Privacy Policy
Last updated: March 19, 2026
Available in English. Portuguese version coming soon.
1. Who We Are
StudyMaps is a brand operated by RESUMOCAST CONTEUDOS E MARKETING DIGITAL LTDA, a Brazilian limited liability company (Sociedade Limitada) registered under CNPJ 32.138.783/0001-60, with registered address at Avenida Paulista, 1842, Conjunto 155, Cerqueira Cesar, Sao Paulo, SP, 01310-200, Brazil. Our website is studymaps.work.
For the purposes of applicable data protection legislation:
- RESUMOCAST CONTEUDOS E MARKETING DIGITAL LTDA (trading as StudyMaps) is the data controller (GDPR Art. 4(7)) / controlador (LGPD Art. 5, VI) for personal data collected through our website and lead magnet forms.
- Gustavo Carriconde is the individual responsible for data protection matters at StudyMaps, contactable at privacy@studymaps.work.
For purchases, Paddle.com Market Ltd (for non-US transactions) or Paddle.com Inc (for US transactions) acts as the Merchant of Record and is an independent data controller for payment and billing data. StudyMaps never receives or stores your payment card information. See Paddle's Privacy Policy.
2. What We Collect
We collect only the minimum data necessary to deliver our products and services:
| Data | Source | Purpose |
|---|---|---|
| Email address | Provided by you when downloading a free sample or completing a purchase | Product delivery, marketing (with consent) |
| Consent records (timestamp, IP address, page URL, consent text version) | Captured automatically at opt-in | Demonstrating valid consent |
| Live chat messages | Provided by you when using the Crisp chat widget | Customer support |
| Error diagnostics (IP address, for rate limiting only; browser/OS info; page URL; error details) | Collected automatically by Sentry when errors occur | Debugging website issues |
| Analytics data | Collected automatically by Plausible Analytics | Aggregate traffic patterns only — no personal data, no cookies, no individual tracking |
We do not collect: payment card details, government IDs, health data, biometric data, location data, or any special category / sensitive personal data (GDPR Art. 9 / LGPD Art. 11).
3. Why We Collect It (Legal Bases)
| Purpose | Data | Legal Basis |
|---|---|---|
| Free PDF delivery | Email address | Contract performance (GDPR Art. 6(1)(b) / LGPD Art. 7, V) |
| Purchase fulfillment | Email address (via Paddle webhook) | Contract performance (GDPR Art. 6(1)(b) / LGPD Art. 7, V) |
| Email marketing | Email address | Consent — opt-in checkbox (GDPR Art. 6(1)(a) / LGPD Art. 7, I / CASL s.6(1) / PECR Reg. 22) |
| Customer support (live chat) | Chat messages, email if provided | Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7, IX) |
| Error monitoring | IP address, browser info | Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7, IX) — maintaining website functionality |
| Website analytics | None (aggregate only) | Legitimate interest — no personal data processed (Plausible is cookieless) |
Consent for marketing is never required to receive purchased products or free samples. You can download your materials without opting in to marketing emails. This separation satisfies GDPR Art. 7(4), LGPD Art. 8 §4, and CASL s.6(1).
4. Who We Share Your Data With
We share personal data only with the following service providers, each operating under a Data Processing Agreement (DPA) or as an independent controller:
| Provider | Role | Data Processed | Data Location | Transfer Mechanism |
|---|---|---|---|---|
| Paddle | Merchant of Record (independent controller) | Payment and billing data (we never see card details) | UK, US | Independent controller — see Paddle Privacy Policy |
| Resend | Transactional email delivery (processor) | Email address, email content | US | EU SCCs (Resend DPA Section 6.2, Module Two: Controller to Processor) |
| Brevo | Marketing email automation (processor) | Email address, engagement data (opens, clicks) | EU (France) | EU-based — no international transfer required for EU/EEA data |
| Sentry | Error monitoring (processor) | IP address, browser/OS info, page URL, error stack traces | US | EU SCCs (Sentry DPA) |
| Crisp | Live chat support (processor) | Chat messages, email (if provided), IP address | EU (France) | EU-based — no international transfer required for EU/EEA data |
| Cloudflare | Website infrastructure, CDN, file storage, security (processor) | IP address, request metadata, stored files (R2) | Global (edge network) | EU SCCs (Cloudflare Privacy Policy Section 7) |
| Plausible Analytics | Privacy-focused analytics | No personal data — aggregate statistics only | EU (Germany) | No personal data transferred |
We do not sell, rent, or trade your personal data to any third party. We do not share personal data for advertising, behavioral profiling, or cross-context targeting purposes.
