levver.ai

PRIVACY POLICY

How we process personal data at Levver.

Notice. This version of the policy is under legal review. The final text will be published after validation by a lawyer specialized in LGPD.

This policy describes how Levver collects, uses, stores, and protects personal data related to the use of the levver.ai website and the Delta and Maya products. It applies to site visitors, leads who fill out the contact form, active product clients, and anyone who interacts with the company.

The principle that governs this policy is simple. Your data is yours. We collect only what is necessary, use it only for the stated purpose, retain it only for the legally required period, and return or delete it on command.

Version 1.1 · Last updated: 2026-05-11

1. DATA CONTROLLER

Who is responsible.

Levver Ltda. CNPJ 63.299.766/0001-39
R. da Consolação, 2302, 9th floor · Consolação · São Paulo · SP · 01301-000
Contact: contato@levver.ai

For personal data that clients upload to the products (documents processed in Delta, conversations in Maya), Levver acts as a data processor, and the client acts as the data controller, under article 5 of the LGPD.

2. DATA COLLECTED

By interaction category.

2.1 Site visitors

Navigation data collected via Firebase Analytics. Pages visited, session time, device and operating system, traffic source (referrer), approximate geographic region (city/state, with no address-level precision). IP is collected by the infrastructure but truncated and anonymized by Analytics before storage. We do not identify visitors individually at this layer.

2.2 Form leads

Full name, company, role, corporate email, phone (optional), and the message sent. Visit source recorded for internal routing (origem or produto URL parameter). reCAPTCHA token generated by Google for spam protection (discarded after validation).

2.3 Active product clients

Client corporate registration data, login data of authorized users, instance configurations, operational usage records (access logs, actions executed). Content of documents processed (Delta) and conversations (Maya) remain isolated in the client's dedicated instance.

2.4 Cookies

We use essential cookies for site functionality (light/dark theme preference) and Firebase Analytics cookies (aggregated traffic measurement). We do not use advertising cookies or social media trackers. Google reCAPTCHA sets its own cookies for abuse detection.

3. LEGAL BASIS

By purpose.

  • ·Consent (article 7, I) for newsletter and future marketing communication, when applicable.
  • ·Performance of contract (article 7, V) for operational data of active product clients.
  • ·Legitimate interest (article 7, IX) for lead response, aggregated statistical analysis, and fraud protection (reCAPTCHA).
  • ·Legal obligation (article 7, II) for tax and contractual retention and responses to requests from competent authorities.

4. RETENTION PERIODS

How long we keep each piece of data.

  • ·Anonymous navigation data (Analytics). 14 months (Firebase Analytics default, set to the minimum).
  • ·Lead data (form). 24 months after the last commercial contact, unless the lead becomes a client (in which case it moves to contractual retention).
  • ·Active client data. For the contract term plus 5 years after termination, for tax and contractual purposes under Brazilian law.
  • ·Content processed by the products. For the contract term. After termination, export is available for 30 days and definitive deletion happens within 90 days, unless the client requests it earlier.
  • ·Access audit logs. 12 months, available on contractual request.

5. DATA PROCESSORS AND SUBPROCESSORS

Who we share with.

Levver operates with a restricted set of cloud and AI suppliers, all bound by contractual commitments to security and privacy that are equivalent to or stronger than LGPD requirements.

  • ·Google Cloud Platform / Firebase. Site hosting, Analytics, authentication. Servers in São Paulo (region southamerica-east1) or equivalent regions in LATAM.
  • ·Google reCAPTCHA. Form protection against spam.
  • ·LLM providers (Anthropic, OpenAI, Google). Processing of product content under no-training agreements on client data. Content sent to these APIs is discarded after inference.
  • ·Google Workspace. Corporate communication, contact form (Google Apps Script).

Levver does not sell personal data. We do not share data with third parties for advertising purposes.

6. INTERNATIONAL DATA TRANSFER

When data leaves Brazil.

Some of our data processors (Google, Anthropic, OpenAI) process data in data centers outside Brazil. These transfers occur under the safeguards provided in article 33 of the LGPD, including contractual clauses with obligations equivalent to Brazilian law and adequacy with recognized regimes (GDPR, EU adequacy decisions).

For clients with specific data residency requirements, we offer instance configurations restricted to Brazilian or LATAM regions (GCP southamerica-east1), with self-hosted open-source models as an alternative to third-party APIs. Configuration available under contract.

7. YOUR RIGHTS

What you can request, and how.

Under article 18 of the LGPD, you may at any time request:

  • ·Confirmation that processing exists
  • ·Access to data
  • ·Correction of incomplete, inaccurate, or outdated data
  • ·Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
  • ·Data portability
  • ·Deletion of data processed under consent
  • ·Information about data sharing
  • ·Withdrawal of consent

Send your request to dpo@levver.ai. We respond within 15 days, under article 19 of the LGPD. In complex cases, the deadline may be extended with justification.

8. SECURITY MEASURES

How we protect the data.

  • ·Encryption in transit (TLS 1.3) in all communications.
  • ·Encryption at rest (AES-256) in systems that store personal data.
  • ·Access control by least-privilege principle. Only people authorized by their role have access to client data.
  • ·Multi-factor authentication (MFA) required for administrative access.
  • ·Audit log of sensitive data access, available on contractual request.
  • ·Tenant isolation. Each client's data in a dedicated product instance. No mixing of data between accounts.
  • ·Zero training on client data. Contractual clause with clients and with LLM suppliers.

9. SECURITY INCIDENTS

If something goes wrong.

In the event of a security incident involving personal data under our responsibility, we will notify the affected data subject and the ANPD within a reasonable period, under article 48 of the LGPD. The notification will include the nature of the incident, data affected, technical and administrative measures in progress, and the risks involved.

10. DATA PROTECTION OFFICER (DPO)

Contact the DPO.

Levver has appointed a Data Protection Officer (DPO) to receive communications from data subjects and from the Brazilian Data Protection Authority (ANPD), under article 41 of the LGPD.

Responsible person. João Prado

Email. dpo@levver.ai

11. CHANGES TO THIS POLICY

How you find out.

This policy may be updated to reflect changes in legislation, in Levver's practices, or in our suppliers. Material changes will be communicated with reasonable advance notice to active clients and reflected in the version history below. The version in force is always the one published on this page.

12. VERSION HISTORY

What changed.

  • ·v1.1 (2026-05-11). Expanded LGPD coverage. Added detailed retention periods, list of data processors and subprocessors, international transfer clause, detailed security measures, incident protocol, version history.
  • ·v1.0 (2026-05-10). Initial preliminary version published with the site relaunch in the Premium Editorial direction.