Privacy Policy

This Policy explains how Dropou Surf LTDA processes personal data in the context of the Dropou Surf platform.

Effective date: February 25, 2026Last updated: February 25, 2026

Controller and contact

The data controller for personal data processed on the platform is Dropou Surf LTDA (CNPJ 63.694.134/0001-70), with address at Rua Pais Leme 215 Conj 1713, Pinheiros, São Paulo/SP, 05424-150.

For privacy and data protection matters, contact us at [email protected].

Data we collect

We may collect data provided directly by you and data generated during platform use, including:

registration and contact data (e.g., name, email, phone, and documents when applicable);
instructor onboarding data (e.g., date of birth, CPF, RG, parent names, address, teaching beach/location, and verification files such as selfie and ID document);
instructor professional profile data (e.g., bio, profile/gallery photos, supported levels, class formats, pricing, packages, and schedule/availability);
profile and preference data related to service usage;

Purposes and legal bases (LGPD)

We process data to enable registration, authentication, booking operations, payment processing, user communication, and support.

Legal bases include contract performance, legal/regulatory obligation, legitimate interest, and consent when required.

Data sharing

Your data may be shared with essential service providers for platform operation, such as payment processors, storage services, infrastructure, and antifraud providers.

We may also share data when required by law, by competent authority order, or for rights defense in administrative or judicial proceedings.

International transfers

Some vendors may process data outside Brazil. In those cases, we adopt contractual and organizational safeguards to protect personal data.

International data transfers follow applicable law and appropriate mechanisms under LGPD.

Retention and disposal

We keep personal data for as long as necessary to fulfill the purposes of this Policy, comply with legal obligations, and allow regular rights defense.

After the applicable retention period, data is deleted or anonymized, except where legal retention is required.

Information security

We adopt reasonable technical and administrative measures to protect personal data against unauthorized access, loss, destruction, or improper alteration.

Despite safeguards, no environment is entirely risk-free. In case of a relevant incident, we will take measures required by law.

Data subject rights

Under LGPD, you may request, when applicable:

confirmation of processing and access to your personal data;
correction of incomplete, inaccurate, or outdated data;
anonymization, blocking, or deletion of unnecessary data;
portability, information about sharing, and consent withdrawal;
deletion of data processed on consent basis, when applicable.

Cookies and similar technologies

We use cookies and similar technologies for authentication, security, performance, usage analytics, and platform experience improvement.

You can manage cookie preferences in your browser, noting that some features may be affected.

Minors' data

Processing of minors' data follows applicable legal requirements, including protective measures and, when necessary, legal guardian consent.

If we identify unlawful minors' data processing, we will adopt measures for regularization or deletion.

Changes to this policy

This Policy may be revised periodically to reflect legal, regulatory, or operational updates.

The updated version will be published on the platform with its respective update date.

Privacy contact

Privacy and data protection requests should be sent to [email protected].

Applicable jurisdiction for matters not resolved administratively: São Paulo/SP, Brasil.

To understand platform usage rules, see our Terms of Use.