Legal & Compliance Documentation

The terms, policies and compliance documents that govern how Octa8 operates and how we protect your data.

Legal & contracts

Terms of Use

Rules and conditions for using the Octa8 platform.

Version 1.0 · Effective 04/06/2026

1. Identification and Acceptance

Octa8 is a multi-tenant software-as-a-service (SaaS) platform operated by Octa8 Tecnologia LTDA, registered under CNPJ No. 12.345.678/0001-90, with its registered office at Jaú, São Paulo, Brasil ("Platform", "we", "us" or "our"). These Terms of Use ("Terms") govern access to and use of all services, features, applications, APIs, control panels, and content made available by Octa8.

By registering, accessing, clicking "Accept", subscribing to a plan, or otherwise using the Platform, the User declares that they have read, understood, and agreed in full to these Terms and to our Privacy Policy. If the User does not agree to any provision, they must immediately cease use and close their account.

These Terms constitute a binding agreement between the User (an individual or legal entity) and Octa8 Tecnologia LTDA. Where the User accepts these Terms on behalf of a legal entity, they represent that they have authority to do so, thereby binding that entity.


2. Definitions

For the purposes of these Terms, the following definitions apply:

  • "User" – any individual or legal entity that accesses or uses the Platform, including account holders, administrators, workspace members, and invited users.
  • "Account" – the individual or organizational registration created by the User to access the Platform.
  • "Workspace" – a logically isolated environment belonging to an account holder, to which additional users may be invited and Platform resources consumed.
  • "Plan" – a package of features and usage limits made available for a periodic fee (subscription) or, where applicable, at no charge (free plan).
  • "User Data" – any data, files, content, personal information, and materials entered, uploaded, or generated by the User on the Platform.
  • "Third-Party Services" – APIs, integrations, tools, and external platforms accessed through Octa8 but governed by the respective providers' own terms.
  • "Administrator" – a User with permission to manage Workspace settings, plans, members, and integrations.
  • "Reseller" / "White-label" – a company or professional that, under a specific contractual authorization, offers the Platform under its own brand to end customers.
  • "Affiliate" – an individual or legal entity participating in Octa8 Tecnologia LTDA's referral program, subject to the supplemental rules of that program.

3. Eligibility and Registration

3.1 Eligibility requirements

Access to the Platform is permitted to:

  • Individuals with full legal capacity, at least 18 (eighteen) years of age or legally emancipated;
  • Legal entities duly incorporated and represented by an administrator with authority to contract on the entity's behalf.

Registration by minors under 18 who are not legally emancipated is prohibited. Use by adolescents between 16 and 18 who are emancipated requires the express authorization of their legal representatives and proof of emancipation when requested.

3.2 Registration process

The User must provide truthful, accurate, current, and complete information at the time of registration ("Registration Data") and keep it up to date at all times. Providing false information constitutes a violation of these Terms and may result in immediate account termination.

The User is solely responsible for:

  • a) maintaining the confidentiality of their access credentials (login and password);
  • b) all activities carried out under their account, regardless of who carries them out;
  • c) immediately notifying Octa8 Tecnologia LTDA at help@octa8.app in the event of unauthorized use or suspected compromise of their credentials.

3.3 Corporate accounts and multiple users

When an Administrator invites members to a Workspace, the Administrator is responsible for ensuring that the invitees are also aware of and comply with these Terms before accessing the Platform. Violations of the Terms by any Workspace member may result in action being taken against the holder account.

3.4 Identity verification

Octa8 Tecnologia LTDA reserves the right, at any time, to request additional documents or information to verify the identity of the User or the regularity of the legal entity represented, and may suspend access while verification is pending.


4. Plans, Features, and Usage Limits

4.1 Available plans

Octa8 offers different Plans with distinct features, usage limits, users, storage, and API quotas. The details of each Plan are described on the pricing page at https://octa8.app//pricing, incorporated into these Terms by reference.

4.2 Free plan

Where available, the free plan is subject to more restrictive usage, feature, and support limits. Octa8 Tecnologia LTDA may, at its discretion, amend, restrict, or discontinue the free plan upon 30 (thirty) days' prior notice.

4.3 Usage limits and quotas

Each Plan establishes quotas relating to (as applicable): file storage, bandwidth, number of domains, API requests, users per Workspace, messages, automation executions, and other resources. Usage in excess of subscribed quotas may result in: (i) automatic suspension of the exceeded resource; (ii) proportional additional charges for the overage as per the published rate table; or (iii) temporary throttling until the billing cycle renews. The User will be notified upon reaching 80% and 100% of any relevant quota.

4.4 API usage and integrations

Access to third-party APIs made available through the Platform is subject, simultaneously, to these Terms and to the terms of service of the respective providers. The User is responsible for complying with the terms of Third-Party Services and for any additional costs charged by those providers directly to the User. Octa8 Tecnologia LTDA is not responsible for unavailability, changes to, or discontinuation of third-party APIs.

Access to Octa8's own APIs requires authentication via API Keys generated on the Platform. The User must: (i) keep their API keys confidential; (ii) not share them with unauthorized third parties; (iii) immediately revoke compromised keys. Use of Octa8's APIs is subject to rate limits defined per Plan and documented on the developer portal at https://octa8.app//docs/api.

4.5 Acceptable use

The User is expressly prohibited from:

  • a) using the Platform for illegal, fraudulent, or harmful purposes;
  • b) sending, storing, or transmitting viruses, malware, ransomware, or any malicious code;
  • c) conducting denial-of-service attacks (DDoS), unauthorized vulnerability scanning, or any attempt to compromise the Platform's infrastructure;
  • d) accessing the accounts, data, or systems of other Users without express authorization;
  • e) infringing the intellectual property rights of third parties;
  • f) sending unsolicited communications (spam) through Platform resources;
  • g) using the Platform to process content that violates applicable law, including child sexual abuse material (CSAM), unlawful hate speech, or content inciting violence;
  • h) reverse-engineering, decompiling, or disassembling any component of the Platform;
  • i) reselling, sublicensing, or assigning Platform access without express written contractual authorization from Octa8 Tecnologia LTDA;
  • j) circumventing authentication mechanisms, access controls, or security measures.

Violation of the acceptable use rules may result in immediate suspension or closure of the account without refund, as well as civil and criminal liability.


5. Payments, Billing, and Taxes

5.1 Prices and currency

Plan prices are listed at https://octa8.app//pricing and may be expressed in Brazilian Reais (BRL) or another currency, according to the User's account configuration. Prices are displayed exclusive of applicable taxes, unless expressly stated otherwise.

5.2 Payment methods

Octa8 Tecnologia LTDA accepts the payment methods available at the time of subscription, which may include credit card, bank slip (boleto bancário), PIX, and other electronic means. The User authorizes Octa8 Tecnologia LTDA to charge the registered payment method for amounts corresponding to the contracted Plan and any applicable usage overages.

5.3 Billing cycle

Billing occurs in advance, at the start of each cycle (monthly or annual, as per the chosen Plan). The renewal date corresponds to the original subscription date or the date agreed at the time of contracting.

5.4 Payment failure

In the event of a payment processing failure, Octa8 Tecnologia LTDA will make up to 3 (three) automatic retry attempts at intervals of 3 (three) days each. During the retry period, access may be maintained in restricted mode. If the failure persists after the retry period, the account will be suspended until payment is regularized.

5.5 Taxation

The User is responsible for paying all taxes applicable to their use of the services, in accordance with applicable law. Octa8 Tecnologia LTDA will issue invoices (notas fiscais) in accordance with applicable Brazilian tax legislation. For Users outside Brazil, local taxes (such as VAT, GST, or similar) may be added as required by the law of the User's jurisdiction.

5.6 Billing disputes

The User must notify Octa8 Tecnologia LTDA in writing within 30 (thirty) days of the due date of the disputed invoice, by sending a message to help@octa8.app with a reasoned description of the discrepancy. Charges not disputed within this period are considered accepted. A dispute does not suspend the obligation to pay undisputed amounts.

5.7 Refund policy

Unless otherwise required by applicable law or expressly provided for in the contracted Plan:

  • Monthly subscriptions: no pro-rated refund for cancellation before the end of the current cycle.
  • Annual subscriptions: a pro-rated refund for the unused period may be granted at Octa8 Tecnologia LTDA's sole discretion within the first 14 (fourteen) days of each annual cycle, provided the User has not already consumed significant resources.
  • Right of withdrawal: pursuant to Article 49 of the Brazilian Consumer Protection Code (Código de Defesa do Consumidor), a consumer-User has a right of withdrawal within 7 (seven) calendar days of contracting, with a full refund, provided the cancellation is requested through help@octa8.app or directly on the Platform.

6. Automatic Renewal

6.1 Renewal

Paid Plans renew automatically at the end of each billing cycle (monthly or annual, as applicable), for the same period and at the then-current price, unless the User cancels before the renewal date or Octa8 Tecnologia LTDA communicates a price change pursuant to Clause 6.2.

6.2 Price changes

Octa8 Tecnologia LTDA may adjust Plan prices by notifying the User no less than 30 (thirty) days in advance for monthly plans and 60 (sixty) days for annual plans, via e-mail and/or in-Platform notification. If the User does not cancel before the next billing cycle following the notice, they are deemed to have accepted the new price.

6.3 Disabling automatic renewal

The User may disable automatic renewal at any time through the account administration panel, under the "Subscription" section. Disabling automatic renewal does not cancel access during the already-paid period.


7. Cancellation and Closure by the User

7.1 Right to cancel

The User may cancel their subscription at any time, without need for justification, by accessing the account panel at https://octa8.app//account or by submitting a request to help@octa8.app. Cancellation takes effect at the end of the current billing cycle, unless the User requests immediate closure.

7.2 Effects of cancellation

Upon closure of the subscription:

  • a) Access to paid features will cease at the end of the paid cycle;
  • b) User Data will be maintained in read-only status for a period of 30 (thirty) days after closure, during which the User may export it;
  • c) After the 30-day period, User Data will be permanently deleted from Octa8 Tecnologia LTDA's systems, unless legal retention obligations apply;
  • d) Data required for compliance with tax, accounting, or regulatory obligations will be retained for the legally required period.

7.3 Data export

Octa8 Tecnologia LTDA provides data export tools within the Platform. The User is responsible for exporting their data before the account is permanently closed. Octa8 Tecnologia LTDA is not responsible for data loss after the post-cancellation retention period.


8. Suspension by the Platform

8.1 Suspension for non-payment

Octa8 Tecnologia LTDA may suspend access to the account in the event of payment overdue by more than 10 (ten) calendar days after the due date, following e-mail notification. During suspension for non-payment, User Data is preserved.

8.2 Suspension for violation of these Terms

Octa8 Tecnologia LTDA may immediately suspend or restrict access to the account, without prior notice, in the event of:

  • a) well-founded suspicion of fraudulent or abusive use;
  • b) a threat to the security, integrity, or availability of the Platform or other Users;
  • c) violation of applicable law;
  • d) breach of the acceptable use rules (Clause 4.5).

Octa8 Tecnologia LTDA will notify the User of the suspension and its grounds as soon as reasonably possible, subject to the constraints of ongoing investigations or legal requirements.

8.3 Suspension pursuant to judicial or regulatory order

Octa8 Tecnologia LTDA will comply with orders from judicial, regulatory, or competent authorities requiring the suspension, restriction, or closure of accounts, regardless of advance notice to the affected User.


9. Closure by the Platform

9.1 Closure for cause

Octa8 Tecnologia LTDA may permanently close the User's account, without entitlement to a refund, in the following circumstances:

  • a) repeated violations of these Terms following a warning;
  • b) provision of false information at registration;
  • c) non-payment not remedied after the suspension period;
  • d) use of the Platform for criminal purposes or causing serious harm to third parties or to Octa8 Tecnologia LTDA;
  • e) judicial or regulatory order.

9.2 Closure without cause

Octa8 Tecnologia LTDA may terminate the provision of services upon 90 (ninety) days' prior written notice, reimbursing the User for amounts paid corresponding to the unused portion of annual plans.

9.3 Effects of closure

The same effects set out in Clause 7.2 apply to closure, subject to the corresponding notice periods. Closure does not release the User from financial obligations already due.


10. Responsibilities of the Parties

10.1 Responsibilities of Octa8 Tecnologia LTDA

Octa8 Tecnologia LTDA undertakes to:

  • a) make the Platform available with reasonable efforts to maintain a minimum monthly uptime of 99.5% (excluding scheduled maintenance windows, force majeure events, and third-party failures), with continuous monitoring;
  • b) communicate scheduled maintenance with at least 48 (forty-eight) hours' prior notice, except in emergency situations;
  • c) implement appropriate technical and organizational measures to protect User Data;
  • d) notify the User of security incidents affecting their data, within the timeframes and in the manner required by applicable law;
  • e) process the User's personal data in compliance with Brazil's General Data Protection Law (Lei Geral de Proteção de Dados — LGPD, Law No. 13,709/2018) and, where applicable, the European Union General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).

10.2 Responsibilities of the User

The User is entirely responsible for:

  • a) all content, data, information, and materials they insert, publish, transmit, or store on the Platform ("User Content");
  • b) ensuring that User Content does not infringe third-party rights (including copyright, trademarks, privacy, and data protection rights);
  • c) complying with all applicable legislation governing their business and use of the Platform, including data protection legislation when processing personal data of their own customers through Octa8's resources;
  • d) keeping their access credentials and devices used to access the Platform secure;
  • e) maintaining independent backups of their data, notwithstanding the technical safeguards implemented by Octa8 Tecnologia LTDA;
  • f) complying with the quotas, limits, and usage restrictions established in the contracted Plan.

10.3 Disclaimer regarding third-party content

Octa8 Tecnologia LTDA does not monitor, endorse, or bear responsibility for User Content or for content of Third-Party Services accessed through the Platform. The User acknowledges that Octa8 Tecnologia LTDA acts solely as a technological intermediary with respect to User Content.


11. Intellectual Property

11.1 Platform ownership

All intellectual property rights related to the Octa8 Platform — including, without limitation, software, source code, interfaces, designs, logos, trademarks, texts, methodologies, proprietary APIs, and documentation — are the exclusive property of Octa8 Tecnologia LTDA or its licensors. Nothing in these Terms transfers any intellectual property right to the User.

11.2 License granted to the User

Subject to compliance with these Terms and payment of the applicable fees, Octa8 Tecnologia LTDA grants the User a limited, non-exclusive, non-transferable, non-sublicensable, and revocable license to access and use the Platform exclusively for the lawful purposes for which it was contracted, during the subscription term.

This license does not authorize the User to: (i) copy, modify, distribute, sell, or sublicense any part of the Platform; (ii) reverse-engineer or attempt to extract the source code; (iii) remove copyright notices or Octa8 Tecnologia LTDA's trademarks.

11.3 User Content — license granted to Octa8 Tecnologia LTDA

The User grants Octa8 Tecnologia LTDA a worldwide, royalty-free, non-exclusive license, for the period necessary to provide the services, to host, store, reproduce, process, transmit, and display User Content solely for the purpose of operating, maintaining, and improving the Platform and delivering the contracted services. This license does not authorize Octa8 Tecnologia LTDA to commercialize, sublicense, or publicly disclose User Content.

11.4 Feedback and suggestions

If the User submits suggestions, ideas, improvements, or feedback about the Platform ("Feedback") to Octa8 Tecnologia LTDA, Octa8 Tecnologia LTDA may use such contributions without restriction, obligation of compensation, or attribution. Feedback is not considered the User's confidential information.

11.5 Trademarks and visual identity

The User may not use the name, logo, trademarks, or visual identity of Octa8 Tecnologia LTDA or Octa8 without prior written authorization, except as expressly permitted by these Terms or a partnership/reseller agreement.


12. Reseller and White-Label Licensing

Companies or professionals wishing to offer the Platform under their own brand (white-label) or resell Octa8 services must enter into a specific reseller agreement with Octa8 Tecnologia LTDA. The conditions, limits, commission rates, support obligations, and restrictions applicable to resellers are defined exclusively in that supplemental agreement. In the absence of a current reseller agreement, any attempt at resale or sublicensing is expressly prohibited.

Resellers are responsible for ensuring that their end customers are also bound by terms of use affording protection equivalent to that provided herein.


13. Confidentiality

Each party may receive confidential information from the other in the course of the relationship established by these Terms ("Confidential Information"). Each party undertakes to: (i) maintain the other's Confidential Information in strict confidence; (ii) not disclose it to third parties without prior written authorization; (iii) use it solely for the purposes of the contractual relationship. The following are not considered confidential: information that (a) is already in the public domain without breach of these Terms; (b) is legitimately received from a third party without confidentiality restrictions; (c) is independently developed by the receiving party; or (d) whose disclosure is required by law or court order, in which case the disclosing party shall notify the other with maximum practicable advance notice.

Confidentiality obligations survive termination of these Terms for a period of 5 (five) years.


14. Personal Data Protection

Octa8 Tecnologia LTDA processes personal data in accordance with its Privacy Policy available at https://octa8.app//legal/privacy-policy, with the LGPD (Law No. 13,709/2018), and, where applicable, with the GDPR. A User who employs the Platform to process third parties' personal data acts as a controller with respect to those third parties, with Octa8 Tecnologia LTDA acting as processor of such data. The conditions for personal data processing carried out by Octa8 Tecnologia LTDA in its capacity as processor are set out in the Data Processing Addendum ("DPA") available at https://octa8.app//legal/dpa, incorporated into these Terms by reference for Users who process third-party personal data.

For queries about privacy and data protection, the User may contact Octa8 Tecnologia LTDA's Data Protection Officer (DPO): Encarregado de Proteção de Dados (DPO) — Octa8, at dpo@acme.test.


15. Limitation of Liability

15.1 Disclaimer of warranties

THE PLATFORM IS PROVIDED "AS IS" AND "AS AVAILABLE". TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, Octa8 Tecnologia LTDA DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, UNINTERRUPTED PERFORMANCE, OR FREEDOM FROM ERRORS.

