Last updated: March 27, 2026
This Privacy Policy describes how That's Me Ltd. (CNPJ 48.657.854/0001-71), hereinafter "That's Me", collects, uses, stores, protects, and shares the personal data of users of the platform available at app.thatsme.com.br.
That's Me operates in compliance with the Brazilian General Data Protection Law (Lei nº 13.709/2018 — LGPD) and, for users residing in the European Economic Area or the United Kingdom, with the General Data Protection Regulation (GDPR — Regulation EU 2016/679).
For questions about this Policy, please contact us at [email protected].
This Policy applies to:
| Data | User type | Required |
|---|---|---|
| Full name | Recipient and Issuer | Required |
| Email address | Recipient and Issuer | Required |
| Password (bcrypt hash) | Recipient and Issuer | Required if not using OAuth |
| Username (@nickname) | Recipient | Required |
| Phone number | Recipient and Issuer | Optional |
| Company name | Issuer | Required |
| CNPJ or business registration | Issuer | Optional (KYB) |
| Address | Issuer | Optional |
| CPF (Brazilian tax ID) | Recipient | Optional |
| Date of birth | Recipient | Optional |
| Gender | Recipient | Optional |
| Profile picture | Recipient and Issuer | Optional |
| Bio | Recipient | Optional |
| Industry | Recipient and Issuer | Optional |
| LinkedIn (URL or code) | Recipient | Optional |
When the user chooses to authenticate via Google or LinkedIn, the platform receives from the provider, with the user's consent: name, email address, profile picture, and provider unique identifier. For LinkedIn, the following may also be received: current job title and profile URL. This data is stored in an OAuth connection linked to the account.
When an Issuer issues a certificate, it provides the platform with: full name, email and, optionally, phone number of the recipient. The Issuer is the data controller for this data; That's Me acts as a data processor in the context of issuance.
For organization verification, the Issuer may submit official documents (articles of incorporation, business registration, permits, etc.). These documents are stored in a private S3 bucket, accessible exclusively by the administrative team, and are never made publicly available.
Payment data (credit card, banking information) is processed directly by Stripe and is not stored on That's Me servers. The platform only retains the Stripe customer and subscription identifiers.
| Purpose | Legal Basis (LGPD) | Legal Basis (GDPR) |
|---|---|---|
| Service provision (issuance, storage, and verification of certificates) | Performance of contract — Art. 7, V | Art. 6(1)(b) |
| Account authentication and security | Legitimate interest — Art. 7, IX | Art. 6(1)(f) |
| Sending transactional notifications | Performance of contract — Art. 7, V | Art. 6(1)(b) |
| Processing based on explicit consent collected at registration | Consent — Art. 7, I | Art. 6(1)(a) |
| Compliance with legal and regulatory obligations | Legal obligation — Art. 7, II | Art. 6(1)(c) |
| Fraud prevention and platform security | Legitimate interest — Art. 7, IX | Art. 6(1)(f) |
| Service improvement and aggregated internal analytics | Legitimate interest — Art. 7, IX | Art. 6(1)(f) |
That's Me does not use personal data for marketing purposes without express consent and does not sell personal data to third parties.
The platform sends the following transactional emails. These are not marketing messages — they are essential notifications required for the secure operation of your account:
That's Me shares personal data with third parties only in the following cases:
| Third Party | Shared Data | Purpose |
|---|---|---|
| Amazon Web Services (AWS) — USA | All stored data | Hosting infrastructure (EC2, database, S3) |
| Stripe — USA | Customer ID, email, organization name | Payment and subscription processing |
| Amazon SES — USA | Recipient email, email content | Transactional email delivery |
| WhatsApp Business API | Phone number, name, certificate link | Certificate delivery via WhatsApp |
| BrasilAPI | CNPJ | CNPJ validation for KYB verification |
| LinkedIn OAuth | OAuth authorization code | Authentication via LinkedIn |
| Google OAuth | OAuth authorization code | Authentication via Google |
All providers listed above are selected based on their security practices and compliance with applicable data-protection laws. AWS holds SOC 2 and ISO 27001 certifications and supports GDPR compliance through Standard Contractual Clauses (SCCs).
Data is stored primarily on AWS servers in the sa-east-1 (São Paulo) region. Transactional emails are sent via AWS SES servers. Payments are processed by Stripe on infrastructure in the USA and Europe.
For users in the European Economic Area, data transfers to the USA rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46 of the GDPR.
That's Me adopts the following technical and organizational security measures:
No security measure is infallible. In the event of a material security incident, That's Me will notify affected users and the Brazilian National Data Protection Authority (ANPD) as required by Arts. 46 et seq. of the LGPD.
The platform uses only strictly necessary functional cookies for the operation of the services:
| Cookie | Purpose | Expiration |
|---|---|---|
| thatsme:token | JWT access token for authentication | 15 minutes |
| thatsme:refresh_token | Session renewal token | 30 days (renewed on each use) |
| thatsme:session_id | Active session identifier | 30 days |
| thatsme:company | Issuer context identification | Session |
The platform does not use tracking, advertising, or third-party analytics cookies.
| Data | Retention Period |
|---|---|
| Active account data | As long as the account is active |
| Data after deactivation | Until deletion is requested |
| Data after deletion request | 7 days (cooling-off period), then anonymized |
| Certificates (post-anonymization) | Retained with anonymized reference |
| Pending invitations | 2 years from issuance |
| Expired/revoked sessions | Deleted after 30 days |
| Used/expired magic links | Deleted in daily cleanup |
| KYB documents | Verification validity + 1 year |
| Audit logs | 2 years |
The platform is not intended for children under 13 years of age. For users between 13 and 18, we recommend that a parent or guardian be aware of and consent to their use of the platform, in accordance with Art. 14 of the LGPD. If we identify use by a minor without proper authorization, we will delete their data upon request.
Under Art. 18 of the LGPD and Arts. 15–22 of the GDPR, you have the right to:
| Right | How to exercise |
|---|---|
| Access — confirm data processing and obtain a copy | Email [email protected] or export in Settings → Account |
| Rectification — update incomplete or inaccurate data | Directly in Settings → Profile |
| Erasure — delete personal data | Settings → Account → Delete account |
| Portability — receive data in JSON format | Settings → Account → Export my data |
| Objection — object to processing based on legitimate interest | Email [email protected] |
| Withdrawal of consent | At any time; does not affect prior processing |
| Information about sharing | Section 6 of this Policy |
| Complaint | ANPD (Brazil) · ICO (United Kingdom) · CNIL (France) |
We will respond to requests within 15 (fifteen) calendar days.
For users in the EEA and the United Kingdom, the data controller is That's Me Ltd. Our EU representative can be contacted at [email protected]. For processing based on consent, the user has the right to withdraw it at any time without affecting the lawfulness of prior processing.
This Policy may be updated from time to time. If we make material changes, we will notify you by email at least 30 (thirty) days in advance. The current version is always available at thatsme.com.br/privacy/policy with the date of the latest update.
That's Me Ltd.
CNPJ: 48.657.854/0001-71
Belo Horizonte, Minas Gerais, Brazil
Email: [email protected]
For personal-data requests, please email us at the address above with the subject line "LGPD Request" or "GDPR Request".
Version 3.1 — March 27, 2026
Supersedes all prior versions.