Privacy Policy
Version 1.0 — Last updated: June 5, 2026
Glossary of key terms
To make this document easier to read, here are the main concepts used throughout:
- Personal data: any information that identifies or makes it possible to identify a person — such as a name, email address, or IP address.
- Sensitive data: a special category of data with greater potential for discrimination, such as racial origin, religious beliefs, health data, political opinions, or biometric data.
- Controller: the company or person who decides why and how personal data is processed. On this site, the controller is Caio Ramos da Silva LTDA.
- Processor: a company or person that processes personal data on behalf of the controller, following their instructions — such as the hosting and email delivery providers we use.
- Processing: any operation performed on personal data — collection, storage, use, sharing, anonymisation, or deletion.
1. Who we are (Data Controller)
This Privacy Policy applies to the entire caio-ramos.com website. Currently, the only points of data interaction are the contact form and CRIA, a beta AI assistant that answers questions about the portfolio and the company's positioning.
The controller responsible for processing your data is:
- Legal name: Caio Ramos da Silva LTDA
- CNPJ (Brazilian company registration): 57.837.838/0001-51
- Size: Micro-enterprise (ME)
- Registered address: Avenida Paulista, 1106, Suite 01 / Floor 16, Bela Vista, São Paulo/SP, CEP 01310-914, Brazil
- Privacy contact: hello@caio-ramos.com
For the purposes of this Policy, "we", "our", and "Caio Ramos" refer to the controller identified above.
This Privacy Policy forms part of an integrated regulatory framework alongside the Terms of Use available at caio-ramos.com/en/terms. The Terms of Use govern general conditions of access and use; this Policy governs specifically the processing of personal data. In matters of data protection, this Policy prevails over the Terms of Use.
As a company headquartered in Brazil, Caio Ramos da Silva LTDA is fully subject to the Brazilian General Data Protection Law (LGPD — Lei nº 13.709/2018). Although classified as a Micro-enterprise (ME) — benefiting from a proportionate administrative regime — we voluntarily adopt the European General Data Protection Regulation (GDPR) as an additional reference standard, seeking the highest level of transparency and care for data subjects.
2. What data we collect
2.1 Contact form
We collect only the data you voluntarily provide when filling out the contact form:
- Name
- Email address
- Message subject
- Message content
- Preferred language (Portuguese or English, as selected on the site)
We also automatically record, for security and abuse-prevention purposes (such as automated spam submissions):
- Sender's IP address
- Date and time of submission
These data points are handled in two distinct ways depending on their nature: request technical logs (originating IP, HTTP headers) are generated automatically by our provider's infrastructure (Lovable Cloud / Supabase) with each backend request, retained for up to 7 days under the current plan, and discarded automatically — the retention period and deletion are outside our direct control. Error diagnostic data that may be recorded in our database (IP, approximate location, browser type, and technical error information) are retained for up to 12 months for security analysis purposes and deleted automatically after that period.
We do not collect sensitive data (such as racial origin, religious beliefs, health data, or political opinions) and ask that you do not include them in your message.
2.2 CRIA assistant (beta)
CRIA does not request or require any personal data to function — it is simply a free-text input for questions about the portfolio and the company's positioning, with no login, registration, or tracking cookies.
Conversations with CRIA are ephemeral: they exist only during your session and disappear when you close or refresh the page. No conversation is stored by the site — there is no database record, and no content is retained.
To generate responses, the text you type is transmitted to an AI service (see Section 5). This service operates on a paid tier, under which the provider does not use messages to train its models; there may be transient logging for a short period, solely for security and abuse-prevention purposes. Even so, we ask that you do not include personal or sensitive data in messages to CRIA — if you do so voluntarily, that data will pass through the service solely to generate the response.
3. Why we use your data (Purposes and legal bases)
| Purpose | Legal basis (LGPD / GDPR) |
|---|---|
| Responding to general enquiries (questions, messages, communication) | Legitimate interest |
| Providing proposals, quotes, or estimates, when actively requested by you | Steps prior to contract |
| Preventing spam, fraud, and abusive use of the form | Legitimate interest |
| Sending marketing communications (news, updates), only if you expressly consent | Consent |
| Complying with legal and tax obligations when the contact results in a commercial relationship | Legal obligation |
Sending marketing communications requires your explicit consent, given by actively checking a checkbox in the form, which is never pre-checked. You may withdraw this consent at any time, without affecting our response to your enquiry.
