Privacy Policy

The personal data controller is: Eduardo Walneide Castilho Almeida Email: privacidade@levelpair.com Platform: https://levelpair.com

We collect the following categories of data: Registration data: • Full name • Email • Password (stored with cryptographic hash) Assessment data: • Date of birth, gender, city, academic background • Current position (optional) • Video recordings (2 videos of 2-3 minutes for cognitive analysis) • Video transcriptions (automatically generated) • Personality questionnaire responses (87 Likert questions) AI-generated data: • Cognitive profile (Jaques stratum, stage, connectors, evidence) • Personality profile (social styles, emotional skills) • Love languages (ranking) • Complete Match Report (compatibility, communication, dynamics, projection) Technical data: • IP address • Session data and authentication cookies • Language preference

Your data is processed for: • Account creation and maintenance • Cognitive and personality assessment • Match Report compatibility generation • Payment processing (via Stripe) • Service communication (transactional emails) • Compliance with legal obligations We do NOT use your data for: • Targeted advertising or marketing • Sale to third parties • Automated decisions with legal effects (the report is informational)

Your data processing is based on: • Explicit consent — for video recording, AI analysis, and sharing results with your partner (LGPD Art. 7, I / GDPR Art. 6(1)(a)) • Contract performance — for providing the contracted service (LGPD Art. 7, V / GDPR Art. 6(1)(b)) • Legal obligation — for compliance with tax and regulatory obligations (LGPD Art. 7, II / GDPR Art. 6(1)(c))

LevelPair uses AI (Claude, by Anthropic) to: • Analyze video transcriptions to determine the cognitive profile • Interpret personality questionnaire results • Generate the couples compatibility report Important: • Transcriptions and responses are sent to the Anthropic API for processing • Anthropic does not store data sent via API beyond what is necessary to process the request • AI results are informational and do not constitute a diagnosis or automated decision with legal effects • You have the right to request human review of any result

Your data may be shared with: • Your partner — Match Report results are shared with both assessed partners • Stripe — data necessary for payment processing (name, email) • Anthropic (Claude AI) — transcriptions and responses for analysis (no identifiable data beyond what is necessary) • Resend — email address for transactional emails • Vercel — platform hosting • Neon — PostgreSQL database We do NOT sell, rent, or commercialize your personal data.

Your data may be transferred to servers located outside your country of residence, including the USA (Vercel, Anthropic, Stripe, Resend, Neon). For Brazilian users: international transfer follows Art. 33 of the LGPD, based on explicit consent. For European users: transfer outside the EEA is carried out based on Standard Contractual Clauses (SCCs) approved by the European Commission and/or adequacy decisions, pursuant to Art. 46 of the GDPR.

• Account data: maintained while the account is active • Recorded videos: deleted after transcription and analysis (maximum 30 days) • Transcriptions: maintained while the account is active • Match Reports: maintained while at least one partner's account is active • Payment data: maintained for the legally required period (5 years for tax purposes) • Technical data (logs): maintained for 90 days After account closure, data is deleted within 30 days, except when legally required retention applies.

Under Law No. 13,709/2018, you have the right to: • Confirm the existence of processing • Access your data • Correct incomplete, inaccurate, or outdated data • Anonymize, block, or delete unnecessary or excessive data • Data portability to another provider • Delete data processed with consent • Obtain information about sharing • Be informed about the possibility of not providing consent and its consequences • Revoke consent at any time Response time: up to 15 business days. Channel: privacidade@levelpair.com

Under Regulation 2016/679, you have the right to: • Access (Art. 15) • Rectification (Art. 16) • Erasure — "right to be forgotten" (Art. 17) • Restriction of processing (Art. 18) • Portability (Art. 20) • Objection (Art. 21) • Not be subject to automated decisions (Art. 22) • Lodge a complaint with the supervisory authority in your country Response time: up to 30 days (extendable by 60 in complex cases). Channel: privacidade@levelpair.com

Under the CCPA (Cal. Civ. Code §1798.100 et seq.) and CPRA, you have the right to: • Know what personal data we collect, use, and share • Request deletion of your data • Opt out of personal data sales (we do NOT sell your data) • Not be discriminated against for exercising your rights • Correct inaccurate information • Limit use of sensitive personal information Categories of personal data collected in the last 12 months: identifiers, biometric data (video/voice), internet activity information. Response time: up to 45 days. Channel: privacidade@levelpair.com

LevelPair is intended exclusively for individuals 18 years of age or older. We do not intentionally collect data from minors. If we become aware that a minor's data has been collected, it will be immediately deleted. Parents or guardians who identify minors' data on the platform should contact: privacidade@levelpair.com

We use only strictly necessary cookies: • Session cookie (next-auth.session-token) — maintains your authentication • Language cookie (NEXT_LOCALE) — stores your language preference We do NOT use: • Analytics or tracking cookies • Advertising cookies • Third-party cookies for marketing purposes As we only use essential cookies, specific cookie consent is not required (Art. 5(3) of the ePrivacy Directive / LGPD).

We adopt technical and organizational measures to protect your data: • Passwords stored with bcrypt hash • Communication via HTTPS/TLS • Database with restricted and encrypted access • Invitation tokens with 30-day expiration • JWT authentication with secure session tokens • Infrastructure hosted on providers with SOC 2 and ISO 27001 certifications

In case of a personal data breach: • Affected users will be notified within 72 hours (per GDPR Art. 33-34) • The ANPD (Brazil) and/or competent European authority will be notified when applicable • Immediate measures will be taken to mitigate the effects of the breach

This policy may be updated periodically. Significant changes will be communicated by email at least 30 days in advance. We recommend reviewing this page periodically.

For questions, complaints, or exercise of privacy-related rights: • Email: privacidade@levelpair.com • Responsible: Eduardo Walneide Castilho Almeida

The Data Protection Officer (DPO) is: Eduardo Walneide Castilho Almeida Email: privacidade@levelpair.com The DPO is the point of contact for data subjects and data protection authorities.