Terms of Use and Privacy Policy

Find all the information needed to use Forlex safely and confidently

PRIVACY POLICY

FORLEX LTDA.
Version 5.0
Last updated: January 09, 2026

FORLEX Ltda. ("we", "our", "FORLEX"), a private legal entity, registered under CNPJ No. 49.118.347/0001-22, headquartered at insert address, is committed to protecting the privacy and personal data of its users, clients, and other data subjects. This Privacy Policy ("Policy") describes FORLEX's practices regarding the collection, use, storage, sharing, and protection of personal data on our website www.forlex.ai ("Site") and in the services offered through our platform ("Services"), in compliance with:

  • Law No. 13.709/2018, the General Personal Data Protection Law (LGPD);
  • Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR);
  • Resolutions and Guidelines of the ANPD (National Data Protection Authority), as applicable.

By using our Services, the data subject acknowledges having read and understood the terms of this Policy. In case of any doubts, the data subject may contact our Data Protection Officer (DPO) via email at privacy@forlex.ai.


1. Definitions and Glossary

For the purposes of this Policy, the following definitions are adopted, in compliance with Art. 5 of the LGPD and Art. 4 of the GDPR:

| Term | Definition |
|---|---|
| Personal Data | Information relating to an identified or identifiable natural person (Art. 5, I, LGPD / Art. 4, 1, GDPR). |
| Sensitive Personal Data | Personal data revealing racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic, biometric, health, or sexual life data (Art. 5, II, LGPD / Art. 9 GDPR). |
| Data Subject | Natural person to whom the personal data being processed relates. |
| Controller | Natural or legal person who determines the purposes and means of the processing of personal data. |
| Processor | Natural or legal person who processes personal data on behalf of the Controller. |
| Processing | Any operation performed on personal data: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, control, modification, communication, transfer, dissemination, or extraction. |
| DPO | Person appointed to act as a communication channel between the Controller, data subjects, and the ANPD. |
| ANPD | National Data Protection Authority, the agency responsible for overseeing compliance with the LGPD. |
| DPA | Data Processing Agreement. |
| DPIA | Data Protection Impact Assessment (Art. 38, LGPD / Art. 35, GDPR). |
| SCC | Standard Contractual Clauses for the international transfer of data. |
| AI Training | The process of using data for the development, fine-tuning, validation, or improvement of artificial intelligence or machine learning models. |

2. Fundamental Principles

This Policy is structured based on the principles of Art. 6 of the LGPD and Art. 5 of the GDPR:

  • Purpose: collection exclusively for legitimate, specific, explicit purposes informed to the data subject, prohibiting further incompatible processing.
  • Adequacy: compatibility of processing with the purposes informed to the data subject.
  • Necessity: limitation to the minimum necessary, with relevant, proportional, and non-excessive data.
  • Transparency: clear, precise, and easily accessible information about the processing.
  • Free Access: facilitated and free consultation regarding the form and duration of the processing.
  • Data Quality: accuracy, clarity, relevance, and up-to-dateness of the data.
  • Security: technical and administrative measures to protect against unauthorized access, destruction, loss, alteration, or dissemination.
  • Prevention: measures to prevent damages resulting from the processing.
  • Non-Discrimination: prohibition of processing for unlawful or abusive discriminatory purposes.
  • Accountability: demonstration of the adoption of effective compliance measures.
  • Privacy by Design and by Default: integration of data protection from the design of systems (Art. 46, §2, LGPD / Art. 25, GDPR), ensuring that only strictly necessary data is processed by default.

3. The Relationship Dynamics: FORLEX as a Data Processor

FORLEX predominantly acts as a Data Processor, processing personal data based on the instructions and on behalf of its clients (Data Controllers).

3.1. Account Modalities

  • Corporate Client (CNPJ): The organization is the Controller, responsible for determining the purpose and legal basis for the processing of its users' data. FORLEX processes this data strictly on behalf of the organization.
  • Individual Client (CPF): The individual is the Controller of their own personal data. If they manage additional users, they also assume the role of Controller for that data.

Regardless of the modality, the data subject is always the natural person whose data is processed, enjoying all rights provided by the legislation.

3.2. Data Processing Agreement (DPA)

FORLEX enters into a DPA with each client, detailing: (i) scope and purpose of processing; (ii) categories of data; (iii) security measures; (iv) conditions for sub-processing; (v) obligations in case of a breach; and (vi) data return or deletion procedures.


4. Non-Use of Data for Artificial Intelligence Training

FORLEX undertakes the express and irrevocable commitment that personal data, usage data, and any content provided or generated by data subjects during the use of the Services will NOT be used, directly or indirectly, for:

  • Training, development, fine-tuning, validation, or improvement of artificial intelligence models, machine learning, or neural networks, whether by FORLEX or third parties;
  • Feeding knowledge bases, linguistic corpora, or datasets intended for the development of natural language processing (NLP) technologies or generative models;
  • Any form of data mining or automated pattern extraction to enhance AI algorithms or systems;
  • Creation of automated behavioral profiles to feed predictive models, except when strictly necessary for providing the contracted service and upon the Controller's specific consent.

This prohibition applies to all categories of data processed by FORLEX, including personal data, navigation data, metadata, interaction logs, executed queries, uploaded documents, and generated results. FORLEX guarantees that its sub-processors and AI service providers are contractually bound to observe this same restriction, forbidden from using any data processed through the FORLEX platform to train their models. Breach of this clause by sub-processors will be treated as a security incident, subject to the procedures in Section 12, and will prompt an immediate review of the contractual relationship.

Technical Note: FORLEX may use AI to provide the contracted Services (e.g., document analysis). This utilization operates exclusively at inference-time, without retention or reuse of the data for training.


5. Personal Information Collected

We collect information that can identify the data subject ("Personal Information") in the following scenarios:

5.1. Provided by the Data Subject

  • Registration Data: name, email, phone number, job title, company name, and other data necessary for account creation.
  • Communication Data: name, contact, and message content during interactions with FORLEX.
  • Payment Data: billing data processed by a PCI-DSS certified intermediary.
  • Support Data: name, email, phone number, and support request information.

5.2. Collected Automatically

  • Log Data: IP address, browser, date/time, visited pages.
  • Usage Data: features used, time zone, country, user-agent, device.
  • Device Data: OS, browser, and settings.
  • Cookies: as per Section 7.

5.3. Social Media

When interacting with our pages on social platforms, we may collect contact data voluntarily provided and receive aggregated analytics from the operators of those platforms.


FORLEX does not sell, trade, or rent personal data. Processing is carried out to:

| Purpose | Description | Legal Basis |
|---|---|---|
| Service Provision | Provide, administer, and maintain the contracted Services. | Contract performance (Art. 7, V, LGPD / Art. 6, 1, b, GDPR) |
| Support | Answer support requests and inquiries. | Contract performance (Art. 7, V, LGPD / Art. 6, 1, b, GDPR) |
| Communication | Operational and contractual notifications. | Legitimate interest (Art. 7, IX, LGPD / Art. 6, 1, f, GDPR) |
| Improvement | Develop features and improve UX. | Legitimate interest (Art. 7, IX, LGPD / Art. 6, 1, f, GDPR) |
| Security | Prevent fraud and protect systems. | Legal oblig. + Leg. interest (Art. 7, II/IX, LGPD) |
| Legal Obligations | Comply with legal and regulatory obligations. | Legal obligation (Art. 7, II/VI, LGPD / Art. 6, 1, c, GDPR) |
| Aggregated Analysis | Anonymized data for statistical purposes. | Legitimate interest (without identification) |

FORLEX adopts explicit and granular consent for non-necessary cookies, according to the ANPD Guide.

7.1. Classification

  • Necessary: essential for operation. Basis: Legitimate Interest. Cannot be disabled.
  • Analytical: user behavior. Basis: Consent.
  • Advertising: ad personalization. Basis: Explicit Consent.
  • Functionality: preferences (language, region). Basis: Legitimate Interest.

Cookie banner with three equitable options: Accept All; Reject Non-Necessary; Manage Cookies (categories disabled by default).

7.3. Mapping

| Cookie | Category | Purpose | Legal Basis | Retention | Sharing |
|---|---|---|---|---|---|
| forlex-session-* | Necessary | Authentication | Leg. Interest | Session | No |
| i18n_redirected | Functional | Language | Leg. Interest | 12 months | No |
| ga_(id) | Analytical | Traffic | Consent | 24 months | Google (anonym.) |

8. Sharing of Personal Data

  • Sub-processors: hosting, cloud, payments, analytics. Sharing exclusively for contractual obligations, under the terms of the DPA.
  • Corporate Transfers: in mergers, acquisitions, or reorganizations, safeguarding guarantees.
  • Legal Obligations: when required by law, regulation, or court order.
  • Affiliates: entities under common control with FORLEX, in compliance with this Policy.
  • Other Users: actions visible to users within the same organization.

8.1. Sub-processor Management

All sub-processors are contractually obligated to: (i) process data according to FORLEX's instructions; (ii) implement compatible security; (iii) not use data for AI training; (iv) cooperate with audits. A list of sub-processors is available upon request to the DPO.


