PRIVACY POLICY

How Aria handles your data.

Aria Research · Version 1.0 · Effective from publication date

1. Controller Identification

Aria Research is the trade name of an operation registered under CNPJ 10.686.422/0001-16, owned by Huoston Rodrigues Batista, an Individual Entrepreneur established in Brazil. The Controller is responsible for the processing of personal data collected through this website (ariaresearch.ai) and through the academic consulting services offered by Aria.

For matters relating to this Policy, exercise of data subject rights, or communication with the data protection officer:

Data Protection Officer (DPO): Huoston Rodrigues Batista
Contact channel: contato [at] ariaresearch [dot] ai

2. Scope of this Policy

This Policy applies to the processing of personal data collected by Aria Research in three contexts:

  1. Navigation on the website ariaresearch.ai (across all routes and languages).
  2. Completion of the contact form available at /contato and /contact (when active).
  3. Direct communication between the data subject and Aria via email or videoconference, at any stage of the pre-contractual, contractual, or post-contractual relationship.

The Policy complies with the Brazilian General Data Protection Law (Law No. 13.709/2018 — LGPD) and with the General Data Protection Regulation (EU Regulation 2016/679 — GDPR) of the European Union, whenever the data subject is subject to one or both regimes.

3. Data Collected

3.1. Through the contact form

When the data subject completes the form available at /contato or /contact, Aria collects:

  • Full name
  • Institutional email (preferred)
  • Affiliated institution and country
  • Research field
  • Project stage
  • Type of support requested
  • Estimated timeline
  • Preferred language of interaction
  • Public link to Google Scholar, Lattes, ORCID, or institutional profile
  • Extended project description
  • Funding source (FAPESP, CNPq, CAPES, institutional, personal, or to be determined)
  • Target journal, where applicable

3.2. Through site navigation

Aria does not use tracking cookies, analytics tools, social media pixels, or equivalent technologies that identify or profile the visitor.

The site uses browser local storage (localStorage) exclusively to preserve the user's own preferences (light/dark theme), in such a way that this data is not transmitted to any server.

Web servers may log, by technical necessity of operation and security, standard log data (IP address, user agent, date and time of request). These logs are maintained by the hosting provider and processed under the provider's own policy.

3.3. Through direct communication

During the pre-contractual and contractual phases, Aria may collect additional data voluntarily provided by the data subject: tax identification (CPF, passport number, or equivalent for international clients), invoicing address, bank or payment data, technical research materials (manuscripts, datasets, code), and any other information necessary for the execution of the contracted project.

3.4. Special categories of data

Aria does not intentionally collect sensitive data (racial or ethnic origin, religious belief, political opinion, trade union membership, health data, sexual life, genetic or biometric data, as defined in Art. 5(II) of the LGPD and Art. 9 of the GDPR).

If the data subject voluntarily includes data of this nature within the scope of a contracted research project (for example, by submitting a health research dataset), the processing will be governed by a specific contract with additional clauses, under the corresponding legal basis.

4. Purposes of Processing

The personal data collected is processed exclusively for the following purposes:

  1. To assess the technical and operational feasibility of the project described by the data subject.
  2. To prepare a personalized estimate and commercial proposal.
  3. To establish communication during the pre-contractual phase.
  4. To execute the service contract, when signed, in all its stages.
  5. To comply with tax, accounting, and legal obligations arising from the commercial relationship.
  6. To provide post-delivery support when contractually agreed.
  7. To defend Aria's rights in judicial, administrative, or arbitral proceedings, where applicable.

Aria does not use the collected data for direct marketing, advertising, profiling, sale to third parties, or any other purpose unrelated to the provision of contracted or potential services.

5. Legal Bases

The processing of personal data by Aria is grounded on the following legal bases:

For pre-contractual diligence and contract execution (Art. 7(V) LGPD; Art. 6(1)(b) GDPR): applicable to all data collected through the contact form and during contract negotiation and execution. The data subject voluntarily provides the data in order to receive a proposal and, eventually, contract the service.

For compliance with legal or regulatory obligation (Art. 7(II) LGPD; Art. 6(1)(c) GDPR): applicable to data retained under tax and accounting requirements (invoices, accounting records), for the period determined by applicable legislation.

For legitimate interest (Art. 7(IX) LGPD; Art. 6(1)(f) GDPR): applicable to the limited retention of data from leads that did not convert, for the purpose of subsequent commercial contact within a reasonable timeframe, provided that the rights of the data subject and the balancing test are observed.

For consent (Art. 7(I) LGPD; Art. 6(1)(a) GDPR): applicable when the data subject expressly opts to receive communications that go beyond the contractual purpose (newsletter, recurring editorial content). Aria currently does not operate any communication dependent on consent; this basis is reserved for future use.

6. Data Retention

Personal data is retained for the period strictly necessary to fulfill the purposes for which it was collected, observing the following maximum periods:

Leads that did not convert into contract: 24 months from the last substantive interaction between data subject and Aria, after which the data is deleted.

Clients with signed contract: throughout the duration of the contract and for 5 years after its termination, aligned with the contractual confidentiality term and applicable statutory limitation periods.

Data under mandatory legal retention: invoices, accounting records, and other documents required by Brazilian tax and fiscal legislation are retained for the period determined by the respective rule (generally 5 years), regardless of any deletion request by the data subject.

After the respective periods, data is securely deleted or anonymized when applicable.

7. Sharing and Transfers

Aria does not sell, rent, transfer, or share personal data with third parties for commercial, advertising, or any purpose unrelated to the execution of the contracted service.

Data sharing occurs exclusively with:

Technical infrastructure providers strictly necessary for site and service operation, under contracts with adequate data protection clauses:

  • Hostinger International Ltd. — site hosting and email service. Provider's policy: hostinger.com/privacy-policy.
  • Wise Payments Limited (or equivalent international payment platform) — payment processing for international clients. Provider's policy: wise.com/privacy-policy.
  • Stripe Brasil Soluções de Pagamentos Ltda. — payment processing for Brazilian clients. Provider's policy: stripe.com/br/privacy.

Public authorities and regulatory bodies when required by law, court order, or determination of competent authority.

Professionals under confidentiality obligations (accountants, lawyers) strictly to support Aria's tax, accounting, or legal operations.

7.1. International Transfer

Aria operates with internationally distributed infrastructure. Personal data may be transferred to Brazil, where Aria is fiscally established, and processed in other jurisdictions where the Controller operates or uses technical infrastructure providers.

In all international transfers, Aria applies adequate contractual and technical safeguards, aligned with the requirements of LGPD (Art. 33 et seq.) and GDPR (Chapter V, Arts. 44 to 49), including standard contractual clauses equivalent to those adopted by the European Commission where applicable.

8. Data Subject Rights

LGPD and GDPR ensure the data subject the following rights regarding their personal data:

  1. Confirmation of the existence of personal data processing.
  2. Access to the personal data processed by Aria.
  3. Correction of incomplete, inaccurate, or outdated data.
  4. Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliantly processed data.
  5. Data portability to another service provider, observing commercial and industrial secrecy.
  6. Deletion of personal data processed on the basis of consent, except in cases of mandatory legal retention.
  7. Information about public and private entities with which Aria has shared the data.
  8. Information about the possibility of not providing consent and the consequences of refusal.
  9. Revocation of consent, when this is the applicable legal basis.
  10. Opposition to processing carried out on the basis of legitimate interest, upon substantiated request.
  11. Review of decisions made solely on the basis of automated processing of personal data that affect the data subject's interests (not applicable to Aria's operations, which do not perform automated decision-making).

For data subjects under GDPR jurisdiction, corresponding rights are set out in Arts. 15 to 22 of the Regulation.

8.1. How to exercise your rights

The data subject may exercise any of the rights above by sending a request to contato [at] ariaresearch [dot] ai, identifying themselves and describing the request clearly.

Aria responds to requests within 15 business days from receipt, extendable once by an equal period in cases of demonstrated complexity, with notification to the data subject.

In cases of well-founded doubt about the identity of the requester, Aria may require additional information for confirmation before fulfilling the request.

Exercise of rights is free of charge, except in situations of manifestly unfounded or excessive requests, in which case Aria may charge a reasonable administrative cost or refuse the request, pursuant to Art. 12(5) of the GDPR.

9. Data Security

Aria adopts technical and organizational measures appropriate to protect personal data against unauthorized access, accidental loss, destruction, alteration, or improper disclosure.

Measures implemented include:

  1. TLS/HTTPS encrypted communication across all site traffic.
  2. Strong authentication for access to systems storing personal data.
  3. Access to personal data limited to personnel strictly necessary for service execution.
  4. Mandatory bilateral Confidentiality Agreement (NDA) signed before any substantive research material is exchanged.
  5. Documented retention and deletion policy (Section 6 of this Policy).
  6. Contracts with infrastructure providers that include data protection clauses.

In the event of a security incident that may pose relevant risk or harm to data subjects, Aria will notify the National Data Protection Authority (ANPD) and affected data subjects within the timeframes and in the manner required by applicable legislation (Art. 48 LGPD; Arts. 33 and 34 GDPR).

10. Cookies and Equivalent Technologies

The site ariaresearch.ai does not use tracking, analytics, advertising, or profiling cookies. If this policy is amended in the future to introduce such technologies, this section will be updated and the visitor's explicit consent will be requested as required by applicable legislation.

11. Children and Adolescents

Aria's services are intended exclusively for academic researchers of legal age. Aria does not intentionally collect data from children or adolescents and does not direct its services to that age group. If it is identified that data of a minor has been collected without due legal consent, Aria will proceed with immediate deletion.

12. Complaints to Authorities

The data subject has the right to file a complaint with the National Data Protection Authority (ANPD) in Brazil, or with the competent data protection authority in their jurisdiction, in the European Union or in any other country where they reside.

Brazil — ANPD: www.gov.br/anpd
European Union — list of national authorities: edpb.europa.eu/about-edpb/board/members_en

13. Changes to this Policy

Aria may update this Policy periodically to reflect operational, legal, or regulatory changes. The current version is always the one published on this page, with the effective date indicated at the top of the document.

Material changes — understood as those that expand the scope of processing, modify applicable legal bases, or affect the rights of the data subject — will be communicated with reasonable advance notice to affected data subjects, by email or by prominent notice on the site.

Continued use of the site or services after the effective date of a new version implies awareness of the changes, without prejudice to the data subject's right to exercise any of the rights set out in Section 8.

14. Applicable Law and Jurisdiction

This Policy is governed by the Brazilian General Data Protection Law (LGPD), by the European General Data Protection Regulation (GDPR) when applicable to the data subject, and by other relevant Brazilian regulations.

For disputes related to this Policy, the courts of the District of São Paulo, State of São Paulo, Brazil are elected, without prejudice to the right of the European data subject to bring action before the data protection authority or the courts of their Member State of residence, as ensured by the GDPR.