Lenavio, Inc. (“Lenavio”, “we”, “us”) respects your privacy. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices and rights available to you under the Brazilian General Data Protection Law (LGPD), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
1. Who we are
For our marketing site and commercial relationships (“Controller data”), Lenavio acts as the data controller. When you use the Lenavio application as part of your employer's HR workspace, Lenavio acts as a data processor and your employer is the data controller — see our Data Processing Agreement for the terms that apply.
2. Personal information we collect
- Account data: name, work email, company, role, and login credentials.
- Billing data: company name, billing address, tax ID, and the last four digits of the payment method (handled by our payment processor).
- Product usage data: feature events, device/browser metadata, IP address, diagnostic logs, and crash reports used for security and reliability.
- Customer Content you submit: employee records, documents, cases, and other HR data processed on behalf of your organization.
- Marketing data: information you submit via forms, newsletter sign-ups, and demo requests.
3. How we use personal information
We use personal information to:
- provide, secure, and improve the Service;
- authenticate users and prevent abuse;
- send operational and, with consent, marketing communications;
- comply with legal obligations and enforce our agreements;
- operate the AI features, scoped to your visibility — see Section 8.
4. Legal bases (GDPR / UK GDPR / LGPD)
We rely on the following legal bases:
- Contract: to provide the Service you or your employer have contracted for.
- Legitimate interest: to secure the Service, detect fraud, and improve features — balanced against your rights.
- Consent: for non-essential marketing or tracking cookies where required.
- Legal obligation: to meet regulatory, tax, and audit requirements.
5. Sharing
We share personal information only with (a) sub-processors under written contract (listed at lenavio.com/legal/dpa and linked from our Trust Report); (b) professional advisors bound by confidentiality; (c) authorities where required by valid legal process; and (d) a successor in connection with a merger, acquisition, or reorganization, subject to equivalent protections.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
6. International transfers
Where personal information is transferred outside Brazil, the EEA, or the UK, we rely on appropriate safeguards including Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary measures. Data residency in Brazil, the US, or the EU is available on Enterprise plans.
7. Retention
We retain personal information for as long as needed to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. On termination, Customer Content is deleted within thirty (30) days unless retention is required by law. Backups are rotated on a rolling 35-day cycle.
8. AI features
The Lenavio AI Assistant processes Customer Content to generate drafts, summaries, and answers that are scoped to the asking user's access rights. AI outputs are never used to make adverse employment decisions, and we do not use Customer Content to train third-party foundation models.
9. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal information, and to withdraw consent. Californians have additional rights under the CCPA/CPRA, including the right to limit the use of sensitive personal information. Brazilians have rights under the LGPD, including data portability and review of automated decisions.
To exercise a right, email hello@lenavio.com. If you use Lenavio through your employer, please direct data-subject requests to your employer, who is the controller; we will assist them as processor.
10. Security
We use commercially reasonable administrative, technical, and physical safeguards, including encryption at rest (AES-256) and in transit (TLS 1.3), role-based access enforced at the database layer, and annual penetration testing. See our Security page for our posture overview.
11. Children
The Service is intended for use by businesses and employees age 18 or older. We do not knowingly collect personal information from children.
12. Cookies
See our Cookie Policy for how we use cookies and similar technologies.
13. Changes
We may update this Policy. Material changes will be posted here with a new “Last updated” date and, where appropriate, notified directly.
14. Contact
Data Protection Officer and general privacy questions: hello@lenavio.com.