9.1 Isolation

Each company only sees its own data; each partner only sees their own portfolio. The separation is enforced at the database level, not just on screen.

9.2 Retention (run automatically, every day)

  • Temporary technical events: 90 days.
  • Data that identifies the person (phone, sender name): anonymized in 30 days.
  • Technical click telemetry (IP prefix, browser): anonymized in 180 days.
  • Lead merge history: 365 days.
  • Business data (leads, sales, aggregates): does not expire by time — it only leaves through on-demand erasure (§9.3) or account removal.

Anonymizing the telemetry doesn’t change your numbers — the funnel and scoreboard don’t depend on the anonymized columns.

9.3 Erase data at the data subject’s request

The data subject can request deletion; the admin runs it via the “Eliminar dados do titular” action in the lead detail (§4.7) — don’t confuse it with “Excluir”, which only removes it from the list and keeps the data. The erasure anonymizes the personal data irreversibly, preserves the anonymous values, and stays audited.

The sensitive agreements are versioned: when the text changes, the previous acceptance drops and the system asks for re-consent, with the date recorded.

9.5 Encrypted credentials and auditing

The integration credentials (Meta/Google tokens, WhatsApp connection) are encrypted and never appear in logs. Partner access via “Entrar como” is audited.