Privacy and Cookie Policy

This Privacy and Cookie Policy explains how Elevata and its affiliated entities, including the Elevata entity responsible for the website or relationship with you, process personal information when you visit our website, contact us, subscribe to updates, apply for a role, or interact with us in connection with our cloud, data, AWS, and AI consulting services.

In this Policy, “Elevata,” “we,” “us,” and “our” mean Elevata Cloud Solutions Inc. and its affiliated Elevata entities, including Elevata Soluções Cloud Ltda. where relevant to Brazil-based activities.

For privacy requests, contact us using the details below.

This Policy applies to:

• Elevata’s public website and localized pages.
• Contact forms and commercial inquiries.
• Newsletter and event communications.
• Careers pages and recruiting interactions.
• Website analytics, cookies, and similar technologies.
• B2B communications with customers, prospects, partners, and suppliers.

This Policy does not replace any customer agreement, statement of work, data processing addendum, or other written agreement between Elevata and a customer. Where Elevata processes customer data as part of a contracted project, the applicable contract governs those project-specific processing activities.

We may collect the following categories of personal information.

2.1 Contact and business identity information

• Name.
• Business email address.
• Phone number.
• Company name.
• Job title or role.
• Country, region, or business location.
• Preferred language or communication channel.

2.2 Inquiry and commercial information

• Information you submit through contact forms.
• Details about your cloud, data, AI, migration, modernization, or AWS-related needs.
• Meeting requests, proposal requests, and related communications.
• Information provided during sales, partner, or customer discussions.

2.3 Newsletter and marketing information

• Email address.
• Subscription preferences.
• Event or content interests.
• Email engagement data, such as opens, clicks, and unsubscribe status, where provided by our email platform.

2.4 Careers information

If you apply for a role or contact us about employment, we may process:

• Resume/CV information.
• Work history.
• Skills and qualifications.
• LinkedIn or portfolio links.
• Interview notes.
• Communications related to recruiting.

2.5 Website and device information

When you use our website, we may collect:

• IP address.
• Device and browser information.
• Approximate location derived from IP address.
• Pages visited.
• Referring pages.
• Date and time of visit.
• Cookie identifiers.
• Site performance, security, and usage metrics.

2.6 Project-related information you voluntarily provide

If you submit information about a potential or active project, we may receive operational or technical information about your environment. You should not submit passwords, production credentials, API keys, secret keys, or highly sensitive information through public website forms. For active engagements, use the secure communication channels established for that project.

2.7 Sensitive personal information

Our website is not designed to collect sensitive personal information. Please do not submit sensitive information through website forms unless we specifically request it and provide an appropriate secure channel.

We collect personal information:

• Directly from you when you submit a form, email us, call us, subscribe to updates, or apply for a role.
• Automatically through cookies, analytics tools, logs, and similar technologies.
• From business partners, AWS-related programs, referrals, events, or public business sources where relevant to B2B relationship management.
• From service providers that support our website, CRM, communications, recruiting, analytics, and security operations.

We use personal information for the following purposes.

4.1 Responding to requests

We use contact and inquiry information to:

• Respond to your message.
• Route your request to the right specialist.
• Schedule calls or meetings.
• Prepare proposals or next-step recommendations.
• Follow up on commercial or technical discussions.

4.2 Providing and managing services

We use business and operational information to:

• Manage customer and partner relationships.
• Scope potential engagements.
• Deliver contracted services.
• Coordinate project communications.
• Support account management and customer success.

4.3 Website operation and improvement

We use website and device information to:

• Operate the website.
• Maintain website security and availability.
• Understand site usage.
• Diagnose errors.
• Improve content, navigation, and user experience.

4.4 Marketing and events

We use contact and preference information to:

• Send cloud, AWS, data, and AI insights.
• Send newsletters or event invitations.
• Share relevant content or service updates.
• Manage subscription and unsubscribe preferences.

We will honor unsubscribe requests and marketing preference changes.