9. International Data Transfer

  • Storage in Brazil, EU, or the US, depending on the client's choice.
  • Transfers comply with Chapter V of the GDPR and Chapter V of the LGPD.
  • Brazil: SCCs from Resolution CD/ANPD No. 19 incorporated into the contract.
  • EU: EU-U.S. Data Privacy Framework (DPF) and European Commission SCCs as an additional safeguard.
  • Transfer Impact Assessment (TIA): impact assessment for each international transfer.

10. Data Subject Rights

Rights guaranteed by the LGPD (Art. 18) and GDPR (Arts. 15-22), including in the B2B model:

  • Confirmation and Access (Art. 18, I-II, LGPD / Art. 15, GDPR)
  • Rectification (Art. 18, III, LGPD / Art. 16, GDPR)
  • Anonymization, Blocking, or Elimination (Art. 18, IV, LGPD / Art. 17, GDPR)
  • Portability in structured format (Art. 18, V, LGPD / Art. 20, GDPR)
  • Deletion of data processed with consent (Art. 18, VI, LGPD / Art. 17, GDPR)
  • Information about Sharing (Art. 18, VII, LGPD)
  • Revocation of Consent (Art. 18, IX, LGPD / Art. 7, 3, GDPR)
  • Opposition to processing (Art. 18, §2, LGPD / Art. 21, GDPR)
  • Review of Automated Decisions (Art. 20, LGPD / Art. 22, GDPR)

Contact: privacy@forlex.ai. Response time: 15 business days, extendable per regulations. Identity verification may be required.


11. Automated Decisions and Profiling

FORLEX may use automated processes to provide the Services. In such cases:

  • No decision producing significant legal effects will be based solely on automated processing without human review.
  • The data subject can request information regarding criteria and procedures (Art. 20, §1, LGPD).
  • Data processed in automated operations is not retained for AI training (Section 4).

12. Information Security

Technical and organizational measures proportional to the risk (Art. 46, LGPD / Art. 32, GDPR):

  • Encryption: TLS 1.2+ in transit; AES-256 at rest.
  • Access Control: principle of least privilege with MFA.
  • Monitoring: IDS/IPS, continuous log analysis.
  • Internal Policies: documented with periodic review.
  • Training: continuous team training.
  • Audits: vulnerability testing and penetration testing.
  • Records: log of all processing operations (Art. 37, LGPD / Art. 30, GDPR).

12.1. Incident Management

In the event of a security incident posing a risk to data subjects:

  • Notification to the ANPD within a reasonable time (Art. 48, LGPD).
  • Notification to the supervisory authority within 72 hours (Art. 33, GDPR), when applicable.
  • Communication to affected data subjects when there is a high risk.
  • Full documentation of the incident.

12.2. Impact Assessment (DPIA)

FORLEX conducts a DPIA when processing may result in a high risk (Art. 38, LGPD / Art. 35, GDPR), especially in operations involving new technologies, large scale, or sensitive data.


13. Storage and Data Deletion

Retention period: 5 years or the duration of the contractual relationship (whichever is greater), unless otherwise required by law.

Upon termination:

  • Data will be securely deleted or irreversibly anonymized.
  • Data in backups will be isolated until final deletion.
  • The principle of necessity applies to the retention period.

14. Children and Adolescents

The Services are not directed to individuals under the age of 18 (Art. 14, LGPD / Art. 8, GDPR). Inadvertent collection should be reported to privacy@forlex.ai.


FORLEX is not responsible for the privacy practices of third-party sites. The data subject must consult the applicable policies.


16. Changes to this Policy

Substantial changes will be communicated via: (i) updated publication on the Site; (ii) email notification; (iii) prominent notice on the platform. Continued use implies acceptance.


17. Communication Policy

Communications restricted to relevant matters. Unsubscribe option available at any time.

Warning: FORLEX will NEVER ask for passwords or financial data by email or phone. Suspicious communications should be reported to privacy@forlex.ai.


18. Applicable Law and Jurisdiction

Governed by Brazilian law (LGPD). For data subjects in the EU, the GDPR applies additionally. Jurisdiction of the district of FORLEX's headquarters, reserving the data subject's right to their home jurisdiction.


19. Data Protection Officer (DPO)

  • Officer: Daniel Bichuetti
  • Email: privacy@forlex.ai
  • Address: Av Fued José Sebba, 700 - Goiânia/GO - CEP 74805-100

Document generated on 01/09/2026. Replaces all previous versions.

For questions or requests related to privacy, please contact us via email.

suporte@forlex.ai