CIATECH
LEGAL

Privacy Policy

This Policy describes how Ciatech collects, processes, stores, and protects personal data of operator representatives, prospective partners, website visitors, and authorized users of the Operator Hub. We follow the principles of Brazil's LGPD (Lei Geral de Proteção de Dados) and the EU GDPR.

Effective Date: January 15, 2026
Last Updated: May 26, 2026
Version: 2.1

B2B Scope. Ciatech does not process personal data of End Users playing games on Operator platforms. End-User data is collected and controlled by the Operator under its own privacy notice. This Policy covers data of commercial contacts, integrators, and Operator Hub users only.

01 Scope of this Policy

This Privacy Policy applies to personal data processed by Ciatech when you:

  • Visit our website ciatech.co or any subdomain;
  • Submit a demo request, sales inquiry, or contact form;
  • Subscribe to our B2B newsletter or commercial communications;
  • Interact with our team via email, video call, or trade-show channels;
  • Access the Operator Hub, our APIs, dashboards, or documentation portals;
  • Apply for a position with Ciatech.

It does not apply to data processed by Operators in respect of their End Users. Operators act as independent data controllers for that processing.

02 Data Controller

The data controller responsible for the processing described in this Policy is Ciatech, headquartered in São Paulo, Brazil. Where European data subjects are involved, Ciatech acts as the controller within the meaning of Article 4(7) GDPR. Where Brazilian data subjects are involved, Ciatech acts as controlador within the meaning of Article 5, VI of the LGPD.

03 Data We Collect

3.1 Identification & contact data

  • Full name, business role / job title, professional email, business phone;
  • Company name, address, license jurisdiction, and registration details supplied during onboarding;
  • Profile and avatar information you choose to add to the Operator Hub.

3.2 Commercial interaction data

  • Content of demo requests, commercial correspondence, meeting notes, and call transcripts (with your consent);
  • Records of integration discussions, technical questions, and support tickets.

3.3 Technical & usage data

  • IP address, device type, browser, operating system, language preference;
  • Pages visited, time on page, referring URL, session identifiers;
  • API access logs (key ID, endpoint, timestamp, response code) for Operator Hub users;
  • Security event logs (failed logins, suspicious activity).

3.4 Marketing data

  • Communication preferences, subscription status, email engagement metrics (open / click).

We do not knowingly collect sensitive personal data (racial origin, political opinions, health, biometric) in the course of our B2B operations.

04 How We Collect It

  • Directly from you — via forms, email, contracts, or video calls;
  • Automatically — via cookies, server logs, and analytics on our website and platform;
  • From third parties — public registries, gaming-industry directories, business-intelligence providers, LinkedIn, or referrals from existing partners, where lawful;
  • Cloudflare Turnstile — to verify that form submissions originate from genuine users without using intrusive captchas.

05 Purposes & Legal Bases

We process personal data for the following purposes, relying on the indicated legal bases:

  • Responding to inquiries and providing demos — performance of pre-contractual steps at your request (LGPD Art. 7, V / GDPR Art. 6(1)(b));
  • Negotiating, executing, and performing commercial agreements — contract performance (LGPD Art. 7, V / GDPR Art. 6(1)(b));
  • Providing access to the Operator Hub and APIs — contract performance and our legitimate interest in operating the platform securely;
  • Sending B2B commercial communications — legitimate interest in promoting our services to professional contacts, with an opt-out at any time (LGPD Art. 7, IX / GDPR Art. 6(1)(f));
  • Security, fraud prevention, and platform integrity — legitimate interest and legal obligation;
  • Compliance with legal and regulatory obligations — including tax, accounting, and gaming-licensing recordkeeping (LGPD Art. 7, II / GDPR Art. 6(1)(c));
  • Analytics and product improvement — legitimate interest in understanding usage patterns to improve the Services.

06 Sharing & Disclosure

We share personal data only with the categories of recipients listed below and only to the extent necessary for the stated purposes:

  • Service providers (processors) — cloud hosting (Cloudflare), email delivery, CRM, analytics, payment processors, audit firms. All are bound by data-processing agreements and confidentiality obligations.
  • Group companies & affiliates — for centralized administration and support.
  • Professional advisors — lawyers, accountants, and auditors under professional confidentiality.
  • Regulators & authorities — gaming, tax, or data-protection authorities where required by law or to defend our legal interests.
  • Successors in interest — in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.

