1. Data Controller
The controller of personal data processed on this platform is Rede SurfTank, registered under CNPJ 50.000.273/0001-04, headquartered in Brazil.
Data protection officer contact: [email protected]
2. Personal Data Collected
2.1 Data provided by the user
- First and last name: account identification
- Email: communication, account activation and recovery
- Password: stored exclusively in encrypted format (SHA-512)
- Date of birth: age verification and compliance with legal obligations
- Gender: optional, for experience personalization
- CPF (Brazilian Tax ID): when voluntarily provided for verification
- Legal guardian's email: for users under 16 years of age, as required by Brazilian Law 15.211/2025 (Child and Adolescent Digital Protection Act)
2.2 Data collected automatically
- IP address: security, fraud detection and legal compliance
- Device fingerprint: processor core count, screen resolution, browser language - for account security
- User Agent: browser and operating system identification
- Browsing data: pages accessed, access times
- Cookies: session management and known device tracking
2.3 Transaction data
- Purchase history: amount, date, payment method, items purchased
- Payment data: processed directly by payment processors (Stripe, MercadoPago, EfiPay/PIX, PayPal) - Rede SurfTank does not store credit card data
3. Purpose of Data Processing
Data processing is carried out in accordance with the LGPD (Lei Geral de Proteção de Dados - Brazil's General Data Protection Law, Law No. 13.709/2018).
| Data | Purpose | Legal Basis (LGPD) |
|---|
| Name, email | Account creation and management | Contract performance (Art. 7, V) |
| Date of birth | Age verification | Legal obligation (Art. 7, II) - Law 15.211/2025 |
| Guardian's email | Legal guardian linkage | Legal obligation (Art. 7, II) - Law 15.211/2025 |
| IP, fingerprint | Security and fraud prevention | Legitimate interest (Art. 7, IX) |
| Purchase data | Transaction processing | Contract performance (Art. 7, V) |
| Age verification (Didit) | Confirm legal age for purchases | Legal obligation (Art. 7, II) |
4. Processing of Minors' Data
In compliance with the LGPD (Art. 14) and Brazilian Law 15.211/2025 (Child and Adolescent Digital Protection Act):
- Processing of data belonging to individuals under 18 years of age is carried out in the best interest of the child and adolescent
- For users under 16 years of age, specific consent from a legal guardian is required via email confirmation
- We collect only the data strictly necessary for the provision of the service
- Age verification data is used exclusively for that purpose
- Users under 18 years of age are not permitted to make purchases with real currency
4.1 Information for United States Users (COPPA)
This service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. The minimum age for account creation is 14 years old. If we become aware that we have collected personal data from a child under the age of 13, we will take steps to delete such information as soon as possible. If you believe that a child under 13 has provided us with personal data, please contact us at [email protected].
5. Data Sharing
Personal data may be shared with:
- Didit (didit.me): exclusively for age verification of users over 18 who wish to make purchases. Didit receives only the data necessary to confirm legal age, without exposing other personal data
- Payment processors: Stripe, MercadoPago, EfiPay (PIX) and PayPal, exclusively for processing financial transactions
- Competent authorities: when required by law or court order
Rede SurfTank does not sell, rent or trade the personal data of its users.
6. Retention and Deletion
- Account data: retained while the account remains active
- Transaction data: retained for the legally required period of 5 years (tax obligation)
- Security logs (IP, fingerprint): retained for 6 months
- Age verification data: retained while the account exists (legal obligation)
Users may request account deletion at any time. Data required for compliance with legal obligations will be retained for the period required by law.
7. Data Subject Rights
Under the LGPD (Brazil's General Data Protection Law), you have the right to:
- Confirmation of the existence of data processing
- Access to your personal data
- Correction of incomplete, inaccurate or outdated data
- Anonymization, blocking or deletion of unnecessary data
- Portability of data to another service provider
- Deletion of data processed with consent
- Information about data sharing
- Revocation of consent
To exercise your rights, please contact us at [email protected] or open a ticket at Support.
8. Data Security
We adopt technical and organizational measures to protect your data:
- Passwords encrypted with SHA-512 algorithm
- HTTPS/TLS connection across the entire platform
- Suspicious login detection by IP and device
- Attack protection via Cloudflare
- Database access restricted to authorized personnel
- Payment data processed directly by PCI-DSS certified processors
9. Cookies and Tracking
We use cookies for:
- Essential cookies (always active):
- PHP session — to keep you logged in
- Known device — to prevent login alerts on previously used devices (7 days)
- Cookie consent — to store your cookie preferences (365 days)
- Immediate credit consent — to store acceptance for purchases (90 days)
- Analytics and marketing cookies (only with consent):
- Attribution tracking — to associate sign-ups and purchases with marketing campaigns
- Device fingerprint — identification for security
- Facebook Pixel and Google Analytics — usage analysis and conversion tracking
When you access the site, a banner requests your consent. You may choose "Accept" (enables all cookies) or "Essential Only" (disables analytics and marketing cookies). Essential cookies cannot be disabled as they are necessary for the site to function.
You may change your preference at any time by clearing your browser cookies.
10. Account Ownership Transfer
When the email linked to an account is changed, we consider the account to have a new owner. In this case:
- All personal data of the previous owner is dissociated from the account (name, date of birth, age verification, acceptance of terms)
- The new owner must provide their own personal data and accept the Terms of Use and Privacy Policy
- Age verification for purchases is reset, requiring a new verification
- The transaction history remains linked to the account for tax audit purposes
11. International Data Transfer
Your data may be processed by servers located outside of Brazil only through the third-party services mentioned (payment processors and Didit), which have their own privacy policies and compliance with data protection legislation.
12. Changes to This Policy
This Policy may be updated periodically. Significant changes will be communicated via email or notification on the site. The date of the last update is indicated at the top of this document.
13. Contact
For questions or requests related to this Privacy Policy:
You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) (Brazil's National Data Protection Authority) at www.gov.br/anpd.