Legal documents
Privacy Policy
Last updated:
1. Who we are
Vereda Educação Ltda. (“Vereda”, “we”) operates the Santo André and São Bernardo do Campo campuses. This Policy describes, transparently, how we handle personal data collected through our digital channels: the main site, forms for scheduling a visit, waitlist, careers and partnerships.
Vereda is a Brazilian school subject to the Lei Geral de Proteção de Dados Pessoais (LGPD, Federal Law 13.709/2018). All article references in this Policy are to the LGPD and related Brazilian instruments.
2. What data we collect
- Identification: full name, e-mail, phone number.
- Educational interest and visits: campus, grade segment, target school year, and visit date/time. For scheduling, the guardian may provide the first names of participating students; this is used only to organize the visit.
- Job applications: position of interest, résumé (PDF/DOCX) and optional cover letter.
- Partnerships: company name, contact, partnership type, and proposal description.
- Browsing data (only after explicit consent via the LGPD banner): measurement cookies (Google Analytics via GTM), Core Web Vitals performance metrics, and session identifiers for telemetry correlation.
- Consent log: timestamp, user agent, and truncated IP for each accept/deny decision on the banner, for auditability under the accountability principle (Art. 6º X of the LGPD).
3. Legal bases and purposes
Personal-data processing is grounded in the following legal bases (Art. 7º LGPD):
- Consent (Art. 7º, I): analytical and marketing cookies are activated only after you click “Accept” on the privacy banner. Declining does not prevent navigation.
- Pre-contractual procedures (Art. 7º, V): contact, scheduling, waitlist, careers, and partnership forms are treated as preliminary to a possible contract. Scheduling a visit does not constitute marketing consent; any opt-in is requested separately.
- Legitimate interest (Art. 7º, IX): security logs, anti-fraud measures (honeypot, rate-limit), and request identifiers for auditing.
4. Children and adolescents | LGPD Art. 14 + ECA Digital
Processing of personal data of children (under 12) and adolescents (12 to 18) is governed by LGPD Art. 14 and aligned with Brazil’s Digital Statute for Children and Adolescents (Federal Law 15.211/2025, regulated by Decree 12.880/2026).
Best-interest principle (Art. 14, caput). Every decision regarding the processing of children’s and adolescents’ data takes the best interest of the data subject as the primary consideration.
Consent model (Art. 14, §1º). Before enrollment, forms mainly collect the guardian’s details and enrollment intent. For visit scheduling, the guardian may provide students’ first names solely to organize the visit. This information is not used for profiling or advertising. After enrollment, processing is grounded in the enrollment contract signed by the legal guardian and the legal bases applicable to educational services.
What we do not do (Art. 14, §3º and §6º).
- We do not perform advertising profiling or targeted processing of children and adolescents;
- We do not condition guardian participation on excessive data collection;
- We do not share minors’ data for marketing purposes;
- We do not use dark patterns in obtaining consent; the LGPD banner offers “Accept” and “Reject” with equal prominence.
Health and sensitive data (Art. 11 LGPD). Student health data (allergies, medications, accommodations) is processed under specific legal bases (Art. 11, II, “a”, compliance with legal obligation, and “f”, protection of life or physical safety). Access is restricted to the school health team and pedagogical leadership, with read-level audit logging.
Design commitments (ECA Digital). For future surfaces aimed at students (the educational portal under rewrite, the parent application under planning), our design commitments include: privacy-restrictive default settings, mandatory linkage to a parental account, no personalized recommendation algorithms targeting minors, no targeted advertising, and a reporting channel for harmful content.
Exercising rights regarding children’s and adolescents’ data. The rights set forth in Art. 18 of the LGPD are exercised by legal guardians. For requests concerning a child or adolescent under our educational care, contact the DPO (Section 9), who will validate the guardianship relationship via the active enrollment record or, in its absence, supporting documentation.
5. Data sharing
Data is shared only with strictly necessary processors:
- Vereda ERP: receives and organizes registrations, interest lists, and visit bookings. It is operated by Vereda.
- Microsoft Azure: site/backend hosting, telemetry, private résumé storage, and 360° tour delivery through Blob Storage/CDN. Résumé write URLs are temporary and uploaded files are revalidated.
