Privacy Policy
Version 1.0.0 · Last updated: May 15, 2026
1. Who we are (Controller identification)
Atypos.family is a digital platform for families with neurodivergent children and adolescents. The service is operated by:
Legal name: Rafael Barrochelo Guimarães Consultoria em TI
Trade name: Entercast Consulting
CNPJ (Brazilian company ID): 29.312.177/0001-05
Legal type: 213-5 Sole Proprietorship (Micro Enterprise — ME) — Brazil
Registered address: R. Toledo Barbosa, 611, Casa 16, Belenzinho, São Paulo/SP, ZIP 03.061-000, Brazil
Responsible: Rafael Barrochelo
Email: encarregado@atypos.family
Site: https://atypos.family
If you have questions about how we handle your data, you can write to us at any time.
2. Data Protection Officer (DPO)
As required by LGPD Art. 41, we have designated a DPO:
Rafael Barrochelo
Contact: encarregado@atypos.family
Role: Responsible for receiving communications from data subjects, acting as a channel with the Brazilian National Data Protection Authority (ANPD), and ensuring internal compliance with this policy.
3. Data we collect and why
We collect only the data we need to operate. Below are the categories, what we collect, and why:
3.1 Caregiver (legal guardian) data
| Data | Purpose | LGPD legal basis |
|---|---|---|
| Name | Personalise communications and manuals | Contract (Art. 7 V) |
| Manual delivery, authentication, support | Contract (Art. 7 V) | |
| WhatsApp (optional) | Notifications about the manual (only if you provide it) | Consent (Art. 7 I) |
| Gender (optional) | Adapt language in the manual texts | Consent (Art. 7 I) |
3.2 Child or adolescent identification data
| Data | Purpose | LGPD legal basis |
|---|---|---|
| Name (or nickname) | Personalise the manual with your child's name | Specific consent of the legal guardian (LGPD Art. 14 §1) |
| Age range | Adapt language and recommendations by developmental stage | Specific consent of the legal guardian (LGPD Art. 14 §1) |
| Gender (optional) | Adapt pronouns and language in the manual | Specific consent of the legal guardian (LGPD Art. 14 §1) |
| Photo (optional) | Manual cover — securely processed, stored on a private server | Explicit consent of the legal guardian (LGPD Art. 14 §1). Note: if the photo is used in a context that reveals health-related data, LGPD Art. 11 will additionally apply. |
3.3 Health data — SPECIAL CATEGORY (LGPD Art. 11)
The data below is classified as sensitive data and receives enhanced protection:
| Data | Purpose | LGPD legal basis |
|---|---|---|
| Declared diagnosis (e.g. ASD, ADHD, undiagnosed) | Guide the AI-generated psychosocial profile | Specific and explicit consent of legal guardian (Art. 11 I) |
| Behavioural quiz answers | Generate the child's detailed psychosocial profile | Specific and explicit consent of legal guardian (Art. 11 I) |
| AI-generated psychosocial profile | Compose manual sections (sensory, communication, emotions, routine, etc.) | Specific and explicit consent of legal guardian (Art. 11 I) |
Important: Atypos.family is not a health service and does not make diagnoses. The "declared diagnosis" is provided by you — we do not verify, clinically interpret, or share it with third parties beyond the technical sub-processors listed in Section 7.
3.4 Behavioural and usage data
| Data | Purpose | LGPD legal basis |
|---|---|---|
| Quiz answers | Generate the manual | Contract (Art. 7 V) |
| Diary entries (subscribers) | Caregiver's personal log about their child | Contract (plan feature) |
| Manual access records (views) | Operational debugging and service quality | Legitimate interest (Art. 7 IX) |
3.5 Financial data
We do not store credit card data. Payment processing is handled by Stripe (credit card — US servers): Atypos receives only payment confirmation (status + transaction_id); and AbacatePay (PIX — Brazilian servers): Atypos receives only payment status confirmation.
3.6 Navigation and technical diagnostic data
| Data | Purpose | LGPD legal basis |
|---|---|---|
| Session cookies (Supabase) | Keep you authenticated | Legitimate interest (Art. 7 IX) — essential to operation |
| Anonymous analytics (PostHog, Google Analytics) | Understand how the site is used and improve it | Consent (Art. 7 I — cookie banner) |
| Error reports (Sentry) | Identify and fix technical bugs | Consent (Art. 7 I — cookie banner) |
| IP and user-agent | Security, anti-fraud | Legitimate interest (Art. 7 IX) |
4. Children's and Adolescents' Data — Special Protection (LGPD Art. 14)
Atypos.family processes data of children (under 12) and adolescents (12 to 17 years old), with enhanced protection as required by LGPD Art. 14. The same safeguards apply to both groups, though we acknowledge that risk profiles and progressive autonomy differ between these age ranges.
