Privacy and Cookies Policy
Data Transparency Mechanism — In compliance with LGPD (Law 13.709/2018), CCPA/CPRA (Cal. Civ. Code § 1798), and GDPR (EU Reg. 2016/679).
1. Identification of Data Controllers
This Privacy and Cookies Policy is published and maintained jointly by the following entities, which act as co-data controllers:
| Zamak Technologies, LLC | 888 Biscayne Blvd, Suite 505, Miami, FL 33132, USA — EIN registered with the IRS |
| Zamak Tecnologia da Informação LTDA | Av. Rio Branco 181, Room 608, Downtown, Rio de Janeiro, RJ 20040-007, Brazil — CNPJ: 14.150.689/0001-45 |
Data Protection Officer / Privacy Contact: [email protected]
Each entity is responsible for the processing of personal data according to the applicable jurisdiction: Zamak Tecnologia LTDA is accountable under LGPD and ANPD; Zamak Technologies LLC is accountable under state and federal laws of the USA, including CCPA/CPRA. In matters regulated by GDPR, both act as co-data controllers.
2. Scope and Applicability
This policy applies to all processing of personal data carried out by Zamak Technologies, including:
- Website: data collection through the domain zamakt.com and its subdomains, including contact forms, newsletters, live chat, and tracking technologies
- Managed Services (MSP): data accessed, processed, or stored during the provision of IT management, monitoring, backup, and remote support services
- Cybersecurity Services: data processed in the context of endpoint protection, incident detection and response, vulnerability management, and compliance
- Business Relations: data from prospecting, negotiation, contracting, and billing
- Labor Relations: data of employees and candidates, as applicable
When Zamak acts as a Data Processor on behalf of its clients (MSP and cybersecurity services), the specific terms of processing are governed by the service provision contract and the respective Data Processing Agreement (DPA).
3. Personal Data We Collect
3.1 Data provided directly by the data subject: full name, position, and company; email address and contact phone number; tax identification data (CNPJ, EIN) for billing; information submitted through contact forms, live chat, or email; communication and language preferences.
3.2 Data collected automatically: IP address, browser type, operating system, and device; pages visited, time spent, referring URLs; cookie data and similar technologies (detailed in Section 5); approximate geolocation data (derived from IP).
3.3 Data processed in managed services: in the context of providing MSP and cybersecurity services, Zamak may access or process, in its capacity as Processor: security event logs and system audit logs; endpoint metadata (hostname, internal IP, software versions); backup and disaster recovery data; support ticket records and service interactions; infrastructure monitoring alerts and reports. Zamak does not access, view, or process the content of personal files of the end users of clients, except when strictly necessary and authorized for the resolution of specific technical incidents.
4. Purposes and Legal Bases for Processing
| Purpose | LGPD | GDPR | CCPA/CPRA |
| Provision of contracted services | Contract execution (Art. 7, V) | Contract execution (Art. 6(1)(b)) | Business purpose |
| Security monitoring | Legitimate interest (Art. 7, IX) | Legitimate interest (Art. 6(1)(f)) | Business purpose |
| Commercial communication and marketing | Consent (Art. 7, I) | Consent (Art. 6(1)(a)) | Consent / opt-out |
| Analytics and website improvement | Legitimate interest (Art. 7, IX) | Consent (Art. 6(1)(a)) | Business purpose |
| Legal and regulatory obligations | Legal obligation (Art. 7, II) | Legal obligation (Art. 6(1)(c)) | Legal compliance |
5. Cookies and Tracking Technologies
Zamak uses cookies and similar technologies on its website (zamakt.com). The complete cookie policy is available at /cookie-policy and is an integral part of this Privacy Policy.
5.1 Categories of Cookies: Session and Security (essential, e.g. session_id) — authentication and session maintenance; Preferences (essential, e.g. frontend_lang) — language and display preferences; Interaction history (optional, e.g. utm_campaign, utm_source) — campaign attribution; Advertising (optional, e.g. Meta Pixel, LinkedIn Insight Tag) — targeting and measurement; Analytics (optional, e.g. _ga, _gat, _gid) — traffic and performance analysis.
5.2 Third-Party Tools: Google Analytics (browsing data for traffic analysis — policies.google.com/privacy); Meta Pixel (campaign measurement and audience creation — facebook.com/privacy/policy); LinkedIn Insight Tag (conversion analysis and professional targeting — linkedin.com/legal/privacy-policy).
5.3 Cookie Management: the visitor can manage cookies through the consent banner displayed on the first access or through the browser settings. Essential cookies cannot be disabled. To opt-out of advertising networks: optout.networkadvertising.org.
6. Data Processing in Managed Services and Cybersecurity
Zamak predominantly acts as a Processor in client environments, according to LGPD (Art. 5, VII) and GDPR (Art. 4(8)).
6.1 Processing Principles: strict purpose (data accessed exclusively for the provision of contracted services); minimization (only data necessary for technical operation); confidentiality (employees and subcontractors bound by NDA); segregation (logically segregated environments between clients).
6.2 Types of Technical Access: Monitoring (RMM) — hardware, software, patches, alerts status, for preventive and proactive maintenance; Endpoint Protection (EDR) — security events, hashes, processes, for threat detection and response; Backup and DR — encrypted copies, backup logs, for recovery and continuity; Remote Support — recorded sessions, ticket logs, for incident resolution; Compliance and Audit — compliance records, vulnerability reports, for regulatory adherence.
6.3 Data Processing Agreement (DPA): for all managed services clients, Zamak provides a DPA that formalizes processing instructions, security measures, authorized subprocessors, incident notification, and audit rights.
7. Data Sharing with Third Parties
Zamak does not sell, rent, or trade personal data. Sharing occurs only with: technology providers (service platforms such as Microsoft, RMM/EDR, backup, under contracts with appropriate safeguards); analytics and marketing (Google Analytics, Meta, and LinkedIn, as per Section 5); legal obligations (when required by court order or regulatory determination); consultants and auditors (under confidentiality obligations). In compliance with the CCPA/CPRA, Zamak does not “sell” or “share” personal data of California residents for behavioral advertising across contexts.
8. International Data Transfer
Data may be transferred between Brazil and the USA based on: Standard Contractual Clauses (SCCs) for transfers subject to GDPR; specific contract for transfers subject to LGPD (Art. 33); consent when applicable and not covered by the above mechanisms. All transfers are subject to encryption in transit and at rest.
9. Data Retention and Disposal
| Category | Retention | Criterion |
| Contractual and billing data | Contract + 5 years | Tax obligations |
| Security logs | Minimum 1 year | Compliance and forensics |
| Marketing and CRM | Until revoked | Consent/legal interest |
| Cookies | As per validity | Session for 2 years |
| Customer backups | As per contract | Contractual SLA |
| Candidate data (HR) | Up to 12 months | Legitimate interest |
After the end of the retention period, data is deleted with media overwriting and irreversible logical deletion.
10. Information Security
Technical Measures: encryption in transit (TLS 1.2+) and at rest (AES-256); multi-factor authentication (MFA) for critical systems; continuous monitoring with EDR/XDR; patch and vulnerability management; network segmentation and least privilege; automated backup with restoration testing.
Administrative Measures: formalized security policy reviewed periodically; ongoing training in security and privacy; NDA with employees and third parties; incident response procedures; periodic internal audits.
11. Data Subject Rights
11.1 Rights under the LGPD (Art. 18): confirmation of processing and access to data; correction of incomplete or inaccurate data; anonymization, blocking, or deletion of unnecessary data; portability, deletion, and revocation of consent; information on sharing with third parties.
11.2 Rights under the GDPR (Arts. 15–22): access, rectification, and erasure (“right to be forgotten”); restriction, objection, and portability; not to be subject to automated decisions; complaint to the supervisory authority.
11.3 Rights under the CCPA/CPRA: know what data is collected and how it is used; request deletion and correction of data; opt-out of “sale” or “sharing”; non-discrimination and limitation of sensitive data.
11.4 How to Exercise Your Rights: requests via [email protected]. Deadlines: 15 days (LGPD), 30 days (GDPR), 45 days (CCPA/CPRA). Identity verified before service.
12. Data of Minors
Zamak’s services are not directed to minors under 18 years old (or 16 under GDPR). We do not intentionally collect data from minors.
13. “Do Not Track” Signals
The website does not respond to DNT signals, as there is no uniform standard adopted by the industry.
14. Changes to this Policy
Zamak may update this policy at any time. Significant changes will be communicated via the website or by email.
15. Contact
| Privacy Email | [email protected] |
| Zamak Technologies, LLC (USA) | 888 Biscayne Blvd, Suite 505, Miami, FL 33132 — +1 305 330-2899 |
| Zamak Tecnologia LTDA (Brazil) | Av. Rio Branco 181, Room 608, Rio de Janeiro, RJ 20040-007 — +55 21 3553-6311 |
Zamak Technologies is committed to the protection of personal data as a fundamental value of its operation. Questions and requests: [email protected]
Related document: Cookie Policy /cookie-policy