1. Introduction
This Privacy and Personal Data Protection Policy ("Policy") sets out, in a transparent and institutional manner, the guidelines, principles and practices observed by the company providing the Effluex system (hereinafter "Effluex" or "Operator") regarding the processing of personal data and information security in the context of services rendered to municipalities, concessionary companies, environmental agencies and other user entities (hereinafter "Controllers" or "Customers").
Effluex is a multi-tenant SaaS (Software as a Service) solution, hosted on Amazon Web Services (AWS) cloud infrastructure, designed for the operational monitoring of Wastewater Treatment Plants (WWTPs), the recording of technical and environmental data, the tracking of regulatory compliance, the generation of reports and indicators, and integration with regulatory bodies. The system may employ Artificial Intelligence (AI) and machine learning resources for predictive analysis, detection of operational anomalies and optimization of environmental indicators.
This Policy was prepared in compliance with Brazilian Law No. 13,709/2018 (General Personal Data Protection Law — LGPD), the Brazilian Internet Civil Framework (Law No. 12,965/2014), the Access to Information Law (Law No. 12,527/2011) and, subsidiarily, with international information security and cybersecurity best practices and standards, such as ABNT NBR ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701, NIST Cybersecurity Framework (CSF) 2.0 and OWASP ASVS/Top 10.
By accessing, registering or using Effluex, the user declares to have read, understood and agreed with the terms of this Policy.
2. Important Definitions
For the purposes of this Policy, the following definitions apply, in compliance with article 5 of the LGPD and with technical information security frameworks:
- Personal Data:
- information related to an identified or identifiable natural person.
- Sensitive Personal Data:
- data on racial or ethnic origin, religious belief, political opinion, union or religious/philosophical/political organization membership, health or sexual life, genetic or biometric data. As a rule, Effluex does not process sensitive personal data.
- Anonymized Data:
- data relating to a subject that cannot be identified, considering the use of reasonable and available technical means at the time of processing.
- Pseudonymization:
- processing whereby data loses the possibility of association, direct or indirect, with an individual, except through the use of additional information kept separately by the controller in a controlled and secure environment.
- Data Subject:
- the natural person to whom the personal data being processed refer.
- Processing:
- any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, modification, communication, transfer, dissemination or extraction.
- Controller:
- natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data. In the context of Effluex, the Controller is, as a rule, the contracting entity (municipality, company or environmental agency).
- Operator (Processor):
- natural or legal person, public or private, who processes personal data on behalf of the Controller. The company that maintains Effluex acts, as a rule, as Data Operator.
- Sub-operator (Sub-processor):
- third party contracted by the Operator to assist in service provision, subject to contractual obligations compatible with this Policy and with the LGPD.
- Data Protection Officer (DPO):
- person appointed to act as a communication channel between the Controller, data subjects and the Brazilian National Data Protection Authority (ANPD).
- ANPD:
- Brazilian National Data Protection Authority, responsible for ensuring, implementing and enforcing compliance with the LGPD.
- Security Incident:
- adverse event, confirmed or suspected, related to a breach of confidentiality, integrity, availability or authenticity of data or systems.
- Operational Data:
- technical information regarding the operation of WWTPs, such as treated volumes, physicochemical parameters, laboratory analyses and environmental compliance indicators. Such data are not, as a rule, personal data, but may be associated with identifiable natural persons.
3. What Data Is Collected
Effluex collects and processes data in a minimized way, observing the principle of necessity (art. 6, III, of the LGPD), strictly to the extent required by the purpose of the contracted service.
3.1. Registration Data
Data provided when registering users — operators, technical leads (environmental engineers, chemists, technicians), public managers and account administrators —, including:
- Full name;
- CPF (Brazilian individual taxpayer ID), when required by contractual, regulatory or audit standards;
- Corporate or institutional email address;
- Professional contact phone;
- Position, role or professional bond;
- Professional council registration number (CREA, CRQ or equivalent), when applicable, as professional data linked to the exercise of technical responsibility;
- Functional registration or internal identification number of the contracting agency/company;
- Organization, agency or unit to which the user is linked.
