Last updated: 2026-04-25
This Privacy Policy describes how Intrusion Pentest Cybersecurity LTDA ("intrus.io", "we") collects, uses, stores, and protects personal information. We operate in compliance with Brazil's General Data Protection Law (LGPD — Law 13.709/2018), the EU General Data Protection Regulation (GDPR — 2016/679), and other applicable laws across the jurisdictions where we operate: Brazil, Portugal, Italy, Spain, Morocco, United States, and Australia.
Controller: Intrusion Pentest Cybersecurity LTDA, registered under CNPJ 12.854.331/0001-23, headquartered at QS 1, LED Office e Mall, Block T3, Suite 1301, Brasília – DF, Brazil. Branch office at Rua da Carvalha, nº570, Aldeamento Santa Clara, 2400-441 Leiria, Portugal.
Data Protection Officer (DPO): contato@intrusioncyber.com.
Contact data (name, email, phone, company) voluntarily provided through contact, quote, or scheduling forms.
Commercial relationship data (job title, sector, technical context) necessary to draft proposals and deliver services.
Technical browser data (IP address, user-agent, visited pages) collected via cookies and analytics, per our Cookie Policy.
During contracted pentest engagements, we may access technical data from the client environment (logs, configurations, snapshots). Such data is treated as Confidential Information under an NDA specific to each contract.
Performance of contract (LGPD art. 7 V; GDPR art. 6.1.b): processing data to prepare and execute contracted pentest services.
Legitimate interest (LGPD art. 7 IX; GDPR art. 6.1.f): commercial communication with qualified leads, service improvement, information security.
Consent (LGPD art. 7 I; GDPR art. 6.1.a): non-essential cookies, marketing communications, public testimonials.
Legal obligation (LGPD art. 7 II; GDPR art. 6.1.c): tax retention, accounting, AML compliance.
We do not sell your personal data. We share with third parties strictly when necessary: (a) infrastructure providers (Cloudflare, hosting), (b) operational tools (Formspree for form capture, Google Workspace for email), (c) competent authorities upon judicial order.
Client data collected during pentest engagements is NEVER shared with third parties, except when legally required or expressly authorized by the client.
Data may be transferred to servers outside Brazil/EU for operational purposes (e.g., Cloudflare, Google). We apply Standard Contractual Clauses and Transfer Impact Assessments (TIA) when applicable, per LGPD art. 33 and GDPR Chapter V.
Unconverted lead data: up to 24 months or until deletion request, whichever comes first.
Contractual data: throughout contract duration + 5 years to comply with tax obligations and civil statute of limitations.
Technical data collected during pentest: 90 days after final report delivery, then irreversibly deleted with destruction certificate provided upon request.
You may exercise at any time: confirmation of processing, access, rectification, anonymization or erasure, portability, information on sharing, withdrawal of consent, objection.
To exercise any right, email contato@intrusioncyber.com with subject "LGPD/GDPR — rights request". We respond within 15 business days. If you disagree with our response, you may complain to ANPD (Brazil) or your local data protection authority.
As a cybersecurity company, we apply technical and organizational controls aligned with ISO 27001: encryption in transit (TLS 1.3) and at rest (AES-256), mandatory MFA, least-privilege principle, client data segregation, access auditing, continuous team training.
This policy may be periodically reviewed. The current version is always the one published on this page, with the last-updated date visible at the top. Material changes will be communicated by email to active clients.
For specific questions about this document, email contato@intrusioncyber.com.