4. How long we keep your data (Retention)
Data is retained for different periods depending on its nature and purpose:
Request technical logs (originating IP, HTTP headers recorded by the Lovable Cloud / Supabase infrastructure): retained for up to 7 days under the current plan, discarded automatically by the provider. Retention period and deletion are outside our direct control.
Error diagnostic data (IP, approximate location, browser type, technical error information — recorded in our database in the event of a technical failure): retained for up to 12 months for security and site-stability analysis, deleted automatically after that period.
Contact form messages (name, email, subject, content): data exists in two copies with distinct treatments at the end of the retention period:
- Database (Lovable Cloud / Supabase): retained for up to 24 (twenty-four) months from the date of last contact. After that period, the data that personally identifies you is automatically anonymised — it can no longer be associated with you; statistical records (such as date and language of contact) that do not permit identification may be retained.
- Corporate email inbox (Google Workspace): a copy of the message is automatically forwarded to the company email inbox as a notification. This copy is retained for the same 24 (twenty-four) month period and, at the end of that period, is permanently deleted — it is not anonymised, as the email format does not allow for equivalent technical anonymisation.
Fiscal exception: where the contact results in an actual commercial relationship, both copies may be retained for a longer period due to legal and fiscal obligations applicable in Brazil (generally 5 years), in accordance with applicable legislation.
5. Who we share your data with (Processors / Sub-processors)
We do not sell or commercialise your personal data. To operate the site, the contact form, and the CRIA assistant, we use service providers that process data on our behalf:
- Lovable Cloud (database and hosting infrastructure, built on Supabase) — storage of messages submitted via the contact form.
- Resend (transactional email delivery service) — processing the sending of notification and confirmation emails.
- Google Workspace (corporate email service) — receiving and storing the notification of each contact form submission in the company inbox (hello@caio-ramos.com). Google acts as a processor under the Google Workspace data processing terms, which incorporate European SCCs for international transfers.
- Lovable AI Gateway (routing to the Google Gemini model, paid tier) — processing messages sent to the CRIA assistant, solely to generate real-time responses. Under Google's terms for paid services, prompts and responses are not used to train models; Google may log them transiently for a limited period, solely for security and abuse prevention. No conversation is stored by this site.
- Adobe (Adobe Fonts / Typekit, via Creative Cloud Pro plan) — delivery of web fonts to your browser via the use.typekit.net service. Adobe acts as a processor under a signed Data Processing Agreement (DPA), in the capacity of Data Processor. Adobe states that it does not store the visitor's IP address or use cookies to serve fonts.
These providers process data on servers located outside Brazil, including in the United States. This international transfer is covered by Data Processing Agreements (DPAs) signed with each provider, incorporating the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914). Resend additionally holds certification under the EU-U.S. Data Privacy Framework. In Adobe's case, transfers are consolidated via Adobe Systems Software Ireland Limited as the initial European recipient, as set out in the applicable DPA.
Under the Brazilian framework, Resolution CD/ANPD No. 19/2024 established national Standard Contractual Clauses (CPCs) as a mandatory instrument for international transfers covered by contractual clauses. The formal adoption of the Brazilian CPCs with the providers above is in progress as part of this company's ongoing legal review, with the aim of ensuring full compliance with the LGPD and ANPD regulations across all applicable jurisdictions.
6. Your rights
6.1 Under the LGPD (Brazil)
Under the LGPD, you have the right at any time, upon request, to:
- Confirm whether your data is being processed
- Access your data
- Correct incomplete, inaccurate, or outdated data
- Request the anonymisation, blocking, or deletion of unnecessary data or data processed in violation of the law
- Request data portability
- Withdraw consent
- Obtain information about the entities with which we share your data
6.2 Under the GDPR (European Union)
If you are located in the European Union, you also have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection to processing, as well as the right to lodge a complaint with a supervisory authority.
6.3 Under United States law (including CCPA — California)
Under the California Consumer Privacy Act (CCPA), if you are a California resident, you have the right to know what personal data we collect, to request its deletion, and not to be discriminated against for exercising these rights. We do not sell personal data as defined under applicable law.