15.2 Exclusion of damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, Octa8 Tecnologia LTDA, ITS DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, AND LICENSORS SHALL NOT BE LIABLE FOR:

  • INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES;
  • LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF DATA, OR LOSS OF BUSINESS OPPORTUNITIES;

EVEN IF Octa8 Tecnologia LTDA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

15.3 Liability cap

Octa8 Tecnologia LTDA'S TOTAL AND CUMULATIVE LIABILITY TO THE USER, FOR ANY CAUSE AND REGARDLESS OF THE FORM OF ACTION (CONTRACTUAL, TORT, OR OTHERWISE), SHALL BE LIMITED TO THE GREATER OF: (I) THE AMOUNTS ACTUALLY PAID BY THE USER TO Octa8 Tecnologia LTDA IN THE 12 (TWELVE) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM; OR (II) BRL 500.00 (FIVE HUNDRED BRAZILIAN REAIS).

15.4 Exceptions

The above limitations do not apply to: (i) damages caused by Octa8 Tecnologia LTDA's willful misconduct or gross negligence; (ii) liability for personal data breaches resulting from security failures solely attributable to Octa8 Tecnologia LTDA, to the extent required by the LGPD; (iii) cases where the exclusion or limitation is prohibited by applicable consumer protection legislation.


16. Indemnification

The User agrees to indemnify, defend, and hold harmless Octa8 Tecnologia LTDA, its partners, directors, employees, agents, and licensors from and against any claims, actions, losses, damages, costs, and expenses (including reasonable attorneys' fees) arising out of: (i) use of the Platform in violation of these Terms; (ii) User Content; (iii) infringement of third-party rights; (iv) the User's failure to comply with applicable law.


17. Force Majeure

Neither party shall be held liable for delay or failure to perform its obligations resulting from causes beyond its reasonable control, including, without limitation: natural disasters, war, pandemics, terrorist acts, large-scale power outages, internet infrastructure failures, widespread strikes, unforeseen governmental or regulatory acts ("Force Majeure Event").

The affected party must: (i) notify the other party in writing within 5 (five) business days of the commencement of the Force Majeure Event; (ii) employ reasonable efforts to mitigate the effects; (iii) resume performance of obligations as soon as reasonably possible. If the Force Majeure Event persists for more than 90 (ninety) calendar days, either party may terminate this agreement by written notice, without penalty, and the User shall be entitled to a pro-rated refund of amounts paid for the unused period.


18. Modifications to these Terms

Octa8 Tecnologia LTDA may modify these Terms periodically to reflect changes in services, applicable law, or business practices. Material modifications will be communicated to the User at least 15 (fifteen) days in advance, by e-mail and/or in-Platform notification. Modifications required by immediate legal mandate may take effect immediately.

Continued use of the Platform after the effective date of any modifications constitutes acceptance of the updated Terms. If the User disagrees with the modifications, they must cancel their account before the effective date.


19. Affiliate Program

The Octa8 affiliate program is optional and subject to specific rules available at https://octa8.app//affiliates/terms. Participants are responsible for complying with applicable advertising laws, commercial relationship disclosure requirements (including applicable regulatory standards), and tax obligations arising from commissions received. Octa8 Tecnologia LTDA reserves the right to amend, suspend, or discontinue the affiliate program upon 30 (thirty) days' notice.


20. Penalties for Violations

Without prejudice to account closure and applicable civil and criminal liability, violations of these Terms may result in:

  • a) Formal written warning, by e-mail, in cases of a first, non-serious infraction;
  • b) Temporary suspension of up to 30 (thirty) days, in cases of moderate infraction or minor repeat offense;
  • c) Permanent closure of the account, without refund, in cases of serious infraction, criminal use, or repeat offense following suspension;
  • d) Recovery of costs incurred by Octa8 Tecnologia LTDA in remedying harm caused by the User to the infrastructure or to third parties, including legal costs;
  • e) Reporting to competent authorities where the conduct constitutes a criminal offense or triggers a mandatory regulatory notification.

The application of penalties shall observe the principles of proportionality and reasonableness, and may be reviewed through the support channel at help@octa8.app.


21. Dispute Resolution

21.1 Amicable resolution

The parties undertake to attempt to resolve any dispute arising from or related to these Terms in an amicable manner, by written communication to help@octa8.app within 30 (thirty) calendar days of the dispute arising.

21.2 Mediation

Should no agreement be reached within the period set out in Clause 21.1, the parties may refer the dispute to mediation before a recognized mediation and arbitration chamber, prior to initiating any judicial or arbitral proceedings.

21.3 Arbitration

Business disputes (B2B) between Octa8 Tecnologia LTDA and corporate Users, where the amount in dispute exceeds BRL 50,000.00 (fifty thousand Brazilian Reais), may be submitted, at either party's election, to institutional arbitration before a chamber to be agreed upon by the parties at the time of the dispute, seated in Foro da Comarca de Jaú/SP, Brasil, conducted in the Portuguese language, with Brazilian law applicable. The existence and content of arbitral proceedings are confidential.

21.4 Consumer rights

Nothing in this Clause 21 restricts or waives any rights guaranteed to consumer-Users by the Brazilian Consumer Protection Code (Lei nº 8,078/1990) and other applicable protective legislation, including the right to judicial recourse and access to PROCON or other consumer protection bodies.


22. General Provisions

22.1 Entire agreement

These Terms, together with the Privacy Policy, the DPA (where applicable), any Plan-specific terms, and any applicable reseller or affiliate agreements, constitute the entire agreement between the parties with respect to their subject matter, superseding all prior understandings, whether written or oral.

22.2 Severability

If any provision of these Terms is held null, invalid, or unenforceable by a court or competent authority, the remaining provisions shall remain in full force and effect. The invalidated provision shall be interpreted so as to approximate, as closely as possible, the original intent of the parties.

22.3 Waiver

Octa8 Tecnologia LTDA's failure to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. Any waiver must be made in writing and signed by an authorized representative.

22.4 Assignment

The User may not assign or transfer their rights and obligations under these Terms without Octa8 Tecnologia LTDA's prior written consent. Octa8 Tecnologia LTDA may assign these Terms, in whole or in part, in connection with a merger, acquisition, corporate reorganization, or sale of assets, upon notice to the User.

22.5 Communications

All official communications from Octa8 Tecnologia LTDA to the User will be sent to the e-mail address registered on the account. The User is responsible for keeping their registered e-mail address current. Communications from the User to Octa8 Tecnologia LTDA must be directed to help@octa8.app.

22.6 Independence of the parties

Nothing in these Terms creates an employment, partnership, agency, or mandate relationship between the parties. Each party acts independently.

22.7 No third-party beneficiaries

These Terms are entered into solely for the benefit of the parties and do not confer rights on any third parties, except as expressly provided (such as Workspace members who accept these Terms).


23. Effective Date and Governing Law and Forum

These Terms of Use come into force on 4 June 2026 and remain in force for as long as the User holds an active account on the Platform or uses any of its services.

These Terms are governed by the laws of the Federative Republic of Brazil. For the resolution of disputes not submitted to arbitration pursuant to Clause 21.3, and without prejudice to consumer rights set out in Clause 21.4, the parties elect the courts of the district of Foro da Comarca de Jaú/SP, Brasil as the exclusive forum, waiving any other, however privileged.

For queries, support, and general correspondence:

Privacy & data protection

Privacy Policy

How Octa8 Tecnologia LTDA collects, uses, and protects your personal data.

Version 1.0 · Effective 04/06/2026

1. Controller Identification

Octa8 Tecnologia LTDA, registered under CNPJ number 12.345.678/0001-90, with registered address at Jaú, São Paulo, Brasil, is the controller of personal data processed through the Octa8 platform, hereinafter referred to as the "Platform", accessible at https://octa8.app/.

For purposes of this Policy, definitions are those set forth in Brazilian Federal Law no. 13,709/2018 (Lei Geral de Proteção de Dados — LGPD) and, where applicable, EU Regulation 2016/679 (GDPR).

General contact: help@octa8.app | 0800 000 8888 (also on WhatsApp)


2. Data Protection Officer (DPO)

The Data Protection Officer of Octa8 Tecnologia LTDA is:

  • Name: Encarregado de Proteção de Dados (DPO) — Octa8
  • Email: dpo@acme.test

The DPO is the preferred channel for exercising rights, filing complaints, and obtaining clarifications regarding this Policy. All requests received are registered, triaged, and responded to within 15 (fifteen) calendar days, extendable by an equal period upon reasoned justification, pursuant to art. 18, § 4, of the LGPD.


3. Scope and Application

This Policy applies to:

  • End users — natural persons who access, use, or register on the Platform under their own account;
  • Workspace administrators — persons who create or manage tenants (workspaces), subscribe to plans, and configure integrations;
  • Team collaborators and members — persons invited to participate in a workspace;
  • Affiliates and resellers — partners who promote or redistribute the Platform;
  • Visitors — persons who access public pages, landing pages, portals, or chatbots hosted on the Platform;
  • Sub-processors and integration partners — when they interact with the Platform on behalf of a third-party controller.

This Policy does not cover processing carried out by independent controllers that host their own businesses on the Platform (e.g., workspace owners who process their own customers' data). Such controllers must adopt their own privacy policies and are solely responsible for processing their end users' data.


4. Personal Data Collected

4.1 Data Provided Directly by the Data Subject

| Category | Examples | Collection Context |
|---|---|---|
| Identification and contact | Full name, email address, phone number, profile photo | Account registration, user profile |
| Access credentials | Password hash (bcrypt), session tokens, OAuth tokens | Authentication |
| Billing data | Cardholder name, last 4 digits, card brand, billing address, CPF/CNPJ for invoice issuance | Plan purchases, wallet top-ups |
| Professional and business data | Company name, CNPJ, business address, domain name, industry sector | Workspace configuration |
| User-generated content | Texts, images, videos, documents, templates, scheduled posts, form responses | Use of Platform tools |
| Communications | Messages exchanged via internal chat, support tickets, emails sent to the DPO or support | Support and internal communication |
| Affiliate and commission data | Name, email, Pix key/bank account, referral history and payment records | Affiliate module |

4.2 Automatically Collected Data

| Category | Examples | Mechanism |
|---|---|---|
| Device and network identifiers | IP address (IPv4/IPv6), User-Agent, browser type and version, operating system, screen resolution | HTTP requests |
| Browsing and interaction data | Pages visited, session duration, clicks, navigation sequences, interface errors | Application logs, telemetry scripts |
| Approximate location data | Country, state, city (derived from IP via geolocation) | Server-side processing |
| File metadata | File name, MIME type, size, modification date; EXIF data from images is removed at upload time for privacy reasons | File uploads |
| Cookies and similar technologies | Session identifiers, interface preferences, anti-CSRF tokens, analytics and performance cookies | See Section 5 and Cookie Policy |
| API usage data | Endpoints accessed, request volume, latency, response codes, API keys used | API logs |
| Webhook event data | Payloads received from payment providers, CRM integrations, email platforms, and other connected services | Third-party integrations |

4.3 Inferred and Derived Data

The Platform may generate inferred data from collected information, including:

  • Behavioral segmentation — usage patterns that assist in personalizing features and recommendations;
  • Engagement scoring — aggregated interaction metrics with published content;
  • Security risk profiling — login anomaly detection and suspicious behavior identification for account protection;
  • Usage forecasting — resource consumption estimates for infrastructure sizing and proactive alerts.

Inferred data is not shared with third parties for independent commercial purposes.

4.4 Third-Party Data

When data subjects choose to authenticate via OAuth providers (Google, Facebook, GitHub, etc.), we receive the data authorized by the subject on that platform, typically: unique identifier, name, email address, and profile photo. The exact scope is disclosed at the time of authorization.

4.5 Sensitive Data

We do not intentionally collect sensitive personal data (as defined in art. 5, II, LGPD) — such as racial or ethnic origin, religious conviction, political opinion, health data, biometrics, or data about sexual life — as part of our service. Should a user include such data in content they publish or store on the Platform, processing occurs under the responsibility of the respective controller (workspace admin), who must obtain the appropriate legal bases.


5. Cookies and Tracking Technologies

The Platform uses first-party and third-party cookies to ensure technical operation, analyze performance, and personalize the user experience. Cookies are classified as:

  • Strictly necessary — indispensable for authentication, security, and session operation; do not require consent;
  • Functional — store user preferences (language, theme, layout); require consent or legitimate interest;
  • Analytics and performance — measure audience and performance (e.g., aggregated usage metrics); require consent;
  • Marketing and tracking — used by third-party integrations (e.g., conversion pixels); require explicit consent.

For detailed information on each cookie used, retention periods, and how to manage your preferences, please consult our Cookie Policy, available at https://octa8.app//cookies.

Consent for non-strictly-necessary cookies may be withdrawn at any time via the cookie preferences panel, accessible in the Platform footer.


6. Purposes and Legal Bases for Processing

| # | Purpose | Data Used | Legal Basis (LGPD) | Legal Basis (GDPR) |
|---|---|---|---|---|
| P1 | User account creation and management | Identification, credentials, business data | Contract performance (art. 7, V) | Art. 6(1)(b) |
| P2 | Provision of contracted services (hosting, domains, tools, monitoring, SEO, AI) | All data necessary for the service | Contract performance (art. 7, V) | Art. 6(1)(b) |
| P3 | Payment processing and subscription management | Billing data, transaction history | Contract performance (art. 7, V) | Art. 6(1)(b) |
| P4 | Fraud prevention, security, and account protection | IP, logs, device metadata, authentication data | Legitimate interest (art. 7, IX) | Art. 6(1)(f) |
| P5 | Compliance with legal and regulatory obligations (tax retention, court order, ANPD) | As required by authority | Legal obligation (art. 7, II) | Art. 6(1)(c) |
| P6 | Transactional communications (confirmations, alerts, invoices, security notifications) | Email, phone | Contract performance / Legitimate interest (art. 7, V and IX) | Art. 6(1)(b)(f) |
| P7 | Marketing communications and updates (newsletter, launches, promotions) | Email, preferences | Consent (art. 7, I) | Art. 6(1)(a) |
| P8 | Usage analysis and Platform improvement (aggregated metrics, A/B testing) | Browsing data, logs (anonymized/pseudonymized) | Legitimate interest (art. 7, IX) | Art. 6(1)(f) |
| P9 | Technical support and customer service | Communication data, relevant logs | Contract performance / Legitimate interest (art. 7, V and IX) | Art. 6(1)(b)(f) |
| P10 | Affiliate program management and commission calculation | Affiliate data, referral history, payment data | Contract performance (art. 7, V) | Art. 6(1)(b) |
| P11 | Feature personalization and recommendations | Usage data, inferred data | Legitimate interest / Consent (art. 7, IX and I) | Art. 6(1)(f)(a) |
| P12 | Exercise of rights in administrative and judicial proceedings | Data relevant to the proceedings | Exercise of legal rights (art. 7, VI) | Art. 6(1)(f) |
| P13 | Infrastructure health monitoring and abuse prevention (rate limiting, DDoS) | IP, API logs, traffic patterns | Legitimate interest (art. 7, IX) | Art. 6(1)(f) |

Where processing is based on consent (P7, P11 in part), the data subject may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal, by contacting the DPO or via account settings.


7. Data Sharing with Third Parties and Sub-Processors

Octa8 Tecnologia LTDA shares personal data only in the situations described below, always with adequate contractual safeguards (data protection clauses, Data Processing Agreements — DPAs, or equivalent):

7.1 Sub-Processors (Service Providers)

| Sub-Processor Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure providers | Hosting, storage, CDN, databases | All data stored on the Platform |
| Payment processors | Financial transaction processing | Billing data (tokenized); never full card numbers |
| Transactional email providers | Sending system emails and notifications | Email address, name, message content |
| SMS and push notification providers | Sending alerts and verifications | Phone number, message content |
| Monitoring and log tools | Error tracking, performance analysis | Logs (pseudonymized), technical data |
| AI and NLP service providers | Integrated artificial intelligence features | Content submitted for processing (per user configuration) |
| Communication platforms (WhatsApp Business, CRM integrations) | Sending/receiving messages on behalf of the user | Data configured by workspace admin |
| DNS and domain registrar providers | Domain management | Domain name, holder contact data |
| Analytics partners | Aggregated usage analysis | Anonymized or pseudonymized data |

An up-to-date list of sub-processors may be requested from the DPO at dpo@acme.test.

7.2 Sharing Between Tenants and Users

In the Platform's multi-tenant architecture, each workspace has logical data isolation. Data from one tenant is not accessible to other tenants, except for features expressly configured by the workspace administrator (e.g., integrations, external APIs, marketplace).

7.3 Public Authorities and Legal Compliance

We may disclose personal data to governmental authorities, regulatory bodies (including the ANPD), or pursuant to court orders, strictly within the limits necessary to comply with a legal obligation or to exercise legal rights, pursuant to art. 7, II and VI, of the LGPD.

7.4 Corporate Transfers

In the event of a merger, acquisition, spin-off, or asset sale, personal data may be transferred to the successor entity, which will be bound by the obligations of this Policy. Data subjects will be notified in advance by email or via a notice on the Platform.

7.5 What We Do Not Do

  • ❌ We do not sell personal data to third parties;
  • ❌ We do not share data with advertisers for behavioral advertising purposes without explicit consent;
  • ❌ We do not share data between different customers (tenants) without express authorization.

8. International Data Transfers

Octa8 Tecnologia LTDA may transfer personal data to servers and sub-processors located outside Brazil. Such transfers are carried out only when:

  1. The destination country provides an adequate level of protection, as recognized by the ANPD pursuant to art. 33, I, of the LGPD;
  2. The sub-processor provides sufficient guarantees through:
    • Standard contractual clauses approved by the ANPD or the European Commission (SCCs);
    • Mechanisms equivalent to Binding Corporate Rules (BCRs);
    • Recognized compliance certifications (e.g., ISO 27001, SOC 2 Type II);
  3. The data subject has provided specific and highlighted consent for the transfer (art. 33, VIII, LGPD);
  4. The transfer is necessary for the performance of the contract with the data subject or for pre-contractual steps taken at the data subject's request (art. 33, V, LGPD).

Our principal international transfers involve cloud infrastructure providers holding ISO 27001 and SOC 2 Type II certifications, and payment processors holding PCI-DSS certification, all bound by Data Processing Agreements (DPAs) ensuring a level of protection equivalent to that required by the LGPD and GDPR.

Specific information about each transfer may be requested from the DPO.


