Privacy Policy

Triyo Tecnologia da Informação Ltda ("Triyo", "we", "our" or "us") is a technology services company registered in Brazil under CNPJ 15.123.275/0001-90, with registered offices at Pedro de Toledo, 130, Conj 21, Vila Clementino, São Paulo — SP, Brazil. We provide IT infrastructure, cloud solutions, software development and managed technology services to business clients across multiple sectors.

This Privacy Policy explains what personal data we collect when you visit triyo.online or any sub-domain operated by us, contact us directly, or otherwise engage with our services. It also explains your rights under applicable data protection law — including the European Union's General Data Protection Regulation (GDPR), Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD, Law nº 13,709/2018), and any other applicable national privacy legislation.

We have written this document to be clear and concrete. Where technical terms are unavoidable, we explain them. If you have any questions about how we handle your data, please contact us at contato@triyo.online before using our website.

By using our website or submitting information to us through any channel, you acknowledge that you have read this policy. Where the law requires it, we will ask for your explicit consent before processing your data for purposes beyond what is strictly necessary to respond to your request.

We collect personal data in three main ways: information you provide to us directly, information collected automatically when you use our website, and — in limited circumstances — information obtained from trusted third-party sources. We do not buy personal data lists, and we do not collect more data than we need.

2.1 Information You Provide to Us

When you fill in the contact form on our website, request a quote, subscribe to updates, or reach out to us by email or telephone, you may provide:

• Identity data: your first and last name, and optionally your job title or professional role.
• Business contact data: company name, business email address and phone number.
• Communication content: the subject matter and full text of your enquiry or message.
• Preferences: any services or topics you indicate interest in when completing a form.

All fields marked as mandatory on our forms are necessary for us to respond meaningfully to your request. Optional fields help us tailor our response but are never required to make contact with us.

2.2 Data Collected Automatically

When you visit our website, our web server and third-party analytics tools automatically record certain technical information. This may include:

• Log data: your IP address (stored in truncated or anonymized form where possible), browser type and version, operating system, referring URL, pages visited, time and date of your visit, and duration spent on each page.
• Device identifiers: a pseudonymous device or session identifier used by analytics tools to distinguish unique visits from repeat sessions.
• Geolocation data: approximate geographic location derived from your IP address (city or region level — we do not collect precise GPS coordinates from the browser).
• Interaction data: clicks, scroll depth, form submissions and other on-site behaviors, captured to help us understand how visitors use our content and where we can improve.

This automatic collection relies on cookies and similar technologies. Please read Section 4 for full details on which cookies we use and how to control them.

2.3 Data From Third-Party Sources

If you interact with our advertising campaigns (for example, through Google Ads or LinkedIn), we may receive aggregated conversion data — such as whether a click led to a contact form submission. This data is used solely to measure campaign effectiveness and is not linked to your personal profile without your consent. We also receive anonymized demographic and interest reports from Google Analytics that cannot be used to identify any individual.

We do not purchase, rent, or source personal data from data brokers or lead-generation companies.

Every use we make of your personal data is grounded in a specific legal basis. Under both GDPR and LGPD, the most common bases we rely on are: your consent, performance of a contract or pre-contractual steps, compliance with a legal obligation, and our legitimate interests — provided those interests are not overridden by your rights and freedoms.

3.1 Responding to Enquiries and Providing Services

Legal basis: performance of a (pre-)contractual relationship; legitimate interest in responding to business enquiries.

When you contact us, we use your name, email, phone number and message to reply promptly and accurately. If you request a project proposal or service quote, we use the information you submit to prepare and deliver that document. Your data is retained for as long as the conversation or project relationship requires (see Section 6).

3.2 Website Analytics and Improvement

Legal basis: consent (via cookie banner); legitimate interest in understanding website performance.

We analyze aggregated, anonymized usage data to understand which pages attract the most interest, where visitors drop off, and how to make navigation clearer. No individual is profiled or singled out in this process. The insights inform content decisions, not individual targeting.

3.3 Marketing Communications

Legal basis: your explicit consent, which you may withdraw at any time.

