Privacy Policy

Company: FFingers Ventures Ltda
CNPJ: 50.567.618/0001-06
Service: Bubo — Digital safety for families
Website: bubo.family

Data Protection Officer (DPO):
Pedro Eduardo Santos
E-mail: contato@ffingers.com.br

We collect the following categories of data:

Minors' data: Bubo processes data of children and adolescents (from age 6) exclusively with consent and under the responsibility of parents or legal guardians, as provided in art. 14 of the LGPD. No minor's data is collected directly from them.

Personal data processing is carried out based on the following legal grounds under the LGPD:

• Consent (art. 7, I): for registration data collection and message analysis, upon express acceptance of this Policy at registration.
• Legitimate interest (art. 7, IX): for service operation and security, fraud prevention, and continuous improvement of risk detection.
• Protection of life and physical integrity (art. 7, VII): for imminent risk situations detected by the system (e.g., signs of self-harm, grooming).
• Compliance with a legal obligation (art. 7, II): when required by law or court order.

• Authenticate and identify the guardian in the dashboard;
• Send alerts and summaries via WhatsApp when risk patterns are identified;
• Process WhatsApp messages through artificial intelligence to detect risks (bullying, grooming, self-harm, violence, etc.);
• Store analysis results for dashboard display and history;
• Maintain audit records for security and legal compliance;
• Improve models and system accuracy.

Message content is never displayed directly to the guardian. What the guardian receives are AI-generated summaries and evaluations, without reproducing the original message text.

We share data only with the following service providers acting as processors under our instructions:

• Supabase Inc.: database and authentication. Data stored on servers in North America (USA). Privacy policy.
• Anthropic, PBC: message processing by Claude AI for risk pattern analysis. Messages are sent for analysis and are not used for model training without additional consent. Privacy policy.
• Railway Corp.: API hosting. Privacy policy.
• Vercel Inc.: web dashboard hosting. Privacy policy.

We do not sell, rent, or transfer personal data to third parties for commercial or advertising purposes.

Some providers listed above operate servers outside Brazil (primarily USA). We carry out these transfers based on art. 33 of the LGPD, as they involve countries or organizations providing an adequate level of protection, or through specific data protection contractual clauses.

Account deletion immediately erases all registration data, child profiles, messages, and analyses, except critical risk evidence excerpts retained by legal obligation.

Under arts. 17–22 of the LGPD, you have the following rights regarding your personal data:

• Confirmation and access: know whether we process your data and obtain a copy;
• Correction: request updating of incomplete or incorrect data;
• Anonymization, blocking, or deletion: of unnecessary data or data processed in non-compliance;
• Portability: receive your data in a structured format;
• Deletion: delete data processed based on consent;
• Withdrawal of consent: at any time, without prejudice to prior processing;
• Objection: object to processing based on legitimate interest;
• Review of automated decisions: request human review of decisions made solely by AI.

To exercise any of these rights, contact our DPO: contato@ffingers.com.br. We respond within 15 business days.

We adopt the following technical and organizational measures to protect your data:

• Passwords stored with secure hashing (bcrypt);
• Encrypted communications via HTTPS/TLS;
• Database access restricted by JWT authentication and row-level security (RLS) in Supabase;
• Production secrets stored in environment variables, never in source code;
• Error and unauthorized access monitoring.

In case of a security incident that may pose significant risk to data subjects, we will notify the Brazilian National Data Protection Authority (ANPD) and affected individuals as provided in art. 48 of the LGPD.

Bubo uses only strictly necessary cookies for authentication and dashboard functionality (session token). We do not use tracking, advertising, or third-party analytics cookies.

We may update this Policy periodically. Significant changes will be communicated by email or via a dashboard notice at least 15 days in advance. Continued use of the service after the effective date of changes constitutes acceptance of the new terms.

For questions, requests, or complaints related to privacy and data protection: