March 22, 2026
Methodology About Contact
Rio de Janeiro AI
The Vanderbilt Terminal for Rio's Digital Future
INDEPENDENT GLOBAL INTELLIGENCE FOR RIO DE JANEIRO
City GDP: R$350B | Population: 6.7M | Metro Area: 13.9M | Visitors: 12.5M | Carnival: R$5.7B | Porto Maravilha: R$8B+ | COR Sensors: 9,000 | Unemployment: 6.9% | City GDP: R$350B | Population: 6.7M | Metro Area: 13.9M | Visitors: 12.5M | Carnival: R$5.7B | Porto Maravilha: R$8B+ | COR Sensors: 9,000 | Unemployment: 6.9% |

Privacy Policy — RiodeJaneiro.ai Data Protection & User Rights

Privacy Policy

Effective Date: March 22, 2026 Last Updated: March 22, 2026

RiodeJaneiro.ai (“we,” “us,” “our,” or “the Platform”) is committed to protecting the privacy and personal data of all users who access our website and services. This Privacy Policy explains in comprehensive detail what information we collect, how we collect it, the legal bases under which we process it, how we use and share it, how we protect it, how long we retain it, and what rights you have regarding your personal data under applicable data protection frameworks.

Because this platform covers Rio de Janeiro, Brazil, and serves a global audience including users in Brazil, the European Union, the European Economic Area, the United Kingdom, the United States, and other jurisdictions, this policy is designed to comply with the requirements of Brazil’s Lei Geral de Protecao de Dados (LGPD, Lei No. 13.709/2018), the European Union’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the United Kingdom’s UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws. Where these frameworks impose different requirements, we apply the standard that provides the greatest protection to the data subject.

This Privacy Policy should be read alongside our Terms of Service, Cookie Policy, and Methodology, which together govern your use of the Platform and the processing of your personal data.

1. Data Controller Information

The data controller responsible for the processing of personal data collected through this platform is RiodeJaneiro.ai. The data controller determines the purposes and means of processing personal data and bears primary responsibility for compliance with applicable data protection laws.

For all privacy-related inquiries, data access requests, correction requests, deletion requests, or complaints, you may contact us at:

Email: info@riodejaneiro.ai

If you are located in Brazil and wish to exercise your rights under the LGPD, you may direct your request to our designated Data Protection Officer (Encarregado de Protecao de Dados Pessoais) at the same email address. The Encarregado is responsible for receiving and processing data subject requests, communicating with the Autoridade Nacional de Protecao de Dados (ANPD), and advising the organization on LGPD compliance matters as required by Article 41 of the LGPD. We will respond to all data subject requests within the timeframes mandated by applicable law, as specified in the rights sections below.

2. Information We Collect

We collect several categories of personal data through different collection mechanisms. The specific data we collect depends on how you interact with the Platform: browsing without registration results in minimal data collection, while creating accounts, subscribing to newsletters, downloading reports, or purchasing premium services involves progressively more detailed data collection.

2.1 Information You Provide Directly

When you actively provide information through Platform forms, communications, or account processes, we collect the following categories of data:

  • Contact form submissions: Your name, email address, the subject of your inquiry, and the content of your message when you contact us through our website contact form or by emailing info@riodejaneiro.ai directly. If you identify your professional role or organizational affiliation in your message, we retain that information as part of the correspondence record.
  • Newsletter subscriptions: Your email address and, optionally, your name, professional title, organization, and areas of interest when you subscribe to the Rio Intelligence Brief weekly newsletter. We also record the date, time, and IP address associated with your subscription to document consent as required by the LGPD and GDPR.
  • Report downloads: Your email address, name, organization, professional role, and country when you request downloadable intelligence reports such as the Rio de Janeiro Investment Guide. This information is collected through the download form and used to deliver the requested report and to understand our audience composition.
  • Account registration for premium services: If you create an account for Exclusive Intelligence or other premium services, we collect your full name, email address, password (stored exclusively in hashed and salted form using industry-standard cryptographic algorithms), professional title, organizational affiliation, billing address, and payment information. Payment card details are processed directly by our PCI-DSS-compliant payment processor and are never stored on our servers.
  • Custom research requests: Premium subscribers who submit custom research requests provide topic descriptions, data requirements, geographic parameters, and analytical specifications that may contain information about their investment activities, business strategies, or research agendas.

