LGPD compliance
Last updated: April 13, 2026
WiseData NPS, operated by WiseData Business LTDA (CNPJ 53.182.850/0001-14), processes personal data in compliance with Brazil's General Data Protection Law (LGPD — Law 13,709/2018).
Role of WiseData NPS
We act as the controller of our customers' data (account holders) and as the processor of survey recipients' data (contacts imported by customers). WiseData NPS acts as a processor in sending satisfaction surveys (NPS, CSAT, CES, eNPS, and similar) on behalf of customers, processing data exclusively in accordance with customer instructions and only to the extent necessary to provide the service. The customer who imports contacts is the controller of that data and is fully responsible for the collection, legality, and legal basis of the imported data, including obtaining prior consent (opt-in) or another applicable legitimate basis under the LGPD.
Legal bases used
Contract execution (Art. 7, V) to provide the contracted services; consent (Art. 7, I) for marketing communications and non-essential cookies; legitimate interest (Art. 7, IX) for product improvement, fraud prevention, and security; legal obligation (Art. 7, II) for tax retention.
Data subject rights
Confirmation of processing; access to data; correction of incomplete or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data; portability to another provider; deletion of data processed based on consent; information about sharing with third parties; possibility of not providing consent and its consequences; revocation of consent.
Security measures
Encryption in transit (TLS 1.3) and at rest; data hosted on infrastructure located in Brazil (when available) and in the USA (AWS, SendGrid); role-based access control (RBAC); two-factor authentication (2FA); continuous access monitoring; email and phone number validation before sending for reputation protection.
Sub-processors
SendGrid (Twilio) — email delivery; Meta Platforms — WhatsApp delivery; AWS — hosting and storage; Stripe — payment processing; MillionVerifier — email validation; OpenAI — sentiment analysis (anonymized data). All operate under data processing agreements (DPA).
Visitor data and public pages (Embed)
Public survey response pages (accessed via unique link) and embed widgets installed on customer websites may collect technical data from visitors/respondents — IP address, User-Agent, device identifiers (fingerprint), interaction time, and browser language — exclusively for the purposes of security, fraud prevention, response integrity, and protection of the shared sending reputation. This data is not used for advertising profiling and is not shared with third parties for marketing purposes.
Retention and deletion
Account data: retained while the account is active. After cancellation: 90 days for export, then anonymization or deletion. Tax data: 5 years (legal obligation). Security logs: 6 months. Right to erasure: deletion of individual contacts is available at any time through the dashboard.
Security incidents
In the event of an incident involving relevant risk or harm to data subjects, we will notify ANPD (Brazil's National Data Protection Authority) and affected data subjects within a reasonable timeframe, in accordance with Art. 48 of the LGPD, describing the nature of the affected data, the risks, and the measures adopted.
How to exercise your rights
Send your request to dpo.nps@wisedatabusiness.com with the subject line 'LGPD — WiseData NPS', including your full name and a description of the request. We will respond within 15 business days. To request account or data deletion, you may also use the Platform dashboard directly.