9. Data Subject Rights

Pursuant to art. 18 of the LGPD (and, where applicable, arts. 15 to 22 of the GDPR), data subjects have the right to:

| Right | Description | How to Exercise |
|---|---|---|
| Confirmation and Access | Confirm the existence of processing and obtain access to processed personal data | Account Settings → "My Data" or request to DPO |
| Correction | Correct incomplete, inaccurate, or outdated data | Account settings or request to DPO |
| Anonymization, Blocking, or Deletion | Anonymize, block, or delete unnecessary, excessive, or unlawfully processed data | Request to DPO |
| Portability | Receive data in a structured, interoperable format for transfer to another provider | Request to DPO (deadline: up to 30 days) |
| Deletion (consent-based data) | Delete data processed on the basis of consent, upon revocation | Account settings or request to DPO |
| Information on sharing | Know which public or private entities have received the data | Request to DPO |
| Withdrawal of Consent | Withdraw consent at any time, without retroactive effect | Account Settings → "Privacy" or request to DPO |
| Objection | Object to processing based on legitimate interest, where legally grounded | Request to DPO, with justification |
| Review of automated decisions | Request human review of decisions made solely on the basis of automated processing that affect the data subject's interests | Request to DPO |
| Petition to the ANPD | File a petition regarding personal data against the controller before the ANPD | www.gov.br/anpd |

Response deadline: up to 15 (fifteen) calendar days from receipt of a duly identified request, extendable by an equal period with justification.

Identity verification: To ensure data security, all requests require verification of the data subject's identity. We do not respond to anonymous requests involving access, copying, or deletion of data.

Legal limitations: Certain rights may be limited where processing is necessary to comply with a legal obligation, to exercise legal rights in judicial, administrative, or arbitral proceedings, or to protect the rights of third parties, pursuant to art. 18, §§ 3 and 4, of the LGPD.


10. Data Retention and Disposal

10.1 Retention Periods

We retain personal data only for as long as necessary for the purposes that motivated its collection, subject to applicable minimum legal retention periods:

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Active account data | While the account is active | Contractual performance |
| Closed account data | 5 years after account closure | Art. 27 of the Brazilian Consumer Protection Code; general civil statute of limitations (art. 205 of the Civil Code) |
| Financial transaction records | 5 years | Law 9,613/1998 (AML); tax obligations (Law 9,430/1996) |
| Access and security logs | 6 months (pursuant to Brazil's Marco Civil da Internet, art. 15) to 1 year (security) | Law 12,965/2014 |
| Consent records | Duration of consent + 5 years | LGPD/GDPR accountability |
| Data for defense in judicial or administrative proceedings | Until final judgment or definitive closure | Art. 7, VI, LGPD |
| Marketing data (consent-based) | Until withdrawal of consent | Art. 7, I, LGPD |
| Backups and security copies | Up to 90 days after replacement by the subsequent backup | Operational |

10.2 Deletion and Anonymization

After the retention period expires, data is either:

  • Securely and irreversibly deleted (overwriting, degaussing, or physical destruction, as appropriate to the medium), such that it cannot be recovered; or
  • Anonymized where there is a legitimate interest in statistical or historical analysis, making it impossible to identify the data subject, pursuant to art. 5, XI, of the LGPD.

Anonymized data ceases to be personal data and may be retained indefinitely for analytical and Platform improvement purposes.

10.3 Account Closure

Upon requesting account closure, data subjects may export their data before deletion. After confirmation, data is marked for deletion and removed from active systems within 30 (thirty) days. Backup copies are deleted in the rotation cycle described in section 10.1. Data subject to legal retention is kept in an isolated repository with restricted access until the applicable period expires.


11. Information Security

Octa8 Tecnologia LTDA adopts technical and organizational measures appropriate to the level of risk to protect personal data against unauthorized access, alteration, disclosure, accidental or unlawful loss, or destruction, including:

11.1 Technical Measures

  • Encryption in transit: TLS 1.2+ on all external communications; HSTS enabled;
  • Encryption at rest: sensitive data and backups encrypted with AES-256 or equivalent;
  • Password hashing: bcrypt with appropriate cost factor; no plaintext password storage;
  • Access control: multi-factor authentication (MFA) available; principle of least privilege; RBAC (role-based access control) per tenant;
  • Data isolation: multi-tenant architecture with logical isolation; each tenant accesses only its own data;
  • Attack protection: per-endpoint rate limiting; CSRF, XSS, and SQL injection protection; security headers (CSP, X-Frame-Options, HSTS);
  • Metadata removal: EXIF and GPS data removed from images at upload time;
  • Continuous monitoring: access logs, anomaly detection, real-time security alerts;
  • Vulnerability management: patch management process; periodic vulnerability scans.

11.2 Organizational Measures

  • Data access policy: employees access personal data only when necessary for their duties, under confidentiality commitments;
  • Training: teams handling personal data receive periodic training in data protection and information security;
  • Data Protection Impact Assessment (DPIA/AIPD): conducted for high-risk processing activities, pursuant to art. 38 of the LGPD;
  • Vendor management: sub-processors are assessed for LGPD compliance prior to engagement and subject to specific contractual clauses (DPA);
  • Incident Response Plan: documented procedures for containment, notification, and recovery;
  • Periodic testing: penetration testing and security audits conducted on a periodic basis.

The adoption of these measures does not guarantee absolute security; residual risks inherent to the internet exist. We communicate incidents as described in Section 12.


12. Incident Response and Notification

In the event of a security incident that may cause relevant risk or harm to data subjects (breach, leak, unauthorized access, accidental or unlawful destruction, or alteration of personal data), Octa8 Tecnologia LTDA will follow the procedure below:

  1. Immediate containment — isolation of the affected system, revocation of compromised access credentials, and preservation of forensic evidence;
  2. Risk assessment — classification of severity and potential impact on affected data subjects;
  3. Notification to the ANPD — within a reasonable timeframe, pursuant to art. 48 of the LGPD and ANPD Board Resolution no. 15/2024 (or the then-applicable regulation), containing the required information: nature of the data, categories and estimated number of affected data subjects, measures taken, and DPO contact details;
  4. Notification to affected data subjects — where the incident may cause relevant risk or harm, by email and/or Platform notice, in a clear and accessible manner, with guidance on protective measures data subjects can take;
  5. Remediation and improvement — root cause correction, control review, and, where relevant, update of the DPIA.

The notification deadline to the ANPD and data subjects shall follow current ANPD regulations, currently set at 2 (two) business days for preliminary notification from the date the incident is identified, pursuant to ANPD Board Resolution no. 15/2024.


13. Children's Privacy

The Platform is not directed at persons under 18 (eighteen) years of age for the purpose of contracting services. Full civil capacity is required for autonomous access and use of the Platform.

Regarding features directed at the general public (e.g., landing pages, chatbots, and portals hosted by Platform customers):

  • We do not knowingly collect personal data from children (persons under 12 years of age) directly;
  • For adolescents (aged 12 to 17), data processing requires the consent of at least one parent or legal guardian, pursuant to art. 14 of the LGPD;
  • If we identify that data from children was collected without adequate parental consent, such data will be deleted immediately.

Workspace owners who, in the context of their own services, collect data from minors are responsible for obtaining and documenting the parental consent required by the LGPD and any applicable local legislation.


14. Third-Party Cookies and Integrations

The Platform allows integrations with third-party services (Google Analytics, Meta Pixel, CRM platforms, payment gateways, social networks, among others). Each of these services has its own privacy policy, over which Octa8 Tecnologia LTDA has no control.

By activating third-party integrations, the workspace administrator acknowledges and assumes responsibility for:

  • Informing their own users about active integrations;
  • Obtaining the necessary consents;
  • Complying with the legal obligations arising from the use of each integration.

Octa8 Tecnologia LTDA acts as a processor in relation to data processed through integrations configured by its customers (workspace admins).


15. Changes to This Policy

This Policy may be updated periodically to reflect changes in data processing practices, applicable legislation, or services offered.

In the event of material changes (that expand purposes, introduce new sharing arrangements, or reduce data subjects' rights), we will notify data subjects by:

  • Email to the registered address; and/or
  • Prominent notice on the Platform, with a minimum of 30 (thirty) days prior notice before the changes take effect.

Non-material changes (editorial corrections, contact information updates, clarity adjustments) take effect upon publication, as indicated by the effective date of this Policy.

A history of previous versions of this Policy may be requested from the DPO.


16. Governing Law and Jurisdiction

This Policy is governed by the laws in force in Foro da Comarca de Jaú/SP, Brasil, in particular Brazilian Federal Law no. 13,709/2018 (LGPD) and supplementary regulations issued by the ANPD. For data subjects located in the European Union or the European Economic Area, the GDPR additionally applies.

Any disputes arising from this Policy shall be submitted to the Foro da Comarca de Jaú/SP, Brasil, without prejudice to the data subject's right as a consumer to elect the courts of their domicile.


17. Contact and Privacy Channel

To exercise your rights, ask questions, or file complaints related to the processing of your personal data:

You may also file a petition directly with the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd, if you believe your rights have not been adequately addressed.


Effective Date

This Policy takes effect on 04 June 2026 and applies to all personal data processing carried out by Octa8 Tecnologia LTDA through the Octa8 Platform, in the jurisdiction of the Foro da Comarca de Jaú/SP, Brasil and, where applicable, in all other jurisdictions where the Platform operates.

Version 1.0 — 04 June 2026

Privacy & data protection

Data Processing Agreement (DPA)

Personal data processing terms between Octa8 Tecnologia LTDA (Processor) and the Customer (Controller).

Version 1.0 · Effective 04/06/2026

Octa8 — Platform operated by Octa8 Tecnologia LTDA, registered under Brazilian CNPJ No. 12.345.678/0001-90, headquartered at Jaú, São Paulo, Brasil ("Processor").

This Data Processing Agreement ("DPA" or "Agreement") is entered into between the Processor and the Customer, the legal entity or individual identified in the Platform account ("Controller"), and forms an integral part of, supplements, and prevails over the Terms of Service of Octa8 with respect to the processing of personal data. By accepting the Terms of Service or by using the Platform in a manner that involves the processing of personal data on behalf of the Controller, the Controller fully accepts the terms of this DPA.


1. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set forth below, without prejudice to other definitions contained in applicable law:

1.1 "LGPD" means the Brazilian General Data Protection Law (Lei nº 13.709/2018) and its amendments, regulations, and guidance issued by the National Data Protection Authority ("ANPD").

1.2 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as applicable.

1.3 "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 5(I) of the LGPD and Article 4(1) of the GDPR.

1.4 "Sensitive Personal Data" means personal data concerning racial or ethnic origin, religious belief, political opinion, membership in a trade union or organization of a religious, philosophical, or political nature, data concerning health or sex life, genetic or biometric data, when linked to a natural person, pursuant to Article 5(II) of the LGPD.

1.5 "Processing" means any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction, pursuant to Article 5(X) of the LGPD.

1.6 "Controller" means the natural or legal person, under public or private law, to whom the decisions regarding the processing of personal data belong, pursuant to Article 5(VI) of the LGPD. Under this DPA, the Controller is the Customer.

1.7 "Processor" means the natural or legal person, under public or private law, who processes personal data on behalf of the Controller, pursuant to Article 5(VII) of the LGPD. Under this DPA, the Processor is Octa8 Tecnologia LTDA.

1.8 "Sub-processor" means any third party, including affiliates of the Processor, that the Processor engages to carry out personal data processing activities on behalf of the Controller within the authorized sub-contracting chain.

1.9 "Data Subject" means the natural person to whom the personal data being processed relates, pursuant to Article 5(V) of the LGPD.

1.10 "Controller Data" means all personal data that the Controller or its end users submit, upload, transmit, or otherwise make available to the Platform for processing on behalf of the Controller, as described in Annex I.

1.11 "Platform" means the set of services, features, APIs, systems, and infrastructure provided by the Processor to the Controller under the Octa8 Terms of Service, including website creation, hosting, domains, monitoring, SEO, artificial intelligence tools, third-party integrations, file storage, and notifications.

1.12 "Personal Data Breach" means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed, pursuant to Article 48 of the LGPD and Article 4(12) of the GDPR.

1.13 "DPIA" or "RIPD" means a Data Protection Impact Assessment, an instrument provided for in Article 5(XVII) of the LGPD and in Article 35 of the GDPR.

1.14 "Documented Instruction" means a written instruction from the Controller to the Processor regarding the processing of personal data, including instructions contained in this DPA, the Terms of Service, Platform settings, or subsequent written communications.

1.15 "EEA" means the European Economic Area.

1.16 "Standard Contractual Clauses" or "SCCs" means the standard clauses approved by the European Commission for international transfers of personal data, pursuant to Commission Implementing Decision (EU) 2021/914, or its updates.


2. Subject Matter and Duration

2.1 Subject Matter. This DPA sets forth the rights, obligations, and responsibilities of the Parties with respect to the processing of Controller Data by the Processor in connection with the provision of Platform services, in compliance with the LGPD and, to the extent applicable, the GDPR and other applicable personal data protection laws.

2.2 Duration. This DPA is valid for the same period as the service contract between the Parties (Terms of Service), including any renewals, until the full performance of the data return and deletion obligations set forth in Clause 14.

2.3 Integration. In the event of conflict between this DPA and the Terms of Service with respect to matters of personal data protection, this DPA shall prevail. Both instruments together form the complete agreement between the Parties on the subject matter regulated herein.


3. Roles and Responsibilities

3.1 Customer as Controller. The Customer determines the purposes and means of processing Controller Data. The Customer is solely responsible for ensuring that it has an adequate legal basis for processing the data submitted to the Platform, for obtaining any necessary consents from Data Subjects, and for complying with all obligations imposed by applicable law on the Controller.

3.2 Octa8 Tecnologia LTDA as Processor. Octa8 Tecnologia LTDA processes Controller Data exclusively on behalf of and for the account of the Controller, in accordance with Documented Instructions and as necessary for the provision of the contracted services, within the limits of this DPA.

3.3 Separation of Processing Activities. The Parties acknowledge that the Processor may also process personal data as an independent controller, for its own legitimate purposes (e.g., billing data, Platform security, compliance with legal obligations, service improvement), a situation governed by Octa8's Privacy Policy and not by this DPA.

3.4 Controller Compliance. The Controller represents and warrants that: (a) it has a valid legal basis for the processing of each category of personal data submitted to the Platform; (b) it complies with the principles set forth in Article 6 of the LGPD; (c) it has provided and will continue to provide adequate privacy notices to Data Subjects; and (d) it maintains records of processing activities pursuant to Article 37 of the LGPD.


4. Nature, Purpose, Categories of Data and Data Subjects

The categories of personal data processed, the purposes of processing, the types of Data Subjects, and the duration are described in Annex I to this DPA, which forms an integral part of this instrument.

The Processor shall not process special categories of personal data, sensitive personal data, or data of children and adolescents, except pursuant to a specific Documented Instruction from the Controller and provided that the Controller confirms in writing that it has an adequate legal basis for such processing.


5. Documented Instructions from the Controller

5.1 Compliance with Instructions. The Processor shall process Controller Data only in accordance with the Controller's Documented Instructions. The Controller's initial instructions are incorporated in this DPA and the Terms of Service. The Controller may issue additional written instructions during the term of this Agreement, provided they are compatible with the scope of the contracted services.

5.2 Unlawful Instruction. If the Processor reasonably believes that a Documented Instruction violates the LGPD, GDPR, or other applicable data protection law, the Processor shall promptly notify the Controller in writing and may suspend compliance with the instruction until the matter is resolved. The Processor shall not be liable for non-compliance with unlawful instructions.

5.3 Legally Required Processing. If the Processor is required by law, regulation, or order of a competent authority to process personal data in a manner inconsistent with the Documented Instructions, it shall notify the Controller in advance, unless the law prohibits such notification.

5.4 No Sale or Monetization. The Processor shall not sell, rent, assign, monetize, commercially disclose, or share Controller Data with third parties for the purposes of its own advertising or marketing.


6. Confidentiality

6.1 Confidentiality Obligation. The Processor shall ensure that all persons authorized to process Controller Data are subject to appropriate confidentiality obligations, whether contractual or statutory, which survive the termination of their engagement.

6.2 Restricted Access. Access to Controller Data is limited to the Processor's personnel and Sub-processors who need to know such data for the provision of services, in accordance with the principles of minimum necessary access (need-to-know and least privilege).

6.3 Duration. The confidentiality obligations set forth in this clause shall survive the termination of this DPA for the maximum period permitted by law.


7. Security Measures

7.1 Technical and Organizational Measures. The Processor shall implement and maintain the technical and organizational security measures described in Annex II to this DPA, appropriate to the risks presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects.

7.2 Assessment and Update. The Processor shall periodically assess its security measures and update them as necessary to ensure an appropriate level of protection proportionate to the risk.

7.3 Limitation. The security measures set forth in this DPA are designed to protect the infrastructure and data maintained on the Platform. The security of the Controller's and its end users' systems, devices, and connections remains under the exclusive responsibility of the Controller.


8. Sub-processors

8.1 General Authorization. The Controller grants general authorization to the Processor to engage Sub-processors to carry out data processing activities on behalf of the Controller, in accordance with the list of Sub-processors available at Octa8/legal/subprocessors (or an equivalent URL notified by the Processor) ("Sub-processor List"), which is updated periodically and incorporated by reference into this DPA.

8.2 Notification of Changes. The Processor shall notify the Controller of any material addition or replacement of Sub-processors at least thirty (30) days in advance, by means of an update published on the Sub-processor List or by electronic communication to the email address registered in the account.

8.3 Right of Objection. The Controller may object to a new Sub-processor by written notice to the Processor within fifteen (15) days of the notification of change, providing legitimate reasons grounded in data protection. The Processor shall use reasonable efforts to accommodate the objection; if unable to do so, either Party may terminate the service contract without penalty upon thirty (30) days' notice.

8.4 Liability for Sub-processors. The Processor shall enter into a contract with each Sub-processor imposing data protection obligations equivalent to those in this DPA. The Processor shall remain fully liable to the Controller for the acts and omissions of Sub-processors with respect to the processing of Controller Data.

8.5 Affiliates as Sub-processors. Affiliates of the Processor may be engaged as Sub-processors; in such case, they are subject to the same obligations set forth in this clause.


9. Audits and Inspections

9.1 Right of Audit. The Controller has the right to audit the Processor's compliance with this DPA, either directly or through an independent, mutually trusted external auditor, subject to the provisions of this clause.

9.2 Procedure. The Controller shall: (a) notify the Processor at least thirty (30) days in advance; (b) conduct the audit during business hours, minimizing interference with operations; (c) bear the costs of the audit; and (d) ensure that the auditor is subject to a confidentiality obligation.