5. International Data Transfers
StudyMaps is based in Brazil. Your data may be processed in the following locations:
- United States — by Resend (email delivery) and Sentry (error monitoring)
- France / EU — by Brevo (email marketing) and Crisp (live chat)
- Global edge network — by Cloudflare (website infrastructure and CDN)
These transfers are protected by:
- EU/EEA transfers — EU Standard Contractual Clauses (SCCs) incorporated in the respective DPAs of Resend, Sentry, and Cloudflare. Brevo and Crisp are EU-based, so no additional transfer mechanism is required.
- UK transfers — UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, as applicable, per the Information Commissioner's Office guidance.
- Japan (APPI Art. 28) — If you are located in Japan, your data may be transferred to Brazil (StudyMaps), the US (Resend, Sentry), and France (Brevo, Crisp) for the purposes described above. By providing your email address and using our services, you consent to these cross-border transfers. We ensure appropriate safeguards through contractual measures with our processors. These countries may not provide the same level of data protection as Japan under the APPI.
- South Korea (PIPA Art. 17) — If you are located in South Korea, your data may be transferred outside Korea to the locations listed above. We rely on your consent for these transfers and ensure contractual safeguards are in place with all processors. You will be informed of the data items transferred, the countries of destination, and the purposes of transfer before consent is obtained.
Brazil does not currently have an EU adequacy decision. We rely on the contractual safeguards described above to ensure appropriate protection for transferred data.
6. Data Retention
| Data | Retention Period | Legal Basis |
|---|---|---|
| Marketing email list | Until you unsubscribe, plus 90 days for suppression list maintenance. Contacts inactive for 24 months are automatically removed. | GDPR Art. 5(1)(e) storage limitation / LGPD Art. 16 |
| Consent records | Minimum 3 years from collection | CASL limitation period; GDPR/LGPD accountability obligation |
| Purchase records | 5 years | Tax and accounting compliance (Brazilian fiscal law) |
| Live chat transcripts | 12 months, then deleted | Legitimate interest (support quality) |
| Error monitoring data | 90 days | Sentry default retention policy |
| Analytics data | No personal data retained | Plausible retains only aggregate statistics |
After the retention period, data is deleted or anonymized. You may request earlier deletion at any time (see Section 7).
7. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you (GDPR Art. 15 / LGPD Art. 18, II / APPI Art. 28 / PIPA Art. 35).
- Rectification — request correction of inaccurate data (GDPR Art. 16 / LGPD Art. 18, III / PIPA Art. 36).
- Erasure ("right to be forgotten") — request deletion of your personal data (GDPR Art. 17 / LGPD Art. 18, VI / APPI Art. 30 / PIPA Art. 36).
- Restriction — request that we limit processing of your data (GDPR Art. 18 / PIPA Art. 37).
- Portability — receive your data in a structured, machine-readable format (GDPR Art. 20 / LGPD Art. 18, V / PIPA Art. 35-2).
- Objection — object to processing based on legitimate interest, or object to direct marketing at any time (GDPR Art. 21 / LGPD Art. 18, IV).
- Withdraw consent — withdraw marketing consent at any time by clicking "unsubscribe" in any email or by contacting us. Withdrawal does not affect the lawfulness of prior processing (GDPR Art. 7(3) / LGPD Art. 8, §5).
- Non-discrimination — exercising your rights will not result in discriminatory treatment (CCPA Cal. Civ. Code §1798.125 / LGPD Art. 18, §2).
To exercise any right, contact: privacy@studymaps.work
Response times by jurisdiction:
- LGPD (Brazil): within 15 days (Art. 19, II)
- GDPR / UK GDPR (EU/UK): within 30 days (Art. 12(3)), extendable by 60 days for complex requests
- APPI (Japan): without delay (Art. 33)
- PIPA (South Korea): within 10 days (Art. 38)
- DPDPA (India): as specified by the Data Protection Board
If you are located in India, we serve as the grievance contact for the purposes of the DPDPA 2023 (Section 6). Contact: privacy@studymaps.work.
8. California Residents (CCPA/CPRA)
StudyMaps does not currently meet the thresholds for CCPA/CPRA applicability ($25M revenue, 100,000+ California consumers, or 50%+ revenue from data sales). However, in the spirit of transparency:
- We do not sell your personal information. We have never sold personal information and have no plans to do so.
- We do not share your personal information for cross-context behavioral advertising.
- Categories of personal information collected: Identifiers (email address), internet or electronic network activity (error logs via Sentry, aggregated analytics via Plausible).
- Right to know, delete, and correct: You may exercise these rights by emailing privacy@studymaps.work. We will not discriminate against you for exercising these rights (Cal. Civ. Code §1798.125).
If CCPA becomes applicable to us in the future, we will update this section to include all required disclosures including the "Do Not Sell or Share My Personal Information" mechanism.
9. Canadian Residents (CASL / PIPEDA)
If you are located in Canada:
- We will only send you commercial electronic messages (marketing emails) if you have provided express consent via an unchecked opt-in checkbox on our forms (CASL s.6(1)).