3.2. System Usage Data
Data generated from the user's interaction with the platform, including:
- Operational records entered (volumes, chemical parameters, laboratory results, technical observations);
- Reports and environmental indicators generated or consulted;
- Actions performed (creation, editing, deletion and approval of records);
- Internal navigation history and accessed features;
- Configuration and account parameter preferences.
3.3. Technical and Access Data
Data automatically collected for security, audit and operational continuity purposes, including:
- Source IP address;
- Device, operating system and browser identification;
- Date, time and duration of access (authentication logs);
- Audit logs and trails of critical events;
- Session identifiers and cookies, as detailed in Section 11;
- Security events, failed access attempts and anomaly detection alerts.
3.4. Operational and Geospatial Data of WWTPs
Effluex processes technical, operational and location data related to WWTP infrastructure, such as:
- Identification and georeferenced location of WWTPs, collection points and discharge points;
- Physicochemical and biological effluent parameters (pH, BOD, COD, solids, coliforms, metals, among others);
- Treated volumes, flow rates and efficiency indicators;
- Non-conformity records, action plans and communications to regulators;
- Technical documents, environmental licenses and related reports.
Given the potentially sensitive nature of information about the location of critical environmental infrastructure, geospatial data are subject to reinforced access controls, profile-based segregation and audit-trail logging.
3.5. Data That Effluex Does NOT Collect
Effluex does not aim to collect or process sensitive personal data, such as health information, biometric data, genetic data, racial or ethnic origin, religious or philosophical convictions, political opinions, union membership or data on sexual life. If such information is exceptionally entered by the user, the Controller is responsible for assessing the legality and pertinence of processing.
4. Purpose of Data Processing
Data are processed for legitimate, specific and explicit purposes, communicated to the data subject, in compliance with the principle of purpose (art. 6, I, of the LGPD):
- To enable user registration, authentication and management on the platform;
- To allow the operation, monitoring and management of Wastewater Treatment Plants;
- To record and store operational data, laboratory analyses and environmental indicators;
- To generate reports, dashboards and environmental compliance documents;
- To enable integration and information exchange with regulatory bodies, when applicable and as instructed by the Controller;
- To ensure traceability, audit and security of system operations;
- To apply Artificial Intelligence and machine learning resources for predictive analysis, anomaly detection, optimization suggestions and report automation, operating, whenever possible, on aggregated, pseudonymized or anonymized data;
- To comply with legal, regulatory and contractual obligations;
- To respond to requests from competent authorities;
- To prevent fraud, misuse, cyberattacks and security incidents;
- To improve features, performance, usability and security of the system.
The Operator does not process personal data for purposes incompatible with those described in this Policy or set out in the contracts entered into with the Controller.
5. Legal Bases for Processing
The processing of personal data observes the hypotheses provided for in articles 7 and 11 of the LGPD, notably:
- Performance of a contract or preliminary procedures (art. 7, V): to enable the provision of the SaaS service to the Controller, including registration, authentication and operation of the system.
- Compliance with legal or regulatory obligation (art. 7, II): to meet environmental, labor, tax and transparency requirements applicable to the Controller and/or the Operator.
- Execution of public policies (art. 7, III): when the Controller is a public entity and the processing relates to the execution of legal duties in sanitation and environment.
- Regular exercise of rights in judicial, administrative or arbitration proceedings (art. 7, VI): for defense in regulatory, supervisory or litigation proceedings.
- Legitimate interest (art. 7, IX): for information security, fraud prevention, detection and response to cyber incidents, audit and service improvement, respecting the fundamental rights of the data subject.
- Consent (art. 7, I): used subsidiarily, only when no other legal basis applies, and provided in a free, informed and unequivocal manner.
The legal basis applicable to each processing operation is jointly defined by the Controller and the Operator, observing the contractual and regulatory purposes.
6. Data Sharing
Effluex does not sell personal data. Sharing only occurs in the cases described below, always under appropriate contractual clauses and with technical data protection controls:
6.1. With the Controller
All data processed in the system remain under the ownership and control of the contracting Customer (Controller), who has access, control and the ability to export their data under the terms of the signed contract.
6.2. With Public Bodies and Regulators
Upon Controller's instruction or by legal requirement, data may be shared with:
- Environmental agencies at the federal, state and municipal levels (e.g., IBAMA, state environmental bodies, municipal departments);
- Sanitation regulatory agencies (e.g., ANA, state and municipal agencies);
- Public Prosecutor's Office, Judiciary and police authorities, upon formal and substantiated request;
- External and internal control bodies (Courts of Accounts, Comptroller General).
6.3. With Partners, Suppliers and Sub-operators
The Operator may share data with service providers acting as sub-operators, always under contracts with data protection clauses, prior due diligence and equivalent security level, including:
- Cloud infrastructure provider Amazon Web Services (AWS), for hosting, storage, processing, backup and AI resources;
- Managed database services (such as Amazon RDS, Amazon Aurora, Amazon DynamoDB) and storage services (such as Amazon S3);
- AI and machine learning services (such as Amazon Bedrock, Amazon SageMaker or equivalents), restricted to what is strictly necessary and, whenever possible, on pseudonymized or aggregated data;
- Transactional email and notification services;
- Monitoring, observability, log management and security services (SIEM, WAF, antivirus, EDR, CSPM);
- Audit, legal and accounting consulting firms, when necessary.
The Operator will keep an updated record of sub-operators, made available to the Controller upon request, in line with the principle of transparency.
6.4. In Corporate Operations
In case of merger, acquisition, corporate reorganization or sale of assets, data may be transferred to the successor, maintaining the same protection obligations set out in this Policy.
7. Data Storage and Security
The Operator adopts an information security and cybersecurity program structured in layers (defense-in-depth), guided by the principles of confidentiality, integrity, availability, authenticity, traceability and resilience, based on ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018, NIST CSF 2.0 and OWASP ASVS/Top 10.
7.1. Cloud Infrastructure (AWS)
Effluex runs on Amazon Web Services (AWS) infrastructure, a global benchmark for security and availability, with certifications such as ISO/IEC 27001, 27017, 27018, SOC 1, SOC 2 and SOC 3, among others. Primary storage occurs preferentially in AWS regions located in Brazil (São Paulo Region — sa-east-1), with additional regions used for redundancy, backup and business continuity.
The architecture follows the shared responsibility model: AWS is responsible for the security OF the cloud (physical infrastructure, network, virtualization); the Operator is responsible for security IN the cloud (secure configuration, access control, encryption, hardening, monitoring).
7.2. Multi-tenant Architecture and Logical Segregation
Effluex is built on a multi-tenant architecture, with strict logical segregation of each Controller's data, so that one Customer's data is not accessible to another. Segregation is ensured through:
- Unique tenant identifiers applied to all queries;
- Isolation policies in the database and object storage;
- Role-based and tenant-based access control (RBAC);
- Automated tests to prevent lateral leakage between tenants.
7.3. Database
Data are stored in managed relational and/or non-relational database services, with automatic replication, periodic snapshots, configurable retention policies and point-in-time recovery mechanisms. Documents, attachments and files are stored in object services with granular access control and versioning.
7.4. Encryption
Encryption is adopted as an essential and permanent control:
- In transit: all communications between user and system, as well as between internal components, occur under TLS 1.2 or higher, with modern cryptographic suites and valid digital certificates.
- At rest: databases, volumes, backups and stored objects are encrypted with industry-standard algorithms (AES-256 or equivalent), with key management through a dedicated service (AWS KMS) and periodic key rotation.
- Secrets and credentials: tokens, API keys and system credentials are managed in secure vaults (e.g., AWS Secrets Manager), never stored in code repositories or in plain text.
- User passwords: stored in hashed format, with robust cryptographic functions and adequate work factor, making plain-text recovery impossible.
7.5. Access, Identity and Authentication Controls
Access controls follow the need-to-know and least-privilege principles, covering:
- Role-segmented profiles (operator, technical lead, manager, administrator);
- Individual, named and non-transferable credentials;
- Strong password policy and automatic lockout after successive failed attempts;
- Multi-factor authentication (MFA), mandatory for administrative profiles and available to other users;
- Sessions with maximum inactivity time and invalidation on logout;
- Periodic permission review (access recertification);
- Reinforced administrative controls for production environments, with just-in-time access and immutable records.