6.4 How to exercise your rights — request procedure
Contact channel: all data subject requests must be sent to hello@caio-ramos.com, with the subject line "Privacy Request".
What to include in your message:
- Identification: your full name and the email address you used when interacting with the site (the same one used in the contact form, if applicable);
- Right you wish to exercise: clearly describe what you are requesting — for example, access to your data, correction, deletion, or withdrawal of consent;
- Country of residence: please indicate the country where you reside. This information allows us to correctly apply the data protection rules of your jurisdiction. Failure to provide this information does not block the processing of your request — we will apply the most protective standard available;
- Context: any information that helps us locate your data, such as the approximate date of your enquiry or the subject of the message you sent.
No specific form needs to be completed, nor are additional documents required for straightforward requests. If we need to verify your identity to protect third-party data, we will request only the minimum information necessary.
Response times by jurisdiction:
- Brazil (LGPD): we will respond within 15 (fifteen) days of receiving the request, in accordance with Art. 19 of the LGPD.
- European Union and United Kingdom (GDPR / UK GDPR): we will respond within 1 (one) month of receiving the request. In cases of complexity or high volume of requests, this period may be extended by a further two months, with prior notice and justification to the data subject.
- California, USA (CCPA/CPRA): we will respond within 45 (forty-five) days of receiving the request, in accordance with applicable legislation. In cases of justified need, this period may be extended by a further 45 days, with prior notice to the data subject.
- Other jurisdictions: we will respond within the period prescribed by the legislation applicable to your country of residence, when informed. In the absence of that information, we will apply the LGPD rules as the default.
In practice, we adopt 15 days as our operational standard for all requests, as it is the most restrictive — ensuring compliance with Brazilian and international legislation at the highest standard of quality. In cases where complexity justifies a longer period, we will inform you in advance with the applicable justification. When the country of residence is not provided, the request will be handled under the terms of the LGPD.
When we are unable to fulfil a request: if we are unable to fulfil your request in whole or in part — for example, due to a legal retention requirement or the technical impossibility of identifying the data — we will explain the reason in writing within the applicable period. The data subject retains the right to refer the matter to the data protection authority in their jurisdiction:
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
- European Union: supervisory authority of your country of residence (full list of national authorities at edpb.europa.eu)
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- California (USA): California Attorney General — oag.ca.gov
7. Security and incident notification
We adopt reasonable technical and organisational measures to protect your data against unauthorised access, loss, or destruction, including: encrypted communications via TLS/SSL protocol across all HTTPS site traffic; access controls on stored data; and protections against automated abusive form submissions. No system, however, is entirely immune to risk.
In the event of a security incident that may pose a risk or cause harm to data subjects — such as unauthorised access, data leakage, or destruction — we will notify the competent data protection authority and the affected data subjects. Legal timeframes vary by jurisdiction: Resolution CD/ANPD No. 15/2024 provides for 6 (six) business days for small-scale operators in Brazil; the GDPR requires 72 (seventy-two) hours for notification to the supervisory authority in the European Union. We adopt 72 hours as our single operational standard, as it is the most restrictive — ensuring simultaneous compliance with Brazilian and international legislation at the highest standard of quality. The notification will include information about the nature of the incident, the data involved, and the measures taken.
8. Cookies and similar technologies
This site does not use advertising tracking cookies, nor traffic or behavioural analytics tools (such as Google Analytics, Meta Pixel, or similar). We do not track your browsing for advertising or profiling purposes.
We use only cookies and storage technologies strictly necessary for the site to function, namely:
- Language preference: we store your language choice (Portuguese or English) locally in your browser (localStorage), so we do not need to ask again on each visit. This data remains only on your device, contains no personal identifier, and is not sent to third parties.
- Restricted area session cookies: only after authentication in the site's administrative area (access restricted to the site owner) are session cookies used to maintain the login. Public site visitors do not receive these cookies.
