (LGPD Art. 33, II) — ANPD-aligned SCCs are in place with each US sub-processor under Resolução CD/ANPD nº 19/2024
  • Consent (LGPD Art. 33, VIII) — for sensitive data and marketing uses where consent is the primary basis

Pau Brasil maintains the right to revisit data residency arrangements, particularly for sensitive data categories (medical data), and may move specific data classes to Brazilian-region infrastructure in the future. We will update this Policy if data residency arrangements change materially.

8. Cookies and similar technologies

Pau Brasil uses cookies and similar technologies (localStorage, sessionStorage) on its websites. Detail is in the Cookie Policy, accessible from the footer of every page.

Three categories:

  • Strictly necessary — session, security, language preference, your cookie-consent choice itself. Always active; no consent required.
  • Analytics — PostHog. Optional; off by default until you opt in.
  • Marketing — placeholder for future remarketing tools. Optional; off by default.

You can manage your cookie preferences at any time via the "Configurações de cookies" link in the footer. Your choice is logged in our consent records.

Third-party embeds (notably YouTube on future broadcast pages) are not loaded until you click to load them; until then, no third-party cookies are set on your behalf by those embeds.

9. Retention — unified matrix

This § 9 is the canonical retention matrix for Pau Brasil. Other Pau Brasil documents (Terms of Service, Liability Waiver, Code of Conduct, DPA, registration form, consent ledger spec, DSAR workflow) reference this matrix as the source of truth. If another document states a different retention period, this matrix controls unless that other document has been published in a later effective version that supersedes this one.

Data category Retention period Retention trigger Disposition
Waitlist signup data (non-medical) 24 months from signup, or 6 months after registration opens, whichever is later Inactivity or registration opening Delete
Marketing consent + revocation records 5 years from revocation Revocation event Archive with anonymization after 5 years
Registration data (non-medical: profile, identifiers, results) Duration of Account + 5 years (CDC consumer-claim statute) Account closure or 24-month inactivity Anonymize for historical tournament records
Medical / health data (sensitive) 90 days post-tournament Tournament conclusion Hard delete; deletion job scheduled, not "we'll get to it"
Biometric / identification data (sensitive) 12 months after most recent tournament participation OR closure of Account, whichever first. Biometric templates may be deleted earlier when no longer needed for the active tournament cycle. Last tournament + 12 months, or Account closure Hard delete
Payment transaction records 5 years from transaction (CDC) Transaction date Retain aggregate fiscal records; anonymize transaction-level PII
Fiscal / NF-e records 5–7 years per Brazilian tax law Issuance date Per Brazilian tax retention requirement
Tournament medical event records (injury reports) 5 years (general civil claim statute) Event date Delete or anonymize after retention period
Tournament results, rankings, championship records (anonymizable) Indefinitely for sport-governance and historical purposes N/A Retained as part of sport record; PII can be anonymized over time
Footage / image / audio (broadcast archive) Indefinitely per ToS § 7.1(c) N/A Retained subject to revocation under ToS § 7.8
Music performance audio (mandatory grant scope) Same as footage above for tournament use; commercial uses require separate consent N/A Retained per grant scope
Consent ledger records 10 years (longer of CDC 5y and general civil 10y) Consent or revocation event Sentinel preserved post-deletion; PII fields nulled
DSAR audit log 5 years minimum Request date Delete after retention period
Cookie consents Cookie lifetime + 12 months grace Last consent action Archive after grace period
Account inactivity-triggered closure After 24 months of inactivity, with prior notice Last user activity Account closed; underlying data treated per the category-specific rows above

Where retention periods conflict (e.g., you ask for deletion but we are required to retain fiscal records): we retain the minimum required by law, restrict access to the retained data, and explain the limitation in our response to your request.

Where retention is "indefinite": this applies only to data that is part of the sport's permanent record (results, rankings, broadcast archive). You retain the right to request cessation of future use under the ToS § 7.8 objective process. Indefinite retention does NOT mean Pau Brasil keeps unlimited personal data forever — anonymization is applied progressively, and PII fields associated with historical records are minimized to what is necessary for the historical purpose.

10. Security

Pau Brasil implements technical and organizational measures appropriate to the risk profile of the data we process, including:

  • Encryption at rest for personal data, with stronger encryption for sensitive data
  • Encryption in transit (TLS 1.2+ for all client-server communication)
  • Role-based access control — staff access only the data needed for their role
  • Audit logging of access to sensitive data
  • Multi-factor authentication for staff accounts with privileged access
  • Background checks for staff with access to sensitive data, where legally permissible
  • Vendor security review before engaging new sub-processors
  • Incident response plan with breach notification protocols (ANPD notification within the timeframe required by LGPD, typically 48 hours of awareness for incidents likely to cause relevant risk to data subjects)

No system is impenetrable. If we suffer a security incident affecting your data, we will notify you and ANPD as required by LGPD Art. 48.

10a. Accessibility commitment

Pau Brasil is committed to accessibility consistent with the Lei Brasileira de Inclusão (Lei nº 13.146/2015) and applicable Brazilian accessibility standards. We aim for our digital surfaces to meet WCAG 2.1 AA (and the corresponding Brazilian standard, ABNT NBR 17060) and are implementing this progressively. We provide accommodation request workflows at registration for athletes with disabilities, and alternate communication channels (postal, telephone) on request for users who cannot use email.