We do not sell personal data, and we do not share it with third parties for their own marketing purposes.

07 International Transfers

Ciatech is headquartered in Brazil and uses service providers and infrastructure located in multiple jurisdictions, including the European Economic Area, the United Kingdom, and the United States. Where personal data is transferred outside the country of origin, we rely on appropriate safeguards such as:

  • Standard Contractual Clauses approved by the European Commission;
  • The ANPD's standard clauses or other transfer mechanisms recognized under LGPD Art. 33;
  • Adequacy decisions, where applicable;
  • Supplementary technical measures (encryption in transit and at rest, key segregation).

08 Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Indicative retention periods:

  • Sales prospect data (without contract) — up to 24 months from the last interaction;
  • Contractual data — for the duration of the agreement plus 5 years thereafter;
  • Accounting and tax records — 5 to 10 years as required by Brazilian law;
  • Operator Hub access logs — 12 months for security and auditing;
  • Website analytics — 14 months in aggregated or pseudonymized form;
  • Marketing data — until you unsubscribe, then archived for suppression purposes only.

At the end of the retention period, data is securely deleted or irreversibly anonymized.

09 Security Measures

Ciatech implements technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

  • TLS 1.3 encryption for data in transit;
  • AES-256 encryption for data at rest in production systems;
  • Role-based access control with least-privilege principles;
  • Multi-factor authentication for administrative access;
  • Regular penetration testing and vulnerability scanning;
  • Security monitoring, SIEM, and incident-response playbooks;
  • Background checks and confidentiality agreements for personnel;
  • Privacy-by-design and privacy-by-default reviews for new features.

10 Cookies & Tracking

Our website uses cookies and similar technologies to operate the site, remember preferences, secure form submissions, and measure traffic. We use the following categories:

  • Strictly necessary — session management, security tokens, Cloudflare Turnstile. Cannot be disabled.
  • Functional — language preference, UI state.
  • Analytics — aggregated traffic measurement; we use IP truncation and short retention windows.

You may disable non-essential cookies through your browser settings or the cookie banner where presented. Disabling strictly-necessary cookies may impact the functionality of the website.

11 Your Rights

Subject to the conditions set out in the LGPD, GDPR, and other applicable laws, you have the right to:

  • Access — confirm whether we hold personal data about you and obtain a copy;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure — request deletion where there is no longer a lawful basis for processing;
  • Restriction — limit processing in certain circumstances;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on our legitimate interest, including direct marketing;
  • Withdraw consent — where processing is based on your consent, at any time;
  • Information about sharing — request a list of public and private entities with which your data has been shared;
  • Lodge a complaint — with a supervisory authority, such as the ANPD (Brazil) or your local European DPA.

To exercise any of these rights, contact us at business@ciatech.co. We may need to verify your identity before responding and will reply within the period required by applicable law (15 days under LGPD; one month under GDPR, extendable where justified).

12 Children's Data

The Services are intended for licensed business users only. We do not knowingly collect personal data of individuals under the age of 18. If you believe a minor has provided personal data to us, please contact us so we can investigate and delete the data promptly.

13 Breach Notification

In the event of a personal-data breach that is likely to result in risk to the rights and freedoms of data subjects, Ciatech will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. Affected data subjects and Operators will be informed where the breach is likely to result in high risk, in accordance with applicable law.

14 Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates when changes took effect. Material changes will be communicated by email or via a prominent notice on the website. We encourage you to review the Policy periodically.

15 Contact & DPO

You can contact our Data Protection Officer (DPO) and privacy team for any question relating to this Policy or to exercise your rights.

Ciatech — Privacy & Data Protection

We respond to privacy requests within the deadlines required by LGPD (15 days) and GDPR (1 month). For urgent matters, please mark your message "PRIVACY REQUEST" in the subject line.

Email: business@ciatech.co
Region: São Paulo, Brazil & LATAM
Timezone: GMT-3

See also our Terms of Service for the contractual terms governing use of the Ciatech platform.

© 2026 Ciatech. All rights reserved. Built for operators only.