← ProPrep

Privacy Policy

Last updated: May 18, 2026

This Policy explains how Pedro Matheus Ferreira Fructuoso LTDA, registered under CNPJ 61.799.410/0001-39, with its registered office at Rua Rússia, 55 — Sorocaba/SP — ZIP 18045-080 ("ProPrep", "we"), processes the personal data of those who use the ProPrep platform ("you").

Data controller: Pedro Matheus Ferreira Fructuoso LTDA — CNPJ 61.799.410/0001-39.
Data Protection Officer (DPO): pedromatheusbr@hotmail.com.

1. Data we collect

  • Account: name, email, role (student, teacher, institution, guardian) and password (stored hashed, never in plain text).
  • Teacher profile: bio, qualifications, experience and avatar, when provided.
  • Minors and guardians: the link between a student and their guardian (the guardian follows the linked student's progress).
  • Payments: processed by Stripe; we do not store card data. For teachers, payouts via Stripe Connect (bank data stays with Stripe).
  • Platform activity: mock exams and exercises taken, essays and answers, speaking recordings and transcripts, notes on materials, progress and study plan.
  • Communications: messages exchanged on the platform and emails we send.
  • Technical and usage data: IP, browser, device, access times, usage events (analytics) and error logs.

2. How we use it (and legal basis — LGPD Art. 7/11)

  • Operate the platform and perform our contract with you (performance of a contract).
  • Generate automated AI grading, feedback and progress reports (performance of a contract).
  • Process payments and payouts (performance of a contract / legal obligation).
  • Send account- and service-related communications (performance of a contract); optional communications (consent).
  • Security, fraud/abuse prevention and service improvement (legitimate interest).
  • Comply with tax and legal obligations (legal obligation).
  • Speaking/writing data processed to generate feedback (basis: consent / performance of a contract).

3. Automated decisions and AI (LGPD Art. 20)

We use AI to estimate band/score, give feedback and build study plans. These outputs are indicative and do not replace a definitive human assessment. You can request a review of these automated decisions through the channel in Section 7.

4. Sharing and processors

We share data only with providers that enable the service, under a contractual obligation of protection and restricted use:

  • Supabase — database, authentication and file storage.
  • Stripe / Stripe Connect — payments and payouts.
  • OpenAI and Anthropic — AI grading, feedback, transcription and voice generation.
  • Resend — transactional email delivery.
  • PostHog — product usage analytics.
  • Sentry — error monitoring.
  • Vercel — application hosting.

We do not sell your personal data.

5. International transfer

Some of the processors above process data outside Brazil (e.g., the United States). We adopt contractual safeguards for these transfers, in line with the LGPD (Art. 33). If you are in the European Union, processing may be subject to the GDPR.

6. Retention

We keep data while the account is active and for up to 5 years after closure, the period required for tax and financial obligations. Exam/grading content may be anonymized before that period. A deleted account has its personal data erased or anonymized, except what the law requires us to keep.

7. Your rights (LGPD Art. 18)

You may request: confirmation and access, correction, anonymization/deletion, portability, information about sharing, and to withdraw consent. To exercise these, contact the DPO at pedromatheusbr@hotmail.com or use the feedback/report button in your account. We respond within the legal deadline (up to 15 days for access).

8. Security

Encryption in transit (HTTPS) and at rest, password hashing, authentication, Row Level Security in the database, and a watermark with the student's email on paid content. In the event of a relevant security incident, we will notify you and the ANPD as required by law.

9. Cookies and similar technologies

We use necessary cookies/storage (authentication, language preference) and analytics (PostHog) to understand usage and improve the product. We do not use advertising cookies.

10. Children and adolescents

The platform is intended for users over 16 years old. Minors need the consent and supervision of a parent/legal guardian, who can follow the activity through the guardian panel. We process minors' data in the minor's best interest (LGPD Art. 14).

11. Changes

We may update this Policy. Relevant changes will be communicated by email and within the platform, with a new update date.

12. Contact

Privacy questions: pedromatheusbr@hotmail.com. Data Protection Officer (DPO): Pedro Matheus Ferreira Fructuoso.