9.3 Compliance Reports. As an alternative or supplement to direct audits, the Processor may provide the Controller with current security certifications (ISO 27001, SOC 2 Type II, or equivalents) and relevant third-party audit reports, subject to a confidentiality agreement, evidencing compliance with this DPA.

9.4 Frequency. On-site audits are limited to one (1) per twelve (12)-month period, except in the event of a documented Personal Data Breach or substantiated suspicion of non-compliance with this DPA.

9.5 Cooperation. The Processor shall reasonably cooperate with audits and provide the necessary information and access, to the extent this does not prejudice the confidentiality of information of other customers or the Processor's trade secrets.


10. Assistance to the Controller

10.1 Data Subject Rights. The Processor, taking into account the nature of the processing, shall assist the Controller, through appropriate technical and organizational measures, in fulfilling its obligations to respond to requests by Data Subjects to exercise their rights, including the rights of confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, withdrawal of consent, and objection, pursuant to Article 18 of the LGPD and equivalent provisions of the GDPR.

10.2 Direct Data Subject Requests. If the Processor receives a data subject rights request directly relating to Controller Data, the Processor shall forward the request to the Controller within five (5) business days, without responding to it directly, unless expressly authorized by the Controller or required by law.

10.3 DPIA/RIPD. The Processor shall assist the Controller in conducting Data Protection Impact Assessments, providing reasonably necessary information about the processing carried out, as requested in writing.

10.4 Security Obligations. The Processor shall assist the Controller in meeting the obligations set forth in Articles 46–50 of the LGPD and Articles 32–36 of the GDPR, by providing information about the measures implemented (Annex II).

10.5 Costs of Assistance. The Processor shall provide the assistance set forth in this clause in a reasonable and proportionate manner at no additional cost, unless the assistance requires substantial efforts beyond the ordinary scope of the services, in which case the Parties shall agree on applicable compensation.


11. Personal Data Breach Notification

11.1 Notification to Controller. Upon becoming aware of a Personal Data Breach affecting Controller Data, the Processor shall notify the Controller without undue delay and, unless this is impossible for duly justified reasons, within seventy-two (72) hours of becoming aware of the incident, by electronic means to the email address registered in the account or to help@octa8.app.

11.2 Notification Content. The notification shall include, to the extent available and without prejudice to the ongoing investigation: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected; (b) the name and contact details of the Processor's Data Protection Officer; (c) the likely consequences of the Breach; (d) the measures taken or proposed to address the Breach and, where appropriate, to mitigate its possible adverse effects. The notification may be made in stages as further information becomes available.

11.3 Cooperation in Investigation. The Processor shall reasonably cooperate with the Controller in the investigation, containment, and remediation of the Personal Data Breach, providing additional requested information.

11.4 Notification to ANPD and Data Subjects. Responsibility for communicating the Personal Data Breach to the ANPD and to affected Data Subjects, pursuant to Article 48 of the LGPD, rests with the Controller. The Processor shall assist the Controller with the necessary information for such communication.

11.5 Sub-processor Breaches. The Processor shall ensure that its Sub-processors notify the Processor of any Personal Data Breach in sufficient time for the Processor to meet the seventy-two (72)-hour deadline set forth in this clause.


12. International Transfers of Personal Data

12.1 General Principle. The Processor shall only transfer Controller Data to countries, territories, or international organizations that provide an adequate level of protection for personal data, or where an appropriate safeguard exists, pursuant to Articles 33–36 of the LGPD and Chapter V of the GDPR, as applicable.

12.2 Applicable Safeguards. International transfers of Controller Data to Sub-processors located outside Brazil or the EEA are carried out based on one or more of the following mechanisms: (a) an adequacy decision issued by the ANPD or the European Commission; (b) Standard Contractual Clauses approved by the ANPD or the European Commission; (c) Binding Corporate Rules; (d) specific and informed consent of the Data Subject, where applicable; or (e) another safeguard recognized by applicable law.

12.3 Documentation. The Processor shall maintain documentation of the safeguards applied to international transfers and shall make it available to the Controller upon justified written request.

12.4 Localization Instructions. The Controller may, by Documented Instruction, restrict the processing of Controller Data to specific countries or regions, subject to the technical and operational feasibility of the contracted services.


13. Records of Processing Activities

13.1 Processor's Records. The Processor maintains records of processing activities carried out on behalf of Controllers, containing the information required by Article 37 of the LGPD and Article 30(2) of the GDPR, and shall make them available to the ANPD or the competent supervisory authority upon request.

13.2 Cooperation. The Processor shall provide the Controller with the information necessary for the Controller to fulfill its own record-keeping obligations pursuant to Article 37 of the LGPD.


14. Return and Deletion of Data

14.1 Upon Termination. Upon the termination of this DPA for any reason, the Processor shall, at the Controller's documented choice: (a) return to the Controller, in a structured, commonly used, machine-readable format, all Controller Data in its possession; or (b) securely and irreversibly delete all Controller Data, including copies, except to the extent that the law requires its retention.

14.2 Timeframe. The return or deletion shall be completed within thirty (30) days of the termination of the DPA or of the Controller's request, whichever occurs first.

14.3 Certification. Upon the Controller's request, the Processor shall issue a written certificate of deletion of Controller Data.

14.4 Backup Copies. Backup copies shall be deleted in accordance with the Processor's ordinary retention cycle, observing a maximum additional period of ninety (90) days after termination.

14.5 Legally Retained Data. If the law requires the Processor to retain certain personal data after termination, the Processor shall inform the Controller of such obligation and the applicable retention period, and shall not process such data for any other purpose during the mandatory retention period.


15. Liability

15.1 Processor's Liability. The Processor is liable for damages caused to the Controller and, where applicable, to Data Subjects, as a result of non-compliance with the obligations set forth in this DPA attributable to the Processor, pursuant to applicable law.

15.2 Controller's Liability. The Controller is liable for damages caused to the Processor and to Data Subjects as a result of non-compliance with its obligations as Controller, including the use of services in breach of this DPA, the Terms of Service, or applicable law.

15.3 Limitation of Liability. Except in cases of willful misconduct or gross negligence, the total liability of the Processor to the Controller under this DPA is subject to the liability caps set forth in the Terms of Service. Nothing in this DPA excludes or limits any Party's liability to the extent such exclusion or limitation is not permitted by applicable law.

15.4 Joint and Several Liability towards Data Subjects. The Parties acknowledge that they may be held jointly and severally liable to Data Subjects for damages arising from processing, pursuant to Article 42 of the LGPD, and that each Party has a right of recourse against the other in proportion to the fault established.

15.5 Force Majeure. Neither Party shall be liable for failures to perform its obligations caused by events of force majeure or fortuitous events, pursuant to Article 393 of the Brazilian Civil Code, provided that the affected Party notifies the other without delay and takes reasonable steps to mitigate the effects.


16. Data Protection Officer (DPO)

16.1 Processor's DPO. The Processor has appointed a Data Protection Officer (DPO) pursuant to Article 41 of the LGPD:

16.2 Controller's DPO. The Controller shall keep its own Data Protection Officer's information, if applicable, updated in its Platform account.


17. General Provisions

17.1 Order of Precedence. In the event of conflict between this DPA and any other instrument entered into between the Parties, the following order of precedence shall apply with respect to personal data protection matters: (i) applicable mandatory law; (ii) this DPA; (iii) Terms of Service.

17.2 Amendments. The Processor may amend this DPA to reflect changes in law, regulations, authority guidance, or the services provided, upon at least thirty (30) days' advance notice to the Controller. Continued use of the services after the notice period constitutes acceptance of the amendments.

17.3 Severability. The invalidity or unenforceability of any provision of this DPA shall not affect the validity or enforceability of the remaining provisions, which shall remain in full force and effect.

17.4 Assignment. The Controller may not assign its rights or obligations under this DPA without the prior written consent of the Processor. The Processor may assign this DPA to an affiliate or in connection with a merger, acquisition, or corporate reorganization, upon notice to the Controller.

17.5 Waiver. The failure or delay of either Party in requiring the performance of an obligation shall not constitute a waiver of the right to require it in the future.

17.6 Notices. All formal communications under this DPA shall be made in writing and sent to help@octa8.app (for the Processor) or to the email address registered in the Platform account (for the Controller).


18. Governing Law and Jurisdiction

This Agreement enters into force on 04 June 2026 and remains in effect for the same term as the service contract between the Parties, being automatically renewed with any updates published by the Processor pursuant to Clause 17.2.

This DPA is governed by and construed in accordance with the laws of the Federative Republic of Brazil, in particular the LGPD and, subsidiarily, the Brazilian Civil Code. The Parties elect the courts of Foro da Comarca de Jaú/SP, Brasil as the exclusive venue for resolving any disputes arising from or related to this DPA, expressly waiving any other venue, however privileged, except where law mandates a different forum.


Annex I — Description of Processing Activities

This Annex describes the personal data processing activities carried out by the Processor on behalf of the Controller within the scope of the Octa8 Platform.

A. Nature and Purposes of Processing

The Processor processes Controller Data for the following purposes, in accordance with the Controller's Documented Instructions:

Purpose | Description
Hosting and content delivery | Storing and serving the Controller's and its end users' content (websites, files, media)
Domain and DNS management | Registering, configuring, and managing domains and DNS records on behalf of the Controller
Monitoring and availability | Monitoring the availability and performance of the Controller's resources on the Platform
Search engine optimization (SEO) | Analyzing and optimizing the content and technical structure of the Controller's websites
Artificial intelligence tools | Processing inputs and outputs of AI tools as requested by the Controller or its end users
APIs and third-party integrations | Transmitting data between the Platform and third-party services configured by the Controller
File and document storage | Storing, organizing, and providing access to files uploaded by the Controller or its users
Notifications and communications | Sending notifications (email, push, SMS, webhooks) configured by the Controller
Subscriptions and billing | Processing and recording subscription transactions, payments, and billing events
Logs and auditing | Generating, storing, and making available access logs, event logs, and error logs for operational and security purposes
User management | Authenticating and managing the Controller's end user accounts on the Platform
Marketplace and affiliates (future) | Facilitating transactions between the Controller and third parties on the marketplace, affiliate management, and resellers

B. Categories of Personal Data

The Processor may process, as determined by the Controller, the following categories of personal data:

  • Identification data: full name, display name, username, unique account identifier.
  • Contact data: email address, phone number, postal address, country.
  • Authentication data: access credentials (stored in hashed format), session tokens, authentication logs.
  • Professional data: company name, CNPJ/CPF (when provided), job title, industry.
  • Usage and behavioral data: access logs, IP addresses, session metadata, Platform interactions, configuration preferences.
  • Content data: texts, images, videos, documents, files, and other content uploaded or generated by the Controller or its end users on the Platform.
  • Billing data: payment information (managed by PCI-DSS certified payment processors, not stored in clear text by the Processor), transaction history, billing data.
  • Communication data: content of messages, notifications, and communications transmitted through the services.
  • Technical data: IP address, user agent, browser or device type and version, operating system, DNS settings.
  • Integration data: API tokens, webhooks, and other data required for integrations configured by the Controller with third-party services.

Sensitive Personal Data: The Processor does not intentionally collect or process sensitive personal data as defined in Clause 1.4, except pursuant to a specific Documented Instruction from the Controller and upon confirmation of legal basis by the Controller.

Children's Data: The Platform is not intended for children under eighteen (18) years of age. The Controller is responsible for ensuring that its end users are of legal age or, where applicable, that the processing of minors' data meets applicable legal requirements, including parental consent.

C. Categories of Data Subjects

  • End users of the Controller (customers, visitors, subscribers of the Controller's services).
  • Collaborators, service providers, and representatives of the Controller.
  • Business contacts and leads of the Controller.
  • Affiliates, resellers, and channel partners of the Controller (where applicable).

D. Duration of Processing

The Processor shall process Controller Data for the duration of the service contract, plus the time required to fulfill the return and deletion obligations set forth in Clause 14. Data that must be retained by legal obligation shall be kept exclusively for the period required by law.


Annex II — Technical and Organizational Security Measures

The Processor implements and maintains, at minimum, the following technical and organizational security measures for the protection of Controller Data:

A. Access Controls

  • Role-based access control (RBAC): access to Controller Data limited to personnel with a documented operational need (need-to-know), with periodic review of permissions.
  • Strong authentication: multi-factor authentication (MFA) mandatory for access to production systems and the Processor's internal administrative panels.
  • Credential management: strong password policies, use of corporate password managers, periodic rotation of privileged credentials, and immediate revocation of access upon termination.
  • Privileged access management (PAM): control and auditing of privileged access, with logging of administrative sessions.

B. Encryption

  • In transit: all communication between the client and the Platform is protected by TLS 1.2 or higher. Digital certificates are managed with automatic renewal.
  • At rest: sensitive data stored with encryption at rest (AES-256 or equivalent), including backups and storage volumes.
  • Key management: cryptographic keys managed by dedicated systems (Key Management Service — KMS), with periodic rotation and audited access.

C. Network and Infrastructure Security

  • Network segregation: logical separation between production, development, and administration networks.
  • Firewall and WAF: use of web application firewalls (WAF), network firewalls, and intrusion detection/prevention systems (IDS/IPS).
  • DDoS protection: mitigation of distributed denial-of-service attacks through specialized providers.
  • Vulnerability management: periodic vulnerability scanning of systems and applications, with a risk-based prioritization and remediation process.
  • Penetration testing: periodic penetration tests conducted by internal teams or specialized third parties.
  • Patch management: formal process for applying critical security patches within a timeframe commensurate with the identified risk.

D. Physical Security

  • Data centers: the Processor hosts its systems in certified third-party data centers (ISO 27001, SOC 2 Type II, or equivalent), with physical access controls (biometric turnstiles, CCTV, security guards) and power and cooling redundancy.
  • Media disposal: physical media containing personal data are securely and certifiably destroyed at end of life.

E. Resilience and Continuity

  • Backups: automated backup routine at a frequency consistent with service SLAs, stored at a geographically separate location from production, with periodic integrity verification and restoration testing.
  • Disaster Recovery Plan (DRP): formal disaster recovery plan with defined and periodically tested RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
  • High availability: infrastructure with redundancy for critical components, eliminating single points of failure (SPOF) in essential services.

F. Application Security

  • Secure Software Development Lifecycle (S-SDLC): integration of security practices in all phases of the software development cycle, including security-oriented code reviews, static analysis (SAST), and dynamic analysis (DAST).
  • Dependency management: monitoring of vulnerabilities in third-party software dependencies (Software Composition Analysis — SCA), with an update and remediation process.
  • Input validation: controls to prevent injection and related web attacks (SQL injection, XSS, CSRF, and similar) on all Platform inputs.
  • Application audit logs: immutable logging of relevant security events (authentication, authorization, changes to sensitive data), with retention consistent with legal obligations.

G. Incident Management

  • Incident Response Plan: formal security incident response process with defined roles and responsibilities, including identification, containment, eradication, recovery, and lessons learned.
  • Response Team: dedicated (or contracted) security incident response team, with defined internal and external communication channels.
  • Continuous monitoring: SIEM (Security Information and Event Management) systems and automated alerts for detecting anomalous activities.

H. Supplier and Sub-processor Management

  • Due diligence: security assessment of suppliers and Sub-processors prior to engagement, with periodic review.
  • Security contracts: inclusion of data protection clauses and minimum security requirements in contracts with suppliers that access Controller Data.
  • Sub-processor List: maintenance and publication of an updated list of Sub-processors that process Controller Data, pursuant to Clause 8.

I. Policies and Training

  • Security policies: a formal set of information security, privacy, and data protection policies, reviewed annually or when material changes occur.
  • Training: mandatory periodic training for all employees on data protection, information security, and incident response; additional training for teams with access to Controller Data.
  • Confidentiality agreements: all employees and service providers with access to Controller Data sign confidentiality obligations prior to access.

J. Audit and Compliance

  • Certifications: the Processor seeks to maintain and/or verify relevant security certifications (ISO 27001, SOC 2 Type II, or equivalents), whose reports may be made available to the Controller pursuant to Clause 9.3.
  • Internal assessments: periodic internal audits of compliance with security policies and the obligations of this DPA.
  • Privacy program: a formal privacy management program, including records of processing activities, impact assessments (DPIA/RIPD), and data lifecycle management.

This Data Processing Agreement is an integral part of the Octa8 Terms of Service, operated by Octa8 Tecnologia LTDA (12.345.678/0001-90), headquartered at Jaú, São Paulo, Brasil. Questions about this document may be directed to help@octa8.app or to the Data Protection Officer at dpo@acme.test.

Service Agreement

Contractual terms, service levels (SLA) and warranties of Octa8 Tecnologia LTDA.

Version 1.0 · Effective 04/06/2026

1. Subject Matter

This Service Agreement ("Agreement") governs the legal relationship between Octa8 Tecnologia LTDA, registered under CNPJ No. 12.345.678/0001-90, headquartered at Jaú, São Paulo, Brasil ("Provider"), and the individual or legal entity that has electronically adhered to the Octa8 platform ("Customer"), with respect to the provision of information technology services described in the following clause.

Adherence to this Agreement occurs at the moment the Customer completes the registration process on the platform, clicks a button or equivalent option indicating acceptance, or uses any service made available by the Provider — whichever occurs first. Such acceptance carries the same legal force as a handwritten signature, pursuant to applicable law including, without limitation, Brazilian Civil Code arts. 107 and 219 and the Brazilian Internet Civil Rights Framework (Law No. 12,965/2014).


2. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set forth below:

Term | Definition
Platform | The set of software, APIs, interfaces and infrastructure operated by the Provider under the Octa8 brand, accessible via the internet.
Services | All functionalities made available to the Customer under their contracted Plan, including without limitation: website creation and hosting, domain management, availability monitoring, SEO tools, artificial intelligence tools, programmatic APIs, subscription management, file storage and processing, notifications, logs and third-party integrations.
Plan | The package of resources and limits contracted by the Customer, as described in the current pricing table published on the Platform.
Tenant | The isolated environment, linked to the Customer's account, within the Provider's multi-tenant infrastructure.
Customer Data | All data, content, files, configurations and information inserted, transmitted or generated by the Customer in the use of the Platform.
Personal Data | Any information relating to an identified or identifiable natural person, as defined by the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) and the General Data Protection Regulation (GDPR — EU Regulation 2016/679).
Security Incident | Unauthorized access, disclosure, alteration, destruction or accidental or unlawful loss of Customer Data or Personal Data.
Downtime | The period, measured in full consecutive minutes, during which the Services are inaccessible or inoperative for the Customer, excluding the circumstances set forth in Clause 4.4.
Service Credit | An amount in currency or credit applicable to the next invoice, granted by the Provider to the Customer as compensation for non-compliance with the SLA.
Marketplace | The distribution environment for extensions, themes, integrations and third-party plugins made available on the Platform, present or future.
Reseller / Affiliate | An individual or legal entity that, pursuant to a specific agreement with the Provider, offers the Services in its own name or on behalf of third parties.