- Google Tag Manager, Google Analytics, and Google Ads: activated only after consent for measurement and campaign evaluation.
- Meta: campaign measurement tools activated only after consent.
- Google Maps: embedded maps load only after an explicit visitor action. External direction links are subject to Google’s policy when opened.
We do not sell, rent, or assign personal data to third parties for independent marketing purposes.
6. Cookies and similar technologies
| Cookie | Source | Purpose | Type | Retention | Category |
|---|---|---|---|---|---|
__consent_lgpd_v1 | Vereda (1st party) | Records the consent decision (accept/reject) | localStorage | Indefinite (until browser data is cleared) | Necessary |
_ga | Google (3rd party) | Distinguishes unique users | Cookie | 13 months | Analytical (after consent) |
_ga_<id> | Google (3rd party) | GA4 session state | Cookie | 13 months | Analytical (after consent) |
_gid | Google (3rd party) | Distinguishes sessions in a 24-hour window | Cookie | 24 hours | Analytical (after consent) |
_gcl_au and related cookies | Google Ads (3rd party) | Campaign conversion measurement | Cookie | Per Google’s configuration | Marketing/measurement (after consent) |
_fbp and _fbc | Meta (3rd party) | Campaign and conversion measurement | Cookie | Per Meta’s configuration | Marketing/measurement (after consent) |
ai_session | Vereda (1st party, App Insights) | Correlates session-level performance metrics | Cookie | 30 min idle / 24h absolute | Analytical (after consent) |
ai_user | Vereda (1st party, App Insights) | Pseudonymous identifier for cohort analysis | Cookie | 365 days | Analytical (after consent) |
Analytical and marketing cookies remain blocked until the banner is accepted.
You may review or revoke your choice at any time through Manage cookies in the footer. Revocation stops future collection and attempts to remove first-party measurement cookies; previously collected data remains subject to retention rules (Section 7) and the relevant processors’ policies.
7. Retention
- Leads and applications: up to 24 months after the last contact, or as needed to comply with legal obligations.
- Résumés in the talent bank: up to 12 months, with automatic lifecycle in Azure Blob storage.
- Security logs: 90 days.
- Server-side consent and telemetry logs: 90 days.
- Enrolled student data: lifetime of enrollment + 10 years (educational records), with subsequent anonymization.
- Student health data (Art. 11): anonymized at the end of enrollment.
- Financial records: 10 years (compliance with fiscal obligations).
8. Your rights (Art. 18 LGPD)
You may, at any time, exercise the data-subject rights set forth in Art. 18 of the LGPD: confirmation of processing, access, correction, anonymization, portability, deletion, consent revocation, and review of automated decisions. Vereda does not currently make automated decisions about data subjects; this right is listed for completeness.
To exercise a right, contact our Data Protection Officer (DPO):
E-mail: dpo@veredaeducacao.com
We will respond within 15 business days of receiving the complete request (including identity verification). For requests regarding children’s and adolescents’ data, we validate the guardianship relationship as described in Section 4.
9. Security
We apply protection layers in accordance with LGPD Art. 46: HTTPS/TLS encryption in transit and encryption at rest in Azure services, role-based access controls (RBAC), a private site-to-ERP credential, server-side honeypot anti-spam, IP rate limiting, request identifiers for auditing, and continuous dependency checks (npm audit, CI gate). Résumés are written directly to a private container, with no public listing and signed URLs valid for only 10 minutes.
We operate under an incident-response policy aligned with LGPD Art. 48 and ANPD Resolution 15/2024: we detect, contain and assess incidents and, when an incident may create relevant risk or harm, notify both the ANPD and affected data subjects within 3 business days, unless a specific statutory deadline applies.
10. Updates to this Policy
This Policy may be updated to reflect regulatory changes, new services, or security improvements. The date of the latest revision is shown at the top of this page. In case of material change, we will notify by e-mail and/or via banner on the site.
11. Contact
For any question about this Policy or the processing of your data, contact the DPO at dpo@veredaeducacao.com or our team via the visit-scheduling form.