2.2 Information Collected Automatically

When you visit the Platform, our servers and third-party services automatically collect certain technical and usage data through standard web technologies:

  • Usage data: Pages visited, articles read, dashboards accessed, time spent on each page, scroll depth, click patterns, internal search queries, navigation paths, referral sources (the URL or search engine that directed you to our Platform), and exit pages.
  • Device and browser information: IP address, browser type and version (such as Chrome, Firefox, Safari, or Edge), operating system and version, device type (desktop, tablet, or mobile), device manufacturer and model where available, screen resolution, viewport dimensions, and language preferences.
  • Cookie and tracking data: Information collected through cookies, web beacons, pixel tags, local storage, and similar tracking technologies as described in our Cookie Policy. This includes unique cookie identifiers, session tokens, consent preferences, and interaction data collected by analytics and advertising cookies.
  • Server log data: HTTP request logs recording the requested URL, request method, HTTP response status code, timestamp, data transfer volume, referring URL, and user agent string. Server logs are generated automatically by our web infrastructure and are retained for security monitoring, performance analysis, and debugging purposes.
  • Network data: Internet service provider information derived from IP address lookups, approximate geographic location at the city or regional level (not street-level precision), and connection type indicators.

2.3 Information from Third Parties

We may receive personal data about you from third-party sources in the following circumstances:

  • Analytics providers: Third-party analytics services, including Google Analytics, process usage data about Platform visitors and may provide us with aggregated demographic and interest reports derived from their broader data collection across the web.
  • Advertising partners: When you interact with advertisements displayed on our Platform through Google AdSense or other advertising networks, those networks may collect device identifiers, browsing behavior data, and interaction data subject to their own privacy policies. We may receive aggregated performance reports from these networks.
  • Payment processors: Our payment processing partners may provide us with transaction confirmation data, payment status updates, and fraud screening results related to premium service purchases.
  • Social media platforms: If you reach our Platform through social media links or share our content on social media, the respective platforms may provide us with referral data indicating that you visited our Platform through their service.

We process personal data only when we have a valid legal basis under applicable data protection law. The specific legal basis depends on the processing activity and the regulatory framework applicable to you based on your location.

Under the LGPD (Brazil — Lei No. 13.709/2018):

  • Consent (Art. 7, I): For newsletter subscriptions, marketing email communications, non-essential cookie placement, and processing of data for purposes beyond what is necessary for service delivery. Consent under the LGPD must be freely given, informed, unambiguous, and provided for a specific purpose. You may revoke your consent at any time without affecting the lawfulness of processing performed prior to revocation.
  • Legitimate interest (Art. 7, IX): For Platform analytics and usage pattern analysis, security monitoring and fraud prevention, service improvement and content optimization, and internal reporting. We conduct legitimate interest assessments to ensure that our interests do not override the fundamental rights and freedoms of data subjects, as required by Article 10 of the LGPD.
  • Performance of contract (Art. 7, V): For delivering premium intelligence services, custom research, and other paid services to subscribers who have entered into a service agreement with us.
  • Legal obligation (Art. 7, II): For tax and financial record-keeping requirements under Brazilian law, responding to valid legal process, and complying with regulatory orders from the ANPD or other competent authorities.
  • Protection of credit (Art. 7, X): For payment verification and fraud prevention in connection with premium service transactions.

The LGPD came into full effect in September 2020, with enforcement sanctions beginning in August 2021, and is administered by the Autoridade Nacional de Protecao de Dados (ANPD). As a platform focused on Brazilian subject matter and serving Brazilian data subjects, we take LGPD compliance as a core operational obligation.

Under the GDPR (European Union and EEA):

  • Consent (Art. 6(1)(a)): For marketing communications, non-essential cookies, and any processing that is not covered by another legal basis. Consent under the GDPR must meet the standards of Article 7, including being freely given, specific, informed, and unambiguous, with the ability to withdraw consent as easily as it was given.
  • Legitimate interest (Art. 6(1)(f)): For analytics, fraud prevention, security monitoring, and service optimization. We maintain records of our legitimate interest assessments, which balance our operational needs against the rights and expectations of data subjects.
  • Contractual necessity (Art. 6(1)(b)): For fulfilling premium service subscriptions, processing payments, and delivering contracted research and intelligence products.
  • Legal obligation (Art. 6(1)(c)): For compliance with tax reporting, financial record-keeping, and regulatory requirements applicable to our operations.

