1. Introduction
This Personal Data Processing Policy ("Policy") sets out the practices adopted by INCC in processing personal data, in accordance with Law 13.709/2018 — Brazilian General Data Protection Law (LGPD), the Brazilian Civil Rights Framework for the Internet (Law 12.965/2014), Decree 8.771/2016 and international best practices in data protection, including the European General Data Protection Regulation (GDPR).
2. Definitions
For the purposes of this Policy, the following definitions apply, in line with art. 5 of the LGPD:
- Personal data: information related to an identified or identifiable natural person.
- Sensitive personal data: data on racial or ethnic origin, religious belief, political opinion, trade-union membership, health or sex life, genetic or biometric data.
- Data subject: the natural person to whom the personal data refer.
- Controller: the natural or legal person who decides how personal data are processed.
- Processor: the natural or legal person who processes personal data on behalf of the controller.
- DPO (Data Protection Officer): the person who acts as the point of contact between the controller, data subjects and the data protection authority.
3. Data Protection Officer (DPO)
To exercise the rights granted by the LGPD or for clarifications regarding data processing, data subjects can contact INCC's Data Protection Officer (DPO) through:
- 📧 Email: dpo@incc.org.br
- 📧 General contact: contato@incc.org.br
4. Data we collect
INCC may collect the following categories of personal data, depending on context and explicit consent of the data subject:
- Identification data: name, email, phone, country/state.
- Browsing data: IP address, browser, device, pages visited, time spent.
- Cybercrime report data: information voluntarily provided in the report channel.
- Communication data: messages sent through institutional channels.
4.1 Cybercrime report channel
When you use the report form at /en/citizen.html#report, we may collect: the type, date and description of the incident; suspect data provided by the reporter (phone, email, account/Pix); and the reporter's identifying data (name, email, phone, country/state, city and neighbourhood, the last two being optional). When the report is marked as anonymous, no reporter identification data is collected. We additionally store a hash of the IP address, the user-agent and a timestamp for audit and security purposes.
City and neighbourhood are used solely for aggregated statistics on the Crime Map. Following LGPD anonymisation standards (k-anonymity ≥ 5), groupings with fewer than 5 reports are not displayed publicly.
Identifying fields (name, email, phone, free-text description, suspect data) are encrypted at rest with AES-256 (GCM) before being written to the database, with a key managed exclusively by INCC.
4.2 Report download lead capture
When requesting downloads of publications at /en/content.html, we collect: name, email (mandatory), organization, role and intended use (optional). Explicit consent is required for processing, plus a separate optional consent for future communications.
5. Sensitive data
INCC, as a rule, does not collect sensitive personal data. When such collection is essential (for example, in specific reports involving victims), processing will occur on the legal bases set out in art. 11 of the LGPD, with strengthened protective measures.
6. Data of children and adolescents
Processing of personal data of children and adolescents shall be carried out in their best interest, in accordance with art. 14 of the LGPD, with specific and prominent consent from at least one parent or legal guardian, except in the cases provided for by law.
7. Purposes of processing
- Receiving and analysing cybercrime reports;
- Producing intelligence, studies and reports;
- Communication and engagement with citizens, partners and authorities;
- Compliance with legal obligations;
- Site improvement and audience analytics (in aggregate form);
- Sending newsletters and institutional communications, with consent.
8. Legal basis for processing
INCC processes personal data based on one or more of the legal bases set out in art. 7 of the LGPD:
- Consent of the data subject;
- Compliance with legal or regulatory obligation;
- Legitimate interest of the controller;
- Protection of life or physical integrity;
- Exercise of rights in judicial, administrative or arbitral proceedings.
9. Sharing data
INCC may share personal data with:
- Public authorities: when necessary for forwarding reports or in compliance with legal obligation.
- Service providers: hosting, analytics, email and cybersecurity, with strict contractual obligations.
- International organizations: in specific cases involving transnational cybercrimes, in compliance with the requirements of art. 33 of the LGPD for international data transfer.
10. Retention period
Personal data are kept only for the time necessary to fulfill the purposes for which they were collected, unless retention is required by law. Specific retention periods:
- Cybercrime reports: 5 years from receipt;
- Download leads: 2 years from registration, or until consent is revoked;
- Audit logs: 12 months;
- Consent log: 5 years.
After the retention period, data are anonymized or securely deleted automatically. Data subjects may request earlier deletion at any time via dpo@incc.org.br or POST /api/lgpd/excluir.
10.1 Processors and infrastructure
Data is processed by the following processors, all bound by contracts containing data protection clauses:
- Cloudflare, Inc. — application hosting (Pages), database (D1), file storage (R2), bot protection (Turnstile), CDN, WAF and aggregated analytics;
- Google LLC — Google Analytics 4 and Google Tag Manager, with anonymized IP and only after explicit consent via the LGPD banner.
11. Security measures
INCC adopts technical and administrative security measures to protect personal data, including:
- SSL/TLS encryption (Full Strict via Cloudflare);
- Web Application Firewall (WAF) protection against OWASP Top 10 risks;
- DDoS protection;
- Restricted access by role-based authentication;
- Continuous monitoring of suspicious activity;
- Periodic vulnerability and security audits.
12. Data subjects' rights
In accordance with art. 18 of the LGPD, you have the following rights:
- Confirmation of the existence of processing;
- Access to your data;
- Correction of incomplete, inaccurate or outdated data;
- Anonymization, blocking or deletion of unnecessary or excessive data;
- Data portability;
- Deletion of personal data processed with your consent;
- Information about public and private entities with which INCC has shared your data;
- Withdrawal of consent;
- Filing a complaint with the National Data Protection Authority (ANPD).
13. Cookies
INCC uses essential and analytical cookies. For details, see our Cookie Policy.
14. Policy changes
This Policy may be updated periodically. The "Last update" date will always be displayed. We recommend periodic review.
15. National Data Protection Authority (ANPD)
If, after contacting INCC, you believe that your rights have not been respected, you may file a complaint with the National Data Protection Authority (ANPD) of Brazil at www.gov.br/anpd.
16. Contact
For questions about this Policy or to exercise your rights:
- 📧 DPO: dpo@incc.org.br
- 📧 General: contato@incc.org.br
Last update: April 2026
Effective: from the date of publication on the INCC portal.
