Zarv

Privacy Policy

Last updated: March 10, 2026

1. Introduction

Zarv Inc. ("Zarv", "we", "us", "our") is committed to protecting the privacy and personal data of our clients, partners, end users, and website visitors. This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with our risk intelligence platform and related services. This policy applies to data processed through Zarv ID, Zarv Signal, Zarv Lens, our website, APIs, SDKs, and all related services. We comply with applicable data protection laws including Brazil's Lei Geral de Proteção de Dados (LGPD), the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant jurisdictional requirements.

2. Controller and Data Protection Officer

Zarv Inc. is the data controller for personal data processed through our platform. Registered address: São Paulo, SP, Brazil. Our Data Protection Officer (DPO) can be reached at: privacy@zarv.com. For GDPR matters, our EU representative can be contacted through the same email. The DPO is responsible for overseeing data protection strategy, monitoring compliance, serving as point of contact for data subjects and supervisory authorities, and advising on data protection impact assessments.

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data: (a) Identity Data: full name, CPF/CNPJ (Brazilian tax ID), RG (identity document), CNH (driver's license), passport, date of birth, facial biometrics for identity verification; (b) Contact Data: email address, phone number, physical address, business contact information; (c) Geolocation and Behavioral Data: real-time GPS coordinates from vehicle tracking, historical route data, driving behavior patterns, speed, acceleration, braking events, telematics sensor data; (d) Vehicle and Asset Data: license plates, VIN (vehicle identification number), vehicle make/model/year, ownership records, registration data captured via LPR/OCR cameras; (e) Claims and Insurance History: insurance policy numbers, claim records, loss history, underwriting data, damage assessments; (f) Corporate and Relational Data: company registration (CNPJ), corporate structure, beneficial ownership, director and officer information, business relationships, network analysis; (g) Technical and Usage Data: IP address, browser type and version, device ID, operating system, access times, pages viewed, API calls, query parameters; (h) Financial Data: payment information for billing purposes (processed by third-party payment processors); (i) Communications: correspondence with our support team, demo requests, contract negotiations. We do not intentionally collect special categories of sensitive personal data (such as racial origin, political opinions, religious beliefs, health data, or sexual orientation) unless strictly necessary for specific fraud prevention use cases and with explicit consent or legal authorization.

4. How We Collect Personal Data

Personal data is collected through the following channels: (a) Direct provision by clients: when clients submit data through our API, upload data to our dashboards, or provide information during onboarding; (b) Automated collection from integrated systems: telematics devices, GPS trackers, LPR/OCR cameras, insurance management systems, claims databases; (c) Third-party data sources: public records, government databases (DETRAN, Receita Federal), credit bureaus, data enrichment partners operating under strict data processing agreements; (d) Website interactions: cookies, analytics tools, form submissions; (e) Business communications: emails, demo requests, support tickets. Data is always collected with appropriate legal basis and with transparency about the purpose of collection.

6. How We Use Personal Data

Personal data is processed for the following specific purposes: (a) Risk Scoring and Identity Verification (Zarv ID): behavioral analysis, fraud detection, identity authentication, risk classification, credit decisioning support; (b) Continuous Monitoring and Anomaly Detection (Zarv Signal): real-time tracking of insured assets, geofencing alerts, route deviation detection, behavioral pattern changes, early warning signals for fraud or policy violations; (c) Claims Investigation and Evidence Generation (Zarv Lens): gathering and analyzing evidence for insurance claims, generating investigative reports, documenting incident timelines, supporting subrogation and recovery processes; (d) Service Improvement: model training and calibration, algorithm optimization, platform performance monitoring, user experience enhancement; (e) Client Communication: service notifications, technical support, billing and account management, product updates; (f) Legal and Regulatory Compliance: responding to legal requests, regulatory reporting, audit trails, tax compliance; (g) Business Operations: contract management, invoicing, business analytics, security monitoring. All processing is limited to what is necessary and proportionate to achieve the stated purposes.

7. Data Sharing and Recipients

We share personal data only with authorized recipients under strict contractual and security requirements: (a) Clients: insurers, lenders, fleet managers, and other contracted entities receive risk scores, alerts, reports, and evidence relevant to their business relationship with the data subject, limited to the scope of services purchased; (b) Sub-processors: cloud infrastructure providers (AWS, Google Cloud), data enrichment partners, analytics providers, payment processors—all operating under Data Processing Agreements (DPAs) compliant with LGPD Art. 15, GDPR Art. 28, and equivalent standards; (c) Law Enforcement and Regulatory Authorities: when legally obligated by court order, subpoena, regulatory investigation, or statutory duty; (d) Professional Advisors: lawyers, auditors, insurers, consultants under confidentiality obligations; (e) Business Transfers: in the event of merger, acquisition, restructuring, or asset sale, with appropriate data protection safeguards. We NEVER sell personal data to third parties. We do not engage in data brokerage. Any data sharing is governed by legitimate business purposes, legal obligations, or explicit consent.