7.6. Network and Perimeter Security
Perimeter and network protection includes:
- Segmentation of virtual private networks (VPCs), separating development, staging and production environments;
- Network firewalls, security groups and access control lists (ACLs) with minimal and explicit rules;
- Web Application Firewall (WAF) to mitigate application-layer attacks, including OWASP Top 10;
- Protection against Distributed Denial of Service (DDoS) attacks;
- Denied-by-default policy for administrative access and mandatory use of encrypted access.
7.7. Secure Development and Vulnerability Management
The Operator adopts secure development practices (secure SDLC), including:
- Code review and approval policies for relevant changes;
- Static analysis (SAST) and software composition analysis (SCA) for third-party libraries;
- Dynamic analysis (DAST) and security testing in pre-production environments;
- Periodic intrusion testing (pentests) carried out by independent teams;
- Continuous vulnerability management, with prioritization based on criticality (CVSS) and business impact;
- Security updates and patches (patch management) on planned windows;
- Hardening of operating systems, images, containers and managed services.
7.8. Monitoring, Logs and Detection
The Operator maintains continuous (24x7) monitoring of critical environments, with:
- Collection and centralization of application, infrastructure, database and security logs;
- Event correlation through SIEM (Security Information and Event Management) solutions;
- Integrity, availability and performance monitoring;
- Detection of anomalies, suspicious access and unusual behavior;
- Automated alerts and documented triage procedures.
Application access logs are retained, at minimum, for the periods required by the Brazilian Internet Civil Framework and applicable rules, preserving integrity and traceability.
7.9. Security Incident Management
The Operator maintains a structured Incident Response Plan (IRP), with defined roles, responsibilities and workflows, comprising the phases of preparation, detection, containment, eradication, recovery and lessons learned.
In the event of a security incident that may pose relevant risk or harm to data subjects, the Operator will notify the Controller within a reasonable period, providing the minimum necessary information — nature of the incident, affected data, data subjects involved, technical and administrative measures taken and arising risks —, so that the Controller may comply with its obligations toward the ANPD and data subjects, under article 48 of the LGPD and ANPD complementary regulations.
7.10. Business Continuity and Disaster Recovery
To ensure availability and resilience, the Operator maintains:
- Documented and periodically tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP);
- Regular backups, with geographic redundancy and restoration tests;
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined contractually, according to the agreed service level;
- High-availability architecture, with redundancy of critical components.
7.11. Governance, People and Processes
Security depends on people and processes; therefore, the Operator adopts:
- Privacy and Information Security Program, with internal policies, defined roles and responsibilities;
- Periodic training and awareness campaigns on data protection and cybersecurity;
- Confidentiality contractual clauses with employees and providers;
- Supplier management process, with prior assessment and continuous monitoring;
- Privacy by Design and Security by Design when conceiving new features;
- Records of Processing Activities (RoPA) and Data Protection Impact Assessments (DPIA), when applicable.
7.12. Responsible Use of Artificial Intelligence
The AI resources employed in Effluex follow principles of accountability and transparency:
- Purpose restricted to operational analysis (predictive, anomaly detection, optimization, report automation);
- Preference for aggregated, pseudonymized or anonymized data;
- Non-use of Controllers' personal data for training general-purpose models or to benefit third parties, except with specific contractual authorization;
- Human oversight mechanisms for relevant decisions;
- Compliance with the right to review of automated decisions, under article 20 of the LGPD.
8. Data Retention and Disposal
Personal data are kept for the time necessary to fulfill the purposes informed and while the contract with the Controller is in force, also observing:
- Retention periods set by environmental, administrative, labor, tax and health legislation applicable to the sanitation sector;
- Obligation to keep access logs for at least 6 (six) months, under the Brazilian Internet Civil Framework;
- Statute-of-limitation periods applicable to potential legal claims;
- Internal retention policies based on information classification.
Once the contract is terminated, and the legal retention periods are observed, the data will be securely deleted or returned to the Controller, as provided in the contract, through procedures that ensure reasonable impossibility of recovery, including in backups, respecting the technical rotation cycles of backup copies.
Anonymized data may be kept without restriction for statistical purposes, service improvement and development of analytical models, under article 12 of the LGPD.