4.5 Recruiting

We use careers information to:

• Review applications.
• Communicate with candidates.
• Evaluate qualifications.
• Conduct interviews.
• Manage hiring decisions.
• Maintain recruiting records.

4.6 Security, compliance, and legal protection

We use personal information to:

• Protect our website, systems, and business operations.
• Detect, prevent, and investigate misuse, fraud, security incidents, or unauthorized access.
• Maintain records required for compliance.
• Enforce agreements.
• Establish, exercise, or defend legal claims.
• Respond to lawful requests from authorities.

4.7 Responsible use of AI and productivity tools

We may use internal productivity tools, including AI-enabled tools, to support activities such as summarizing business communications, routing inquiries, drafting responses, or improving operational efficiency.

We do not use personal information submitted through our website to train public AI models unless we specifically disclose that use and obtain any required consent. Where we use AI-enabled tools, we apply access controls and use them for business-support purposes consistent with this Policy.

Where the LGPD, PIPEDA, or similar privacy laws apply, we rely on appropriate legal bases depending on the context, including:

• Consent, such as for newsletter subscriptions or non-essential cookies where consent is required.
• Contract or pre-contractual steps, such as responding to a request for services, preparing proposals, or delivering services.
• Legitimate interests, such as B2B relationship management, website security, basic analytics, service improvement, and relevant business communications.
• Legal or regulatory obligations, such as tax, accounting, compliance, and recordkeeping duties.
• Regular exercise of rights, including the establishment, exercise, or defense of legal claims.

Where consent is required, you may withdraw it at any time. Withdrawal does not affect processing already carried out before withdrawal.

We use cookies and similar technologies to operate the website and understand how visitors use it.

6.1 Types of cookies we use

• Essential cookies are required for the website to function, maintain security, load pages, and remember basic technical settings. They cannot be disabled through our systems where they are strictly necessary.
• Analytics cookies help us understand how visitors use the website, which pages are viewed, and how the site performs. We use this information to improve the website and content experience.
• Functional cookies, if enabled, may remember preferences such as language, region, or display choices.
• Marketing cookies are not used unless they are clearly disclosed and enabled in accordance with applicable consent requirements.

6.2 Cookie choices

You can manage cookies through:

• The website’s cookie settings page, where available.
• Your browser settings.
• Direct request to contact@elevata.io.

If you disable certain cookies, parts of the website may not function properly. Essential cookies may still be used where required to operate the website.

We may share personal information with the following categories of recipients.

7.1 Elevata affiliates and personnel

We may share information within Elevata and with authorized personnel who need access for the purposes described in this Policy.

7.2 Service providers

We may use service providers for:

• Website hosting and content delivery.
• Contact forms.
• CRM and sales operations.
• Email and newsletter delivery.
• Analytics.
• Calendar and scheduling.
• Recruiting.
• Security monitoring.
• Cloud infrastructure.
• Document management.
• Professional services such as legal, accounting, and tax support.

Service providers are expected to process personal information only for authorized purposes and subject to appropriate confidentiality, security, and data protection obligations.

7.3 Business and technology partners

Where relevant to your request or our services, we may share limited business contact or project information with partners such as AWS, distributors, or technology partners, for example to coordinate an opportunity, support a funding request, prepare a proposal, or deliver a requested service.

7.4 Legal and compliance recipients

We may disclose personal information where required or permitted by law, including to:

• Courts.
• Regulators.
• Government authorities.
• Law enforcement.
• External advisors.
• Parties involved in legal claims, audits, corporate transactions, or compliance processes.

7.5 Business transfers

If Elevata undergoes a merger, acquisition, reorganization, financing, sale of assets, or similar transaction, personal information may be disclosed or transferred as part of that transaction, subject to appropriate protections.

7.6 No sale of personal information

We do not sell personal information. We also do not disclose personal information for third-party behavioral advertising unless we update our disclosures and obtain any required consent.

Elevata operates across Brazil, Canada, and other jurisdictions, and our service providers may process personal information in countries where they or their infrastructure are located.

