Related Documents:

Introduction

Rybená Assistive Technologies Ltda., in compliance with Law No. 13,709/2018 - Brazilian General Data Protection Law (LGPD), establishes this Privacy Policy to demonstrate our commitment to personal data protection and transparency in our practices.

Our solution was developed with a focus on accessibility and inclusion, offering resources for LIBRAS translation and text-to-speech conversion. This policy describes how we process data in our operations, ensuring respect for user privacy.

Data Protection Principles

In accordance with Article 6 of the LGPD, Rybená observes the following principles in all its operations:

Fundamental Principles

  • Purpose: Processing carried out for legitimate, specific, explicit, and informed purposes
  • Adequacy: Compatibility of processing with the informed purposes
  • Necessity: Limitation of processing to the minimum necessary for achieving its purposes
  • Free access: Guarantee for data subjects to have easy and free consultation about the form and duration of processing
  • Data quality: Guarantee of accuracy, clarity, relevance, and updating of data
  • Transparency: Clear, precise, and easily accessible information about data processing
  • Security: Use of technical and administrative measures capable of protecting data
  • Prevention: Adoption of measures to prevent the occurrence of damages resulting from processing
  • Non-discrimination: Impossibility of carrying out discriminatory or abusive processing

Data Collection Statement

Rybená does not collect personally identifiable data. Our solution was designed to work without storing information that can identify users such as email, CPF, IP address, or any other personal data.

The only optionally collected data are spelling words, used exclusively for improving our LIBRAS translation technology, as detailed in this policy.

Learn More

For detailed information about spelling data collection, including how to configure and disable this functionality, consult our Spelling Data document.

Collected Data and Purpose

Processed Data (Not Stored)

For the operation of our services, the following data are temporarily processed and not stored:

  • Phrase/Sentence to be translated: Processed in real-time for immediate translation and discarded after completion
  • Web page content: Read only for simultaneous translation, without retention

Only Optionally Collected Data: Spelling

What is collected

Only when a word does not have a corresponding sign in our LIBRAS database and the user has not activated the doNotTrack parameter:

  • Only the spelled word (without context, without sentences, without numbers)
  • Completely anonymous: Without user identification, IP, source site, or any personal data
  • Encrypted: Stored with AES-256 encryption
  • Retention time: Maximum of 90 days, with automatic disposal if not validated

Technical Details

For complete information about the spelling data collection, validation, and control process, including how to implement the doNotTrack parameter, consult Spelling Data.

Exclusive purpose

  • Identify words that need specific signs in LIBRAS
  • Prioritize the development of new signs for vocabulary expansion
  • Improve assistive technology for the entire community
  • Ensure that only linguistically valid data are incorporated into the knowledge base

Total User Control

Users have absolute control over data collection:

  • doNotTrack parameter: When activated, it completely prevents the storage of spelled words
  • Immediate effect: The action is instantaneous, without future collection

In accordance with Article 7 of Law No. 13,709/2018 (LGPD), our operation is based on the following legal bases:

Article 7, Item IV - For conducting studies by research bodies

  • Foundation: We exclusively use anonymized spelling data to improve our translation technology and linguistic pattern recognition
  • Justification: The collected data are essential for scientific and technological development in the assistive technology area
  • Safeguards: We guarantee complete anonymity and impossibility of identifying data subjects

Article 7, Item IX - For serving the legitimate interests of the controller

  • Foundation: Continuous improvement of assistive technology, without prejudice to the fundamental rights and freedoms of users
  • Proportionality: The processing is strictly necessary and proportional to the intended objective
  • Impact: There is no significant impact on the rights and freedoms of data subjects

Absence of Sensitive Data

In accordance with Article 9 of the LGPD, we do not process sensitive data, considering that:

  • Individual spelling words, devoid of context, do not constitute data about racial or ethnic origin, religious conviction, political opinion, union membership or organization of a religious, philosophical, or political nature

As we do not collect personally identifiable data, there is no need to obtain specific consent according to Article 8 of the LGPD. The only optionally collected data (spelling words) is:

  • Completely anonymous and impossible to be related to an identified or identifiable natural person
  • Not identifiable, even in combination with other information
  • Collected only when the user does not activate the doNotTrack parameter
  • Used exclusively for technological improvement purposes

Information Security

Technical Details

For complete information about our technical security measures, including encryption, access control, and monitoring, consult our Information Security Policy.

