Privacy Policy
Last updated: 2026-05-07
This Privacy Policy describes how You BigDuckAI ('we', 'us', 'our') collects, processes, stores, shares, and retains information about users ('you') when you access you.bigduckai.com and any related services (collectively, the 'Service'). This Policy is incorporated by reference into our Terms of Use. By accessing or using the Service, you represent that you have read, understood, and agreed to this Policy. If you do not agree, do not use the Service.
Who we are and how to contact us
The Service is operated by VSB Serviços de Informação e Tecnologia Ltda. (CNPJ 36.997.903/0001-36), a private legal entity headquartered in Brazil. We act as the data controller of personal data under the Brazilian General Data Protection Law (LGPD, Law No. 13,709/2018) and as the controller for purposes of Regulation (EU) 2016/679 (GDPR). For privacy-related questions, exercise of rights, queries, or complaints, please write to contact@bigduckai.com. Our Data Protection Officer (DPO) is reachable at the same address.
Legal bases for processing
We process personal data on the following legal bases, as applicable: (a) performance of contract (LGPD Art. 7(V); GDPR Art. 6(1)(b)) to provide and operate the Service, fulfill requests, and process payments; (b) legitimate interests (LGPD Art. 7(IX); GDPR Art. 6(1)(f)), including platform security, prevention of fraud and abuse, product improvement, aggregate analytics, non-intrusive direct marketing, defense in legal and administrative proceedings, and development of new features; (c) consent (LGPD Art. 7(I); GDPR Art. 6(1)(a)) for non-essential cookies, behavioral advertising, advanced personalization, and email marketing communications; (d) compliance with legal or regulatory obligations (LGPD Art. 7(II); GDPR Art. 6(1)(c)), including tax record retention and responses to authorities; (e) exercise of rights in judicial, administrative, or arbitration proceedings (LGPD Art. 7(VI)). When we rely on legitimate interests, we conduct a balancing assessment, and you may object at any time as detailed below.
Categories of data we process
We process the following categories of data: (a) Usage and interaction data: test answers, computed scores, navigation events, session duration, click patterns, traffic sources, language and locale; (b) Technical identifiers: IP address, user agent, device identifiers, browser type and version, operating system, screen resolution, time zone, cookie identifiers, advertising identifiers (Google Ad ID, IDFA where applicable), anonymous browser fingerprint; (c) Account data, when an account is created: email, name, password hash, preferences, test history, login dates; (d) Payment data, where applicable: transaction data, status, gateway, identifier, amount, currency, last 4 digits and brand of the card (we do not store full credit card data); (e) Communication data: emails sent to contact@bigduckai.com, optional test feedback, support tickets; (f) Inferred and aggregated data: characteristics derived from your usage patterns, computed personality profiles, marketing segmentations; (g) Security logs: authentication records, suspicious activity, fraud attempts. Test results do not constitute special categories of data, health data, or biometric data within the meaning of GDPR Art. 9 or LGPD Art. 5(II), as they are derived from self-report on self-reflection instruments and do not constitute clinical diagnosis.
Purposes of processing
We use data to: (i) operate, maintain, provide, and personalize the Service, including generating results and reports; (ii) prevent fraud, abuse, spam, attacks, and Terms violations; (iii) ensure security of the platform, users, and our infrastructure; (iv) perform aggregate analytics, A/B testing, product metrics, and development of new features; (v) personalize content, recommendations, and user experience; (vi) display contextual advertising and, with consent, behavioral advertising; (vii) carry out direct marketing of our own products and services on the basis of legitimate interest, with free opt-out at any time; (viii) communicate with you about Service updates, changes to the Terms or this Policy, operational alerts, and responses to requests; (ix) comply with legal, tax, accounting, and regulatory obligations, retaining records for the periods required by law; (x) train, validate, and improve internal models for content generation, scoring, test quality, and pattern analysis, always through aggregated or anonymized data; (xi) defend legal rights in judicial, administrative, or arbitration proceedings; (xii) conduct internal research and statistical studies using anonymized or aggregated data; (xiii) establish, exercise, or defend any right in or out of court.
Cookies, pixels, and similar technologies
We use first- and third-party cookies, web beacons, pixels, local storage, session storage, and similar tracking technologies. We categorize these technologies as: (a) Strictly necessary: essential to operate the Service, including authentication, security, fraud prevention, load balancing, consent recording, bot mitigation, accessibility settings, and core functionality. These do not require prior consent under ePrivacy Directive 2002/58/EC Art. 5(3); (b) Analytics: measure aggregate usage and performance, including Google Tag Manager, PostHog, and Sentry. In jurisdictions that require prior consent, these are activated only after your authorization; (c) Advertising: enable display, personalization, and measurement of ads, including Google AdSense, AdSense Offerwall, Google Ads, Meta Pixel where applicable, Ezoic, and programmatic partners. These are activated only with explicit consent; (d) Personalization: store preferences and history to adapt content, recommendations, and experience. Activated with consent. You can manage preferences at any time via the consent banner displayed on first visit, or via a footer link. Some features may be limited if you decline non-essential cookies. We operate under Google Consent Mode v2 and support the IAB Transparency and Consent Framework (TCF) v2.3 where required by partner networks.
Advertising and advertising partners
With your consent, we display ads provided by: Google AdSense (including Auto Ads, in-content, and Offerwall), Google Ads, Ezoic, and other programmatic networks and header bidding partners that may be added, as listed in our updated processor list. These partners may collect data (IP, user agent, advertising identifier, browsing behavior, page context) for personalization, frequency capping, measurement, attribution, and fraud prevention. We may share, with your consent, anonymized hashes (SHA-256) of email addresses with advertising partners to build similar (lookalike) audiences, remarketing audiences, and Customer Match lists. You can opt out of Google personalized advertising at adssettings.google.com, NAI at optout.networkadvertising.org, DAA at optout.aboutads.info, and EDAA at youronlinechoices.eu. Contextual non-personalized ads may be served on the basis of legitimate interest even without consent, except where local law also requires prior consent for that modality.