- Every marketing email identifies StudyMaps as the sender (CASL s.6(2)(a)), includes our physical address (Avenida Paulista, 1842, Conjunto 155, Sao Paulo, SP, 01310-200, Brazil) (CASL s.6(2)(c)), and contains a working unsubscribe link (CASL s.6(2)(d)).
- Unsubscribe requests are honored within 5 business days (CASL s.11(3); also satisfies AU Spam Act 2003 s.18).
- Your consent records are retained for a minimum of 3 years in accordance with CASL's limitation period (s.14).
- The free PDF sample download is a transactional communication and does not require marketing consent (CASL s.6(6)).
10. Cookies and Similar Technologies
Plausible Analytics — entirely cookie-free. Does not collect personal data, does not track individual visitors, and does not require consent under the ePrivacy Directive or any other cookie legislation.
Cloudflare — may set a strictly necessary security cookie (__cf_bm) to identify and mitigate bot traffic. Strictly necessary cookies are exempt from consent requirements under the ePrivacy Directive Art. 5(3) and UK PECR Regulation 6.
Crisp — may set cookies for chat session persistence (e.g., crisp-client/*). These are functionally necessary cookies to maintain your support conversation and are exempt from consent as strictly necessary for a service you explicitly requested (ePrivacy Directive Art. 5(3)).
Sentry Session Replay — Sentry Session Replay is configured to record user sessions for error debugging (10% of sessions, 100% of error sessions). Session Replay uses DOM recording rather than persistent cookies, but the recording itself constitutes processing of interaction data. Sentry sendDefaultPii is set to false in our configuration, meaning personally identifiable information is not intentionally transmitted.
Paddle Checkout — when you initiate a purchase, Paddle's checkout overlay may set its own cookies. Paddle is the data controller for checkout data. See Paddle's Privacy Policy.
We do not use Google Analytics, Facebook Pixel, advertising cookies, or any behavioral tracking cookies.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Our email marketing automation (Brevo) sends pre-written emails on a time schedule — it does not make individualized decisions based on profiling.
12. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Two-factor authentication (2FA) on all service provider accounts
- Encryption in transit (TLS/HTTPS) on all data flows
- Encryption at rest provided by our processors (Resend, Brevo, Sentry, Cloudflare)
- No local storage of subscriber data — all personal data is stored in processor systems with enterprise-grade security
- Access limited to the data controller (sole operator)
- Regular review of processor security practices and DPA compliance
In the event of a personal data breach likely to result in risk to your rights, we will notify the relevant supervisory authority and affected individuals in accordance with applicable law (GDPR Art. 33-34: 72 hours; LGPD: 3 business days per ANPD Resolution 15/2024; PIPA Art. 34: 72 hours; APPI: without delay for serious incidents).
13. Supervisory Authorities
If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority:
- Brazil — ANPD (Autoridade Nacional de Proteção de Dados): gov.br/anpd
- European Union — the data protection authority of your EU/EEA member state. A list is available at edpb.europa.eu.
- United Kingdom — ICO (Information Commissioner's Office): ico.org.uk
- Canada — Office of the Privacy Commissioner of Canada: priv.gc.ca
- India — Data Protection Board of India (when constituted under the DPDPA 2023).
- Japan — Personal Information Protection Commission (PPC): ppc.go.jp
- South Korea — Personal Information Protection Commission (PIPC): pipc.go.kr
14. Children
Our products are designed for adults preparing for professional certification exams. We do not knowingly collect personal data from children. The applicable age thresholds by jurisdiction are:
- GDPR (EU): 16 years (or as low as 13 in some member states per national law)
- UK GDPR: 13 years
- LGPD (Brazil): 18 years (processing of minors' data requires specific parental/guardian consent under Art. 14)
- COPPA (US): 13 years
- APPI (Japan): No specific statutory age; parental consent required for minors
- PIPA (South Korea): 14 years
We do not target or market to children. If you believe we have collected data from a child below the applicable age threshold, please contact us at privacy@studymaps.work and we will promptly delete it.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law.
- When we make material changes (new data collection, new processors, changes to legal bases), we will notify existing subscribers by email at least 14 days before the changes take effect, and update the "Last updated" date at the top of this page.
- When we make minor changes (formatting, clarifications, updated contact information), we will update the date only.
Where applicable law requires your consent for material changes, we will obtain it before processing your data under the updated policy.
16. Contact
For any privacy-related questions, data subject requests, or complaints:
- Privacy inquiries: privacy@studymaps.work
- General support: support@studymaps.work
- Phone / WhatsApp: +55 11 93388-1412
- Address: Avenida Paulista, 1842, Conjunto 155, Cerqueira Cesar, Sao Paulo, SP, 01310-200, Brazil
- Website: studymaps.work