Guiding principle: the best interests of the child and adolescent guide all our decisions about data processing.
Consent: processing a minor's data requires specific and prominent consent from the legal guardian (parent, tutor, guardian, or any person legally authorised to represent the minor), collected at the start of the manual creation flow. We adopt guardian legitimacy verification mechanisms proportional to the risk of the processing and to the minimisation principle.
- We use the minor's data exclusively to generate the manual requested by the caregiver
- We do not share the minor's data with third parties for commercial purposes
- We do not use the minor's data for advertising or marketing profiling
- The manual is accessible only to the legal guardian who created it (private URL with 144 bits of entropy)
- Minor's photo: optional, stored in a private bucket, access URLs expire in 72 hours
5. Artificial Intelligence and Automated Decisions
Atypos.family uses artificial intelligence tools to support the organisation of your responses and the generation of your personalised manual. This processing may include creating summaries and descriptive profiles based on the information provided in the form and quiz.
Atypos.family does NOT perform medical diagnosis, does NOT issue clinical reports, and does NOT replace specialised professional assessment. The generated manual is a practical guidance document — with no clinical or therapeutic value.
AI provider: Anthropic Inc. (USA), through the Claude model via a standard commercial API. By default, Anthropic does not use inputs and outputs from commercial clients to train its models. We do not have Zero Data Retention (ZDR) or a Business Associate Agreement (BAA) configured with Anthropic. Anthropic's data practices can be consulted directly in its official documentation (privacy policy and usage policies).
When automated processing may significantly affect your interests, you may: (a) request human review of the AI-generated decision or content; (b) request clarification about the logic applied; (c) exercise all rights provided under LGPD Art. 20 regarding automated decisions. To do so, contact us at encarregado@atypos.family.
6. How long we keep your data (Retention)
| Category | Retention period | Basis |
|---|---|---|
| Caregiver data (name, email) | While account is active; up to 5 years after closure | Legal obligation + rights defence |
| Minor's data (name, profile) | While the manual exists; deleted when manual or account is deleted | Purpose fulfilled |
| Minor's photo | While the manual exists; deleted upon deletion | Purpose fulfilled |
| Declared diagnosis + psychosocial profile | While the manual exists | Purpose fulfilled |
| AI logs (prompts and outputs — claude_logs) | 90 days exclusively for operational debugging; automatically deleted at end of period | Limited legitimate interest — no use for model training or prompt improvement |
| Email events (delivery status) | 180 days for delivery tracking and support | Operational legitimate interest |
| Financial data (payment confirmation) | 5 years | Fiscal and accounting obligation (Brazilian Law 9.430/96 and applicable tax legislation) |
| Analytics cookies | 13 months | Per your choice in the cookie banner |
| Diary data (subscribers) | While subscription is active; 30 days after cancellation | Purpose fulfilled |
When you delete your account, all minor's data is removed from the active database. We request deletion from third-party systems (Section 8), but their timelines may vary. Backup copies may have residual technical retention per internal backup policy.