3. Description of Services

3.1 Included Services

The Provider makes available to the Customer, in accordance with the applicable Plan:

a) Hosting and Websites — provisioning of hosting environments, site builders, templates and publishing tools;

b) Domain Management — registration, transfer, renewal and configuration of DNS records;

c) Monitoring — periodic availability checks on URLs and configurable alerts;

d) SEO and Analytics — keyword analysis tools, ranking tracking and performance reports;

e) Artificial Intelligence Tools — AI models and functionalities integrated into the Platform for the Customer's use, subject to the Plan's usage limits;

f) Programmatic APIs — access to the Platform's public API via authentication, as per documentation available on the Platform;

g) Subscription and Billing Management — invoice issuance, payment processing and subscription lifecycle management;

h) File Storage — disk space for upload, storage and delivery of the Customer's files, within Plan limits;

i) Notifications — alerts, transactional emails and webhooks, as configured by the Customer;

j) Third-Party Integrations — pre-built connectors with external services enabled by the Customer using their own credentials;

k) Logs and Audit — activity and event records accessible by the Customer via the administration panel;

l) Marketplace (when available) — access to partner extensions and integrations, subject to additional terms;

m) White-label / Resellers (when contracted) — brand customization and distribution, pursuant to a specific addendum.

3.2 Updates

The Provider may, at its sole discretion, add, modify or discontinue Service functionalities, and shall notify the Customer with at least 30 (thirty) days' advance notice for modifications that materially impact functionalities in use, unless required by law or necessitated by a security emergency.

3.3 Third-Party Functionalities

Integrations with third-party services are subject to the terms and availability of those third parties. The Provider does not guarantee the continuous operation of third-party integrations and is not responsible for failures, discontinuities or changes imposed by the third party.


4. Service Level Agreement (SLA)

4.1 Target Availability

The Provider undertakes to maintain the Services available in accordance with the levels set forth in the table below, measured monthly, from the activation date of the Customer's Plan:

Plan | Monthly Target Availability
Basic | 99.0%
Professional | 99.5%
Business | 99.9%
Enterprise / White-label | 99.95% (customized SLA upon addendum)

The above percentages represent the monthly available time, calculated using the following formula:

Availability (%) = ((Total Minutes in Month − Downtime) / Total Minutes in Month) × 100

The SLA levels applicable to the Customer's current Plan are detailed in the account administration panel and on the respective Plans page of the Platform.

4.2 Scheduled Maintenance Window

The Provider shall perform scheduled maintenance preferably during the following hours, absent an emergency:

  • Standard window: Tuesdays and Thursdays, from 02:00 to 06:00 (Brasília time / UTC-3).
  • The Customer shall be notified by email or panel with at least 48 (forty-eight) hours' advance notice for maintenance expected to result in Downtime exceeding 15 (fifteen) minutes.
  • Emergency maintenance (critical security) may be performed without prior notice, with immediate communication after commencement.

Downtime resulting from maintenance notified within the standard window shall not be counted for SLA calculation purposes.

4.3 Metrics and Monitoring

  • Measurement method: automated availability checks executed from multiple points of presence at intervals not exceeding 1 (one) minute.
  • Measurement period: calendar month (00:00 on the 1st to 23:59 on the last day, UTC-3).
  • Reporting: the Customer may consult the real-time availability history in the administration panel and receive monthly reports by email, if enabled.
  • Incident records: the Provider maintains a public status page on a dedicated subdomain with incident history and real-time updates.

4.4 SLA Exclusions

The following periods shall not be computed as Downtime:

a) scheduled maintenance within notified windows (Clause 4.2);

b) events of force majeure or act of God, including widespread internet infrastructure failures, natural disasters, acts of war or terrorism;

c) acts or omissions of the Customer, its end users or systems under its control, including misconfigurations, abusive scripts or attacks originating from its infrastructure;

d) failures of third-party services external to the Provider's infrastructure, including DNS providers, CDN or payment processors;

e) denial-of-service (DDoS) attacks of exceptional magnitude exceeding the Provider's mitigation capacity, documented and communicated to the Customer;

f) Service suspension due to violation of this Agreement, the Terms of Use or a legal order;

g) the Customer's express request for support tasks that require interruption;

h) inaccessibility of the Platform caused by the Customer's own internet provider or equipment failures.

4.5 Service Credits for SLA Non-Compliance

When the measured monthly availability falls below the contracted target, the Customer shall be entitled to Service Credits as follows:

Measured Availability | Credit on Monthly Plan Value
≥ target and < target + 0.5% | None
< target and ≥ target − 1.0% | 5%
< target − 1.0% and ≥ target − 2.0% | 10%
< target − 2.0% and ≥ target − 5.0% | 25%
< target − 5.0% | 50%

Conditions for granting:

i. The Customer must request the Service Credit within 30 (thirty) calendar days after the end of the measurement month, through the official support channel;

ii. The Credit shall be applied to the next invoice or Plan renewal and is not convertible to cash, except upon termination without cause by the Provider;

iii. The total Service Credits granted in a single month shall not exceed 50% (fifty percent) of the monthly Plan value;

iv. Service Credits constitute the Customer's sole and exclusive contractual remedy for SLA non-compliance, without prejudice to the termination rights provided in Clause 11.


5. Warranties and Disclaimers

5.1 Provider's Warranties

The Provider warrants that:

a) the Services shall be rendered with diligence, professionalism and in accordance with recognized industry practices;

b) it will implement and maintain technical and organizational information security measures consistent with ISO/IEC 27001 standards and the requirements of LGPD/GDPR, including access controls, encryption of data in transit (TLS 1.2+) and at rest, vulnerability management and incident response plans;

c) it will process the Customer's and its end users' Personal Data strictly in accordance with the Privacy Policy and Data Processing Addendum available on the Platform;

d) it will notify the Customer within 72 (seventy-two) hours of becoming aware of a Security Incident affecting their Data, as required by LGPD (art. 48) and GDPR (art. 33).

5.2 Disclaimers

EXCEPT FOR THE WARRANTIES EXPRESSLY SET FORTH IN THIS AGREEMENT AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

a) The Platform is provided "as is" and "as available";

b) The Provider does not warrant that the Services will be uninterrupted, error-free, or free from viruses or other harmful components;

c) The Provider does not warrant specific business results, search engine rankings or campaign performance arising from the use of the Services;

d) The Provider is not responsible for content published by the Customer on the Platform, the accuracy of information entered, or the compliance of Customer's use of the Services with the laws applicable to the Customer's business.


6. Limitation of Liability

6.1 Quantitative Limitation

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PROVIDER'S TOTAL AND CUMULATIVE LIABILITY TO THE CUSTOMER FOR ANY CLAIMS ARISING FROM OR RELATED TO THIS AGREEMENT OR THE SERVICES, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, SHALL BE LIMITED TO THE GREATER OF:

(i) The total amounts actually paid by the Customer to the Provider during the 12 (twelve) months immediately preceding the event giving rise to the claim; or

(ii) BRL 500.00 (five hundred Brazilian reais).

6.2 Exclusion of Indirect Damages

THE PROVIDER SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, LOST REVENUE, LOSS OF DATA, LOSS OF GOODWILL OR COST OF SUBSTITUTE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

6.3 Exceptions

The limitations set forth in this clause shall not apply to:

a) damages caused by the Provider's willful misconduct or gross negligence;

b) breaches of confidentiality obligations (Clause 13);

c) violations of the Customer's intellectual property rights;

d) legally mandated Security Incident notification obligations.


7. Technical Support and Contact Channels

7.1 Channels

Technical support shall be provided through the following channels, in accordance with the Customer's Plan:

Channel | Availability | Plans
Knowledge base / Online documentation | 24h × 7 days | All
Online chat / Ticket system | Business hours (Mon.–Fri., 09:00–18:00, UTC-3) | Basic and above
Priority email | Business hours | Professional and above
Live chat with 4h SLA response | 24h × 7 days | Business and above
Dedicated account manager | By agreement | Enterprise

Primary contact address: help@octa8.app | Phone: 0800 000 8888 (also on WhatsApp).

7.2 Initial Response Time

Plan | Critical (P1) | High (P2) | Medium (P3) | Low (P4)
Basic | 24h | 48h | 5 business days | 10 business days
Professional | 8h | 24h | 3 business days | 7 business days
Business | 4h | 8h | 2 business days | 5 business days
Enterprise | 1h | 4h | 1 business day | 3 business days

Priority is determined by the Provider based on impact to the Services.

7.3 Scope of Support

Support covers the operation of the contracted Services. Custom development, business consulting and support for third-party products are outside scope, unless additionally contracted.


8. Billing, Invoicing and Taxes

8.1 Pricing and Plans

Current prices are published on the Platform and incorporated into this Agreement by reference. The Provider reserves the right to change prices, notifying the Customer with at least 30 (thirty) days advance notice, pursuant to Clause 9.

8.2 Billing Cycle

a) Services are billed in advance, in monthly or annual cycles, as selected by the Customer at the time of contracting.

b) Billing occurs automatically on the Plan renewal date, using the payment method registered by the Customer.

c) Invoices are available in the administration panel and sent by email to the registered address.

8.3 Delinquency

a) Non-payment by the due date shall subject the Customer to:

i. Preventive suspension of Services after 7 (seven) calendar days from the due date, with prior email notice;

ii. Termination of the Plan and deletion of Customer Data after 30 (thirty) days of continuous delinquency, with prior notice;

iii. A late payment penalty of 2% (two percent) on the overdue amount and interest of 1% (one percent) per month, calculated on a pro rata die basis.

b) The Provider is not responsible for loss of Customer Data resulting from termination due to delinquency after the period set forth in this clause.

8.4 Taxes

Published prices are subject to applicable taxes (service tax, and other taxes levied on technology service provision), which shall be itemized in the invoice. The Customer's own tax obligations relating to its business are solely its responsibility.

8.5 Refunds

a) Monthly plans are non-refundable after the billing date, except in cases provided for in this Agreement or required by applicable consumer protection legislation.

b) Annual plans: a Customer exercising the right of withdrawal (where applicable under consumer law) within 7 (seven) calendar days of contracting shall receive a full refund. Cancellations after this period are governed by Clause 11.

c) Service Credits (Clause 4.5) are not convertible to cash, unless expressly stated otherwise.


9. Price Adjustments

9.1 Index and Frequency

Plan prices may be adjusted annually, based on the positive variation of the IGP-M (General Market Price Index) published by Fundação Getulio Vargas (FGV), or the IPCA (National Consumer Price Index), whichever is lower, for the 12 (twelve) months preceding the adjustment date.

9.2 Notification

Price adjustments shall be communicated to the Customer by email and/or administration panel notification with at least 30 (thirty) days advance notice before the effective date.

9.3 Extraordinary Adjustments

In the event of a significant exchange rate fluctuation, infrastructure cost increase or tax changes that materially impact the cost of providing the Services, the Provider may apply an extraordinary adjustment, with at least 30 (thirty) days advance notice and substantiated justification. A Customer who does not agree with an extraordinary adjustment may terminate the Agreement without penalty, provided they notify the Provider within 15 (fifteen) days of receiving the notice.


10. Term and Renewal

10.1 Effective Date

This Agreement enters into force on the date the Plan is activated by the Customer ("Start Date") and remains valid for an indefinite term, unless terminated pursuant to Clause 11.

10.2 Automatic Renewal

Plans with a defined periodicity (monthly or annual) automatically renew at the end of each period for the same term, unless the Customer communicates its intention not to renew with at least 5 (five) business days (monthly plans) or 30 (thirty) calendar days (annual plans) advance notice before expiry.

10.3 Trial Period

When the Provider offers a free trial period, its duration and conditions will be stated on the Platform. If the trial ends without express cancellation, the selected Plan will be activated and billing will commence automatically.


11. Termination

11.1 Termination for Convenience by the Customer

The Customer may terminate this Agreement at any time by:

a) Submitting a request in the administration panel or by email to help@octa8.app;

b) Termination takes effect at the end of the current billing period (no proportional refund for monthly plans; for annual plans, a proportional refund of the unused period shall be made, net of any annual discount granted);

c) The Customer must export and back up its Data before termination; after closure, the Provider shall retain Customer Data for an additional 30 (thirty) days for recovery purposes, after which it will be permanently deleted.

11.2 Termination for Cause by the Provider

The Provider may immediately terminate or suspend the Services without refund in the following circumstances:

a) violation of any provision of the Terms of Use or Acceptable Use Policy;

b) use of the Services for unlawful, fraudulent activities or activities that violate third-party rights;

c) delinquency not remedied pursuant to Clause 8.3;

d) provision of false or misleading information during registration;

e) abusive or offensive conduct directed at the Provider's employees or representatives;

f) order of a competent judicial, administrative or regulatory authority.

11.3 Termination for Cause by the Customer

The Customer may terminate this Agreement without penalty in the following circumstances:

a) material breach of the Provider's obligations not remedied within 15 (fifteen) days of written notice;

b) extraordinary adjustment not accepted, pursuant to Clause 9.3;

c) substantial adverse modification of the Services without the Customer's consent and without maintaining equivalent functionality.

11.4 Effects of Termination

Upon termination of the Agreement for any reason:

a) The Customer's access to the Platform shall be terminated on the effective termination date;

b) The Provider shall have no obligation to retain Customer Data beyond the period set forth in Clause 11.1(c), unless legally required;

c) The clauses on Confidentiality (13), Intellectual Property (14), Limitation of Liability (6) and Governing Law (15) shall survive termination.


12. Penalties and Service Credits

12.1 Credits for SLA Non-Compliance

The Service Credit regime for SLA non-compliance is fully governed by Clause 4.5.

12.2 Early Termination Penalty for Annual Plans

Upon early termination of an annual plan by the Customer without cause (Clause 11.3), a penalty equivalent to 10% (ten percent) of the total contracted annual value, net of the amount already paid for the elapsed period, shall be due.

12.3 Penalty for Abusive Use

Use of the Services in violation of the Acceptable Use Policy may result in:

a) immediate suspension of the affected Tenant, without prejudice to Customer notification;

b) billing for extraordinary costs generated by abusive use, including consumption of infrastructure resources beyond Plan limits;

c) termination for cause pursuant to Clause 11.2.


13. Confidentiality

13.1 Reciprocal Obligations

Each party ("Receiving Party") that receives confidential information from the other party ("Disclosing Party") undertakes to:

a) maintain in confidence and not disclose such information to third parties without the Disclosing Party's prior written consent;

b) use the confidential information solely for the purposes set forth in this Agreement;

c) apply the same protective measures it applies to its own confidential information, in no event less than reasonable security measures.

13.2 Exceptions

Confidentiality obligations shall not apply to information that:

a) is or becomes publicly known without fault of the Receiving Party;

b) is legitimately known to the Receiving Party prior to disclosure;

c) is disclosed by order of a court, administrative body or law, provided the Receiving Party notifies the Disclosing Party in advance to the extent permitted by law;

d) is independently developed by the Receiving Party without use of the confidential information.

13.3 Duration

Confidentiality obligations shall remain in force during the term of this Agreement and for 5 (five) years after its termination.

13.4 Customer Data as Confidential Information

Customer Data is deemed confidential information of the highest sensitivity. The Provider shall only access Customer Data for the purpose of providing the Services, technical support requested by the Customer, compliance with legal obligations or as expressly authorized by the Customer.


14. Intellectual Property

14.1 Provider's Ownership

The Platform, including its source code, algorithms, interfaces, trademarks, logos, documentation and all other elements, is and shall remain the exclusive property of the Provider or its licensors. Nothing in this Agreement transfers to the Customer any intellectual property rights in the Platform.

14.2 License to Customer

The Provider grants the Customer a limited, non-exclusive, non-transferable, revocable license, for the term of this Agreement, to access and use the Platform solely for the purposes permitted under this Agreement.

14.3 Customer Data and Content

The Customer retains all rights to its Data and content submitted to the Platform. The Customer grants the Provider a non-exclusive, limited, royalty-free license to process, store, transmit and reproduce Customer Data solely for the purpose of providing the contracted Services, support and compliance with legal obligations.

14.4 Feedback

If the Customer provides suggestions, ideas or feedback about the Services, the Provider may use such input without any obligation of compensation, confidentiality or attribution to the Customer.

14.5 Trademarks

Neither party may use the other party's trademarks, logos or trade names without prior written consent, except to refer to the other party as a commercial partner in a factual and non-misleading manner.


15. Personal Data Processing

15.1 Roles

For purposes of LGPD and GDPR:

  • The Customer is the Controller of the Personal Data of its end users processed through the Platform.
  • The Provider acts as Processor with respect to such data and as Controller of the Customer's own registration data.

15.2 Legal Basis and Purposes

The Provider processes Personal Data on the following legal bases: performance of a contract (LGPD art. 7, V / GDPR art. 6(1)(b)); compliance with a legal obligation; legitimate interest; and, where applicable, data subject consent.

15.3 Data Processing Addendum

The processing of Personal Data is governed by the Data Processing Addendum (DPA) available on the Platform, which supplements and forms part of this Agreement. In the event of conflict between this Agreement and the DPA on matters of data protection, the DPA prevails.

15.4 International Transfers

International transfers of Personal Data to countries without an adequate level of protection shall be carried out using legally recognized mechanisms (Standard Contractual Clauses, BCRs or equivalent), as detailed in the DPA.


16. General Provisions

16.1 Communications

Formal communications between the parties shall be made in writing, to the registered addresses and email addresses. Electronic communications have full legal validity for the purposes of this Agreement.

16.2 Assignment

The Customer may not assign, transfer or sublicense its rights or obligations under this Agreement without the Provider's prior written consent. The Provider may assign this Agreement to any affiliate or in connection with a merger, acquisition or asset sale, upon notice to the Customer.

16.3 Force Majeure

Neither party shall be liable for delays or non-performance caused by events of force majeure or acts of God, provided it notifies the other party within 5 (five) business days of the event.

