Privacy Policy
Last updated: March 21, 2026
This policy follows a GDPR-first architecture — the most stringent standard is our global default.
This is a single, unified Privacy Policy that applies to all users worldwide. Regional sections for the European Union (GDPR), Brazil (LGPD), and the United States (CCPA/CPRA) are included below and apply in addition to the general provisions. Where regional law provides stronger protections, the regional law prevails.
1. General Overview
Instrumento.io ("we," "our," or "us") is a software-as-a-service platform that helps nonprofit organisations measure, track, and communicate social impact. This Privacy Policy explains how we collect, use, disclose, and protect personal information across all jurisdictions in which we operate.
Our architecture follows a GDPR-first principle: the most stringent standard (EU GDPR) is our default baseline. Users in regions with less prescriptive requirements benefit from the same level of protection unless they actively choose otherwise.
DPO / Encarregado: [email protected]
2. Data We Collect
We collect personal information in three ways: information you provide directly, information generated automatically by your use of the platform, and information received from third-party services you connect.
Information You Provide Directly
- Name and email address when you register
- Organisation name and mission details
- Payment and billing information processed by Stripe
- Program data and participant information you upload into the platform
- Communications you send to our support team
Information Collected Automatically
- IP address and approximate geographic location
- Browser type, operating system, and device identifiers
- Pages visited and features used within the platform
- Session duration and interaction patterns
Information from Third-Party Integrations
- Data from Google Sheets, Airtable, or other data sources you connect
- Authentication data from Google OAuth if you choose to sign in with Google
3. Legal Bases for Processing
We process personal data only when a valid legal basis exists. The table below applies globally; regional supplements in Sections 8–10 provide additional detail.
| Processing Activity | Legal Basis | Applies To |
|---|---|---|
| Account creation and management | Contract performance | All users |
| Service delivery and platform features | Contract performance | All users |
| Payment processing | Contract performance | All users |
| Customer support | Contract performance / Legitimate interest | All users |
| Security and fraud prevention | Legitimate interest | All users |
| Platform analytics and improvement | Legitimate interest (with consent where required) | All users |
| Compliance with legal obligations | Legal obligation | All users |
| Marketing communications | Consent (opt-in, separately obtained) | All users |
| Non-essential cookies and tracking | Consent (via cookie banner) | All users |
Where processing is based on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights. You may request a copy of this assessment at [email protected].
Where processing is based on consent, you may withdraw it at any time without penalty and without losing access to core platform features.
4. How We Use Your Information
We use the information we collect to provide and maintain the Service, including account management, feature delivery, and technical support. We use it to process payments and manage subscriptions, to communicate service updates, security alerts, and support responses, to improve the platform through analysis of aggregated usage patterns, to detect and prevent fraud, abuse, and security incidents, and to comply with applicable laws and respond to lawful requests from authorities.
We do not sell your personal information. We do not use your program participant data for any purpose other than delivering the Service to you.
5. Data Sharing and Disclosure
We share personal information only in the following circumstances:
- Service providers: Third-party vendors who process data on our behalf under strict data processing agreements, including Stripe (payments), Amazon Web Services (cloud infrastructure), and analytics providers.
- Business transfers: In connection with a merger or acquisition, where the acquiring entity will be required to honour this policy.
- Law or legal process: When required by valid court orders or regulatory requests.
- Protection of rights and safety: When necessary to prevent harm or enforce our terms.
- With your explicit consent: For any purpose you specifically authorise.
6. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this policy, unless a longer period is required by law.
- Account data: retained for the duration of your subscription plus 90 days following account closure.
- Program participant data: retained as long as your account is active and deleted within 90 days of account closure.
- Consent logs and data subject request records: retained for five years to satisfy audit requirements.
- Payment records: retained for seven years to comply with financial regulations.
You may request early deletion of your data at any time by contacting [email protected]. We will confirm the deletion within 15 days.
7. Data Security
We implement technical and organisational measures appropriate to the risk, including:
- TLS/SSL encryption for all data in transit
- Role-based access controls within the platform
- Third-party OAuth authentication with no passwords stored on our servers
- Managed cloud infrastructure with built-in security controls
- PCI DSS Level 1 compliant payment processing through Stripe
In the event of a personal data security incident that may result in significant risk or harm, we will notify the relevant supervisory authority within 72 hours of becoming aware of the incident and will notify affected data subjects without undue delay.
8. European Users — GDPR Supplement
This section applies to users located in the European Economic Area (EEA), the United Kingdom, and Switzerland. It supplements the general provisions above and reflects the requirements of Regulation (EU) 2016/679 (GDPR) and, where applicable, the UK GDPR.
8.1 Your Rights Under the GDPR
You have the following rights, which you may exercise at any time by contacting [email protected]:
| Right | Description | Response Time |
|---|---|---|
| Right of Access (Art. 15) | Obtain confirmation of processing and a copy of your personal data | 30 days |
| Right to Rectification (Art. 16) | Correct inaccurate or incomplete data | 30 days |
| Right to Erasure (Art. 17) | Request deletion ("right to be forgotten") | 30 days |
| Right to Restriction (Art. 18) | Restrict processing in certain circumstances | 30 days |
| Right to Portability (Art. 20) | Receive your data in a structured, machine-readable format | 30 days |
| Right to Object (Art. 21) | Object to processing based on legitimate interest | Immediate cessation pending review |
| Right not to be subject to automated decisions (Art. 22) | Request human review of automated decisions | 30 days |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time | Immediate |
8.2 Consent Architecture (GDPR)
For EU users, our system operates in strict opt-in mode. No non-essential scripts, cookies, or tracking are activated until you have explicitly accepted them through our cookie banner. Acceptance of our Terms of Service does not constitute consent to data processing. Consent is obtained through a separate, granular mechanism and may be withdrawn at any time through your account's Privacy Settings.
8.3 International Data Transfers
When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) as the transfer mechanism for all cloud infrastructure providers. You may request a copy of the applicable SCCs by contacting [email protected].
8.4 Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
9. Brazilian Users — LGPD Supplement
This section applies to users located in Brazil and reflects the requirements of the Lei Geral de Proteção de Dados Pessoais (LGPD), Lei nº 13.709/2018.
9.1 Your Rights Under the LGPD
Pursuant to Art. 18 of the LGPD, you have the following rights, exercisable at any time by emailing [email protected]. We respond within 15 days of receiving the request.
| Right | Description |
|---|---|
| Confirmation and Access (Art. 18, I–II) | Confirm whether we process your data and obtain a copy |
| Correction (Art. 18, III) | Correct incomplete, inaccurate, or outdated data |
| Anonymisation, blocking, or deletion (Art. 18, IV) | Request anonymisation, blocking, or deletion of unnecessary data |
| Portability (Art. 18, V) | Receive your data in a structured format for another provider |
| Deletion (Art. 18, VI) | Request deletion of data processed based on consent |
| Information on sharing (Art. 18, VII) | Know which entities your data has been shared with |
| Revocation of consent (Art. 18, IX) | Revoke consent at any time without penalty |
| Review of automated decisions (Art. 20) | Request human review of automated decisions |
9.2 Encarregado de Dados (DPO)
Pursuant to Art. 41 of the LGPD, we have appointed a Data Controller (Encarregado de Dados) responsible for handling data subject requests and maintaining communication with the ANPD:
9.3 Legal Bases (LGPD Art. 7)
The complete mapping of legal bases for each processing activity is available in Section 3 of this document. For sensitive data (Art. 5, II of the LGPD), we require explicit consent from the data subject or another legal basis provided in Art. 11.
9.4 Incident Notification
In the event of a security incident with significant risk, we will notify the ANPD and affected data subjects within 72 hours, pursuant to Art. 48 of the LGPD and Resolution CD/ANPD nº 2/2022.
9.5 National Authority
You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD): www.gov.br/anpd
10. United States Users — CCPA/CPRA Supplement
This section applies to residents of California and reflects the requirements of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). It supplements the general provisions above.
10.1 Your Rights Under the CCPA/CPRA
| Right | Description | Response Time |
|---|---|---|
| Right to Know | Request disclosure of the categories and specific pieces of personal information we have collected about you | 45 days |
| Right to Delete | Request deletion of personal information we have collected, subject to exceptions | 45 days |
| Right to Correct | Request correction of inaccurate personal information | 45 days |
| Right to Opt-Out of Sale or Sharing | We do not sell or share personal information for cross-context behavioural advertising. No opt-out is required. | N/A |
| Right to Limit Use of Sensitive Personal Information | Limit our use of sensitive personal information to necessary purposes | 45 days |
| Right to Non-Discrimination | We will not discriminate against you for exercising any of these rights | N/A |
10.2 No Sale of Personal Information
We do not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioural advertising. You may verify this commitment at any time by contacting [email protected].
10.3 Exercising Your Rights
California residents may submit requests by emailing [email protected] with the subject line "CCPA Request." We will verify your identity before processing your request and respond within 45 days.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the platform, remember your preferences, and (with your consent) analyse usage patterns. Our cookie banner allows you to accept all cookies, reject non-essential cookies, or customise your preferences by category.
- Essential cookies are always active and necessary for the platform to function. They include session authentication, security tokens, and language preferences.
- Analytics cookies help us understand how users interact with the platform. These are activated only with your consent.
- Functionality cookies remember your preferences and customisations. These are activated only with your consent.
- Marketing cookies are used only if you have explicitly opted in. We do not use marketing cookies by default.
For EU users, all non-essential cookies are blocked until you provide explicit consent. For users in other regions, non-essential cookies may be active by default but can be disabled at any time through the cookie banner or your Privacy Settings page.
12. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact [email protected] immediately.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy on our website, updating the "Last updated" date, and sending an email notification to registered users at least 30 days before changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
14. Contact
For all privacy-related requests, complaints, or inquiries — regardless of your location — please contact:
Instrumento.io
5 Union Square West #1396
New York, NY 10003, USA
Phone: +1 (480) 227-8607