If you opt in to receive updates, we will send you relevant content about technology trends, new services, events or thought leadership articles. Every marketing email includes a clear one-click unsubscribe link. We never send marketing messages without prior consent, and we do not share your email address with third parties for their own marketing purposes.

3.4 Advertising Measurement

Legal basis: consent (via cookie banner); legitimate interest in measuring the return on our advertising investment.

We use conversion tracking to understand whether our paid advertising campaigns lead to meaningful website actions (e.g., a contact form submission). This helps us allocate our budget responsibly and avoid showing ads to people who have already reached out. We do not use this data to build individual advertising profiles.

3.5 Legal and Regulatory Compliance

Legal basis: compliance with a legal obligation.

We may process and retain your data when required to do so by Brazilian law, tax regulations, or lawful orders issued by a competent public authority. We will always try to notify you when legally permitted to do so.

Our website uses cookies — small text files stored on your device — along with similar technologies such as web beacons and pixel tags. Some cookies are strictly necessary for the site to function; others are only set if you give your consent via our cookie consent banner.

You can withdraw or change your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of any page. You can also configure your browser to refuse cookies entirely, though this may affect the functionality of the site. The browser controls for the most common browsers are available at the help pages for Chrome, Firefox, and Safari.

We do not sell, rent or trade your personal data. We share data only in the limited circumstances described below, and only to the minimum extent necessary.

5.1 Service Providers (Processors)

We engage a small number of trusted technology service providers who process data on our behalf and under our instructions. These currently include:

• Google LLC — for website analytics (Google Analytics 4), advertising measurement (Google Ads), email infrastructure (Google Workspace), and embedded mapping. Google acts as a data processor under our configuration; see Google's Privacy Policy at policies.google.com.
• Hosting and CDN provider — our website infrastructure provider processes access logs in the normal course of hosting operations. This provider is bound by a Data Processing Agreement aligned with LGPD and GDPR requirements.
• CRM / email platform — if you opt in to communications, your email address and name are stored in a CRM system operated by a third-party provider under a data processing agreement. You can request deletion at any time by emailing contato@triyo.online.

All processors are contractually bound to process your data only for the purposes we specify, to maintain appropriate security measures, and — where data is transferred outside Brazil — to do so in compliance with LGPD Chapter V.

5.2 Legal Requirements

We may disclose your personal data if required to do so by a Brazilian court order, a decision of the Autoridade Nacional de Proteção de Dados (ANPD), or another lawful legal obligation. Where permitted, we will notify you before complying with such a request.

5.3 Business Transfers

If Triyo is involved in a merger, acquisition, divestiture or sale of assets, personal data held about our contacts may be transferred as part of that transaction. We would notify affected individuals by email or prominent website notice before any such transfer, and the receiving entity would be required to respect this policy or replace it with one of equivalent protection.

5.4 International Transfers

Some of our service providers (including Google) store and process data on servers outside Brazil, including in the United States and European Economic Area. We ensure that any such transfer is covered by appropriate safeguards — including Standard Contractual Clauses adopted by the European Commission, or the equivalent mechanisms recognized under LGPD — so that your data receives a level of protection substantially equivalent to that which applies in Brazil.

We keep your personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

• Contact and enquiry data: retained for up to 5 years from the date of last contact. This allows us to refer back to the history of our correspondence in the event of a follow-up enquiry or dispute. After 5 years, data is securely deleted unless a legal hold applies.
• Active client records: retained for the duration of the contractual relationship plus 5 years to comply with Brazilian tax and commercial record-keeping obligations (Lei nº 10,406/2002 — Civil Code; Lei nº 5,172/1966 — Tax Code).
• Marketing opt-in data: retained until you unsubscribe or withdraw consent, plus an additional 30 days to ensure that unsubscribe instructions have been fully processed across all systems.
• Website analytics data: anonymized aggregate analytics data is retained for up to 26 months in Google Analytics, consistent with Google's standard data retention settings.
• Cookie consent logs: retained for 3 years to provide evidence of consent in case of regulatory audit.
• Server access logs: retained for a maximum of 90 days for security and diagnostic purposes, then automatically purged.

When data reaches the end of its retention period, we either delete it securely (using industry-standard deletion methods that render the data unrecoverable) or anonymize it so that it can no longer be associated with any individual.