If you encounter an accessibility barrier with any Pau Brasil surface, contact privacy@paubrasilchampionship.com and we will respond within the standard LGPD-rights response window (48-hour acknowledgment, 15-day substantive response). For accommodation requests related to specific tournaments, contact privacy@paubrasilchampionship.com with at least 30 days' lead time where possible.

11. Children

Pau Brasil is for adults aged 18 or older. Registration requires the user to declare they are 18 or older. We do not knowingly collect personal data from anyone under 18.

Discovery and remediation. If Pau Brasil learns or has reason to believe that an Account, waitlist signup, or registration belongs to someone under 18, we will:

(a) Close the Account or remove the waitlist signup (b) Delete the associated personal data, except where retention is required by law (see § 9 unified retention matrix) (c) Refund any fees paid (per § 6 refund policy, organizer-side trigger) (d) Inform the parent/guardian of the action where contact information is available

Parent / guardian complaints. Parents or guardians who believe Pau Brasil holds data about a minor may contact privacy@paubrasilchampionship.com. We will investigate and remediate within the LGPD 15-day response window, with priority handling for child-data complaints.

Incidental capture at events. Pau Brasil events may capture incidental images of attendees in venue and broadcast footage. Where a minor is reasonably identifiable in such incidental capture and a parent/guardian requests removal, Pau Brasil will, within 30 days of receipt of a documented request, take reasonable steps to remove or obscure the minor's likeness from future use of the affected content. Already-published live broadcast or live-streamed segments cannot be retroactively recalled but will be removed from future archival use and re-edits.

Underage athletes attempting to register. Athletes who provide false age information to register are subject to the false-registration provisions of § 2.3, the Code of Conduct, and applicable law.

12. Your rights under LGPD

You have the rights set out in LGPD Art. 18, including:

  • Confirmation of processing — confirmation that we hold data about you
  • Access — a copy of the data we hold
  • Correction — fix incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Portability — receive your data in a machine-readable format suitable for transfer to another provider
  • Deletion of data processed with consent, subject to retention exceptions
  • Information about sharing — who we have shared your data with
  • Information about consent consequences — what happens if you decline or revoke consent
  • Revocation of consent — withdraw consent for any consent-based processing

A dedicated, user-friendly summary of your rights and how to exercise them is at LGPD Rights (www.paubrasilchampionship.com/lgpd).

How to exercise your rights — current phase (waitlist)

During the waitlist phase, all LGPD-rights requests are handled by email at privacy@paubrasilchampionship.com. Requests are handled manually by Pau Brasil staff. You will receive:

  • An acknowledgment within 48 hours of receipt
  • A substantive response within 15 days as required by LGPD Art. 19. For complex requests, ANPD guidance permits a one-time 15-day extension with written notice; if we need to take that extension, we will tell you and explain why.

If you wish to revoke marketing consent specifically, every marketing communication you receive includes a one-click revocation link; you do not need to file a formal request.

How to exercise your rights — when registration opens

When Pau Brasil's registration product launches, additional channels will become available:

  • A structured web form for LGPD-rights requests at www.paubrasilchampionship.com/lgpd/solicitar-direitos
  • In-app self-service controls in your registered Account: view your consent history with document versions accepted; revoke marketing consent per channel (email, WhatsApp, SMS); download your data in a machine-readable format; delete your Account with a 7-day cooling-off period for safety

We will update this Policy with notice when those additional channels go live.

Identity verification is required to protect you from fraudulent requests. For low-risk requests (access, correction), we verify control of your registered email. For high-risk requests (account deletion), we additionally use a 7-day cooling-off period as account-compromise insurance.

Requests are free. If you believe a request was wrongly denied or unanswered, you can complain to ANPD (gov.br/anpd) — Pau Brasil cooperates with ANPD complaints.

13. Automated decisions

Pau Brasil does not currently make automated decisions of legal effect about you (LGPD Art. 20). Registration approval is reviewed by a person; disciplinary decisions are made by Pau Brasil staff. If we introduce automated decision-making in the future, we will update this Policy and provide the right to request human review.

14. Changes to this Policy

We may amend this Policy. Material changes are notified by email and by notice on the Platform at least 30 days before they take effect.

Material changes include:

  • New categories of data collected
  • New purposes of processing
  • New sub-processors or recipient categories
  • Changes to your rights or how to exercise them
  • Changes to retention periods
  • Changes to international transfer arrangements

Non-material changes (typos, clarifications, formatting) may be made without advance notice; a change log is maintained.

Each version of this Policy is timestamped and archived at a stable URL. Consent records reference the version current at the time of acceptance.

15. Contact

  • Data protection / LGPD rights: privacy@paubrasilchampionship.com
  • General inquiries: hello@paubrasilchampionship.com
  • Legal notices: legal@paubrasilchampionship.com
  • Postal address: Pau Brasil, LLC, 7901 4th St N, STE 300, St. Petersburg, FL 33702, USA

You may also lodge complaints with ANPD (Autoridade Nacional de Proteção de Dados) at gov.br/anpd.

Back to home Join the waitlist