8. International Data Transfers

Personal data may be transferred to and processed in countries outside your jurisdiction, including the United States, European Union member states, and other locations where our service providers operate. For transfers from Brazil: we comply with LGPD Art. 33 and ensure adequate safeguards through Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or transfers to countries with adequacy decisions recognized by ANPD (Autoridade Nacional de Proteção de Dados). For transfers from the EU/EEA: we use mechanisms approved under GDPR Chapter V, including EU Standard Contractual Clauses (2021 version), adequacy decisions, or derogations for specific situations. For California and other US data: transfers are governed by contractual protections and service provider agreements. All international transfers include appropriate technical and organizational security measures, including encryption in transit and at rest. Data subjects have the right to obtain information about safeguards in place for international transfers by contacting our DPO.

9. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law: (a) Identity verification data: retained for the duration of the client relationship plus 5 years for audit and regulatory compliance (LGPD, AML/CFT requirements); (b) Geolocation and behavioral data: raw data is retained for 90 days; aggregated and anonymized insights are retained indefinitely; (c) Claims investigation data: retained for 7 years in accordance with insurance industry standards and statute of limitations; (d) Risk scores and flags: retained for 5 years or as specified in client agreements; (e) Technical logs and security data: retained for 12 months for security monitoring and incident response; (f) Financial and billing records: retained for 7 years to comply with tax and accounting regulations. After the retention period, data is securely deleted or anonymized. Data subjects may request earlier deletion subject to legal and contractual obligations. Specific retention periods may be extended to defend legal claims, comply with investigations, or fulfill regulatory orders.

10. Your Rights as a Data Subject

Depending on your jurisdiction, you have the following rights: (a) Right of Access (LGPD Art. 18, I-II; GDPR Art. 15; CCPA §1798.100): confirm whether we process your data and obtain a copy of your personal data; (b) Right to Rectification (LGPD Art. 18, III; GDPR Art. 16): correct incomplete, inaccurate, or outdated data; (c) Right to Erasure/Deletion (LGPD Art. 18, VI; GDPR Art. 17; CCPA §1798.105): request deletion of your data, subject to legal retention obligations and legitimate grounds for continued processing; (d) Right to Restriction of Processing (LGPD Art. 18, IV; GDPR Art. 18): limit how we process your data in certain circumstances; (e) Right to Data Portability (LGPD Art. 18, V; GDPR Art. 20): receive your data in structured, commonly used, machine-readable format and transmit to another controller; (f) Right to Object (LGPD Art. 18, §2º; GDPR Art. 21): object to processing based on legitimate interest or for direct marketing; (g) Right to Withdraw Consent (LGPD Art. 8, §5º; GDPR Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting prior lawful processing; (h) Right to Review Automated Decisions (LGPD Art. 20; GDPR Art. 22): request human review of decisions made solely through automated processing with significant effects; (i) Right to Information (LGPD Art. 18, VIII): obtain information about third parties with whom we share data; (j) Right to Know Categories and Sources (CCPA §1798.110): for California residents, know categories of personal information collected and sources; (k) Right to Opt-Out of Sale (CCPA §1798.120): we do NOT sell personal data, but you have the right to confirm this. To exercise these rights, contact our Data Protection Officer at privacy@zarv.com. We will respond within: 15 days (LGPD), 1 month extendable to 3 months (GDPR), 45 days extendable to 90 days (CCPA). We may require identity verification before fulfilling requests. Certain requests may be limited by legal obligations or overriding legitimate interests.

11. Security Measures

We implement comprehensive technical and organizational security measures to protect personal data against unauthorized access, loss, destruction, alteration, or disclosure: (a) Encryption: data encrypted in transit (TLS 1.3) and at rest (AES-256); (b) Access Controls: role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege; (c) Network Security: firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, network segmentation; (d) Audit and Logging: comprehensive audit trails, security event monitoring (SIEM), automated anomaly detection; (e) Secure Development: security-by-design principles, code review, vulnerability scanning, penetration testing; (f) Incident Response: documented incident response plan, breach notification procedures compliant with LGPD Art. 48, GDPR Art. 33-34, CCPA requirements; (g) Vendor Management: due diligence on sub-processors, contractual security requirements, regular audits; (h) Physical Security: restricted access to data centers, surveillance, environmental controls; (i) Employee Training: regular security and privacy awareness training, confidentiality agreements, background checks; (j) Certifications and Standards: we align our security practices with ISO 27001, SOC 2, and industry best practices. Despite our robust security measures, no system is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant supervisory authorities as required by law.

12. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. Types of cookies: (a) Strictly Necessary: essential for website functionality, security, load balancing; (b) Analytics: Google Analytics, PostHog for usage statistics, performance monitoring (anonymized where possible); (c) Functional: preferences, language selection, session management; (d) Marketing: limited use for tracking demo requests and conversion optimization. You can control cookies through browser settings. Disabling certain cookies may affect website functionality. We do not use cookies for cross-site tracking or third-party advertising. For detailed cookie management, see our Cookie Notice or contact privacy@zarv.com. Cookie consent is managed through our consent banner for EU visitors (GDPR ePrivacy Directive compliance).

13. Children's Privacy

Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete such information. If you believe we have inadvertently collected data from a minor, contact privacy@zarv.com immediately.

14. California Consumer Privacy Act (CCPA) Disclosures

For California residents, this section provides specific CCPA disclosures: (a) Categories of Personal Information Collected (past 12 months): identifiers (name, email, IP), commercial information (purchase history), internet activity (website usage), geolocation data, professional information, inferences (risk profiles). Sources: directly from you, from your devices, from third-party data providers, from public records. (b) Business Purposes: fraud prevention, security, service delivery, legal compliance, internal analytics. (c) Categories Shared: identifiers and commercial information with service providers and clients as described in Section 7. (d) Sale of Personal Information: Zarv does NOT sell personal information. (e) Your California Rights: right to know, right to delete, right to opt-out of sale (not applicable), right to non-discrimination. (f) Authorized Agent: California residents may designate an authorized agent to submit requests on their behalf. We may require verification of the agent's authority. (g) Shine the Light Law: California residents may request information about disclosure of personal information to third parties for direct marketing (not applicable as we do not share for this purpose). Contact: privacy@zarv.com or 1-855-ZARV-PRI (toll-free within US).

15. European Union (GDPR) Specific Rights

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland: (a) Lawful Basis: our processing relies on legitimate interest, contractual necessity, and legal obligations as detailed in Section 5. (b) Data Protection Authority: you have the right to lodge a complaint with your local supervisory authority if you believe our processing violates GDPR. (c) Automated Decision-Making: we use automated risk scoring models. You have the right to request human intervention, express your point of view, and contest decisions made solely by automated means that produce legal effects or similarly significantly affect you. (d) Profiling: we engage in profiling for fraud detection and risk assessment purposes based on legitimate interest. You may object to such profiling. (e) Direct Marketing: you may object to processing for direct marketing purposes at any time. (f) EU Representative: for GDPR matters, contact our EU representative at privacy@zarv.com with subject line 'EU GDPR Request'. (g) Cross-Border Transfers: see Section 8 for details on safeguards for international data transfers.

16. Brazilian LGPD Specific Rights

For individuals in Brazil: (a) Encarregado (DPO): our Data Protection Officer can be contacted at privacy@zarv.com. (b) ANPD: you have the right to file a complaint with Autoridade Nacional de Proteção de Dados (ANPD) if you believe our processing violates LGPD. (c) Bases Legais (Legal Bases): we process data based on legitimate interest (Art. 7, IX and X), execution of contract (Art. 7, V), legal obligation (Art. 7, II), consent (Art. 7, I), credit protection (Art. 7, X), and protection of life (Art. 7, VII) as detailed in Section 5. (d) Revisão de Decisões Automatizadas (Review of Automated Decisions): pursuant to LGPD Art. 20, you may request review of decisions made solely through automated processing that affect your interests. We will provide information about criteria and procedures used in automated decisions. (e) Tratamento de Dados Sensíveis (Processing of Sensitive Data): sensitive data (CPF, biometrics, geolocation) is processed only when necessary for fraud prevention, with appropriate safeguards, specific consent, or legal authorization. (f) International Transfers: we comply with LGPD Chapter V and use Standard Contractual Clauses approved by ANPD or transfer to countries with adequacy recognition.

17. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings. Material changes will be notified through: email to registered clients, prominent notice on our website, in-app notifications. The 'Last Updated' date at the top of this policy indicates when it was last revised. Continued use of our Services after changes constitutes acceptance of the updated policy. For significant changes affecting your rights, we may seek renewed consent where required by law. We encourage you to review this policy periodically to stay informed about how we protect your personal data.

18. Contact Information and Data Subject Requests

To exercise your privacy rights, request information, or raise concerns about data protection: Data Protection Officer: privacy@zarv.com. Postal Address: Zarv Inc., São Paulo, SP, Brazil. For EU/GDPR inquiries: privacy@zarv.com (Subject: EU GDPR Request). For California/CCPA inquiries: privacy@zarv.com (Subject: CCPA Request) or toll-free 1-855-ZARV-PRI. When submitting a request, please provide: full name, contact information, description of your request, proof of identity (to prevent unauthorized access), jurisdiction (to apply appropriate legal framework). We will acknowledge your request within 5 business days and provide a substantive response within the timeframes required by applicable law. There is no fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.