16.4 Entire Agreement

This Agreement, together with the Privacy Policy, Terms of Use, Acceptable Use Policy and DPA available on the Platform, constitutes the entire agreement between the parties and supersedes all prior understandings, written or oral, regarding its subject matter.

16.5 Severability

The invalidity or unenforceability of any clause shall not affect the remaining provisions, which shall remain in full force and effect.

16.6 Waiver

The failure of either party to enforce any provision of this Agreement shall not constitute a waiver of that right.

16.7 Modifications to the Agreement

The Provider may modify this Agreement at any time by publishing the updated version on the Platform and notifying the Customer by email with at least 30 (thirty) days advance notice for material changes. Continued use of the Services after the notice period constitutes acceptance of the changes.


17. Governing Law and Jurisdiction

This Agreement is entered into in accordance with the laws of the Federative Republic of Brazil, including in particular the Civil Code (Law No. 10,406/2002), the Consumer Protection Code (Law No. 8,078/1990), where applicable, the Internet Civil Rights Framework (Law No. 12,965/2014), the General Data Protection Law (Law No. 13,709/2018) and other applicable regulations.

The parties elect the courts of Foro da Comarca de Jaú/SP, Brasil as the exclusive venue for resolving any disputes arising from or related to this Agreement, expressly waiving any other jurisdiction, however privileged, except where consumer protection legislation requires a different venue.

This Agreement enters into force on 04 June 2026 and remains valid until terminated pursuant to the terms hereof.


Octa8 Tecnologia LTDA — 12.345.678/0001-90 — Jaú, São Paulo, Brasil — help@octa8.app — 0800 000 8888 (also on WhatsApp)

Document version: 1.0 | Effective as of: 04 June 2026

Legal & contracts

Acceptable Use Policy

Prohibited conduct and rules for responsible use of the Octa8 platform.

Version 1.0 · Effective 04/06/2026

1. Introduction and Purpose

This Acceptable Use Policy ("AUP" or "Policy") establishes the standards of conduct applicable to all use of the services, platforms, APIs, infrastructure and digital resources offered by Octa8 Tecnologia LTDA under the Octa8 brand (collectively, the "Services").

This Policy forms an integral and inseparable part of Octa8 Tecnologia LTDA's Terms of Service and Privacy Policy. In the event of conflict, the Terms of Service shall prevail, except in circumstances expressly governed by this Policy, which constitutes a specific instrument.

Octa8 Tecnologia LTDA is committed to the availability, integrity and security of the Services for all its users. Accordingly, use of the Services for unlawful, abusive, harmful or otherwise non-compliant purposes is strictly prohibited.


2. Applicability

2.1 Covered parties

This Policy applies, without exception, to:

  • Account holders (individuals or legal entities that have contracted the Services directly with Octa8 Tecnologia LTDA);
  • Authorized users (employees, collaborators, contractors or any person who accesses the Services using credentials linked to an account);
  • Resellers and white-label partners that redistribute the Services to third parties;
  • Affiliates promoting the Services under an affiliate agreement;
  • End users of platforms and environments created by account holders through the Services;
  • Developers integrating third-party systems via APIs provided by Octa8 Tecnologia LTDA.

2.2 Responsibility for third parties

Account holders are jointly responsible for the conduct of all authorized users on their account, as well as the conduct of end users of any environment they operate or distribute through the Services. Resellers must incorporate obligations equivalent to those in this Policy into their own terms and conditions, and must maintain effective monitoring and response mechanisms.

2.3 Objective scope

This Policy applies to all channels of access and use of the Services, including but not limited to: the web administration panel, mobile applications, REST and GraphQL APIs, webhooks, integrations with third-party systems, email and messaging traffic generated by the platform, content hosted on Octa8 Tecnologia LTDA infrastructure, and any computational resources (storage, network, processing) allocated for the benefit of the user.


3. Prohibited Conduct

3.1 Spam and Unsolicited Communications

Using the Services to do any of the following is prohibited:

a) Sending bulk electronic messages (email, SMS, push notifications, instant messages) without the prior, express and verifiable consent of the recipient, as required by the CAN-SPAM Act, the GDPR, the Brazilian Lei n.º 14.132/2021, the Marco Civil da Internet (Lei n.º 12.965/2014) and other applicable laws;

b) Collecting electronic addresses or other contact information through automated means, list scraping, purchasing third-party lists or any method that produces recipient databases without legitimate opt-in;

c) Concealing the origin of messages, using forged headers, non-existent domains or deceptive sender addresses (spoofing);

d) Operating email lists without a functional and immediate unsubscribe mechanism, or continuing to send messages to recipients who have expressed a refusal through any channel;

e) Using the Services as support infrastructure for third-party spam networks, including storing lists, running dispatch scripts or routing malicious traffic;

f) Engaging in snowshoe spamming (distributing volume across multiple domains and IPs to dilute reputation) or any technique designed to evade anti-spam filters.

3.2 Malware and Malicious Code

The following are prohibited:

a) Hosting, distributing, transmitting or facilitating access to viruses, worms, trojans, ransomware, spyware, adware, rootkits, keyloggers, cryptojackers, exploits or any other code designed to cause damage, obtain unauthorized access or compromise the systems, devices or data of third parties;

b) Using the Services as a command-and-control (C2/C&C) platform for botnets or networks of compromised devices;

c) Storing or transmitting exploitation payloads, automated attack tools or phishing kits;

d) Modifying, obfuscating or repackaging third-party software in a manner that conceals malicious functionality;

e) Executing code that interferes with the operation of the Services, Octa8 Tecnologia LTDA's servers or any connected networks and systems.

3.3 Fraud and Deceptive Schemes

Using the Services to do any of the following is prohibited:

a) Conducting or facilitating financial fraud, including fraudulent billing, chargeback fraud, affiliate fraud, advertising fraud (ad fraud) and money laundering;

b) Creating or operating pyramid schemes, Ponzi schemes, unregulated multi-level marketing or any system that promises financial returns not backed by lawful economic activity;

c) Gaining unauthorized access to accounts, systems or data of third parties through deception, misrepresentation or any unlawful means;

d) Impersonating others, creating fictitious personas with the intent to deceive third parties or using false documents to open or verify an account;

e) Promoting illegal gambling, unauthorized lotteries or any activity prohibited under the laws of Foro da Comarca de Jaú/SP, Brasil.

3.4 Phishing and Social Engineering

The following are prohibited:

a) Creating, hosting or distributing pages, forms or interfaces that impersonate brands, government entities, financial institutions or any legitimate organization for the purpose of inducing users to provide credentials, financial data or sensitive personal information;

b) Using the Services to disseminate links or redirects leading to phishing pages, regardless of whether those pages are hosted on Octa8 Tecnologia LTDA infrastructure;

c) Conducting social engineering attacks against Octa8 Tecnologia LTDA employees, contractors or customers, including pretexting, vishing and smishing;

d) Registering domains or creating subdomains that imitate third-party brands with deceptive intent (typosquatting and cybersquatting);

e) Sending communications that purport to originate from Octa8 Tecnologia LTDA or Octa8 without prior express authorization.

3.5 Illegal and Harmful Content

Hosting, publishing, transmitting or making available any of the following is prohibited:

a) Child sexual abuse material (CSAM) or any content that exploits, abuses or endangers minors — conduct that will be immediately reported to competent authorities, including the NCMEC (National Center for Missing & Exploited Children) where applicable, and to law enforcement authorities in Foro da Comarca de Jaú/SP, Brasil;

b) Content that incites, glorifies or instructs the commission of crimes, terrorism, genocide or acts of violence against individuals or groups;

c) Hate speech based on race, ethnicity, religion, gender, sexual orientation, disability or any other characteristic protected by law;

d) Content that violates personality rights, including non-consensual intimate imagery (revenge porn), defamation and libel;

e) Information that unlawfully identifies individuals (doxing) or that facilitates harassment, stalking or intimidation;

f) Adult content or content intended for individuals aged eighteen (18) or older in environments lacking effective age verification where required by law;

g) Any material whose publication, hosting or distribution is prohibited by the laws in force in Foro da Comarca de Jaú/SP, Brasil or in the user's place of residence.

3.6 Piracy and Intellectual Property Infringement

The following are prohibited:

a) Hosting, distributing or making available works protected by copyright (software, music, films, books, images, databases) without the appropriate licence or authorization from the rights holder;

b) Using the Services to index, aggregate or redistribute protected content in violation of the DMCA (Digital Millennium Copyright Act), applicable copyright statutes or international treaties;

c) Registering, using or transferring domain names, trademarks or visual identity elements that infringe on the intellectual property rights of third parties;

d) Reverse engineering, decompiling, disassembling or otherwise attempting to extract the source code of the Services, except to the extent expressly permitted by law;

e) Removing, altering or obscuring copyright notices, trademarks or other proprietary indications contained in any component of the Services.

Octa8 Tecnologia LTDA responds to copyright infringement notifications sent to help@octa8.app with the information required by applicable law.

3.7 Attacks, Intrusion and Offensive Activities

The following are prohibited:

a) Conducting denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against the Services, Octa8 Tecnologia LTDA's infrastructure or any third-party systems, whether or not using computational resources provided by Octa8 Tecnologia LTDA;

b) Exploiting vulnerabilities in Octa8 Tecnologia LTDA's or third parties' systems, applications or networks without express prior written authorization (unauthorized penetration testing);

c) Conducting network scans (port scanning, vulnerability scanning, fingerprinting) on systems that are not owned or controlled by the user;

d) Attempting to circumvent authentication, authorization or access-control mechanisms of the Services, including brute force, credential stuffing and session attacks;

e) Intercepting, capturing or manipulating network traffic of other users (sniffing, man-in-the-middle);

f) Injecting malicious code into applications hosted on the Services (SQL injection, XSS, SSRF, RCE and the like) with the intent to cause harm or gain unauthorized access;

g) Using the Services as a launch point, intermediary or destination for any of the activities described above against third parties.

Legitimate security research: Users who identify vulnerabilities in the Services are encouraged to report them responsibly (responsible disclosure) to help@octa8.app, with sufficient information to reproduce the issue. Octa8 Tecnologia LTDA will not initiate legal action against researchers who act in good faith and in accordance with the responsible disclosure program published on its portal.

3.8 Abusive Automation and Data Scraping

The following are prohibited:

a) Using bots, crawlers, scrapers, headless browsers or any automated mechanism to access the Services in a manner that exceeds the reasonable use of a human user or that is not expressly authorized by Octa8 Tecnologia LTDA's official API;

b) Scraping, collecting or extracting data from other accounts, profiles or environments on the Services without authorization from the respective account holders;

c) Circumventing access control mechanisms (CAPTCHA, rate limiting, authentication) by automated means;

d) Making requests in volumes that degrade the performance of the Services for other users or that exceed the usage limits defined in the API documentation or the contracted plan;

e) Aggregating, reselling or redistributing data extracted from the Services without Octa8 Tecnologia LTDA's express authorization.

3.9 Unauthorized Cryptocurrency Mining

Using any computational resource provisioned by Octa8 Tecnologia LTDA — including processing capacity (CPU/GPU), bandwidth and storage — for cryptocurrency mining or the execution of any proof-of-work algorithm without prior written authorization from Octa8 Tecnologia LTDA is strictly prohibited.

This prohibition includes embedding miners in web pages (cryptojacking) that consume visitors' device resources without informed consent.

3.10 Misuse of Artificial Intelligence Tools

The Services provide features based on artificial intelligence (AI) and language models. Using those features for any of the following is prohibited:

a) Generating, distributing or amplifying disinformation, fake news, deceptive content or coordinated propaganda;

b) Creating content that infringes third-party rights, including synthetic texts, images, audio and video (deepfakes) used to defame, deceive or harass;

c) Circumventing safety guardrails, content filters or moderation mechanisms implemented by the models or the Services (prompt injection, jailbreaking);

d) Producing malicious code, exploits, malware or any software with destructive or offensive potential;

e) Engaging in unlawful discrimination based on legally protected characteristics in automated decision-making processes;

f) Processing sensitive personal data through the Services' AI tools without a valid legal basis (GDPR Art. 9; LGPD Art. 11);

g) Using outputs generated by the AI tools to misrepresent the authorship or nature of the produced content when such misrepresentation may cause harm to third parties.

3.11 Resource and API Usage Limits

Use of the Services is subject to the technical and contractual limits defined in the user's plan. The following are prohibited:

a) Exceeding storage, bandwidth, API requests, email sends, messages and other metric quotas established in the contracted plan;

b) Creating multiple accounts to circumvent free-plan limits or to accumulate credits fraudulently;

c) Renting, reselling, sublicensing or otherwise commercializing access to the Services to third parties without a white-label reseller plan contracted with Octa8 Tecnologia LTDA;

d) Using the Services in ways that prevent or impair other users' access to the platform, including operations that persistently consume disproportionate resources;

e) Accessing internal or administrative endpoints not intended for public use, even if technically reachable.

Octa8 Tecnologia LTDA reserves the right to impose temporary technical limitations (throttling, rate limiting) on accounts that exceed normal usage patterns, including without prior notice, when necessary to protect the platform.


4. Abuse Reporting

4.1 Official channel

Reports of violations of this Policy, including spam, abuse, illegal content, phishing, security vulnerabilities and any other prohibited conduct, must be submitted to:

Email: help@octa8.app

When reporting, please include, where possible: (i) a detailed description of the conduct; (ii) the URL, domain, IP address or account identifier involved; (iii) evidence (screenshots, email headers, logs); (iv) the approximate date and time of the incident; (v) your contact information for any follow-up.

4.2 Triage and response

Octa8 Tecnologia LTDA is committed to:

a) Acknowledging receipt of the report within two (2) business days;

b) Completing initial triage within five (5) business days;

c) Taking interim blocking measures where the reported content or conduct poses an immediate risk to the safety of individuals or the integrity of the platform, irrespective of the conclusion of the investigation;

d) Informing the reporter of the outcome of the investigation, to the extent permitted by applicable data protection law and applicable confidentiality agreements.

4.3 Good faith and anonymity

Reports may be submitted anonymously. Octa8 Tecnologia LTDA does not retaliate against reporters who act in good faith. Reports that are manifestly unfounded, false or used as an instrument of harassment may give rise to corrective measures against the reporter.


5. Consequences of Violations

5.1 Available measures

Upon confirming a violation of this Policy, Octa8 Tecnologia LTDA may, at its sole discretion and in proportion to the severity of the conduct, take one or more of the following measures:

Measure | Description
Warning | Formal notification to the account holder requiring immediate cessation of the conduct and, where applicable, remediation of damages caused.
Temporary limitation | Restriction of specific features (email sending, API access, content creation) while the investigation proceeds.
Preventive suspension | Temporary blocking of access to the account or specific resources, without prejudice to the ongoing investigation.
Content removal | Deletion or suppression of content that violates this Policy or applicable law.
Account termination | Permanent cancellation of the agreement and deletion of the account, with or without prior notice, depending on the severity of the violation.
Withholding of funds | Retention of balances, credits or amounts owed to the user, to the extent necessary to cover damages caused to third parties or to Octa8 Tecnologia LTDA, in accordance with applicable law.
Cooperation with authorities | Providing information, logs and data to competent authorities upon valid legal request or on Octa8 Tecnologia LTDA's own initiative where there is a legal obligation to notify.

5.2 Proportionality criteria

The choice and intensity of the measure applied will consider, among other factors: (i) the severity and potential impact of the violation; (ii) whether the conduct is repeated or isolated; (iii) the user's good faith and cooperation during the investigation; (iv) the actual harm caused to third parties or to Octa8 Tecnologia LTDA; (v) the existence of a legal obligation requiring a specific measure.

5.3 Right to be heard and appeal

Except in cases where urgency requires immediate action (security risks, child abuse content, ongoing attacks), Octa8 Tecnologia LTDA will notify the account holder before taking definitive measures, granting a reasonable period to present a defence. The holder may contest the decision by contacting help@octa8.app, presenting the factual and legal grounds they deem relevant. Octa8 Tecnologia LTDA will review the appeal and communicate a reasoned decision.

5.4 Civil and criminal liability

A user who violates this Policy is liable, under applicable law, for material and moral damages caused to Octa8 Tecnologia LTDA, its users and third parties. Octa8 Tecnologia LTDA reserves the right to take appropriate legal action and to report criminal conduct to competent authorities in Foro da Comarca de Jaú/SP, Brasil and other countries, in accordance with the geographic reach of the conduct.

5.5 Reseller liability

Resellers who fail to incorporate, enforce or apply obligations equivalent to this Policy toward their end users are jointly and severally liable for violations committed by those end users, under applicable civil law and internet liability frameworks.


6. General Provisions

6.1 Amendments

Octa8 Tecnologia LTDA reserves the right to revise this Policy periodically. Material changes will be communicated by email to the account holder and/or by prominent notice in the administration panel at least thirty (30) days before taking effect, except where required by immediate legal obligation. Continued use of the Services after the changes come into force constitutes acceptance of the updated terms.

6.2 Severability

The invalidity or unenforceability of any provision of this Policy shall not affect the remaining provisions, which shall remain in full force and effect.

6.3 Governing law and jurisdiction

This Policy is governed by and construed in accordance with the laws of Foro da Comarca de Jaú/SP, Brasil. Any disputes arising from it shall be submitted to the competent courts of Foro da Comarca de Jaú/SP, Brasil, with the parties expressly waiving any other forum, however privileged it may be.

6.4 Language

The Portuguese (Brazil) version of this Policy is the reference version for legal interpretation in Foro da Comarca de Jaú/SP, Brasil. The English version is provided as a faithful translation for the convenience of international users.


Effective Date

This Acceptable Use Policy enters into force on 04 June 2026 and applies to all agreements and usage relationships maintained with Octa8 Tecnologia LTDA from that date, as well as to pre-existing relationships where users continue to use the Services after that date.

Questions, formal notices and abuse reports should be directed to help@octa8.app.

Octa8 Tecnologia LTDA — Octa8

Artificial intelligence

AI Use & Responsible AI Policy

Principles, transparency, limitations and responsibilities governing AI use on Octa8.

Version 1.0 · Effective 04/06/2026

1. Scope and Purpose

This AI Use & Responsible AI Policy ("Policy") describes how Octa8, operated by Octa8 Tecnologia LTDA ("we", "us", "our"), develops, deploys and governs artificial intelligence (AI) and machine learning (ML) systems within the platform. It applies to all users, customers, resellers and partners who use any AI-powered features made available by the platform.

This Policy should be read together with our Privacy Policy, Terms of Service, and the Sub-Processors & AI Providers List, which identifies the external language model providers and AI services we use.

By accessing or using any AI feature on the platform, you agree to the practices described in this Policy.


2. Responsible AI Principles

Our AI governance is grounded in the following principles, aligned with the NIST AI Risk Management Framework (AI RMF), EU AI Act guidelines, and global responsible AI best practices:

2.1 Lawfulness. All AI systems operate in compliance with applicable law, including the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018), the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), and other applicable regulations of the jurisdiction Foro da Comarca de Jaú/SP, Brasil.

2.2 Fairness and Non-Discrimination. We seek to identify, monitor and mitigate algorithmic biases that may result in unfair or discriminatory treatment of individuals or groups, particularly on the basis of legally protected attributes (race, gender, origin, religion, disability, and others).

2.3 Transparency. We inform users when they are interacting with AI systems and provide accessible, clear explanations of the general operation of those systems, their purposes and limitations.

2.4 Accountability. We establish clear internal responsibilities for the development, operation and auditing of AI systems, including the Data Protection Officer (DPO) role and a dedicated AI technical team.

2.5 Safety and Robustness. We implement technical and organizational measures to ensure that AI systems operate securely, are resistant to adversarial manipulation, and behave predictably within their designed boundaries.

2.6 Privacy by Design. AI systems are designed with privacy by design principles, minimizing the collection and use of personal data to what is strictly necessary for the stated purpose.

2.7 Human Oversight. We ensure that high-impact decisions involve meaningful human oversight, preserving data subjects' right to contest automated decisions, in accordance with Article 20 of the LGPD and Article 22 of the GDPR.

2.8 Social Benefit. The development of AI on the platform aims to generate genuine value for users, customers and society, avoiding applications that cause foreseeable harm.


3. How AI is Used on the Platform

Octa8 incorporates AI-powered functionality across several areas of the platform. Key uses include, without limitation:

3.1 Content Generation. Tools for generating text, images, captions, hashtags, emails, scripts and other marketing and communication content, based on prompts provided by the user.

3.2 Chatbots and Virtual Assistants. Conversational agents configurable by the customer for visitor support, internal assistance, lead qualification and workflow automations. End users interacting with chatbots may or may not be informed that they are communicating with an automated system, depending on the customer's configuration — the customer is responsible for such transparency toward their own visitors.

3.3 Intelligent Model Routing (OmniRoute). A proprietary system that automatically selects the most suitable AI model for each request based on criteria of cost, latency, quality and availability, and can distribute requests across multiple large language model (LLM) providers.

3.4 Document Analysis and Data Extraction. Document processing (OCR), semantic indexing of knowledge bases (RAG — Retrieval-Augmented Generation), content summarization and structured data extraction.

3.5 SEO and Optimization. Automated suggestions for keywords, metadata, content structuring and recommendations to improve search engine performance.

3.6 Workflow Automation. AI agents capable of executing sequences of actions (sending messages, creating content, updating records) within automations configured by the user.

3.7 Business Intelligence Analysis. Interpretation of financial and operational metrics with AI-generated suggestions to support decision-making.

3.8 Personalization. Recommendations for content, products or actions based on user behavior and their end customers' activity.

3.9 Monitoring and Moderation. Automated detection of potentially problematic content, spam or suspicious activity.

The list of AI features may be updated periodically. Material updates will be reflected in this Policy and communicated as applicable.


4. Algorithmic Transparency

4.1 Identification of AI-Generated Content. In contexts where the platform generates content directly visible to the user through AI, some indication of that nature will be provided wherever technically feasible — except where content is produced on behalf of the customer for use on external surfaces, in which case the disclosure responsibility rests with the customer.

4.2 Explainability. We do not operate black boxes without any level of explanation. For high-impact AI features (such as content moderation or risk scoring), we provide at minimum the general criteria considered in the processing.

4.3 Logging and Auditability. We maintain internal records of requests made to AI models, including metadata such as the model used, timestamp, associated user/tenant and result, for the period necessary for the stated purposes and applicable legal obligations.

4.4 Model Versions. AI features may use models from different versions and providers. Octa8 does not guarantee that the same model or version will be used permanently and may update models to improve quality, safety or efficiency — always in compliance with the requirements of this Policy.


5. Human Oversight

5.1 Output Review. The user is responsible for reviewing all AI-generated content before publishing, sending or taking any action based on it. The platform does not replace qualified human judgment.

5.2 AI Agents and Action Approval. For high-impact actions executed by AI agents (such as sending bulk communications, accessing external APIs or executing transactions), the platform provides human pre-approval mechanisms configurable by the customer in the administrative dashboard.

5.3 Continuous Monitoring. Our technical teams continuously monitor the performance, security and behavior of AI systems in production, with periodic reviews and the ability to intervene immediately when necessary.

5.4 Right to Review Automated Decisions (Art. 20 LGPD / Art. 22 GDPR). Where the platform uses automated processes that produce decisions with significant legal effects or that materially affect a data subject — such as account moderation, access blocking or risk classification — the data subject has the right to:

  • Request human review of the decision;
  • Obtain information about the criteria and procedures used;
  • Express their opposition to the decision.

To exercise this right, the data subject should contact the Data Protection Officer at dpo@acme.test.


6. Personal Data Processing by AI and Legal Bases

6.1 Data Used by AI. The platform's AI systems may process personal data entered directly by the user (texts, files, contacts, conversation histories) or inferred from platform usage, strictly for the stated purposes and within the limits of the agreed contract.

6.2 Legal Bases (LGPD / GDPR). The processing of personal data by AI systems on the platform is carried out on the following legal bases, as applicable:

  • Contract performance (Art. 7(V) LGPD; Art. 6(1)(b) GDPR): when necessary to provide the contracted features;
  • Legitimate interests (Art. 7(IX) LGPD; Art. 6(1)(f) GDPR): for service quality improvement, security and fraud prevention, subject to impact assessment;
  • Consent (Art. 7(I) LGPD; Art. 6(1)(a) GDPR): for optional personalization features that depend on sensitive data or non-essential purposes;
  • Legal obligation (Art. 7(II) LGPD; Art. 6(1)(c) GDPR): when required by law or competent authority.

6.3 No Training on Customer Data. Octa8 Tecnologia LTDA does not use personal data belonging to customers, their end users or their visitors to train, fine-tune or optimize AI models in a manner that causes such data to become a permanent part of any model. Data is processed transactionally to generate the requested output and is not retained by models beyond the context of the request.

6.4 International Transfers. The use of AI model providers (sub-processors) may involve international data transfers. All transfers are carried out with the appropriate safeguards required by the LGPD (Art. 33) and GDPR (Chapter V), including standard contractual clauses, certifications or applicable adequacy decisions. The updated list of sub-processors and the applicable transfer mechanisms is available in the Sub-Processors & AI Providers List.

6.5 Minimization and Retention. We implement data minimization practices, ensuring that only the information necessary for the stated AI purpose is processed. Personal data associated with AI requests is retained for the period defined in the Privacy Policy, after which it is deleted or anonymized.

6.6 Sensitive Data. Processing of sensitive personal data (Art. 5(II) LGPD; Art. 9 GDPR) by AI systems occurs only on the basis of specific and explicit consent of the data subject, or under other legally authorized grounds, and it is prohibited to use such data for purposes other than those disclosed.


7. AI Risk Management

7.1 Risk Identification. We conduct periodic risk assessments for the AI systems deployed, considering: algorithmic bias, hallucinations (generation of false or inaccurate information), adversarial attacks (prompt injection, jailbreaking), privacy violations, third-party provider dependencies and security risks.

7.2 Algorithmic Bias. We acknowledge that large language models may reproduce biases present in their training data. We implement technical and procedural mitigations to reduce this risk, including regular output evaluations, system prompt tuning and careful model and provider selection.

7.3 Hallucinations. Generative AI models may produce factually incorrect, incomplete or misleading content ("hallucinations"). The platform does not guarantee the accuracy, completeness or currency of any AI-generated content. Users must independently verify any relevant information before relying on it.

7.4 Security Against Manipulation. We implement technical safeguards to detect and mitigate attempts to manipulate AI systems through malicious inputs (prompt injection, jailbreaking, context poisoning). The intentional exploitation of such vulnerabilities constitutes a violation of this Policy and the Terms of Service.

7.5 Third-Party Dependencies. The availability and performance of AI features partially depend on external providers. We maintain failover architecture and intelligent routing (OmniRoute) to mitigate outages, but do not guarantee uninterrupted availability of all AI features.

7.6 Impact Assessments. For new AI features involving significant processing of personal data, we conduct Data Protection Impact Assessments (DPIAs/RIPDs) prior to production deployment.


8. AI Limitations

The user acknowledges and agrees to the following inherent limitations of AI systems:

8.1 No Guarantee of Accuracy. No content, analysis, forecast or recommendation generated by AI constitutes a guarantee of results or professional advice (legal, medical, financial, technical or of any other nature). Octa8 is not liable for decisions made based solely on AI outputs.

8.2 Output Variability. AI outputs may vary even for identical inputs. Past results do not guarantee equivalent future results.

8.3 Context and Language. AI models may perform differently depending on language, subject domain or cultural context. Octa8 does not guarantee uniform performance across all contexts.

8.4 Training Cutoff. Language models have a training data cutoff date and may not have knowledge of events, legislation or information subsequent to that date.

8.5 Third-Party Content. AI may reference or reproduce third-party content. The user is responsible for verifying the legal and copyright suitability of any content before using it publicly.


9. User Responsibility for Generated Results

9.1 Responsibility for Use. The user is fully responsible for their use of the platform's AI features, including the review, editing, approval and publication of any generated content. Octa8 does not assume responsibility for AI-generated content that is published, shared or used by the user.

9.2 Mandatory Review. Before using any AI output for commercial, legal, medical, financial, journalistic or other purposes that may affect third parties' rights, the user must submit the content for review by a qualified professional.

9.3 Intellectual Property. The user is responsible for ensuring that the use of AI-generated content does not infringe third-party intellectual property rights. Copyright laws applicable to AI-generated content vary by jurisdiction and are evolving; users should seek specialized legal advice when necessary.

9.4 Responsibility for Input Context. The user is responsible for the data, prompts and instructions they provide to AI systems. Entering personal data of third parties without an adequate legal basis or in violation of third-party rights is the exclusive responsibility of the user.

9.5 Indemnification. The user agrees to indemnify and hold harmless Octa8 Tecnologia LTDA, its staff and partners from any claims, damages, penalties or expenses arising from misuse of AI features or from the publication of AI-generated content without proper review and adaptation.


10. Prohibited Uses of AI

It is expressly prohibited to use the platform's AI features to:

10.1 Generate, distribute or amplify illegal content, including child sexual abuse material (CSAM), hate speech, incitement to violence or any other category prohibited by law.

10.2 Create disinformation, fake news, deepfakes or any misleading content intended to manipulate public opinion, interfere in electoral processes or cause harm to individuals or organizations.

10.3 Conduct phishing, social engineering, fraud or any form of cybercrime.

10.4 Develop, train or refine competing AI models using platform-generated outputs without the express written authorization of Octa8 Tecnologia LTDA.

10.5 Automate bulk data collection from the platform or from third parties without authorization (scraping) or in any way that violates the Terms of Service.

10.6 Use AI for unauthorized mass surveillance, monitoring of individuals without their knowledge or consent, or to create discriminatory profiling.

10.7 Generate content that violates the privacy rights of third parties, including the creation of non-consensual explicit content involving real people.

10.8 Attempt to bypass, manipulate or compromise the security systems, content filters or usage restrictions of AI models (prompt injection, jailbreaking or similar techniques).

10.9 Use AI to replace regulated professional advice (medical, legal, financial, psychological) in contexts where such substitution may cause harm to the user or third parties.

10.10 Any purpose that violates fundamental rights, human dignity or the responsible AI principles set out in this Policy.

Violation of these terms may result in immediate suspension of access to AI features or account termination, without prejudice to applicable legal measures.


11. AI Providers and Sub-Processors

11.1 Use of Third Parties. Octa8 uses language models and AI services provided by third parties ("AI sub-processors") to power the features described in this Policy. These providers include, but are not limited to, large language model (LLM) providers, embedding services, inference infrastructure providers and specialized APIs.

11.2 Selection and Contracts. All AI sub-processors are selected based on criteria of security, privacy, legal compliance and quality. We formalize data processing agreements (DPAs) with all sub-processors that process personal data, ensuring obligations equivalent to those in this Policy.

11.3 Sub-Processor List. The updated list of AI sub-processors, including provider identification, country of establishment, processing purposes and applicable international transfer mechanisms, is available in our Sub-Processors & AI Providers List. We update that list whenever there is a relevant change of sub-processor, with notification to customers at least 30 days in advance for new or materially changed sub-processors.

11.4 Liability. Octa8 Tecnologia LTDA remains liable to data subjects for processing carried out by sub-processors on its behalf, under the terms of the LGPD and GDPR.


12. Automated Decisions and Right to Review

12.1 Scope. This section applies to decisions made in a solely automated manner — without meaningful human intervention — that produce legal effects or similarly significantly affect a data subject's interests (Art. 20 LGPD; Art. 22 GDPR).

12.2 Examples of Automated Decisions. On the platform, examples of processes with a significant automated component include: risk assessment for account moderation, content classification for visibility purposes, lead scoring and audience segmentation.

12.3 Right to Human Review. The data subject has the right to request human review of any automated decision that significantly affects them, as well as to:

  • Obtain clear information about the criteria, data and logic used in the decision;
  • Contest the decision and present relevant considerations;
  • Obtain correction of incorrect data that influenced the decision.

12.4 Exercising the Right. To exercise the right of review of an automated decision, the data subject must submit a request to the Data Protection Officer at dpo@acme.test, identifying the decision in question and the grounds for contesting it. We will respond within 15 (fifteen) business days, extendable by an equal period in more complex cases, with a reasoned communication.

12.5 Limitations. The right of review does not apply to decisions necessary for the performance of the contract between the parties, for compliance with a legal or regulatory obligation, or where based on the data subject's own explicit consent — provided that minimum safeguards are ensured (right to express a point of view and to contest).


13. Updates to this Policy

Octa8 Tecnologia LTDA reserves the right to update this Policy periodically to reflect changes in AI features, applicable law or AI governance best practices. Material updates will be communicated with at least 15 (fifteen) days' notice via the platform dashboard or by email. Continued use of AI features after the effective date of changes constitutes acceptance of the new version of the Policy.

The current version will always be available at Octa8/docs/ai-policy. The version history is available upon request to the Data Protection Officer.


14. Contact and Data Protection Officer (DPO)

For questions, rights requests, complaints or any matter related to this Policy or the use of AI on the platform:

Data Protection Officer (DPO)
Email: dpo@acme.test

General Support Channel
Email: help@octa8.app
Access: Help Center

Octa8 Tecnologia LTDA
Jurisdiction: Foro da Comarca de Jaú/SP, Brasil

Data subject rights requests will be responded to within the applicable legal time limits. To report security incidents involving AI, please use the security contact available on our website.


15. Effective Date

This Policy takes effect on 04 June 2026 and remains in force until replaced by a subsequent version, duly communicated in accordance with Section 13.

The effective date of each version is identified in the doc_version field and in the header of this Policy. Prior versions are archived and made available upon request.

Octa8 Tecnologia LTDA — Octa8

Privacy & data protection

Data Protection Officer & Your Rights

How to exercise your LGPD rights and contact the Data Protection Officer (DPO) at Octa8 Tecnologia LTDA.

Version 1.0 · Effective 04/06/2026

1. Identification of the Data Protection Officer (DPO)

In compliance with Article 41 of Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais — Law No. 13,709/2018, "LGPD") and, where applicable, Article 37 of the EU General Data Protection Regulation (GDPR), Octa8 Tecnologia LTDA has formally designated a Data Protection Officer (DPO):

Field | Information
Name | Encarregado de Proteção de Dados (DPO) — Octa8
Institutional e-mail | dpo@acme.test
Controller | Octa8 Tecnologia LTDA
Platform | Octa8
Primary jurisdiction | Foro da Comarca de Jaú/SP, Brasil

The DPO may be contacted directly by data subjects, the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados — ANPD), and any other competent supervisory authority.


2. Role and Responsibilities of the DPO

The DPO acts as the primary point of contact between Octa8 Tecnologia LTDA, data subjects, and regulatory bodies. Responsibilities include, among others:

  • Receiving complaints and communications from data subjects, providing clarifications, and taking necessary action (art. 41, § 2, I, LGPD).
  • Receiving communications from the ANPD and acting accordingly (art. 41, § 2, II, LGPD).
  • Guiding employees and contractors on data protection best practices (art. 41, § 2, III, LGPD).
  • Performing additional duties defined in supplementary regulations and internal policies.
  • Advising the organisation on Data Protection Impact Assessments (DPIAs) and continuously monitoring compliance with the LGPD and applicable regulations.
  • Maintaining records of processing activities (Relatório de Impacto à Proteção de Dados Pessoais — RIPD) when required.

The DPO carries out their duties independently and does not receive instructions regarding the exercise of their regulatory responsibilities.


3. Your Rights as a Data Subject (art. 18 LGPD)

The LGPD grants data subjects a robust set of rights that may be exercised at any time against the controller, without the need to provide justification for most of them:

3.1 Confirmation of Processing

Right to obtain confirmation that Octa8 Tecnologia LTDA processes or has processed your personal data.

3.2 Access to Data

Right to access a full copy of your personal data being processed, including categories of data, purposes, sources, retention periods, and disclosures to third parties.

3.3 Correction of Incomplete, Inaccurate, or Outdated Data

Right to request the update or correction of any data that is inaccurate, incomplete, or outdated.

3.4 Anonymisation, Blocking, or Deletion

  • Anonymisation: transformation of data so that it no longer permits the identification of the data subject.
  • Blocking: temporary suspension of processing while a dispute is under review.
  • Deletion: permanent removal of data that is unnecessary, excessive, or processed in violation of the LGPD.

Please note: deletion may be limited where Octa8 Tecnologia LTDA is legally required to retain data (e.g., tax obligations, fraud prevention, compliance with judicial orders) or where processing is necessary for the regular exercise of legal rights.