Under the UK GDPR and Data Protection Act 2018:

We apply the same legal bases and processing standards as under the EU GDPR for users located in the United Kingdom, with adjustments for UK-specific regulatory requirements under the Information Commissioner’s Office (ICO) guidance.

Under the CCPA/CPRA (California, United States):

  • We do not sell personal information as defined under the CCPA (California Civil Code Section 1798.140(ad)).
  • We do not share personal information for cross-context behavioral advertising as defined under the CPRA without providing notice and the right to opt out.
  • California consumers may exercise their rights to know, delete, correct, and opt out as described in the rights section below.

4. How We Use Your Information

We use the personal data we collect for the following specific purposes, each tied to one or more of the legal bases described above:

  • Service delivery and content access: Providing you with access to articles, reports, dashboards, glossary entries, comparisons, entity profiles, and other Platform content. Delivering newsletters, downloadable reports, and premium intelligence products you have requested or subscribed to. Managing your account, processing subscription changes, and providing customer support.
  • Communication: Responding to inquiries submitted through our contact form or email. Sending the Rio Intelligence Brief to subscribers who have opted in. Delivering system notifications regarding account activity, service changes, subscription renewals, or security alerts. Providing premium subscribers with research deliverables, quarterly reports, and monthly data digests.
  • Analytics and service improvement: Understanding how users navigate the Platform, which content receives the most engagement, which referral sources drive the most traffic, and where the user experience can be improved. Analyzing aggregate usage patterns to inform editorial decisions about content priorities and coverage depth. Testing Platform features, layouts, and functionality improvements.
  • Security and fraud prevention: Detecting, investigating, and preventing unauthorized access, abuse, scraping, credential stuffing, payment fraud, and other security threats. Monitoring server logs for anomalous activity patterns. Enforcing our Terms of Service and acceptable use policies.
  • Advertising: Displaying relevant advertisements through third-party advertising networks, including Google AdSense, subject to the advertising partner’s own privacy policies, our cookie consent mechanism, and your cookie preference settings as managed through our Cookie Policy. We do not use personal data to serve targeted advertisements except through the standard cookie-based mechanisms operated by our advertising partners.
  • Legal compliance and record-keeping: Meeting obligations under applicable tax, financial, and data protection laws. Responding to valid legal process, regulatory inquiries, and court orders. Maintaining records required for LGPD, GDPR, and CCPA compliance, including consent records, data processing inventories, and data subject request logs.
  • Business operations: Internal reporting on Platform performance, audience demographics, and revenue metrics. Planning content strategy, resource allocation, and service expansion based on aggregated usage data. Managing relationships with third-party service providers and advertising partners.

5. Data Sharing and Third Parties

We share personal data with the following categories of third-party service providers and partners, each acting under contractual obligations that restrict their use of your data to the purposes we specify and require them to implement appropriate security measures:

  • Hosting and infrastructure providers: Cloud hosting services that store and serve Platform content, databases, and user account data. These providers process data on our behalf under data processing agreements that comply with LGPD and GDPR requirements for processor obligations.
  • Analytics providers: Services such as Google Analytics that process usage data to help us understand Platform traffic patterns, user behavior, content engagement, and referral sources. Google Analytics data is configured to anonymize IP addresses where required by applicable law and to retain data for a limited period. You may opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.
  • Advertising networks: Google AdSense and potentially other advertising partners that display advertisements on the Platform. These partners use cookies and similar technologies to serve advertisements and measure ad performance. Their data collection practices are governed by their own privacy policies, and you may manage your advertising preferences through the mechanisms described in our Cookie Policy.
  • Email service providers: Third-party email platforms used to manage newsletter distribution, transactional email delivery, and email communication campaigns. These providers process subscriber email addresses and engagement metrics (open rates, click rates) on our behalf under data processing agreements.
  • Payment processors: PCI-DSS-compliant third-party payment processors that handle credit card and other payment method transactions for premium services. We do not receive or store full credit card numbers, CVV codes, or other sensitive payment authentication data. Payment processors provide us with transaction identifiers, payment status confirmations, and billing address verification results.
  • Content delivery networks: CDN providers that cache and deliver Platform content, static assets, and media files to optimize load times and reduce latency for users in different geographic locations. CDN providers may process IP addresses and request headers in the course of content delivery.
  • Legal and regulatory authorities: We may disclose personal data if required by law, court order, subpoena, regulatory order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our legal rights, your safety, the safety of others, investigate fraud, or respond to a government request. For LGPD compliance, we will notify the ANPD and affected data subjects of any data breach that may create risk or relevant damage to data subjects, as required by Article 48 of the LGPD.

