Goodfellas
Português

This is a working translation. The Brazilian Portuguese version prevails in case of conflict.

Privacy Policy

GOODFELLAS CIÊNCIAS DAS ARTES MARCIAIS LTDA. · CNPJ 48.534.700/0001-92

Registered office: Rua Francisco Conde, 300, Vila Rosália, ZIP 07070-010, Guarulhos/SP, Brazil

Contact: [email protected] · Privacy/DPO: [email protected]

Version 4.0 · updated July 1, 2026 · LGPD, GDPR and other applicable laws

Contents
  1. 1. Definitions
  2. 2. Data we collect
  3. 3. How we collect
  4. 4. Purposes and legal bases
  5. 5. Sharing
  6. 6. Cookies and similar technologies
  7. 7. International data transfer
  8. 8. Retention and deletion
  9. 9. Information security
  10. 10. Data subject rights
  11. 11. Children’s and teenagers’ data
  12. 12. Region-specific notices
  13. 13. DPO and contact
  14. 14. Changes to this policy
  15. 15. Governing law and jurisdiction

GOODFELLAS respects your privacy. This Policy describes how we collect, use, share and protect personal data in the app and platform, offered internationally, seeking a uniform standard under the LGPD, the GDPR (EU), the UK GDPR and other laws applicable to your location. Regional notices prevail for users in the respective region (Section 12).

1. Definitions

  • Personal data: information relating to an identified or identifiable natural person.
  • Sensitive data / special category: health, biometrics, racial origin, among others.
  • Data subject: the person the data relates to (you).
  • Controller: GOODFELLAS; Processor: who processes data on the Controller’s behalf.
  • Processing: any operation on personal data.

2. Data we collect

2.1. Registration/identification: full name (and social name, if applicable), tax ID (CPF/CNPJ), profile photo, gender, age/date of birth, email, phone/WhatsApp, address and, where available, graduation certificates (belt), team and academy.

2.2. Geolocation: device location for location-based features; precise location depends on device permission and can be turned off.

2.3. Sporting activity: check-ins, attendance, class history, challenge participation and progress.

2.4. Content you submit: photos, videos and images.

2.5. Bot interaction: commands and messages (including via messaging apps) and processing history.

2.6. Payment: billing data for plans/trainings/subscriptions/challenges, processed mainly by payment providers and app stores; may be stored for future purchases. We do not store full card data.

2.7. Technical/browsing (automatic): IP, device identifiers, OS, app version, logs and cookies/similar technologies.

Gender is collected, among other purposes, to operate the challenge matchmaking set out in the Terms of Use.

3. How we collect

We collect data (i) directly from you; (ii) automatically (cookies, logs, location sensors); and (iii) from third parties (academies, teams, payment providers, app stores).

4. Purposes and legal bases

We process data under LGPD (art. 7) and GDPR (art. 6) bases, depending on your location:

  • registration, authentication and service delivery — performance of a contract;
  • location-based features — contract and/or consent (precise location);
  • recording trainings/challenges/graduation/progress — contract and legitimate interest;
  • identity verification and fraud prevention — legitimate interest and legal obligation;
  • payments — contract and legal obligation;
  • bot and support — contract and legitimate interest;
  • essential communications — contract; promotional — consent;
  • improvement, security and anti-fraud — legitimate interest;
  • legal obligations and record retention — legal obligation;
  • minors’ data — guardian’s consent, in the minor’s best interest.

5. Sharing

5.1. With infrastructure/cloud, payment and messaging providers and Processors, limited to the stated purposes and under security obligations.

5.2. With academies, teams and instructors you are linked to, as needed to manage the class and track training.

5.3. To comply with a legal obligation, court order or authority request. We do not sell your data.

6. Cookies and similar technologies

We use cookies/identifiers to authenticate, remember preferences, measure use and improve the experience. You can manage them; where required by law, we will ask for consent.

7. International data transfer

7.1. As we operate globally, data may be transferred/stored outside your country, including outside Brazil and the EU.

7.2. We adopt legally required safeguards — adequacy decisions, Standard Contractual Clauses (SCCs) and other safeguards.

7.3. Some countries impose transfer requirements and sometimes local storage; we will follow each jurisdiction’s law (Section 12).

8. Retention and deletion

8.1. We retain data as long as needed for the purposes, legal obligations and exercise of rights. Access logs: minimum legal term (e.g., 6 months in Brazil, Marco Civil).

8.2. Once processing ends, we securely delete data, except retention allowed by law.

9. Information security

9.1. Reasonable technical and administrative measures (access control, encryption where applicable, good practices).

9.2. In a relevant incident, we will notify data subjects and competent authorities (ANPD in Brazil; the EU supervisory authority) as and when the law requires.

10. Data subject rights

Under applicable law (LGPD, GDPR, UK GDPR and others), you may request:

  • confirmation and access to the data;
  • correction of incomplete/inaccurate/outdated data;
  • anonymization, blocking or deletion of unnecessary or non-compliant data;
  • portability;
  • deletion of consent-based data and withdrawal of consent;
  • objection and restriction, and information on sharing (GDPR);
  • to lodge a complaint with a data protection authority (ANPD, ICO, EU authority).

To exercise your rights: [email protected] (we may request information to confirm your identity).

11. Children’s and teenagers’ data

11.1. Processing in the minor’s best interest, with the consent of at least one parent/guardian, per the jurisdiction’s consent age (generally 16 in the EU, 13 under COPPA in the US, 18 in Brazil).

11.2. We collect only what is necessary; guardians may request access, correction or deletion at any time.

12. Region-specific notices

12.1. EEA and UK (GDPR/UK GDPR): rights under arts. 15–22 and the right to complain to your supervisory authority; we may appoint a representative and/or DPO where required.

12.2. United States (e.g., CCPA/CPRA in California): access, deletion, correction and the option to opt out of “sale”/“sharing” — we do not sell personal data.

12.3. China (PIPL), United Arab Emirates (PDPL) and Israel: specific requirements that may include reinforced consent, transfer restrictions and, in China, possible local storage. We will process data from these regions per local law.

13. DPO and contact

Questions and rights requests: [email protected], or via the registered office above.

14. Changes to this policy

We may update this Policy at any time; relevant changes will be communicated through official channels and/or the registered email, with the update date.

15. Governing law and jurisdiction

Governed by Brazilian law, without prejudice to the mandatory data-protection rules of the data subject’s country of residence. Courts of Guarulhos/SP, without prejudice to the consumer’s right to sue in their own domicile where local law so guarantees.

GOODFELLAS CIÊNCIAS DAS ARTES MARCIAIS LTDA. · CNPJ 48.534.700/0001-92 · Rua Francisco Conde, 300, Vila Rosália, ZIP 07070-010, Guarulhos/SP, Brazil

Version 4.0 · updated July 1, 2026

Terms of UsePortuguês