As a technology company, data security is not a checkbox exercise for us — it is central to how we operate. We apply layered technical and organizational controls to protect your personal data against unauthorized access, disclosure, alteration, and destruction.

Technical Measures

• All data transmission between your browser and our website is encrypted using TLS 1.2 or higher. We enforce HTTPS sitewide and implement HTTP Strict Transport Security (HSTS) headers.
• Our web infrastructure operates behind a Web Application Firewall (WAF) that filters malicious traffic patterns.
• Forms on our website are protected against automated spam and abuse with reCAPTCHA or equivalent challenge mechanisms.
• Access to internal systems that store personal data is restricted by role-based access control and requires strong, unique credentials. Multi-factor authentication (MFA) is mandatory for all team members accessing systems that process personal data.
• Sensitive data fields in our CRM are encrypted at rest using AES-256 encryption.

Organizational Measures

• Only team members with a clear operational need to access your data can do so. Access rights are reviewed quarterly and revoked immediately upon role change or departure.
• All staff involved in handling personal data receive annual privacy and security training.
• We maintain an internal data register that documents what personal data we hold, where it is stored, and who has access to it.
• Our key service providers are vetted against our security standards and bound by Data Processing Agreements before any personal data is shared with them.

Despite these measures, no method of electronic transmission or storage is 100% secure. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ANPD and — where required — the affected individuals within the timeframes prescribed by LGPD (72 hours for high-risk incidents).

Brazilian law (LGPD) and European data protection law (GDPR) grant you a comprehensive set of rights with respect to your personal data. These rights apply to any personal data about you that Triyo holds or processes. We are committed to fulfilling requests promptly and transparently — ordinarily within 15 days and never more than 30 days from the date of receipt.

How to Exercise Your Rights

To exercise any of the rights described above, send a written request to contato@triyo.online with the subject line "Data Subject Request". Please include your full name, the email address associated with your data, a description of the right you wish to exercise, and — if requesting access or deletion — a brief description of the data in question. We will acknowledge your request within 5 business days and provide a full response within 15 business days (extendable to 30 in cases of complexity or volume).

We will verify your identity before acting on a request to ensure we do not inadvertently disclose or delete data belonging to another person. We will not charge a fee for reasonable requests, but reserve the right to charge an administrative fee or decline manifestly unfounded or excessive requests.

Our website and services are directed exclusively at business professionals and are not intended for use by children under the age of 18. We do not knowingly collect personal data from minors.

If you are a parent or guardian and believe that a child under your care has submitted personal data to us without appropriate consent, please contact us immediately at contato@triyo.online. Upon verification, we will delete the data promptly and take steps to prevent recurrence.

Under LGPD (Art. 14), the processing of personal data of children requires specific legal authorization and parental or guardian consent. We take this obligation seriously and maintain safeguards to prevent inadvertent collection of children's data through our platforms.

Privacy law and the technical landscape evolve, and our Privacy Policy will be updated periodically to reflect those changes. We will always display the "Last Updated" date at the top of this page so you can see at a glance whether the policy has changed since you last read it.

For minor changes — such as clarifications of existing language, additions of new service providers that process data in the same way, or corrections of typographical errors — we will update the page without individual notification.

For material changes — particularly any change that expands the scope of data we collect, introduces a new legal basis for processing, or significantly alters how we share data with third parties — we will provide at least 30 days' advance notice via a prominent banner on our website and, where we hold your email address, by direct email notification. Your continued use of our website after a material change takes effect constitutes your acknowledgment of the updated policy.

We encourage you to review this policy periodically. Previous versions are available on request by emailing contato@triyo.online.

Triyo Tecnologia da Informação Ltda is the data controller for the personal data collected through this website. If you have any questions, concerns or requests related to this Privacy Policy or to how we handle your personal data, please contact us through any of the details below. We aim to respond to all privacy-related enquiries within 5 business days.

Under LGPD (Art. 41), controllers are required to designate a Data Protection Officer (Encarregado de Proteção de Dados). Enquiries directed to the contact email below will be routed to the person responsible for this function within Triyo. We will update this section with a named DPO contact as our data governance program matures in accordance with ANPD guidance.