Data sharing and international transfers
We share personal data, strictly as necessary, with the following categories of third parties: (a) infrastructure, hosting, CDN, database, and storage providers (including Vercel, Coolify, MongoDB Atlas, Cloudflare, Amazon Web Services); (b) transactional email and messaging providers (including Resend, Nodemailer, SMTP providers); (c) analytics and observability providers (including Google, PostHog, Sentry, Vercel Analytics); (d) payment processors (including Stripe, MercadoPago, and similar); (e) advertising networks and media processors (Google AdSense, Google Ads, Ezoic, Meta, and other programmatic partners); (f) AI and content processing providers (including OpenAI, Anthropic, and equivalent partners); (g) fraud prevention and security providers; (h) legal, accounting, and tax advisors under confidentiality obligations; (i) public, regulatory, or judicial authorities where required by law, court order, or to defend legitimate rights; (j) acquirers, successors, or investors in the event of merger, acquisition, corporate restructuring, asset sale, bankruptcy, or similar process. International transfers to countries outside Brazil or the European Economic Area are made on the basis of an adequacy decision, Standard Contractual Clauses (SCCs) approved by the European Commission, or other safeguards provided by applicable law. The updated list of subprocessors is available on email request.
Data retention
We retain personal data for the time necessary to fulfill the purposes described and to comply with legal obligations. Typical retention periods: (a) anonymous usage and interaction data: up to 38 months, in line with standard analytics periods; (b) account and profile data: while the account is active and for up to 5 years after inactivity or cancellation, for the purposes of defense in any claims and compliance with legal obligations; (c) transaction, payment, and tax data: 5 years from the transaction, in accordance with Brazilian Law No. 9,430/96, Decree No. 9,580/2018 (RIR), and equivalent EU legislation; (d) consent records: for the consent validity period and for 5 years after revocation, for evidence in any dispute; (e) emails and communications: 3 years from the last contact; (f) security and fraud prevention logs: 12 months, extendable in case of active investigation; (g) data subject to a hold or retention order from authorities: for the period required. After these periods, we anonymize or delete the data. Irreversible anonymization is treated as equivalent to deletion for purposes of this Policy, as recognized by the LGPD and Recital 26 of the GDPR.
Your rights and how to exercise them
You have the following rights over your personal data, subject to applicable law: (a) confirmation of processing; (b) access to data; (c) correction of incomplete, inaccurate, or outdated data; (d) anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of law; (e) data portability, limited to data you have actively provided in a structured, commonly used format; (f) objection to processing based on legitimate interest, subject to our right to continue processing where we demonstrate compelling legitimate grounds or for the establishment, exercise, or defense of legal claims; (g) revocation of consent at any time, with no retroactive effect, without affecting the lawfulness of prior processing; (h) information about public and private entities with which we share data; (i) review of automated decisions affecting your interests under LGPD Art. 20; (j) lodging a complaint with the competent data protection authority. To exercise these rights, send an email to contact@bigduckai.com identifying yourself sufficiently to allow reasonable verification. We will respond within applicable legal periods: up to 15 days for most requests under the LGPD, and up to 1 month under the GDPR, extendable by up to 2 months for complex cases with reasoned notification. Manifestly unfounded, excessive, or repetitive requests may be refused or subject to a reasonable fee corresponding to administrative costs, to the maximum extent permitted by GDPR Art. 12(5) and equivalent legislation. We satisfy the right to deletion preferentially through irreversible anonymization where this serves the purpose of the request and is technically appropriate, preserving aggregate logs, legally required records, and data necessary for the exercise of rights.
Children and minors
The Service is not directed at, nor intended for, minors under 16. We do not knowingly collect personal data from minors under 16 without parental or guardian consent. For users in Brazil, in compliance with LGPD Art. 14, the processing of data of children (under 12) is carried out with specific and prominent consent given by at least one parent or legal guardian, and the processing of adolescent data observes the child's best interest. For the European Economic Area, the minimum age for consent without parental assistance varies between 13 and 16 by Member State (GDPR Art. 8); we apply 16 as a default for safety. If you become aware of unauthorized processing of a minor's data, contact us at contact@bigduckai.com and we will take steps to anonymize or delete such data within a reasonable time.
Changes to this Policy
We may update this Policy at any time, at our sole discretion, to reflect changes in the Service, our practices, partners, or legal requirements. Changes take effect on the 'Last updated' date at the top of this page. Material changes will be flagged via prominent notice in the Service or email to account holders at least 30 days before they take effect, except where the law requires a different period. Continued use of the Service after the effective date constitutes tacit acceptance of the changes. If you do not agree, you must discontinue use before the effective date and, where applicable, exercise your rights under this Policy. Prior versions are available upon email request.
Contact and data protection authorities
For any question about privacy, exercise of rights, queries, or complaints, contact us at contact@bigduckai.com. Without prejudice to your right to first seek resolution directly with us, you may file a complaint with the competent authority: in Brazil, the National Data Protection Authority (ANPD) at gov.br/anpd; in Portugal, the Comissão Nacional de Proteção de Dados (CNPD); in France, the Commission Nationale de l'Informatique et des Libertés (CNIL); in Germany, the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or the competent Land authority; in Italy, the Garante per la protezione dei dati personali; in Spain, the Agencia Española de Protección de Datos (AEPD); in Japan, the Personal Information Protection Commission (PPC); or the data protection authority of your Member State or country of habitual residence.