Legal · OrientMe / RhemaAI

Privacy Policy

Effective: April 30, 2026 · Version 1.0

1. Who we are

OrientMe Tecnologia Ltda. (“OrientMe”, “we” or “us”), a Brazilian company, is the data controller for personal data processed through the RhemaAI product, available at orientme.com.br.

This Privacy Policy describes how we collect, use, store and protect your personal data, in compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) and other applicable regulations.

2. Data we collect

2.1 Account data

  • Name and email address (provided on sign-up or via social login)
  • Profile photo (when provided via OAuth provider)
  • Language preferences and account settings

2.2 Payment data

  • Billing information processed by Stripe Inc. — we do not store credit card data on our servers
  • Subscription and transaction history

2.3 Usage and analytics data

  • Pages visited, session duration and feature interactions — collected by Google Analytics 4 only with your consent
  • Device and browser identifiers (anonymized)

2.4 Technical and log data

  • IP address (partially anonymized)
  • Browser user-agent
  • Access timestamps for security and diagnostic purposes

2.5 User-generated content

  • Texts, sermon outlines and other content entered into the platform for AI-assisted generation

3. Legal basis

All data processing is grounded in at least one of the following legal bases under the LGPD:

| Purpose | Legal basis |
|---|---|
| Service delivery | Art. 7, V — contract performance |
| Payment processing | Art. 7, V — contract performance |
| Transactional communications | Art. 7, V — contract performance |
| Usage analytics (GA4) | Art. 7, I — consent |
| Security and fraud prevention | Art. 7, IX — legitimate interest |
| Legal compliance | Art. 7, II — legal obligation |

4. Purpose of processing

We use your personal data to:

  • Create and maintain your account on the RhemaAI platform
  • Process subscription payments and issue fiscal documents when applicable
  • Provide AI-assisted sermon generation and pastoral support features
  • Send service communications, updates and account notifications
  • Analyze usage patterns to improve the product experience (with consent)
  • Detect and prevent fraudulent activities or platform abuse
  • Comply with legal obligations and respond to competent authorities

We do not use your data for automated decisions that produce legal or similarly significant effects without human oversight.

5. Data sharing

We share personal data only with the following categories of recipients, all subject to contractual data protection obligations:

5.1 Sub-processors

  • Vercel Inc. (USA) — hosting infrastructure and content delivery
  • Stripe Inc. (USA) — payment processing; PCI-DSS level 1 certified
  • Google LLC (USA) — analytics (GA4), only with consent; anonymized data
  • OAuth providers (Google, GitHub) — authentication via NextAuth.js, minimum necessary data only

5.2 International transfers

The sub-processors listed are located in the USA. Transfers occur based on Standard Contractual Clauses and/or equivalent certifications (such as the Data Privacy Framework), as permitted by Brazil's ANPD.

5.3 Authorities

We may disclose data to government authorities when required by law, court order or valid legal process in Brazil.

We do not sell personal data to third parties.

6. Retention and deletion

We retain your data for the time necessary for the described purposes:

  • Account data: for the duration of the account + 5 years after closure (legal period)
  • Payment data: 5 years after the transaction (tax obligation)
  • Security logs: 6 months, unless an investigation is ongoing
  • Analytics data: as per GA4 configuration (default: 14 months)
  • Generated content: while the account is active; deleted within 30 days of request

After retention periods, data is anonymized or securely deleted.

7. Security

We adopt appropriate technical and organizational measures to protect your data, including:

  • Encrypted communications via TLS 1.2+
  • Role-based access control (RBAC)
  • Password storage with bcrypt hashing (no plain-text storage)
  • Continuous access monitoring and anomaly detection
  • Periodic security reviews

In the event of a security incident that results in significant risk or harm, we will notify Brazil's ANPD and affected data subjects within the legal timeframe.

8. Cookies and similar technologies

8.1 Essential cookies (always active)

Required for the website to function, such as session authentication and security preferences. These cannot be disabled.

8.2 Analytics cookies (require consent)

Google Analytics 4 uses cookies to collect aggregated information about site usage. These cookies are only activated after you accept our cookie banner. You can revoke consent at any time by clicking “Manage cookies” in the footer.

We do not use marketing, behavioral advertising or cross-site tracking cookies.

9. Your rights

You have the following rights regarding your personal data under the LGPD:

  • Confirmation and access: confirm whether we process your data and obtain a copy
  • Correction: request update of incomplete, inaccurate or outdated data
  • Anonymization, blocking or deletion: of unnecessary or non-compliant data
  • Data portability: receive your data in a structured, interoperable format
  • Deletion: of data processed based on your consent
  • Information on sharing: know which entities your data is shared with
  • Revocation of consent: revoke previous consents at any time
  • Objection: object to processing based on legitimate interest
  • Review of automated decisions: request review of decisions made solely by automated means

To exercise any of these rights, contact us at the email in section 10. We will respond within 15 business days.

You may also file a complaint with Brazil's National Data Protection Authority (ANPD) at gov.br/anpd.

10. Contact and DPO

For questions, data subject requests or communications related to this Policy:

  • DPO email: [EMAIL DO DPO]
  • Website: orientme.com.br
  • Controller: OrientMe Tecnologia Ltda., Brazil

11. Changes to this Policy

This Policy may be updated periodically. We will notify you of material changes by email or via a prominent notice on the platform, with at least 30 days' advance notice where possible. The effective date at the top of the document indicates the most recent version.

12. Governing law

This Policy is governed by the laws of the Federative Republic of Brazil, in particular the LGPD (Law No. 13,709/2018). The courts of São Paulo, SP, Brazil shall have exclusive jurisdiction to resolve any disputes.