7. Your Rights as a Data Subject (LGPD Art. 18 and Art. 20)
You have the following rights over your data — and the data you provided about your child or dependent:
- Confirmation: know whether we process your data
- Access: receive a copy of the data we hold about you
- Correction: correct incomplete, inaccurate or outdated data
- Anonymisation or blocking: for unnecessary, excessive, or non-compliant data
- Portability: receive, in a structured and interoperable format, the data you directly provided — limited to data the law actually subjects to the portability right
- Erasure: request deletion of data processed on the basis of consent
- Information: know with whom we share your data
- Objection: object to processing based on legitimate interest if you believe it harms your rights
- Human review of automated decisions: request that an AI-generated automated decision be reviewed by a human, receive clarification about the logic applied, and contest the outcome (LGPD Art. 20)
- Withdrawal of consent: revoke any consent given, without prejudice to prior processing
How to exercise your rights:
- Via the app: go to /account and select "Privacy and data"
- By email: encarregado@atypos.family with subject "LGPD Rights"
We respond within the applicable legal and regulatory timeframes. We may ask for identity confirmation before processing your request. You may also submit a complaint directly to the Brazilian National Data Protection Authority (ANPD): https://www.gov.br/anpd
8. Who we share your data with
We share personal data only with third parties necessary to operate, host, bill, communicate, or protect the service. Depending on the context, these third parties act in distinct roles:
Processors (handle data on our behalf, following our instructions):
| Vendor | Server location | Data shared by context | Purpose | DPA |
|---|---|---|---|---|
| Supabase | US / EU | Main database (profiles, quiz, manual, diary); authentication (email, password hash); storage (minor's photo) | Database infrastructure, authentication, and file storage | Under review |
| Resend | US / EU | Caregiver email, name, manual link | Transactional email delivery | Under review |
| Vercel | US / EU | HTTP request data, access logs (anonymised) | Site hosting and delivery | Under review |
| Sentry | US | Technical error data (sessions masked) | Error and bug monitoring | Under review |
| PostHog | US / EU | Anonymous usage ID (UUID), navigation events | Product analytics | Under review |
Independent controllers (also process data to meet their own regulatory obligations and purposes):
| Vendor | Server location | Data shared | Purpose | DPA |
|---|---|---|---|---|
| Stripe | US | Payment data (card) | Credit card payment processing — Stripe acts as an independent controller for anti-fraud and regulatory compliance purposes | To be formalised |
| AbacatePay | Brazil | Payment data (PIX) | PIX payment processing — AbacatePay acts as an independent controller for Brazilian Central Bank regulatory purposes | To be formalised |
| Anthropic Inc. | US | Declared diagnosis, quiz answers, minor's name — minimised to what is necessary for manual generation | Manual generation via AI (Claude). By default, Anthropic does not use commercial inputs/outputs for model training. No Zero Data Retention configured. | To be formalised |
| Google (Analytics) | US | Anonymous navigation data (anonymised IP) | Traffic analytics — Google acts as an independent controller under Google Analytics terms of service | To be formalised |
| Meta Platforms (Pixel + Conversions API) | US | Email, phone, name (SHA-256 hashed), IP, user agent, conversion events (Lead/InitiateCheckout/Purchase). PII always sent hashed — only IP/UA in clear | Conversion attribution and ad campaign optimisation on Facebook/Instagram. Meta acts as an independent controller under Business Tools Terms. Browser Pixel only loads with marketing consent; server-side CAPI runs under contract execution (Art. 7º V LGPD) to support our acquisition plan | Meta Business Tools Terms (accepted via Business Manager) |
Public content CMS (does not access family data):
| Vendor | Server location | Data accessed | Purpose |
|---|---|---|---|
| Notion | US | Public blog content (no family data) | Blog CMS — does not access personal data of users or minors |
DPAs (Data Processing Agreements) with vendors marked as "under review" or "to be formalised" are in the process of negotiation and execution. We will update this section as instruments are signed.
9. International Data Transfers
Several of our vendors have servers outside Brazil. Transfers are governed by the legal mechanisms applicable to each flow:
9. Cookies and Tracking
We use cookies to keep your session active, analyse site usage, and identify technical bugs. You can manage your preferences via the cookie banner available on the site.
Categories:
- Essential: required for operation (authentication, session). Cannot be disabled.
- Analytics: PostHog and Google Analytics — collect aggregated usage data. Enabled with your consent.
- Diagnostics: Sentry — captures technical errors with masked sessions. Enabled with your consent.
10. Security
We adopt technical and organisational measures to protect your data:
- Database with per-user access control (Row-Level Security)
- Photos and PDFs stored in private buckets (authentication required for access)
- Temporary access URLs (expire in 72h) for sensitive files
- Data transmission via HTTPS with TLS
- Error monitoring with masked data
- Internal access limited to the minimum necessary
If we become aware of a security incident affecting your data, we will notify you and the ANPD as required by LGPD Art. 48.
11. Changes to this Policy
We may update this policy periodically to reflect legal, operational, or technological changes to the service. When we make material changes, we will provide notice by appropriate means at least 30 days in advance. The "last updated" date at the top of this page will always reflect the current version. When a change involves a new purpose, new sharing, new international transfer, or a change of legal basis that requires consent, new consent will be requested before the new processing begins — continued use of the service does not substitute that specific consent. If you do not agree with a material change, you may close your account before it takes effect.
12. Contact and DPO Channel
To exercise your rights, ask questions, or make complaints:
Email: encarregado@atypos.family
Via the app: /account — "Privacy and data"
If you are not satisfied with our response, you may also contact the Brazilian National Data Protection Authority (ANPD) at https://www.gov.br/anpd https://www.gov.br/anpd
Version 1.0.0 — May 15, 2026