Last updated: July 15, 2026
At DoesItDefend, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Breach & Attack Simulation platform for LLM applications.
In accordance with the LGPD (Art. 41), we designate the following Data Protection Officer:
DoesItDefend (Lumina Serviços de Consultoria LTDA)
Email: privacy@doesitdefend.ai
Role: Receive complaints from data subjects, receive communications from the ANPD, and guide employees on data protection practices.
We may collect personal information that you voluntarily provide to us when you:
This information may include:
We automatically collect certain information when you visit, use, or navigate the platform. This information does not reveal your specific identity but may include:
We use the information we collect for the following purposes, with their respective legal bases under the LGPD (Art. 7):
We use artificial intelligence models (primarily Google Gemini) to power the simulation engine. AI is used to:
Data sent to the AI provider:
Protection measures:
Right to review (LGPD Art. 20): You have the right to request human review of automated decisions that affect your interests. Our findings and severity scores are decision-support outputs (not binding automated decisions); a security analyst on your team is expected to validate every remediation before acting. Our full methodology — the evaluation set, graders and defense-lattice scoring — is documented internally and can be summarised on request via research@doesitdefend.ai. To exercise this right, contact our DPO.
We may share your information with:
We implement appropriate technical and organizational security measures to protect your personal information, including:
In accordance with the General Data Protection Law (Law No. 13,709/2018), you have the following rights regarding your personal data:
Response time: 15 business days from the request (Art. 18, caput). To exercise your rights, contact our Data Protection Officer at privacy@doesitdefend.ai.
We use the following cookies and tracking technologies:
Essential cookies (do not require consent): did_{environment}_access (JWT authentication, 1 hour), did_{environment}_refresh (session renewal, 30 days), and doesitdefend-locale (language preference, 1 year). Authentication cookies are HttpOnly, SameSite=Lax, Secure in production, and isolated by environment.
Optional first-party analytics: only after you select Allow analytics, we record public page views, CTA and demo interactions, and signup completion through server-side logging on Google Cloud. We store an opaque visitor identifier and first-touch attribution in localStorage for up to 30 days; the consent choice is retained for up to 180 days. We never include prompts, private results, names, email addresses, full query strings, or full referrer URLs. No Google Analytics, advertising pixel, or data sale is involved. Legal basis: consent (LGPD Art. 7º I / GDPR Art. 6(1)(a)).
Management: select Analytics preferences in the site footer to allow, reject, or revoke optional analytics. Rejection or revocation deletes the browser identifiers immediately and stops non-essential events. Server-side telemetry is retained for 180 days. To request deletion of usage data linked to your workspace, contact our DPO (privacy@doesitdefend.ai). Essential authentication and locale storage cannot be disabled without compromising the service.
We retain your personal data for the following periods:
We retain personal data only for as long as necessary to fulfill the purposes described in this policy or as required by law. You may request deletion of your account and associated data at any time by contacting our DPO.
Our services are not intended for individuals under 18 years of age, in compliance with the Child and Adolescent Statute (ECA) and the Digital ECA (in effect since March 2026). We do not knowingly collect personal information from children or adolescents. If we identify that a minor has provided personal data, we will take immediate steps to delete that information. Parents or guardians who become aware that a minor has provided us with data should contact us immediately at privacy@doesitdefend.ai.
Your data may be transferred and processed outside of Brazil in the following situations:
We implement appropriate safeguards for international transfers, including Standard Contractual Clauses where applicable. For details about contractual arrangements, contact our DPO.
Optional integrations configured by you (such as HubSpot, Salesforce, or Slack) may involve additional data transfers governed by your own agreements with those providers.
In compliance with LGPD Arts. 5, XVII and 38, we are preparing a Data Protection Impact Report (RIPD) to document personal data processing activities, risk assessments associated with the use of artificial intelligence, and the technical and organizational mitigation measures implemented. The RIPD will be made available to the ANPD upon request.
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our services after any changes indicates your acceptance of the updated policy.
If you have any questions about this Privacy Policy or our data practices, please contact us:
We're committed to transparency. If you have any questions about how we handle your data, our team is here to help.