This means personal information may be transferred to, stored in, or accessed from countries outside your country of residence, including Brazil, Canada, the United States, and other locations where our providers operate.

When we transfer personal information internationally, we use appropriate safeguards, which may include:

• Contractual data protection terms.
• Vendor due diligence.
• Access controls.
• Security measures.
• Transfer mechanisms required by applicable law.
• Other safeguards appropriate to the nature of the processing.

We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.

Retention periods depend on the type of information and context, including:

• Contact and inquiry records are retained while the request, opportunity, or business relationship remains active and for a reasonable period afterward.
• Customer and partner records are retained as needed for relationship management, contract administration, accounting, and legal obligations.
• Newsletter data is retained until you unsubscribe or until the information is no longer needed for marketing and suppression-list purposes.
• Recruiting data is retained for the hiring process and a reasonable period afterward, unless a longer period is required or permitted by law.
• Website analytics are retained in identifiable or pseudonymous form only as long as needed for analytics, security, and site improvement.
• Project data is retained according to the applicable customer agreement, statement of work, data processing addendum, or secure project process.

We may retain limited records where needed to comply with law, resolve disputes, maintain security, prevent abuse, or establish, exercise, or defend legal claims.

We use technical and organizational measures designed to protect personal information against unauthorized access, loss, misuse, alteration, or disclosure.

These measures may include:

• Access controls.
• Role-based permissions.
• Encryption where appropriate.
• Logging and monitoring.
• Secure cloud infrastructure.
• Network and application security controls.
• Personnel confidentiality obligations.
• Vendor security review.
• Incident response procedures.

No website, system, or transmission method is completely secure. You should avoid sending credentials, secrets, or highly sensitive technical information through public website forms.

Depending on your location and applicable law, you may have the right to:

• Confirm whether we process your personal information.
• Access personal information we hold about you.
• Correct incomplete, inaccurate, or outdated information.
• Request anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed information.
• Request portability of your information, where applicable.
• Request information about entities with whom we have shared your information.
• Withdraw consent where processing is based on consent.
• Object to processing in certain circumstances.
• Request review of decisions made solely through automated processing that affect your interests, where applicable.
• Challenge our compliance with applicable privacy laws.
• Lodge a complaint with the competent privacy authority.

To exercise your rights, contact us at contact@elevata.io, attention: Privacy / Data Protection Contact.

We may need to verify your identity before responding. We will respond within the period required by applicable law.

You may unsubscribe from marketing emails by using the unsubscribe mechanism included in the message or by contacting us at contact@elevata.io.

Even if you unsubscribe from marketing communications, we may still send non-marketing messages, such as service, transactional, security, legal, or account-related communications.

Our website and services are intended for business users and are not directed to children or adolescents. We do not knowingly collect personal information from children through the website.

If you believe a child has provided personal information to us through the website, contact us and we will take appropriate steps to review and delete the information where required.

Our website may include links to third-party websites, platforms, partner pages, social media pages, or external resources. This Policy does not apply to third-party websites or services. Their privacy practices are governed by their own policies.

Where Elevata processes personal information on behalf of a customer as part of a consulting, migration, modernization, data, AI, AWS, or professional services engagement, the applicable customer agreement governs that processing.

In those contexts, Elevata may act as a processor/operator or service provider, and the customer may act as controller, depending on the role defined by the contract and applicable law.

Customer project data should be shared only through approved project channels and in accordance with the applicable agreement, security requirements, and data processing terms.

We may update this Policy from time to time to reflect changes in our website, services, legal requirements, or privacy practices.

When we update the Policy, we will revise the “Last updated” date above. Material changes may be communicated through the website or other appropriate channels.

For privacy requests, cookie questions, consent withdrawal, data access, correction, deletion, or other privacy-related matters, contact Elevata Privacy / Data Protection Contact at contact@elevata.io.

• Alameda Rio Negro, nº 503, Sala 2020, Alphaville, São Paulo, Brazil
• 325 Front St W, Toronto, ON M5V 2Y1, Canada