We do not sell personal data to data brokers, marketing companies, list aggregators, or any other third party for their independent commercial use. We do not share personal data for purposes of cross-context behavioral advertising except through standard advertising cookie mechanisms that are subject to your consent preferences.

6. International Data Transfers

Because this platform serves users globally and operates infrastructure across multiple jurisdictions, personal data may be transferred to and processed in countries other than your country of residence. Specifically:

  • Transfers from Brazil: Data collected from Brazilian users may be processed on servers located outside Brazil. Such transfers comply with LGPD requirements under Article 33, including the use of standard contractual clauses, transfers to countries recognized by the ANPD as providing an adequate level of data protection, or other transfer mechanisms authorized by the ANPD. We maintain records of our international transfer assessments and the safeguards applied to each transfer.
  • Transfers from the EU/EEA and UK: Data collected from users in the European Union, European Economic Area, and United Kingdom may be transferred to servers outside those jurisdictions. Such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Implementing Decision (EU) 2021/914, adequacy decisions under Article 45 of the GDPR, or other lawful transfer mechanisms. We conduct transfer impact assessments where required to evaluate the data protection laws of the receiving country and implement supplementary measures where necessary.
  • Transfers from the United States: Data collected from United States residents, including California residents, is processed in accordance with applicable U.S. federal and state data protection laws regardless of the physical location of our processing infrastructure.

We ensure that all international data transfers are accompanied by appropriate safeguards and that data subjects retain the ability to exercise their rights regardless of where their data is processed.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

  • Contact form submissions: Retained for twenty-four months from the date of last correspondence, then permanently deleted from active systems. Backup copies may persist for an additional ninety days before complete purge.
  • Newsletter subscriber data: Retained for the duration of your active subscription plus six months after unsubscription to process any pending requests, honor re-subscription within a reasonable period, and maintain suppression lists that prevent unwanted re-enrollment.
  • Report download data: Retained for twenty-four months from the date of download to manage follow-up communications and understand audience composition.
  • Account data for premium services: Retained for the duration of your active subscription plus thirty-six months after account closure for legal and financial record-keeping purposes required by Brazilian tax law and applicable accounting standards.
  • Payment transaction records: Retained for seventy-two months (six years) from the transaction date as required by Brazilian tax obligations and financial audit requirements.
  • Server logs: Retained for twelve months from the date of generation, then automatically purged. Security-related log entries associated with incident investigations may be retained for up to thirty-six months.
  • Analytics data: Aggregated and anonymized analytics data that does not constitute personal data under any applicable framework may be retained indefinitely for historical trend analysis and content planning purposes.
  • Cookie data: Retention periods vary by cookie type and purpose as detailed in our Cookie Policy.
  • Consent records: Records documenting the date, time, method, and scope of your consent to data processing are retained for as long as the relevant processing continues plus forty-eight months to demonstrate compliance in the event of a regulatory inquiry.

When retention periods expire, personal data is deleted from active databases and backup systems through secure deletion procedures that prevent recovery. Where immediate deletion is technically infeasible, data is pseudonymized and access-restricted until deletion can be completed.

8. Your Rights

Depending on your location and the applicable data protection framework, you have specific rights regarding the personal data we process about you. We are committed to honoring these rights promptly, transparently, and without charge except where applicable law permits reasonable fees for manifestly unfounded or excessive requests.

8.1 Rights Under the LGPD (Brazilian Data Subjects)

Under Articles 17 through 22 of the LGPD, Brazilian data subjects have the following rights:

  • Confirmation and access (Art. 18, I-II): You have the right to confirm whether we process your personal data and to obtain a complete copy of that data in a clear, adequate, and accessible format.
  • Correction (Art. 18, III): You have the right to request correction of incomplete, inaccurate, or outdated personal data.
  • Anonymization, blocking, or deletion (Art. 18, IV): You have the right to request that unnecessary, excessive, or non-compliantly processed data be anonymized, blocked, or deleted.
  • Data portability (Art. 18, V): You have the right to request the transfer of your personal data to another service provider or product provider, in accordance with ANPD regulations.
  • Deletion of consent-based data (Art. 18, VI): You have the right to request deletion of personal data processed on the basis of your consent, except where data retention is required for legal, regulatory, or contractual reasons.
  • Information about sharing (Art. 18, VII): You have the right to obtain information about public and private entities with which we have shared your personal data.
  • Consent information (Art. 18, VIII): You have the right to be informed about the possibility and consequences of not providing consent when consent is the legal basis for processing.
  • Revocation of consent (Art. 18, IX): You have the right to revoke your consent at any time through a free and facilitated procedure, with the understanding that revocation does not affect the lawfulness of processing performed prior to revocation.
  • Right to petition (Art. 18, paragraph 1): You have the right to petition the ANPD regarding complaints about the processing of your personal data.

To exercise any of these rights, contact our Encarregado at info@riodejaneiro.ai. We will acknowledge receipt of your request within five business days and provide a substantive response within fifteen days as required by the LGPD. Complex requests that require additional processing time will be communicated with an explanation of the delay and an estimated completion date.

8.2 Rights Under the GDPR (EU/EEA Data Subjects)

Under the GDPR, data subjects in the European Union and European Economic Area have the following rights:

  • Access (Art. 15): The right to obtain confirmation of whether we process your personal data, access to that data, and information about the purposes, categories, recipients, retention periods, and safeguards applicable to the processing.
  • Rectification (Art. 16): The right to obtain correction of inaccurate personal data and completion of incomplete personal data.
  • Erasure — right to be forgotten (Art. 17): The right to request deletion of personal data when the data is no longer necessary for the original purpose, when you withdraw consent, when you object to processing, when data has been unlawfully processed, or when deletion is required by law.
  • Restriction of processing (Art. 18): The right to request that processing be restricted while accuracy is contested, while we assess an objection, when processing is unlawful but you prefer restriction over deletion, or when we no longer need the data but you require it for legal claims.
  • Data portability (Art. 20): The right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Objection (Art. 21): The right to object to processing based on legitimate interest, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Automated decision-making (Art. 22): The right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently engage in solely automated decision-making that produces such effects.

You may also lodge a complaint with your national data protection supervisory authority. A list of EU/EEA supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. We will respond to GDPR access requests within thirty days of receipt. If the request is complex or we receive a high volume of requests, we may extend the response period by an additional sixty days with notification.

8.3 Rights Under the CCPA/CPRA (California Residents)

California residents have the following rights under the CCPA as amended by the CPRA:

  • Right to know (Cal. Civ. Code Section 1798.100): You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business or commercial purposes for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected.
  • Right to delete (Section 1798.105): You may request deletion of personal information we have collected from you, subject to exceptions for legal obligations, security purposes, and other permitted uses.
  • Right to correct (Section 1798.106): You may request correction of inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing (Section 1798.120): We do not sell personal information and do not share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA. You may nonetheless submit an opt-out request as a precautionary measure, and we will honor it.
  • Right to limit use of sensitive personal information (Section 1798.121): We do not collect or process sensitive personal information as defined by the CPRA for purposes beyond those permitted under the law.
  • Right to non-discrimination (Section 1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying services, charging different prices, providing different quality of service, or suggesting you will receive different treatment.

We will respond to verified CCPA requests within forty-five days. If additional time is needed, we will notify you of the extension and the reason within the initial forty-five-day period, with a maximum total response time of ninety days. We verify consumer requests through email confirmation and, for requests to access specific pieces of personal information, through additional identity verification steps.

9. Children’s Privacy

RiodeJaneiro.ai is not directed at children under the age of sixteen, and we do not knowingly collect personal data from children under sixteen. The Platform’s content focuses on investment analysis, economic data, infrastructure development, and institutional intelligence that is intended for professional and adult audiences.

If we become aware that we have inadvertently collected personal data from a child under sixteen without verified parental or guardian consent, we will take prompt steps to delete that data from our systems. Under the LGPD, processing of children’s and adolescents’ personal data requires specific and prominent consent from at least one parent or legal guardian, as provided by Article 14. Under the GDPR, children under sixteen (or the lower age set by individual member states, but no lower than thirteen) require parental consent for information society services under Article 8. Under COPPA (the United States Children’s Online Privacy Protection Act), we do not knowingly collect personal information from children under thirteen.

If you are a parent or guardian and believe that your child has provided personal data to this Platform without your consent, please contact us immediately at info@riodejaneiro.ai and we will take steps to remove that information.