- Web fonts (Adobe Fonts / Typekit): the site loads fonts via the Adobe Fonts service (use.typekit.net), accessed under a paid Creative Cloud Pro plan. To deliver the fonts, this process transmits your IP address to Adobe's servers (including in the United States) — a technically unavoidable step for the font to be delivered to your browser. Adobe acts as a processor under a signed DPA and states that it does not store this IP address or use cookies to serve fonts. This transmission is covered by the data processing agreement entered into with Adobe, and is the only third-party service loaded on the public site.
As we use only storage and cookies strictly necessary for the site's operation, we do not display a cookie consent banner, as permitted under applicable legislation. You may at any time delete locally stored data and cookies via your browser settings.
9. Children and minors
The site and contact form are not intended for minors. We do not intentionally collect data from children or adolescents. Should we identify such a collection, the data will be deleted immediately.
The protections in place are proportionate to the site's profile and the actual risk involved:
- Professional nature of the site: the content, vocabulary, and purpose of the site are strictly B2B — YouTube growth strategy and thumbnail design for brands, creators, and agencies. The professional nature of the service does not attract a minor audience by its own design.
- Contact form: the fields require professional context (subject, message, proposal, or quote). Every submission is read by the company owner, which allows for the immediate identification and deletion of any data inadvertently submitted by a minor.
- CRIA assistant: conversations are ephemeral — they are not stored in a database or retained by the site. Even if a minor interacts with the assistant, no personal data is collected or kept.
10. Changes to this Policy and version control
We may update this Policy periodically. The version number and date of the last update are indicated at the top of this document.
Consent record. When you submit data via the contact form, the system records the version of the Policy in force at that time and the date of consent, for evidentiary purposes. If you wish, you may request a copy of the specific version of this Policy to which you consented, via the contact email below.
Notification of changes. When we make material changes to this Policy, we will notify by email those data subjects who have consented to previous versions and whose email address is in our records.
Effect of changes. Changes that require consent — in particular the sending of marketing communications — will only take effect upon a new affirmative action on your part; silence or non-response is not considered consent. Changes that do not require consent (for example, adjustments relating to processing necessary to respond to your enquiry or to secure the site) take effect on the date indicated, and continued use of the site following notification implies awareness of those changes.
Continued browsing constitutes awareness of the new version of the Policy. This does not, however, eliminate your rights: you retain the full right to object to the continued processing of your data based on legitimate interest, at any time, via the contact channels set out in this document.
We recommend reviewing this page regularly.
11. Applicable law and jurisdiction
This Policy is governed by Brazilian law, in particular the LGPD. The courts of the district of São Paulo/SP, Brazil, are elected as the venue for resolving any disputes arising from this Policy, without prejudice to the data subject's right to bring proceedings before the court of their domicile where so provided by law.
As a company headquartered in Brazil, Caio Ramos da Silva LTDA is fully subject to the LGPD: all principles, legal bases, and data subject rights apply without reduction. As a Micro-enterprise (ME), it benefits from the proportionate regime provided by the ANPD for small-scale operators, which simplifies certain internal administrative obligations (such as the form of record-keeping), without reducing your rights or the level of protection of your data. As a complement, we voluntarily adopt the GDPR as a high-standard reference — even though it does not provide for size-based exemptions — reinforcing our commitment to international best practices.
Where the data subject is located outside Brazil, the data protection rules of the relevant jurisdiction also apply, to the extent applicable — notably the General Data Protection Regulation (GDPR) in the European Union, the UK GDPR in the United Kingdom, and the California Consumer Privacy Act (CCPA/CPRA) in the United States. In order for us to correctly identify and apply the law of your jurisdiction, we ask that data subjects provide their country of residence when exercising their rights, as set out in the procedure described in Section 6.4.
The elected court of São Paulo/SP applies to disputes of a contractual or civil nature arising from this Policy. For data subjects located in the European Union or the United Kingdom, disputes specifically relating to the processing of personal data under the GDPR or UK GDPR may be referred to the data protection supervisory authority of the data subject's country of residence — independently of the elected contractual forum and without prejudice to available judicial remedies. The right to refer a matter to the supervisory authority is a right of the data subject that cannot be overridden by a choice of forum clause.
12. Contact
For any questions, requests, or exercise of rights relating to this Privacy Policy:
Caio Ramos da Silva LTDA
CNPJ: 57.837.838/0001-51
Email: hello@caio-ramos.com