Privacy Policy — SalesOS

Play2sell S.A. (CNPJ: 28.864.200/0001-01) is the developer and operator of the SalesOS platform, a sales operating system that integrates Gamification, Payments and CRM modules.

In the context of the LGPD, Play2sell acts as:

• Data Processor when processing personal data of Users and Beneficiaries on behalf of the Contracting Company (Tenant/Controller)
• Data Controller when processing data for its own purposes (platform analytics, institutional marketing, legal obligations)

2.1 Data you provide

• Registration data: name, email, phone, CPF, company, job title
• Profile data: photo, organizational data, location
• Communications: support requests, feedback
• Financial data: banking information for digital account (processed by the BaaS partner)

2.2 Data generated by use

• Usage data: features accessed, actions taken, timestamps
• Performance data: scores, rankings, mission and quiz completion
• Device data: IP address, browser type, operating system, user-agent
• Location data: geolocation for check-in (when enabled by the Tenant)
• Commercial interaction data: call logs, WhatsApp, emails, visits (CRM module)
• Diagnostic logs and performance information

2.3 Third-party data

• Authentication data via identity providers (Auth0)
• CRM/ERP integration data authorized by the Contracting Company
• Lead and contact data entered by the Contracting Company (CRM module)

• Service delivery: operating the platform, authenticating access, processing transactions
• Gamification: calculating scores, generating rankings, assigning badges and PlayCoins
• Payments: processing awards and commissions, operating the digital account
• CRM: lead management, distribution, interaction logging
• Communications: service notifications, updates, support
• Analytics: understanding usage patterns and improving the service
• Security: detecting, preventing and combating fraud, threats and suspicious activities
• Legal compliance: fulfilling legal and regulatory obligations

Legal bases for processing (LGPD Art. 7 / GDPR Art. 6): performance of a contract, legitimate interest, consent and compliance with a legal obligation.

We share personal data only when necessary and with the following categories of recipients:

• Contracting Company (Tenant): performance and activity data of linked Users
• BaaS Partner (Banking as a Service): financial data for the opening and operation of the digital account
• Sub-processors: Supabase (AWS), Vercel, Auth0 (Okta), Temporal.io — as described in the DPA
• Authorities: when required by law, court order or applicable regulation

We do not sell, rent or commercialize your personal data.

Your data is stored in secure cloud infrastructure, hosted by Supabase (AWS) and Vercel. We implement technical and organizational measures to protect your data:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Multi-tenant data isolation via Row-Level Security (RLS)
• Role-based access control (RBAC) with granular permissions
• Multi-factor authentication (MFA) for administrative access
• Automated vulnerability scanning and penetration testing
• Encrypted backups with point-in-time recovery
• Network segmentation and firewall protections

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Under the LGPD and GDPR, you have the following rights over your personal data:

• Access: request a copy of the personal data we hold about you
• Rectification: correct inaccurate or incomplete personal data
• Deletion: request the erasure of your personal data, subject to legal retention obligations
• Portability: obtain your data in machine-readable format
• Objection: object to processing based on legitimate interest
• Restriction: request restriction of processing in certain circumstances
• Withdrawal of consent: when processing is based on consent, withdraw it at any time

To exercise your rights, contact us at privacy@play2sell.com or use the options available in the application. We will respond within 15 (fifteen) days.

To request full deletion of your data, visit our Data Deletion.

We use the following types of cookies:

• Essential cookies: necessary for the functioning of the platform (authentication, session management, security)
• Analytical cookies: help us understand how users interact with the platform (anonymized data)
• Preference cookies: store your settings and preferences (language, locale)

You can manage your cookie preferences via the consent banner or browser settings. Disabling essential cookies may affect platform functionality.

Your data may be transferred to and processed in countries outside Brazil. We ensure that all international transfers comply with applicable law, using:

• Standard Contractual Clauses (SCCs) approved by the European Commission (for transfers under GDPR)
• Compliance with Chapter V of the LGPD for international transfers
• Supplemental security measures where necessary

• Account data: retained during the term of the account and for 30 days after closure for export
• Financial data: retained as required by regulation (minimum 5 years after the last transaction)
• Usage and analytics data: anonymized and aggregated after 24 months
• Backups: retained for up to 30 days after deletion
• Permanent deletion: within 180 days of request or end of service

SalesOS is intended for persons aged 18 and over. We do not intentionally collect personal data from minors. If we become aware that data of a minor has been collected, we will proceed with immediate deletion.

In the event of a security incident involving personal data:

• We will notify the Contracting Company (Controller) within 48 hours of becoming aware of the incident
• We will cooperate with the notification to the National Data Protection Authority (ANPD) within 72 hours, where applicable
• We will notify affected data subjects when the incident could cause significant risk or harm
• We will implement immediate corrective measures to mitigate damages

We may update this Privacy Policy periodically. In the event of significant changes, we will notify you via the application, email or publication on this page with the changes highlighted.

For questions about this Privacy Policy or about the processing of your data:

Play2sell S.A.
Data Protection Officer (DPO)
Email: privacy@play2sell.com
Website: https://salesos.com

If you believe your data protection rights have been violated, you may file a complaint with the National Data Protection Authority (ANPD) in Brazil, or with the data protection authority in your country within the European Union.