10. Security Measures

We implement technical and organizational security measures appropriate to the risk level of the personal data we process, designed to protect personal data against unauthorized access, alteration, disclosure, destruction, and other forms of unlawful processing. These measures include but are not limited to:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher protocols with strong cipher suites. We enforce HTTPS across all Platform pages and API endpoints.
  • Encryption at rest: Sensitive personal data stored in our databases, including hashed passwords, payment references, and premium subscriber account information, is encrypted at rest using AES-256 or equivalent encryption standards.
  • Access controls: Personal data access is restricted to authorized personnel on a need-to-know basis through role-based access control systems. Administrative access requires multi-factor authentication.
  • Infrastructure security: Our hosting infrastructure employs firewalls, intrusion detection systems, DDoS mitigation, and regular security patching. Server configurations follow industry-standard hardening guidelines.
  • Regular security assessments: We conduct periodic vulnerability assessments and penetration testing to identify and remediate potential security weaknesses before they can be exploited.
  • Incident response: We maintain documented incident response procedures for detecting, containing, investigating, and reporting data breaches. We will notify the ANPD and affected data subjects of LGPD-reportable breaches within a reasonable timeframe as required by Article 48. We will notify the competent GDPR supervisory authority within seventy-two hours of becoming aware of a GDPR-reportable breach as required by Article 33, and affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms under Article 34. We will comply with applicable U.S. state breach notification laws, including the California data breach notification requirements under California Civil Code Section 1798.82.
  • Employee training: Personnel with access to personal data receive regular training on data protection obligations, security best practices, and incident response procedures.

No security system is impenetrable, and we cannot guarantee the absolute security of your personal data. However, we are committed to implementing and maintaining security measures that meet or exceed industry standards for the types and volumes of data we process.

11. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals to websites. There is currently no industry-standard protocol for interpreting DNT signals, and different browsers implement DNT functionality inconsistently. As a result, the Platform does not currently respond to DNT signals. However, you may control tracking through our cookie consent mechanism as described in our Cookie Policy and through the browser-level and service-specific opt-out mechanisms described in this policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, the technologies we use, applicable legal requirements, regulatory guidance, or other operational factors. When we make changes, we will update the “Last Updated” date at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal data, or that reduce your rights under this policy, we will provide prominent notice through the Platform, via email to registered users and newsletter subscribers, or through other appropriate communication channels at least thirty days before the changes take effect, except where a shorter notice period is permitted or required by law.

We encourage you to review this policy periodically to stay informed about how we protect your personal data. Your continued use of the Platform after changes are posted constitutes your acknowledgment of those changes. If you disagree with any changes, you should discontinue use of the Platform and exercise your deletion rights as described above.

13. Governing Law

This Privacy Policy is governed by the laws of the Federative Republic of Brazil with respect to LGPD compliance for all users and with particular emphasis for Brazilian data subjects, the laws of the European Union with respect to GDPR compliance for EU/EEA data subjects, the laws of the United Kingdom with respect to UK GDPR compliance for UK data subjects, and the laws of the State of California with respect to CCPA/CPRA compliance for California residents. In the event of conflict between jurisdictional requirements, we will apply the standard that provides the greatest protection to the data subject, consistent with our obligations under each applicable framework.

14. Contact for Privacy Matters

For all privacy-related questions, data subject access requests, correction requests, deletion requests, consent withdrawals, complaints, or other inquiries:

Email: info@riodejaneiro.ai

For LGPD-specific requests, address your communication to the Encarregado (Data Protection Officer) at the above email address and reference your rights under the LGPD. For GDPR-specific requests, reference your EU/EEA or UK residency and the specific right you wish to exercise under the GDPR. For CCPA/CPRA requests, reference your California residency and the specific right you wish to exercise under the CCPA.

All data subject requests will be acknowledged within five business days of receipt. We may request additional information necessary to verify your identity before processing your request, as permitted under applicable law. Verification requirements are proportionate to the sensitivity of the request: requests for specific pieces of personal information require more rigorous identity verification than general inquiries or opt-out requests.

We aim to resolve all data subject requests within the timeframes mandated by applicable law. If resolution requires additional time, we will communicate the reason for the delay and provide an estimated completion date. You have the right to lodge a complaint with your applicable data protection supervisory authority if you are not satisfied with our response to your request.

Institutional Access

Coming Soon