3.5 Data Portability

Right to receive your personal data in a structured, interoperable, machine-readable format (e.g., JSON, CSV) for transfer to another service or product provider, in accordance with ANPD regulations.

3.6 Information about Data Sharing

Right to know which public and private entities (processors, partners, sub-processors) Octa8 Tecnologia LTDA shares your personal data with.

3.7 Information about the Possibility of Not Consenting

Right to be informed of the practical consequences of refusing consent or withdrawing it, where consent is the applicable legal basis.

3.8 Withdrawal of Consent

Where processing is based on your consent (art. 7, I, or art. 11, I, LGPD), you may withdraw it at any time, free of charge and through a simple mechanism. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

3.9 Review of Automated Decisions (art. 20 LGPD)

Right to request human review of decisions made exclusively on the basis of automated processing of personal data that affect your interests, including decisions that establish personal, professional, consumer, or credit profiles.


4. How to Exercise Your Rights

4.1 Preferred Channel — Account Dashboard (immediate self-service)

The fastest way to exercise many of your rights is directly in the "Privacy & Data" section of your account:

Octa8/portal/profile/data

In this area you can, without the need for a manual request:

  • Download a full export of your personal data (confirmation of existence + access + portability) in JSON/CSV format.
  • Request deletion of your account and associated data (erasure).
  • Manage consents: view, update, and withdraw specific consent bases.
  • Review active data sharing with third parties.

4.2 Formal Channel — Contact the DPO

For rights not available via self-service, automated decision reviews, disputes, or formal complaints:

| Channel | Address |
| --- | --- |
| E-mail (DPO) | dpo@acme.test |
| General e-mail | help@octa8.app |
| Web form | Octa8/portal/profile/data (section "Submit a request") |

Please include in your request:

  1. Your full name.
  2. The e-mail address associated with your account.
  3. A clear description of the right you wish to exercise.
  4. Any supporting documents or information that may assist in identification and processing of your request.

5. Identity Verification

To protect your data and prevent unauthorised access, Octa8 Tecnologia LTDA may request identity verification before processing any request. Verification is proportionate to the sensitivity of the right being exercised and may include:

  • Confirmation of account access (authenticated session via dashboard).
  • A confirmation e-mail sent to your registered address.
  • In high-risk cases (e.g., portability of large volumes of data, irreversible deletion): an official government-issued photo ID or other additional verification.

Octa8 Tecnologia LTDA will never use the information provided for identity verification for any purpose other than processing the relevant request.


6. Response Timeframes

| Situation | Timeframe |
| --- | --- |
| Acknowledgement of receipt | Immediate (automated) or within 2 business days |
| Substantive response to the exercise of a right | Within 15 calendar days from receipt of the complete request |
| Extension (complex or high-volume cases) | Up to 15 additional calendar days, with reasoned notice to the data subject |
| Requests via self-service dashboard | Immediate (export) or processed within 30 days (deletion, subject to legal retention) |

Timeframes run from receipt of the request with all information necessary for identity verification and processing. Incomplete requests will receive a request for supplementary information, and the timeframe will restart upon receipt.


7. Request Handling Procedure

Data subject requests are handled according to the following internal workflow:

  1. Receipt and registration of the request (unique reference number assigned).
  2. Identity verification of the data subject (§ 5 above).
  3. Admissibility assessment: whether the right is applicable, whether a legal basis for limitation exists (e.g., legal obligation, legitimate interest, regular exercise of rights), and whether the request is complete.
  4. Processing: technical execution of the request (access, correction, export, anonymisation, deletion, blocking, or withdrawal).
  5. Response to data subject: communication of the outcome, including reasoning in cases of limitation or denial.
  6. Record-keeping and evidence: maintenance of an internal record of the handling for audit and compliance purposes.

In cases of partial or full denial, Octa8 Tecnologia LTDA will inform the data subject of the reasons, identify the applicable legal basis, and advise on available avenues of redress, including complaint to the ANPD.


8. Consent Management and Legal Bases

Octa8 Tecnologia LTDA processes personal data on the following legal bases set out in art. 7 of the LGPD (and art. 11 for sensitive data):

| Legal Basis | Example of Use |
| --- | --- |
| Consent (art. 7, I) | Opt-in e-mail marketing, non-essential analytics cookies |
| Compliance with a legal obligation (art. 7, II) | Tax retention, accounting records, compliance with court orders |
| Performance of a contract (art. 7, V) | Provisioning of contracted services, billing, support |
| Legitimate interest (art. 7, IX) | Platform security, fraud prevention, service improvement (subject to balancing test) |
| Regular exercise of legal rights (art. 7, VI) | Defence in administrative or judicial proceedings |
| Protection of life or physical safety (art. 7, VII) | Emergency situations involving the data subject |

You can view the applicable legal basis for each processing purpose in our Privacy Policy available at Octa8.

Where the legal basis is consent, you can manage and withdraw it at any time at Octa8/portal/profile/data (section "Consents"). Withdrawal is free, simple, and effective immediately on the platform.


9. Deletion and Anonymisation of Data

9.1 Account Deletion

Upon requesting account deletion at Octa8/portal/profile/data or through a formal request:

  • Identification and usage data linked exclusively to your profile will be deleted or anonymised within 30 days of confirmation of the request.
  • Data that Octa8 Tecnologia LTDA is legally required to retain (e.g., tax records, access logs required by applicable legislation) will be retained for the minimum statutory period and permanently deleted thereafter.
  • Third-party data generated through interactions with other platform users (e.g., messages in collaborative conversations, publicly published content) may be treated differently; you will be informed of any applicable limitations.

9.2 Anonymisation

Data that has been irreversibly anonymised (such that it no longer permits, by reasonable means, re-identification of the data subject) is not considered personal data for the purposes of the LGPD and may be retained for statistical, service improvement, and security purposes without a fixed retention period.

9.3 Backups and Legacy Systems

Data deleted from the active database may remain in encrypted backups for up to 90 additional days after deletion from the active environment, after which it is automatically purged during regular backup rotation cycles. During this period, data in backups is not accessed for commercial purposes.


10. Complaints to the ANPD and Other Authorities

If you believe your rights have not been adequately addressed, you may file a complaint directly with the Autoridade Nacional de Proteção de Dados (ANPD):

For data subjects located in the European Union or European Economic Area whose data is processed under the GDPR, the right to lodge a complaint with the competent supervisory authority in your country of residence is also guaranteed (art. 77 GDPR).

We encourage you to contact us first at dpo@acme.test so that we may attempt to resolve the matter directly and promptly before engaging regulatory authorities.


11. International Data Transfers

Where personal data is transferred outside Brazil, Octa8 Tecnologia LTDA ensures such transfers comply with art. 33 of the LGPD, through:

  • Transfer to countries or international organisations that provide a level of personal data protection adequate to the LGPD (ANPD adequacy decision);
  • Standard contractual clauses approved by the ANPD;
  • Specific consent of the data subject; or
  • Other safeguards provided for by law or ANPD regulation.

Information on international transfers made, including destination countries and the safeguards adopted, is set out in our Privacy Policy.


12. Data of Minors

Octa8 Tecnologia LTDA processes personal data of children and adolescents only when necessary, in the best interest of the minor, and with the specific and express consent of at least one parent or legal guardian (art. 14 LGPD). Guardians may exercise the rights set out in this document on behalf of minors in their care, subject to verification of identity and guardianship.


13. Updates to This Document

This document may be updated periodically to reflect changes in legislation, in Octa8 Tecnologia LTDA's data processing practices, or in response to guidance from regulatory authorities. Material changes will be communicated to data subjects by e-mail or through a prominent notice on the platform with reasonable advance notice.

We recommend reviewing this page periodically. A version history is available upon request from the DPO at dpo@acme.test.


Effective Date

This document takes effect on 04 June 2026 and remains valid until expressly superseded by a subsequent version, duly dated and published at Octa8.

For questions, requests, or complaints, please contact the Data Protection Officer of Octa8 Tecnologia LTDA at dpo@acme.test.

Privacy & data protection

Subprocessors

Third parties that process personal data on behalf of Octa8 Tecnologia LTDA.

Version 1.0 · Effective 04/06/2026

1. Introduction

Octa8 Tecnologia LTDA ("Processor") acts as a data processor when it processes personal data on behalf of its customers ("Controllers"), in accordance with Brazil's General Personal Data Protection Law (LGPD — Law No. 13,709/2018) and, where applicable, the European Union's General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).

A subprocessor is any natural or legal person that, under instruction from Octa8 Tecnologia LTDA, processes personal data whose control originally belongs to the contracting Controller. Subprocessing relationships are formalised through data protection clauses incorporated into commercial contracts with each subprocessor (DPA — Data Processing Agreement or equivalent instrument), ensuring that these third parties provide a level of protection compatible with the requirements of the LGPD and GDPR.

This register fulfils the transparency obligation set out in Article 37 of the LGPD and Article 30 of the GDPR, and complements the Data Processing Agreement concluded between Octa8 Tecnologia LTDA and its Controllers.

2. Change Notification and Right to Object

Octa8 Tecnologia LTDA may add, replace, or remove subprocessors from this list. Where such changes may materially affect the protection of a Controller's data, we will follow this procedure:

  1. Advance notice: Octa8 Tecnologia LTDA will publish the change on this page and send an email notification to the Controller's registered address at least 30 (thirty) days before the change takes effect.
  2. Right to object: A Controller that has legitimate, data-protection-related grounds for objecting to the addition or replacement of a subprocessor may notify Octa8 Tecnologia LTDA in writing at dpo@acme.test within the notice period. The parties will make good-faith efforts to find an alternative solution. If no agreement can be reached, the Controller may terminate the agreement without penalty, as provided in the terms of service.
  3. Emergency changes: In exceptional circumstances — such as the sudden discontinuation of a subprocessor or an imminent security risk — Octa8 Tecnologia LTDA may replace a subprocessor immediately, notifying the Controller as soon as reasonably practicable.
  4. Historical versions: Previous versions of this list are available on request by contacting dpo@acme.test.

3. Subprocessor List

The table below identifies the subprocessors engaged by Octa8 Tecnologia LTDA in the processing of personal data, organised by functional category.

Note on data processed: the "Data processed" column describes the categories of data that may be transmitted to each subprocessor depending on service configuration. Not all data is transmitted in every usage context.

| Subprocessor | Category | Purpose | Data processed | Location (HQ / main DCs) | International transfer |
| --- | --- | --- | --- | --- | --- |
| Cloudflare, Inc. | CDN, Network Security & DNS | Content delivery, DDoS protection, web application firewall (WAF), DNS resolution, TLS optimisation and network routing | IP addresses, HTTP headers, request metadata, session cookies (as configured), access logs | USA (HQ); globally distributed DCs | Yes — EU Standard Contractual Clauses (SCCs); EU–US DPF |
| Amazon Web Services, Inc. (AWS) | Cloud Infrastructure & Hosting | Cloud computing, object storage (S3), managed databases (RDS), message queuing (SQS), caching (ElastiCache), content delivery (CloudFront), and networking services | All data processed by the platform as configured by the Controller: account data, user-submitted content, logs, file metadata, monitoring data, IP addresses | USA (HQ — Seattle, WA); configurable regions (default: us-east-1); Brazil DC available (sa-east-1) | Yes — SCCs; EU–US DPF; AWS GDPR DPA; regional adequacy per region selection |
| Google LLC / Google Cloud Platform (GCP) | Cloud Infrastructure & AI Services | Cloud computing, storage, databases, machine learning services, maps, translation, data analytics and other platform services | Account data, user content, access logs, metadata, IP addresses, analytics data (subject to enabled services) | USA (HQ — Mountain View, CA); global DCs | Yes — SCCs; EU–US DPF; Google Cloud DPA |
| OpenAI, LLC | Artificial Intelligence Processing | Text generation, semantic analysis, summarisation, classification, vector embeddings and other large language model (LLM) capabilities exposed via API | Prompts and content submitted by users to the AI, request metadata, session identifiers; does not include model training data (per current DPA) | USA (HQ — San Francisco, CA) | Yes — SCCs; OpenAI DPA |
| Anthropic, PBC | Artificial Intelligence Processing | Text generation, content analysis, reasoning, summarisation and Claude model capabilities via API | Prompts and content submitted to the API, request metadata; does not include model training data (per current DPA) | USA (HQ — San Francisco, CA) | Yes — SCCs; Anthropic DPA |
| Cerebras Systems, Inc. | AI Inference | High-speed language model inference via API (specialised hardware) | Prompts and content submitted to the API, request metadata | USA (HQ — Sunnyvale, CA) | Yes — SCCs |
| NVIDIA Corporation | AI Inference Infrastructure | Accelerated inference services via API (NVIDIA NIM / DGX Cloud), embeddings and GPU-accelerated AI models | Prompts, embeddings and content submitted to the API; request metadata | USA (HQ — Santa Clara, CA); global DCs | Yes — SCCs; NVIDIA DPA |
| Resend, Inc. | Transactional Email | Delivery of transactional and notification emails: registration confirmation, password recovery, system alerts, billing notifications, platform-generated communications | Recipient email address, name, message content, delivery metadata (status, timestamps), sender IP addresses | USA (HQ — San Francisco, CA) | Yes — SCCs |
| Stripe, Inc. | Payments & Financial Management | Credit/debit card payment processing, recurring subscription management, invoice issuance, fraud prevention and PCI-DSS compliance | Cardholder name, card data (tokenised — never stored by Octa8 Tecnologia LTDA in plain text), billing address, email address, transaction metadata, IP address | USA (HQ — South San Francisco, CA); European DCs (Ireland) | Yes — SCCs; EU–US DPF; Stripe DPA; PCI-DSS Level 1 compliance |
| Twilio, Inc. | Communications (SMS / Voice) | Transactional SMS delivery: number verification, security alerts, account notifications | Phone number, SMS message content, delivery metadata | USA (HQ — San Francisco, CA); global DCs | Yes — SCCs |
| Vonage / Ericsson | Communications (SMS / Voice) | SMS and voice notification delivery as a regional alternative | Phone number, message content, delivery metadata | USA / Netherlands (HQ); global DCs | Yes — SCCs |
| Datadog, Inc. | Monitoring & Observability | Infrastructure monitoring, application performance monitoring (APM), log analysis, incident alerting and performance metrics | Application logs (which may contain request metadata and IP addresses), system metrics, distributed traces | USA (HQ — New York, NY); EU DCs available | Yes — SCCs; Datadog DPA |
| Sentry (Functional Software, Inc.) | Error Monitoring | Tracking and analysis of application exceptions and errors for debugging and quality improvement | Stack traces, error messages, application version, IP address (optionally anonymised), user session identifier (non-PII by default) | USA (HQ — San Francisco, CA); EU hosting available | Yes — SCCs |
| GitHub, Inc. (Microsoft) | Version Control & CI/CD | Source code hosting, continuous integration and delivery (CI/CD) pipelines, version control | Source code, CI/CD logs, commit metadata, developer IP addresses | USA (HQ); global DCs | Yes — SCCs; GitHub DPA; EU–US DPF |
| Pusher / Ably (Ably Real-time Ltd.) | Real-time Messaging | Real-time event delivery via WebSocket for instant notifications, reactive UI updates and platform event broadcasting | Channel identifiers, event payloads (as configured — may include user IDs and session metadata), IP addresses | UK (HQ — London); global DCs | Yes — SCCs; UK GDPR clauses |
| Cloudinary, Inc. | Media Management & Processing | Optimisation, transformation, storage and delivery of images and videos uploaded through the platform | User-submitted media files, file metadata (name, dimensions, MIME type), URLs | USA (HQ — Santa Clara, CA); global DCs | Yes — SCCs |
| hCaptcha (Intuition Machines, Inc.) | Security & Fraud Prevention | CAPTCHA verification for bot prevention and automated abuse protection on public-facing forms | IP address, browser interaction data (aggregated fingerprint), challenge tokens | USA (HQ) | Yes — SCCs |
| Groq, Inc. | AI Inference | High-speed language model inference via API (specialised LPU hardware) | Prompts and content submitted to the API, request metadata | USA (HQ — Mountain View, CA) | Yes — SCCs |

4. Safeguards for International Data Transfers

The majority of the subprocessors listed above are headquartered or maintain data centres in the United States of America or in other countries outside Brazil that may not provide a level of protection legally equivalent to that required by the LGPD. To ensure the legitimacy of these transfers, Octa8 Tecnologia LTDA implements the following safeguards, in accordance with Articles 33 to 36 of the LGPD and, where applicable, Articles 46 to 49 of the GDPR:

4.1 Standard Contractual Clauses (SCCs)

For transfers of personal data relating to data subjects located in the European Union or the United Kingdom, Octa8 Tecnologia LTDA uses the Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914) or the equivalent clauses under the UK GDPR, incorporated into contracts with each subprocessor.

4.2 Adequacy Decisions

Where a subprocessor is established in a country recognised as adequate by the European Commission or by Brazil's National Data Protection Authority (ANPD), the transfer is based on that adequacy decision, without the need for additional safeguards.

4.3 EU–US Data Privacy Framework (DPF)

US-based subprocessors that have enrolled in the Data Privacy Framework (DPF, successor to the Privacy Shield, in force since July 2023) benefit from an additional legal basis for transfers of personal data relating to European data subjects.

4.4 Specific Contractual Instruments (DPAs)

Each subprocessor enters into a Data Processing Agreement (DPA) with Octa8 Tecnologia LTDA that establishes: (i) the purposes and means of processing; (ii) confidentiality obligations; (iii) technical and organisational security measures; (iv) rules governing sub-contracting; (v) data subject rights and cooperation mechanisms; and (vi) incident notification procedures.

4.5 Data Protection Impact Assessment (DPIA / RIPD)

For high-risk processing activities — in particular those involving AI models processing personal content — Octa8 Tecnologia LTDA conducts, or requires the subprocessor to conduct, a Data Protection Impact Assessment (DPIA), as required by Article 38 of the LGPD and Article 35 of the GDPR.

5. Contact

Enquiries regarding this register, the processing carried out by specific subprocessors, or the exercise of data subject rights should be directed to the Data Protection Officer (DPO) of Octa8 Tecnologia LTDA:

Data subjects may also lodge complaints with Brazil's Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd or, where applicable, with the supervisory authority competent for their country of residence.

Effective Date

This Subprocessors List takes effect on 04 June 2026 and supersedes all prior versions in their entirety. Octa8 Tecnologia LTDA will review this document at least annually or whenever a material change occurs in the subprocessors engaged.
