Legal
Privacy Policy
Last updated: May 14, 2026
At a glance
- We only collect what is required to run the service.
- Lead data is retained for 90 days; tax records for 5 years.
- You can request access, correction, or deletion at any time.
1. Data controller
Captou is operated by Wizz! comms (Wizz Digital Agency). DPO and privacy contact: support@wizzcomms.com.
2. Data collected
We collect account data (name, email, authentication ID via Clerk), extracted leads (name, company, phone, address, CNPJ/website as available from public sources), usage logs (timestamps, IPs, queries performed), payment data processed exclusively by Stripe (we do not store card data), and WhatsApp integration data via Meta Business API.
3. Purpose of processing
Data is processed to: deliver the contracted service (lead extraction, enrichment, and outreach); manage billing and subscriptions via Stripe; provide user support; maintain security and prevent fraud; and comply with legal obligations before competent authorities.
4. Legal basis (LGPD art. 7 / GDPR art. 6)
We process your data based on: (a) contract performance: to operate your account and deliver the service; (b) consent: for marketing communications and non-essential cookies (revocable at any time); (c) legitimate interest: for security, fraud prevention, and product improvement; (d) legal obligation: for retention of tax and financial records.
5. Data retention
Extracted leads: 90 days after extraction. Account data: during the active subscription + 30 days after closure. Billing records and invoices: 5 years (tax obligation). Access and audit logs: 12 months. Cookie consents: 13 months (LGPD/GDPR requirement). After these periods, data is anonymised or securely deleted.
6. Sub-processors and third parties
We share data with the following vendors: Clerk (US, authentication and session management); Stripe (US/IE, payment processing); Supabase (US, PostgreSQL database); Meta Platforms (US, WhatsApp Business API); Resend (US, transactional email); Anthropic and OpenAI (US, AI features); Vercel (US, hosting and CDN); Apify (CZ, data scraping and extraction). All vendors are subject to data processing agreements and confidentiality obligations.
7. International data transfers
Some data is transferred to servers in the US and EU. These transfers are conducted on the basis of Standard Contractual Clauses (GDPR SCCs) and, where applicable, regulatory adequacy decisions recognised by the ANPD (Brazilian DPA). You may request a copy of the contractual safeguards via our privacy contact.
8. Your rights (LGPD arts. 17–22 / GDPR arts. 15–22)
You have the right to: confirm the existence of processing; access your data; correct incomplete, inaccurate, or outdated data; anonymise, block, or delete unnecessary data; port data to another provider; delete data processed on the basis of consent; be informed about sharing; withdraw consent at any time; and lodge a complaint with the ANPD (Brazil) or your local supervisory authority. To exercise any right, contact support@wizzcomms.com.
9. Automated decisions (LGPD art. 20)
We may use usage data to personalise your experience and suggest settings. We do not make decisions with significant legal effects based solely on automated processing. If automated lead scoring or segmentation is introduced, we will inform you of the criteria used and you may request human review.
10. Security incidents
In the event of an incident that may cause risk or significant harm, we will notify the ANPD and affected data subjects within 72 hours of confirming the incident, as required by LGPD (art. 48) and GDPR (art. 33). The notification will include the nature of the affected data, measures taken, and DPO contact details.
11. Cookies
We use essential cookies (Clerk authentication, CSRF protection) and preference cookies (language, consent). We do not use third-party tracking cookies for advertising. See our Cookie Policy for the full inventory and preference management options.
Contact & DPO
For privacy questions, rights requests, or data removal: support@wizzcomms.com