Rybená implements rigorous security measures to protect processed data:

  • In-transit encryption: TLS 1.3 for all communications
  • At-rest encryption: AES-256 for all stored data
  • Access control: Restricted to authorized personnel
  • Continuous monitoring: Detection of anomalous activities
  • Network segregation: Isolation of development and production environments

Data Retention and Disposal

  • Spelling Words: Maximum retention of 90 days, with automatic disposal
  • System Logs: Minimum retention of 365 days for security purposes
  • Temporarily Processed Data: Immediate disposal after translation

Rights of Data Subjects

Rybená's Position on Personal Data

Rybená does not collect, store, or process personally identifiable data. Our technology was specifically developed to work without the need to collect information that can identify users.

Rights of Data Subjects (Article 18 of the LGPD)

Although we do not process personal data, we recognize and guarantee the rights provided for in Article 18 of the LGPD:

Right to Confirmation (Article 18, I)

  • Right: To confirm the existence of processing
  • Our response: Rybená does not process personally identifiable data
  • Procedure: Request through the DPO, response within 15 days

Right of Access (Article 18, II)

  • Right: Access to data
  • Our response: We do not maintain personally identifiable data in our systems
  • Procedure: Request through the DPO with identification, when applicable

Right to Correction (Article 18, III)

  • Right: Correction of incomplete, inaccurate, or outdated data
  • Our response: Not applicable, as we do not maintain personal data
  • Procedure: There are no data to be corrected in our systems

Right to Information about Sharing (Article 18, IV)

  • Right: Information about sharing with third parties
  • Our response: We do not share personal data, as we do not collect it
  • Procedure: Request through the DPO for confirmation

Right to Elimination (Article 18, V)

  • Right: Elimination of processed data
  • Our response: Not applicable, as we do not maintain personal data
  • Exception: Anonymized spelling words may be requested for elimination

Right to Portability (Article 18, VI)

  • Right: Portability of data to another provider
  • Our response: Not applicable, as we do not maintain personal data
  • Procedure: There are no data to be ported

Right to Information about Consent (Article 18, VII)

  • Right: Information about consent and possibility of revocation
  • Our response: We do not use consent as a legal basis, as we do not process personal data
  • Procedure: There is no consent to be revoked

Right to Review of Automated Decisions (Article 18, VIII)

  • Right: Review of decisions made solely based on automated processing
  • Our response: We do not make automated decisions based on personal data
  • Procedure: There are no automated decisions to be reviewed

Procedures for Exercising Rights

Request Channels

  1. Preferred email: [email protected]
  2. Correspondence: SHIN CA 05, Bloco J2, Edifício Lúcia Plaza, Salas 206 a 215. Lago Norte, Brasília, DF.
  3. Online form: Available on our website

Necessary Information

  • Full name or identification when applicable
  • Clear description of the requested right
  • Documents proving identity (when applicable)
  • Details that allow locating information (period, context, etc.)

Response Deadlines

  • Standard deadline: 15 (fifteen) business days
  • Extension: Up to 15 more days in exceptional cases, with justification
  • Impossibility of service: Information about reasons and available alternatives

Access Denial

Rybená may deny requests when:

  • The request is manifestly unfounded or repetitive
  • The processing is necessary to comply with legal obligation
  • The request is disproportionate to the interests of the rights and freedoms of the data subject

Data Protection Officer (DPO)

Identification and Contact

Rybená Assistive Technologies Ltda. has designated a Data Protection Officer (DPO) to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).

DPO Contact:

  • Email: [email protected]
  • Correspondence address: SHIN CA 05, Bloco J2, Edifício Lúcia Plaza, Salas 206 a 215. Lago Norte, Brasília, DF.

DPO Responsibilities

The Data Protection Officer is responsible for:

  • Guiding employees and contractors on the execution of this policy and other data protection practices
  • Receiving communications from data subjects and providing clarifications
  • Receiving complaints and communicating to the ANPD
  • Guiding on personal data protection impact assessments
  • Maintaining records of data processing activities

International Data Transfer

Statement on International Transfer

Rybená does not carry out international transfer of personal data, as we do not collect this type of information in our services.

Technical Infrastructure

We use national service providers for technical infrastructure:

  • Cloud and hosting services: For real-time translation processing
  • Development tools: For technology maintenance and improvement
  • Monitoring platforms: To ensure service availability and performance

Security Incident Notification

Technical Procedures

For detailed information about our technical incident response procedures, including recovery plan and mitigation measures, consult our Information Security Policy.