9. Rights of Data Subjects
Under article 18 of the LGPD, the data subject has the right to obtain, upon request:
- Confirmation of the existence of processing of their personal data;
- Access to processed personal data;
- Correction of incomplete, inaccurate or outdated data;
- Anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance with the LGPD;
- Data portability to another service or product provider, observing ANPD regulations and trade and industrial secrets;
- Deletion of personal data processed under consent, except in cases of legal retention;
- Information about public and private entities with which the Controller has shared data;
- Information about the possibility of not providing consent and about the consequences of refusal;
- Withdrawal of consent, when this is the applicable legal basis;
- Objection to processing performed under one of the consent-waiver hypotheses, in case of LGPD non-compliance;
- Review of decisions made solely on the basis of automated processing, including AI-based decisions, that affect their interests.
Considering that the Operator acts, as a rule, as Data Operator, the data subject's requests should be primarily addressed to the Controller (contracting Customer), who is primarily responsible for fulfilling rights. The Operator will provide the technical cooperation necessary to enable handling such requests.
10. How the Data Subject Can Exercise Their Rights
The data subject may exercise their rights by sending a formal request to the channels indicated in Section 15 of this Policy, containing:
- Identification of the data subject (full name and identification document);
- Clear indication of the right they wish to exercise;
- Objective description of the request and, when applicable, of the data involved;
- Means of contact for response.
The Operator will respond to requests within a reasonable period, observing legal and technical limits, and may request additional information to confirm the requester's identity and prevent unauthorized access. If the request refers to data under the responsibility of a specific Controller, the request will be forwarded to that Controller, with notice to the data subject.
12. International Data Transfer
Due to the use of Amazon Web Services (AWS) infrastructure and Artificial Intelligence services, there may be, on a complementary basis, international transfer of personal data to countries where data centers, redundancy services, AI services or technical support centers are located.
Any international transfer will strictly observe articles 33 to 36 of the LGPD, and will be carried out exclusively when:
- The destination country provides a level of data protection adequate to that set out in the LGPD; or
- The controller offers and demonstrates safeguards of compliance with principles, data subject rights and the data protection regime, through specific contractual clauses, standard clauses, global corporate rules, seals, certificates or codes of conduct; or
- The transfer is necessary for the performance of a contract, compliance with a legal obligation, protection of life, health or regular exercise of rights in proceedings.
Primary and preferential storage of data takes place on infrastructure located in Brazil (AWS São Paulo Region).
13. User Responsibilities
The user of Effluex undertakes to:
- Maintain the confidentiality of their credentials, not sharing them with third parties;
- Enable and use, whenever available, multi-factor authentication (MFA);
- Use the system in a lawful, ethical manner and in compliance with the LGPD;
- Provide truthful, up-to-date and complete information;
- Not insert third-party personal data into the system without an adequate legal basis;
- Not insert sensitive personal data, except when strictly necessary, authorized by the Controller and with a specific legal basis;
- Use devices with minimum security measures (updated operating system, antivirus when applicable, screen lock and trusted networks);
- Immediately notify the Operator and the Controller of any suspicion of security incident, misuse or unauthorized access;
- Respect access profiles and competencies assigned by the Controller;
- Not attempt to bypass security mechanisms, perform reverse engineering, conduct unauthorized intrusion tests or use the system for purposes other than those contracted.
Failure to comply with these obligations may result in suspension of access, contract termination and liability under applicable law.
14. Changes to This Policy
This Policy may be updated at any time, due to legal, regulatory, technological, contractual or operational changes. The current version will always be available on the official Effluex website and/or in the authenticated area of the system, with the date of the last update indicated.
Substantial changes will be communicated in advance to the Controller and, when applicable, to data subjects, through registered communication channels. Continued use of the system after the new version takes effect will imply agreement with the updated terms, without prejudice to the legal rights of the data subject.
15. Contact of the Data Protection Officer (DPO)
To exercise their rights, clarify questions about this Policy, report incidents or address data protection matters, the data subject can contact the Data Protection Officer (DPO) of the Effluex Operator through the following channels:
- Officer:
- To be defined
- Email:
- dpo@effluex.com.br
- Phone:
- To be defined
- Address:
- To be defined
If the response is not satisfactory, the data subject may file a complaint with the Brazilian National Data Protection Authority (ANPD), through the official channels available on its website (www.gov.br/anpd).