Incident Definition

A security incident with personal data is considered any adverse event, confirmed or suspected, related to the breach of personal data security, that may entail risk to the rights and freedoms of the data subject.

Notification Procedures

Notification to ANPD (Article 33 of the LGPD)

  • Deadline: Within 72 hours after awareness of the incident
  • Mandatory content:
    • Description of the nature of the incident
    • Data about the controller
    • Information about the officer
    • Description of possible consequences
    • Technical and organizational measures adopted
    • Measures adopted to communicate to data subjects

Communication to Data Subjects (Article 34 of the LGPD)

  • Mandatory: When the incident represents relevant risk or damage to data subjects
  • Minimum content:
    • Description of the incident in clear language
    • Categories of personal data affected
    • Security measures adopted
    • Recommendations for protection
    • Information on how to obtain clarifications

Exemption from Communication to Data Subjects

Communication will not be required when:

  • The national authority determines that it may generate disproportionate risks
  • Rybená adopts sufficient measures to mitigate consequences
  • The data processing is confidential by force of law

Complaints and Communication Channels

Doubts and Requests

For doubts, requests, or complaints related to this policy and personal data processing, contact our Data Protection Officer:

  • Email: [email protected]
  • Address: SHIN CA 05, Bloco J2, Edifício Lúcia Plaza, Salas 206 a 215. Lago Norte, Brasília, DF.
  • Phone: (Available during business hours)

Complaints to ANPD

If you understand that your rights as a personal data subject have been violated, you have the right to file a complaint with the National Data Protection Authority (ANPD) through the official channels available at: https://www.gov.br/anpd

Complaint Procedure

  1. Attempt at amicable resolution: Contact our DPO
  2. Wait for response: We will respond within 15 days
  3. Internal appeal: If dissatisfied, request internal review
  4. ANPD: As a last resort, file a complaint with the authority

Governance and Compliance

Privacy Governance Program

Rybená maintains a structured privacy governance program that includes:

Organizational Structure

  • Officer (DPO): Communication channel with data subjects and authorities
  • Security Team: Implementation of technical and administrative measures

Policies and Procedures

  • Personal Data Protection and Privacy Policy
  • Information Security Policy
  • Incident Response Procedures
  • Data Retention and Disposal Guidelines

Training and Awareness

  • Initial training: All employees receive training on the LGPD
  • Continuous training: Regular updates on legislative changes
  • Awareness: Internal campaigns on the importance of data protection

Personal Data Protection Impact Assessment (DPIA)

In accordance with Article 38 of the LGPD, we carry out impact assessments when:

  • The processing involves sensitive data (not applicable to our case)
  • The processing may generate risks to the rights and freedoms of data subjects
  • The processing is carried out on a large scale

Audits and Monitoring

Audit Details

For complete information about our audit procedures and technical compliance, consult our Information Security Policy.

  • Internal audits: Quarterly assessment of data protection practices
  • Third-party assessments: Periodic external audits
  • Continuous monitoring: Verification of compliance with this policy

Policy Review and Update

Review Periodicity

This personal data protection and privacy policy will be reviewed and updated periodically, at minimum:

  • Annually: For general compliance assessment
  • When necessary: In case of legislative, regulatory, or operational changes that impact personal data processing
  • After incidents: Review after significant security incidents

Communication of Updates

Any significant change in this policy will be communicated to users through:

  • Notice on our website or application
  • Publication in an easily accessible location on our communication channels
  • Sending communications to relevant stakeholders

Effectiveness of Changes

Updates will take effect:

  • Immediately: For changes related to compliance with legal obligation
  • After 30 days: For other changes, provided they are properly communicated

Final Provisions

This personal data protection and privacy policy was prepared in compliance with:

  • Law No. 13,709/2018 - Brazilian General Data Protection Law (LGPD)
  • CD/ANPD Resolution No. 2/2022
  • CD/ANPD Resolution No. 1/2021
  • Standards and guidelines of the National Data Protection Authority
  • Federal Constitution - Article 5, items X and XII

Application and Accountability

The application of this policy will be consistent throughout the organization, regardless of the position or role occupied by employees. All violations will be treated in a fair and impartial manner, taking into account the severity of the violation and the individual circumstances involved.

Administrative Sanctions

Rybená recognizes the sanctions provided for in Article 52 of the LGPD and commits to:

  • Adopt preventive measures to avoid infractions
  • Cooperate with the ANPD in inspection processes
  • Implement recommendations and determinations of the authority
Modificado em: