Software, made with intention.
Correia Virtus is an independent software studio — designing and building digital products we'd use ourselves. Quiet work, patiently made.
A small studio, thoughtfully at work.
Correia Virtus LLC is an independent software company. We design, build, and ship digital products for real people — from household finance to everyday planning.
Every product is grounded in something we've lived firsthand. We work slowly, iterate carefully, and release only what we'd use ourselves.
Transparency
No hidden fees. No data selling. No advertising. Your information belongs to you — always.
Simplicity
Complex problems deserve clear answers. We build tools that feel quiet, considered, and calm.
Craft
Every detail is considered. Every edge case is thought through. The work is never rushed.
What we're currently building.
Four independent products, each released under the Correia Virtus name.
BudgetPilot
A personal budgeting app for individuals, couples, and families — zero-based budgeting with secure bank connectivity through Plaid. Designed for U.S. households, with USD currency, IRS-aligned tax tooling, and shared household access.
BudgetPilot Brasil
The Brazilian version of BudgetPilot, adapted to the national market: bank connectivity via Open Finance (Pluggy), IRPF, INSS, MEI, and CLT calculators, amounts in Brazilian reais, and categories and merchants from everyday Brazilian life.
Military PCS Toolkit
A free suite of calculators and reference tools for U.S. service members planning a permanent-change-of-station move — PPM/DITY profit, DLA, MALT, weight allowance, per diem, and a customizable PCS checklist.
Virtus
Investment portfolio and dividend tracking for the Brazilian investor: stocks, FIIs, ETFs, BDRs, Tesouro Direto, fixed income, and crypto assets in a single view, with a dividend calendar and history, comparisons against Ibovespa/CDI/IPCA, and passive-income and net-worth goals.
Let's talk.
For product support, partnership inquiries, press, or anything else — we read every message.
Privacy Policy
1. Introduction
Correia Virtus LLC ("Correia Virtus," "we," "us," or "our") is an independent software studio organized under the laws of the State of Florida, United States. This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and protect personal information in connection with our products and services, including BudgetPilot (a personal budgeting application), the Military PCS Toolkit (a web-based collection of planning tools), and the website correiavirtus.com (collectively, the "Services").
This Policy is drafted to meet the requirements of the U.S. federal and state privacy laws identified in Section 11, the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and Quebec Law 25, Brazil's Lei Geral de Proteção de Dados ("LGPD"), South Africa's Protection of Personal Information Act ("POPIA"), Australia's Privacy Act 1988, Switzerland's revised Federal Act on Data Protection ("FADP"), and other substantially similar international frameworks.
By using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, please discontinue use of the Services.
2. Who We Are and How to Reach Us
Data Controller (for GDPR/UK GDPR purposes): Correia Virtus LLC, Niceville, Florida, United States.
Privacy inquiries and rights requests: loading…
We do not currently maintain an EU or UK representative under Article 27 GDPR because we do not regularly offer Services to data subjects in those jurisdictions or monitor their behavior within the meaning of Article 3(2). If this changes, we will update this Policy and appoint a qualified representative accordingly.
3. Scope of This Policy
This Policy applies to personal information processed by Correia Virtus in connection with the Services. It does not apply to third-party websites, applications, or services that may be linked from the Services or that you choose to connect (such as your financial institution, Plaid, Apple, or Google), each of which is governed by its own privacy policy. We encourage you to review those policies.
4. Categories of Personal Information We Collect
The specific information we process depends on which part of the Services you use.
4.1 Account and Identifier Information
When you register for BudgetPilot, we collect: your name, email address, hashed password, account creation date, subscription status, and (if applicable) the subscription identifier issued by the Apple App Store or Google Play Store.
4.2 Financial Information (BudgetPilot only)
When you connect a financial institution through our banking-integration partner Plaid Inc. ("Plaid"), we receive: account type, institution name, masked account number, available and current balances, and transaction records (amount, date, merchant descriptor, category, currency, and pending status). We receive an encrypted Plaid access token that allows us to retrieve this information on your behalf. We do not receive, view, or store your online banking username, password, security questions, or any credential you provide to Plaid.
4.3 User-Generated Content
Budget categories, allocations, custom labels, notes, household membership, savings goals, and any other content you create within BudgetPilot.
4.4 Military PCS Toolkit Inputs
Inputs you enter into the calculators (such as rank, weight estimates, origin and destination locations, and projected move dates) are processed in your browser. We do not require an account to use the free calculators and we do not transmit or store these inputs on our servers unless you opt into a saved-plan feature that expressly states otherwise at the point of collection.
4.5 Device, Technical, and Usage Information
Device type, operating system and version, application version, IP address (truncated where practical), approximate geolocation derived from IP (country/region only), device language, referring URL, timestamps, crash diagnostics, and error logs. We do not collect precise geolocation.
4.6 Communications
If you contact us through the website form, email, or social channels, we process the information you provide (name, email, subject, message) and any related correspondence.
4.7 Biometric Identifiers
If you enable biometric authentication (Face ID, Touch ID, or equivalent fingerprint/face authentication on your device), the underlying biometric template is created, stored, and matched entirely on your device by the operating system. Correia Virtus receives only a cryptographic assertion that authentication succeeded. We do not collect, transmit, receive, or store biometric identifiers or biometric information as those terms are defined under the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act, the Washington biometric statute (RCW 19.375), or analogous laws.
4.8 Sensitive Personal Information
Financial account information is treated as "sensitive personal information" under the California Privacy Rights Act and analogous laws. We do not knowingly collect government identifiers (e.g., Social Security numbers), health information, racial or ethnic origin, religious beliefs, sexual orientation, union membership, or biometric data. We do not use sensitive personal information for purposes beyond those reasonably necessary to deliver the Services.
5. How We Use Personal Information (Purposes and Legal Bases)
We use personal information only for the purposes described below. Where the GDPR, UK GDPR, Swiss FADP, or LGPD applies, we identify the legal basis for each purpose in brackets.
- To provide, maintain, and operate the Services; process your transactions; and display your financial information within BudgetPilot [performance of a contract].
- To authenticate you and secure your account, detect fraud, and protect against abuse [legitimate interest; legal obligation].
- To power automated transaction categorization and budgeting features (see Section 8 for AI-assisted categorization) [performance of a contract; legitimate interest].
- To respond to inquiries, provide customer support, and send transactional and service communications [performance of a contract; legitimate interest].
- To diagnose bugs, monitor performance, and improve the Services [legitimate interest].
- To comply with legal obligations, enforce our Terms of Service, and defend legal claims [legal obligation; legitimate interest].
- With your separate affirmative consent, to send optional product updates you may opt into [consent]; you may withdraw consent at any time.
We do not process personal information for behavioral advertising, ad targeting, cross-context behavioral advertising, profiling with legal or similarly significant effects, or the sale of personal information.
6. Sources of Personal Information
We obtain personal information (i) directly from you when you provide it; (ii) automatically through your use of the Services (device and usage data); and (iii) from third-party service providers acting on your behalf, specifically Plaid (which retrieves financial data from your authorized financial institution) and the Apple App Store or Google Play Store (which communicate subscription events).
7. Disclosures to Third Parties
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We disclose personal information only to the categories of recipients listed below, each bound by contractual confidentiality and data-protection obligations at least as protective as this Policy.
7.1 Service Providers and Sub-Processors
- Plaid Inc. — banking connectivity; retrieves financial account and transaction data from your institution on your authorization. Plaid's practices are governed by plaid.com/legal. You may revoke Plaid's access at any time through BudgetPilot or through Plaid's consumer portal at my.plaid.com.
- Cloud hosting and database infrastructure — U.S.-based providers that host application servers, managed databases, logs, and encrypted backups.
- Authentication and payments — the Apple App Store and Google Play Store handle subscription billing, renewals, and refunds when you purchase through those platforms; we never receive your full payment card details.
- Anthropic, PBC — processes de-identified merchant descriptors and transaction amounts to assist with automated categorization when our built-in engine cannot determine a category. Only the merchant string and amount are transmitted; no name, email, account number, user identifier, or other directly identifying information is sent. Anthropic is contractually prohibited from using this data to train its models and is required to delete inputs on a short retention schedule.
- Web3Forms — processes contact-form submissions from correiavirtus.com and relays them to our support inbox.
- Error monitoring and analytics (privacy-preserving) — we may use tools that collect only aggregated or pseudonymous technical diagnostics.
7.2 Legal, Safety, and Corporate Transactions
We may disclose personal information (i) to comply with a subpoena, warrant, court order, or other legal process; (ii) to protect the rights, property, or safety of Correia Virtus, our users, or the public; (iii) to enforce our agreements; and (iv) in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case any successor will be required to honor this Policy.
8. Automated Processing and Artificial Intelligence
BudgetPilot uses a rule-based categorization engine and, where that engine cannot confidently categorize a transaction, a large-language-model API (Anthropic) to suggest a category. These suggestions are not automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22. You remain free to accept, change, or override any category. We do not use your financial data to train any AI model, and we contractually require our AI provider not to train on our inputs.
9. Financial Privacy (Gramm-Leach-Bliley Act)
Because BudgetPilot accesses consumer financial account information, we treat such information as "nonpublic personal information" ("NPI") consistent with the principles of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809) and the Federal Trade Commission Safeguards Rule (16 C.F.R. Part 314). We limit collection of NPI to what is necessary to deliver the Services, and we do not share NPI with non-affiliated third parties for their own marketing. We maintain a written information-security program that includes administrative, technical, and physical safeguards appropriate to the size, scope, and nature of our business, including AES-256 encryption of sensitive credentials at rest, HTTPS/TLS for data in transit, access controls, periodic risk assessments, and security-incident response procedures.
10. International Transfers
Correia Virtus is based in the United States, and personal information we process is primarily stored and processed in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States. Where personal information of individuals in the European Economic Area, United Kingdom, or Switzerland is transferred to the United States, we rely on appropriate safeguards under Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) with our U.S. sub-processors, the UK International Data Transfer Addendum, and, where available, certifications under the EU–U.S., UK Extension, and Swiss–U.S. Data Privacy Framework programs administered by the U.S. Department of Commerce. You may request a summary of our transfer mechanisms by contacting us.
11. Your Rights
11.1 United States — State Privacy Rights
Depending on your state of residence, you may have some or all of the rights listed below under the following laws: the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); Virginia Consumer Data Protection Act ("VCDPA"); Colorado Privacy Act ("CPA"); Connecticut Data Privacy Act ("CTDPA"); Utah Consumer Privacy Act ("UCPA"); Texas Data Privacy and Security Act ("TDPSA"); Oregon Consumer Privacy Act ("OCPA"); Montana Consumer Data Privacy Act ("MCDPA"); Iowa Consumer Data Protection Act ("ICDPA"); Tennessee Information Protection Act ("TIPA"); Florida Digital Bill of Rights ("FDBR"); Delaware Personal Data Privacy Act ("DPDPA"); New Hampshire Privacy Act ("NHPA"); New Jersey Data Privacy Act ("NJDPA"); Nebraska Data Privacy Act; Maryland Online Data Privacy Act ("MODPA"); Minnesota Consumer Data Privacy Act ("MCDPA"); Indiana Consumer Data Protection Act ("INCDPA"); Kentucky Consumer Data Protection Act ("KCDPA"); and Rhode Island Data Transparency and Privacy Protection Act ("RIDTPPA").
- Right to know / access: request confirmation of processing and a copy of the categories, sources, purposes, and recipients of your personal information.
- Right to delete: request deletion of personal information we have collected from you, subject to statutory exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to portability: request a copy of your personal information in a portable, machine-readable format.
- Right to opt out of sale, sharing, and targeted advertising: we do not sell personal information, do not share personal information for cross-context behavioral advertising, and do not engage in targeted advertising.
- Right to limit use of sensitive personal information: you may request that we limit our use of sensitive personal information to purposes reasonably necessary to provide the Services. We already operate this way by default.
- Right to opt out of profiling: we do not conduct profiling that produces legal or similarly significant effects.
- Right to non-discrimination / no retaliation: we will not discriminate against you, deny Services, or charge different prices because you exercise a privacy right.
- Right to appeal: residents of states granting an appeal right may appeal a denial of a privacy request by replying to our decision.
To exercise a right, contact us at the privacy address above. We will verify your identity using information on file and respond within the statutory period (generally 45 days, extendable by 45 days where permitted, and within 15 business days for Texas). An authorized agent may submit a request on your behalf with written authorization.
California "Shine the Light" (Cal. Civ. Code § 1798.83): we do not disclose personal information to third parties for their direct marketing purposes.
Nevada SB 220 (NRS 603A): Nevada residents may submit a verified request to direct us not to sell their covered personal information. We do not sell covered personal information.
11.2 European Economic Area, United Kingdom, and Switzerland
You have the following rights under the GDPR, UK GDPR, and FADP: access (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction of processing (Art. 18); data portability (Art. 20); objection, including to processing based on legitimate interest (Art. 21); and the right not to be subject to solely automated decision-making, including profiling, that produces legal or similarly significant effects (Art. 22). Where we process on the basis of consent, you may withdraw consent at any time, without affecting the lawfulness of prior processing. You have the right to lodge a complaint with your national supervisory authority (for example, the Irish Data Protection Commission, the UK Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner). We would, however, appreciate the opportunity to address your concern first.
11.3 Canada
Under PIPEDA and provincial laws including Quebec Law 25, you may request access to and correction of your personal information, withdraw consent, and file a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec.
11.4 Brazil
Under the LGPD, you have the rights of confirmation, access, correction, anonymization, portability, deletion, information about sharing, revocation of consent, and to petition the Autoridade Nacional de Proteção de Dados.
11.5 Other Jurisdictions
Residents of other jurisdictions, including South Africa (POPIA), Australia (Privacy Act 1988), Japan (APPI), Singapore (PDPA), and similar regimes, have rights that generally parallel those above. We honor verified rights requests regardless of your location.
12. Cookies and Similar Technologies
The Correia Virtus website uses strictly necessary cookies to operate the site (for example, session management and cross-site request forgery protection). We do not use advertising cookies, cross-site tracking pixels, or third-party marketing tags. We respect the Global Privacy Control ("GPC") signal and treat it as a valid opt-out of any sale or sharing that the CCPA, CPRA, Colorado Privacy Act rules, and Connecticut Data Privacy Act would recognize.
13. Data Retention
We retain personal information only as long as necessary for the purposes for which it was collected, to comply with legal obligations (including financial recordkeeping and tax laws), to resolve disputes, and to enforce our agreements. Inactive accounts are generally deleted twelve (12) months after the last sign-in, preceded by an advance notice by email. Upon receipt of a verified deletion request, we delete live-system personal information within thirty (30) days and purge encrypted backups within ninety (90) days. Certain records may be retained for longer if required by law, in which case we isolate and protect them against further use.
14. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include: AES-256 encryption of sensitive credentials and Plaid access tokens at rest; TLS 1.2+ for all data in transit; principle of least privilege access controls; mandatory multi-factor authentication for administrative systems; routine vulnerability scanning and dependency monitoring; secure software-development practices; and a documented incident-response plan. No system is perfectly secure; in the unlikely event of a breach that triggers notification obligations, we will notify affected individuals and regulators as required by applicable law.
15. Children's Privacy
The Services are not directed to children under 13 (or under 16 in the EEA and UK, or the equivalent local age of digital consent). We do not knowingly collect personal information from children in those age groups. If you believe a child has provided us with personal information, please contact us and we will promptly delete it in accordance with the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and other applicable laws.
16. Do Not Track and GPC
We do not change behavior in response to "Do Not Track" browser signals because there is no industry consensus on interpretation. We do honor Global Privacy Control (GPC) signals as a valid opt-out where required by law.
17. Government Non-Affiliation
Correia Virtus LLC and its products are independent and are not affiliated with, endorsed by, or sponsored by the U.S. Department of Defense, any branch of the U.S. Armed Forces, the Defense Finance and Accounting Service, or any other government agency. References to military allowances and rates in the Military PCS Toolkit are based on publicly available sources and are provided for educational and planning purposes only.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in law, our Services, or our practices. When we make material changes, we will update the "Last Updated" date and, where required by law, provide advance notice through the Services, on our website, or by email. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
19. How to Contact Us
For privacy questions, to exercise any right described above, or to make a complaint, contact us at loading…. You may also write to us at: Correia Virtus LLC, Niceville, Florida, USA.
Terms of Service
This document also serves as the Terms of Use for the website correiavirtus.com. References to "Terms of Service," "Terms of Use," or "Terms" within this agreement are interchangeable and refer to this same document.
1. Agreement and Acceptance
These Terms of Service — which also operate as the Terms of Use for the website correiavirtus.com (collectively, the "Terms") — form a legally binding agreement between you and Correia Virtus LLC ("Correia Virtus," "we," "us," or "our") governing your access to and use of BudgetPilot, the Military PCS Toolkit, the website correiavirtus.com, and any other product or service we provide (collectively, the "Services"). By creating an account, downloading, installing, accessing, browsing, or otherwise using any part of the Services, you represent that you have read, understood, and agreed to be bound by these Terms and by our Privacy Policy, which is incorporated herein by reference. If you do not agree, you must not access or use the Services.
2. Eligibility
You must be at least 18 years of age (or the age of legal majority in your jurisdiction, whichever is greater) to create an account or enter into a subscription. The Services are not directed to individuals under 13, and where the EEA, UK, or equivalent applies, not directed to individuals under the applicable age of digital consent. You represent and warrant that you are not located in, ordinarily resident in, or otherwise subject to the laws of a country or region subject to comprehensive U.S. sanctions, and that you are not listed on any U.S. government list of prohibited or restricted parties.
3. The Services
BudgetPilot is a personal-budgeting application that helps individuals, couples, and families plan, categorize, and track spending. It integrates with participating financial institutions through Plaid to retrieve account balances and transaction data in read-only mode. BudgetPilot is a planning and informational tool; it is not a financial institution, does not hold customer funds, does not move money, and does not provide investment, tax, legal, or other professional advice.
The Military PCS Toolkit is a web-based collection of calculators and reference content designed to help individuals plan permanent-change-of-station moves. Calculators produce estimates based on publicly available information; they are not financial or legal advice and do not guarantee any particular outcome, entitlement, or reimbursement.
The website correiavirtus.com is an institutional presence describing our studio and products.
4. Accounts
Certain features require an account. You agree to provide accurate, current, and complete registration information and to keep it up to date. You are responsible for safeguarding your credentials (including any device-level biometric authentication) and for all activity under your account. Notify us promptly if you suspect unauthorized access. We may refuse, suspend, or terminate accounts at our discretion, including for suspected fraud or violation of these Terms.
5. Subscriptions, Billing, and Auto-Renewal
BudgetPilot is offered on a subscription basis. Current pricing and renewal terms are disclosed to you at the point of purchase and, where required by applicable law (including the U.S. Restore Online Shoppers' Confidence Act, California Automatic Renewal Law, and equivalent state and international statutes), immediately prior to the first charge. By subscribing, you authorize the platform operator (Apple or Google) to charge your selected payment method for the initial fee and for each renewal period at the then-current rate until you cancel.
Renewal and cancellation. Subscriptions renew automatically for successive periods unless canceled at least 24 hours before the end of the then-current period (or a different period disclosed at checkout). You may cancel at any time through your Apple ID subscription settings or Google Play subscription settings. Cancellation takes effect at the end of the then-current billing period; no partial refunds are provided for unused time, except where required by law.
Free trials and introductory pricing. If a free trial or introductory rate is offered, we will disclose its duration and the price that will apply at expiration. You must cancel before trial expiration to avoid conversion to a paid subscription.
Price changes. We may change subscription prices from time to time. Material price increases will be communicated at least 30 days in advance and will apply to renewals after the notice period. Where required by law, your affirmative consent will be obtained before any price increase takes effect.
Platform billing. Purchases made through the Apple App Store or Google Play Store are billed, processed, and refunded exclusively by those platforms under their terms. We cannot process refunds for platform-billed subscriptions; requests must be submitted through the platform. Correia Virtus does not hold, store, or have access to your full payment card or payment instrument details.
Taxes. Prices exclude applicable taxes unless otherwise stated. Where the platform is required to collect VAT, GST, or sales tax, those amounts are added at checkout.
6. Bank Connectivity via Plaid
BudgetPilot uses Plaid Inc. ("Plaid") to connect to your financial institution. By connecting an account, you acknowledge and agree that: (i) your use of Plaid is subject to Plaid's End User Services Agreement and Privacy Policy at plaid.com/legal; (ii) you authorize Plaid to collect, use, and share your financial information on your behalf in read-only mode; (iii) Correia Virtus never receives, views, or stores your online-banking credentials; (iv) access to transaction and balance data may be interrupted by your financial institution or by Plaid for reasons outside our control; and (v) you may revoke Plaid's access at any time within BudgetPilot or through Plaid's consumer portal at my.plaid.com. Correia Virtus is not responsible for the accuracy or completeness of data retrieved from your institution or for any outage or delay caused by Plaid or the institution.
7. Shared Household Access
BudgetPilot offers shared household access on a single subscription. By inviting another adult to your household, you authorize them to view and edit shared budgets, transactions, categories, and goals. You are solely responsible for deciding whom to invite and for any dispute between household members regarding shared data. Household members cannot view sign-in credentials or payment details of other members.
8. Artificial-Intelligence Features
BudgetPilot uses a large-language-model API operated by Anthropic, PBC to help categorize certain transactions when our built-in rules-based engine cannot. Only the merchant descriptor and amount are transmitted; no account identifier, name, or other direct identifier is sent. Categorizations are suggestions only; you may accept, edit, or override any categorization, and we are not responsible for financial outcomes derived from AI-assisted categorization. Our AI provider is contractually prohibited from using our inputs to train its models. AI features may be modified or discontinued with reasonable notice.
9. Accuracy and No Professional Advice
The Services are informational and planning tools. Calculators, budgets, categorizations, and reference information are estimates and may contain errors, omissions, or stale data. Nothing in the Services constitutes financial, investment, tax, accounting, legal, or professional advice. You are solely responsible for financial decisions you make. We strongly recommend consulting a qualified professional for consequential decisions. For matters covered by the Military PCS Toolkit, consult your Transportation Management Office, Finance office, or DFAS for authoritative guidance.
10. User Content and License
You retain all ownership rights in content you submit to the Services ("User Content"), including budget categories, notes, and custom labels. You grant Correia Virtus a limited, worldwide, non-exclusive, royalty-free license to host, store, process, transmit, and display your User Content solely to operate and provide the Services to you and, where applicable, to members of your household account. You represent that you have all rights necessary to submit your User Content and that it does not infringe any third-party right or applicable law.
11. Acceptable Use
You agree not to, and not to permit any third party to: (a) violate any law, regulation, or third-party right; (b) access, probe, or test the vulnerability of the Services without authorization; (c) interfere with, disrupt, or impair the Services or the servers or networks connected to them; (d) decompile, reverse engineer, disassemble, or attempt to derive source code or underlying data structures, except to the extent that such restriction is expressly prohibited by law; (e) scrape, harvest, or otherwise extract data from the Services using automated means; (f) introduce malware, viruses, or other harmful code; (g) impersonate any person or misrepresent your affiliation with any person; (h) use the Services for money laundering, terrorist financing, or other illegal financial activity; (i) resell, sublicense, or otherwise commercialize the Services without our prior written consent; (j) remove, obscure, or alter any proprietary notices; or (k) use the Services in a way that unreasonably interferes with other users' enjoyment.
12. Intellectual Property
The Services, including all text, graphics, logos, icons, interfaces, software, and underlying technology, are owned by Correia Virtus LLC or its licensors and are protected by United States and international copyright, trademark, trade-dress, patent, and other intellectual-property laws. "Correia Virtus," "BudgetPilot," and related marks are trademarks of Correia Virtus LLC. Subject to these Terms, we grant you a limited, revocable, non-exclusive, non-transferable, non-sublicensable license to use the Services for your personal, non-commercial use. All rights not expressly granted are reserved.
13. Third-Party Services
The Services may interoperate with or link to third-party services, including Plaid, the Apple App Store, Google Play, and your financial institutions. Your use of those services is governed by their terms and privacy policies. We are not responsible for, and do not endorse, third-party services, content, or practices.
14. Feedback
If you choose to submit ideas, suggestions, or feedback, you grant Correia Virtus a perpetual, irrevocable, royalty-free, worldwide license to use such feedback for any purpose, without obligation to you. You waive any moral rights in feedback to the extent permitted by law.
15. Service Availability
We strive to keep the Services available at all times but do not guarantee uninterrupted or error-free operation. The Services may be unavailable due to scheduled maintenance, force majeure, outages at third-party providers (including Plaid, cloud hosts, and the app stores), or other factors beyond our reasonable control. We do not offer a service-level agreement or uptime guarantee unless stated in writing.
16. Changes to the Services
We may add, modify, or discontinue features of the Services at any time. We will provide reasonable notice of material adverse changes where practicable.
17. Disclaimer of Warranties
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING, USAGE, OR TRADE. WE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR ACCURATE, OR THAT ANY DATA RETRIEVED FROM THIRD-PARTY SOURCES (INCLUDING PLAID) WILL BE COMPLETE OR TIMELY. YOUR USE OF THE SERVICES IS AT YOUR SOLE RISK.
18. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL CORREIA VIRTUS LLC, ITS OFFICERS, DIRECTORS, EMPLOYEES, CONTRACTORS, OR AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATED TO THE SERVICES OR THESE TERMS, WHETHER UNDER CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL OUR AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THE SERVICES OR THESE TERMS EXCEED THE GREATER OF (A) THE AMOUNTS YOU PAID US FOR THE SERVICES IN THE TWELVE (12) MONTHS BEFORE THE EVENT GIVING RISE TO LIABILITY OR (B) ONE HUNDRED U.S. DOLLARS (US$100). NOTHING IN THESE TERMS LIMITS LIABILITY THAT CANNOT BE LIMITED UNDER APPLICABLE LAW, INCLUDING LIABILITY FOR GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR, WHERE APPLICABLE, DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE, OR CERTAIN CONSUMER RIGHTS UNDER EU, UK, AUSTRALIAN, OR CANADIAN LAW.
19. Indemnification
To the extent permitted by law, you agree to indemnify, defend, and hold harmless Correia Virtus LLC and its officers, directors, employees, contractors, and affiliates from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (i) your breach of these Terms; (ii) your violation of any law or third-party right; (iii) your User Content; or (iv) your misuse of the Services. This indemnity does not apply to the extent a claim arises from our gross negligence or willful misconduct.
20. Termination
You may stop using the Services and delete your account at any time. We may suspend or terminate your access if you breach these Terms, if required by law, or if we reasonably believe suspension is necessary to protect the Services or other users. Upon termination: your license to use the Services ends; we will delete your personal information per our Privacy Policy; and sections that by their nature should survive will survive.
21. Governing Law and Venue
These Terms are governed by the laws of the State of Florida, USA, without regard to conflict-of-laws rules. For consumers residing in the EEA, UK, Switzerland, or other jurisdictions that grant mandatory consumer protections, nothing in this section overrides those protections; you retain the benefit of the mandatory consumer-protection laws of your place of residence, and may bring actions in the courts of your place of residence where those laws so provide.
22. Dispute Resolution; Arbitration; Class-Action Waiver
Informal resolution first. Before filing any claim, you agree to contact us at the address in these Terms and allow 60 days for good-faith resolution.
Binding individual arbitration (U.S. users). If informal resolution fails, you and Correia Virtus agree that any dispute arising out of or relating to the Services or these Terms will be resolved by binding individual arbitration administered by the American Arbitration Association under its Consumer Arbitration Rules. Arbitration will take place in Okaloosa County, Florida, or by telephone/video, at your election. The arbitrator may award any relief a court could, except that the arbitrator may not consolidate claims or preside over class or representative proceedings.
Class and jury waiver. You and Correia Virtus waive any right to a jury trial and to participate in a class action, class arbitration, or representative action, except where such waiver is prohibited by applicable law.
Opt-out right. You may opt out of this arbitration agreement by sending written notice within 30 days after first accepting these Terms to the privacy address above, stating your name and that you opt out. Opting out will not affect other provisions.
Carve-outs. Either party may bring claims of infringement of intellectual-property rights, or seek injunctive relief, in a court of competent jurisdiction. Nothing in these Terms prevents you from bringing an individual action in small-claims court or reporting concerns to a government authority.
Non-U.S. consumers. This arbitration clause does not apply where prohibited by the mandatory law of your country of residence (including many EEA and UK consumers). In that case, disputes will be resolved by the competent courts of your place of residence.
23. Apple App Store Additional Terms
If you obtained BudgetPilot through the Apple App Store, you acknowledge that: (i) these Terms are between you and Correia Virtus only, not Apple Inc.; (ii) Apple has no obligation to provide maintenance or support; (iii) in the event of any failure of BudgetPilot to conform to any applicable warranty, you may notify Apple for a refund of the purchase price (if any); Apple has no other warranty obligations; (iv) Apple is not responsible for addressing claims by you or third parties relating to BudgetPilot or your possession or use of BudgetPilot, including product-liability, consumer-protection, or intellectual-property claims; (v) you represent that you are not in a U.S.-embargoed country and not on any U.S. government restricted-parties list; and (vi) Apple and its subsidiaries are third-party beneficiaries of these Terms with the right to enforce them against you.
24. Google Play Additional Terms
If you obtained BudgetPilot through Google Play, your download, installation, and use are additionally subject to the Google Play Terms of Service. Billing, refunds, and subscription management for Google Play purchases are handled by Google. Correia Virtus is responsible for BudgetPilot itself; Google is not a party to these Terms.
25. Electronic Communications and Notices
By creating an account or using the Services, you consent to receive electronic communications from us for transactional, administrative, security, legal, and service-related purposes (including receipts, security notices, and changes to policies). You may opt out of optional promotional communications. Legal notices to you may be posted in the Services or sent to the email address associated with your account. Notices to us must be sent to the privacy address in these Terms.
26. Force Majeure
We are not liable for delays or failures to perform caused by events beyond our reasonable control, including acts of God, pandemics, natural disasters, war, civil unrest, government action, cyberattacks, labor disputes, telecommunications or power failures, and failures of third-party service providers.
27. Assignment
You may not assign these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, corporate reorganization, or sale of assets, or otherwise with notice to you.
28. Export Controls
You agree to comply with all applicable U.S. export control and sanctions laws and regulations, including the U.S. Export Administration Regulations and Office of Foreign Assets Control sanctions.
29. Government End Users
If you are a U.S. government end user, the Services are "commercial items" and "commercial computer software" as defined in FAR 2.101 and DFARS 252.227-7014, licensed with only those rights as granted to all other end users under these Terms.
30. Severability; Waiver; Entire Agreement
If any provision of these Terms is held unenforceable, the remaining provisions will remain in effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving its intent. Our failure to enforce any right is not a waiver. These Terms, together with our Privacy Policy and any subscription terms disclosed at purchase, constitute the entire agreement between you and Correia Virtus regarding the Services and supersede any prior or contemporaneous agreements.
31. Changes to These Terms
We may modify these Terms from time to time. Material changes will be posted in the Services or on the website and, where required by law, communicated at least 30 days before they take effect. Your continued use after the effective date constitutes acceptance. If you do not agree, you must stop using the Services.
32. Contact
Questions about these Terms should be sent to loading…, or by mail to: Correia Virtus LLC, Niceville, Florida, USA.
Virtus — Privacy Policy
This Policy is specific to Virtus (also referred to internally as DividendPilot) and is read together with the Correia Virtus institutional Privacy Policy above. In the event of a conflict regarding Virtus, this Policy prevails, because it describes the Application's actual data flows more precisely. For the English version, see the end of this section.
1. Introduction
Correia Virtus LLC ("Correia Virtus", "we" or "our") is an independent software studio organized under the laws of the State of Florida, United States. This Privacy Policy (the "Policy") explains how we collect, use, disclose, retain and protect personal data in connection with Virtus, our native application for tracking investment portfolios and dividend income (the "Application" or the "Service"). The Application is distributed through the Apple App Store and Google Play and may in the future be distributed for macOS and Windows.
This Policy was drafted to meet the requirements of the Brazilian General Data Protection Law, Law No. 13.709/2018 ("LGPD"), and the regulations of the National Data Protection Authority ("ANPD"); the GDPR (EU 2016/679); the UK GDPR; California's CCPA/CPRA; the other U.S. state data-protection laws listed in Section 12; COPPA, the Swiss FADP, Canada's PIPEDA and Quebec's Law 25; and the Brazilian Consumer Protection Code (Código de Defesa do Consumidor, "CDC", Law No. 8.078/1990).
By creating an account or using the Service, you state that you have read and understood this Policy. If you do not agree, do not use the Service.
2. Who We Are and How to Contact Us
Controller (LGPD, GDPR, UK GDPR, FADP): Correia Virtus LLC, Niceville, Florida, United States.
Contact for privacy matters and the exercise of rights: loading…
Data Protection Officer (Encarregado, art. 41 of the LGPD): until a named Data Protection Officer is appointed, all communications from Brazilian data subjects addressed to the Data Protection Officer must be sent to the privacy contact above, in Portuguese or English, and will be received and processed by the Correia Virtus LLC privacy team.
3. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person (art. 5, I, of the LGPD; art. 4(1) of the GDPR; personal information in §1798.140(v) of the CCPA). "Sensitive Personal Data" means data revealing racial or ethnic origin, religious belief, political opinion, trade-union membership, data concerning health or sex life, or genetic or biometric data (art. 5, II, of the LGPD; art. 9 of the GDPR); financial information receives heightened treatment under the CCPA/CPRA and the principles of the CDC and the LGPD. "Processing" means any operation performed on Personal Data (art. 5, X, of the LGPD). "Controller" ("Controlador") means Correia Virtus LLC. "Processor" ("Operador") means the person that carries out Processing on behalf of the Controller. "Data Subject" means the natural person to whom the Personal Data relates.
4. Scope
This Policy applies to Personal Data processed by Correia Virtus in connection with Virtus. It does not apply to (i) third-party sites, applications or services linked to the Application (including the Apple App Store and Google Play, which are governed by their own policies); (ii) the brokerages, custodians, exchanges or banks where you actually hold the assets you record in the Application (the Application does not connect to those institutions); or (iii) the public market-data sources that our backend queries to enrich quotes and corporate events, because we send none of your Personal Data to those sources.
5. Statement of What Virtus Does Not Do
These statements materially limit the universe of Personal Data that the Application could process:
- No bank or brokerage integration. We do not integrate Plaid, Pluggy, Belvo or any other open banking aggregator, and we do not consume any brokerage API. You enter your portfolio data manually (ticker, quantity, average price, date, brokerage and asset class).
- No integration with B3 Open Investment in v1. By architectural decision (ADR-0002), the B3 API is deferred. If it is ever enabled, this Policy will be updated and (where the law requires) your specific and granular consent will be obtained before any synchronization.
- No analytics, tracking or attribution. We do not ship Firebase Analytics, Sentry, Mixpanel, Amplitude, PostHog, Segment, Adjust, AppsFlyer, Branch, the Meta SDK, the TikTok SDK or any comparable analytics, attribution or session replay product. Verified by inspection of the dependency graph.
- No advertising. No ads, no advertising-network SDKs. We do not sell Personal Data and we do not share Personal Data for cross-context behavioral advertising (CCPA/CPRA and U.S. state laws).
- No precise geolocation. We do not request, receive or store precise geolocation. The Application neither declares nor requests location permissions.
- No personal biometric data. Face ID, Touch ID and Android fingerprint/face unlock operate entirely on your device. We receive only a cryptographic "yes/no" assertion. We do not collect, transmit, receive or store biometric identifiers (art. 5, II, of the LGPD; BIPA; Texas CUBI; RCW 19.375; and analogous laws).
- No access to contacts, photos, microphone, camera or calendar. The Application neither declares nor requests those permissions.
6. Categories of Personal Data We Collect
6.1 Data You Provide
Account credentials: e-mail, password (immediately hashed with Argon2id, never stored in clear text) and display name. Preferences: language (pt-BR / en-US / es-ES) and currency (BRL / USD / EUR). Portfolio entries: for each transaction, the asset (ticker, class, name, currency, sector and country, as enriched), quantity, unit price, date, total amount, brokerage or institution, fees, income tax withheld and free-form notes. Watchlist: tickers followed. Goals: type (passive income or net worth), target amount, currency, target date. Per-asset settings: DRIP toggle and optional percentage of foreign income-tax withholding. Communications: content of e-mails sent to support.
6.2 Data Collected Automatically
Server logs: source IP, timestamps, HTTP method and route, response status and (on error) an anonymized stack trace; used exclusively for security, abuse detection and infrastructure operation; retained for 30 days. Crash diagnostics: through standard mechanisms (Apple crash reporting on iOS; Google Play Console crash + ANR on Android). We do not integrate Crashlytics, Sentry or a comparable SDK. Push notification token: APNs (iOS) / FCM (Android) issues a device-specific token, which is stored to deliver notifications on dividend payment days. You may revoke it at any time.
6.3 Sensitive Personal Data
We do not knowingly collect government identifiers (CPF, RG, voter registration card (Título de Eleitor), passport, SSN), health data, racial or ethnic origin, religious beliefs, sexual orientation, trade-union membership, biometric identifiers or geolocation. The financial information you enter is treated as sensitive under §1798.140(ae)(1)(L) of the CCPA/CPRA and under the reinforced principles of the CDC and the LGPD; we use it only to provide the Service.
6.4 Children and Adolescents
The Service is not directed to children. We do not knowingly collect Personal Data from anyone under 13 in the U.S. (COPPA, 15 U.S.C. §§ 6501-6506), under 12 in Brazil (art. 14 of the LGPD), or under the applicable age of digital consent (as a rule, 16) in the EEA/United Kingdom. If we find that data was collected under those conditions, we will delete it immediately.
7. Purposes of Processing and Legal Bases
We process Personal Data only for the purposes below. We identify the corresponding legal basis under the LGPD (art. 7) and the GDPR (art. 6); the CCPA/CPRA business purposes accompany them:
- To create and maintain your account; to authenticate you; to protect sessions with RS256 JWTs and refresh token rotation [LGPD art. 7, V and VII; GDPR art. 6(b) and (f)].
- To store and display your portfolio, watchlist, goals and settings [LGPD art. 7, V; GDPR art. 6(b)].
- To calculate portfolio value, returns and comparisons against benchmarks; to ingest market data server-side without exposing your Personal Data [LGPD art. 7, V and IX; GDPR art. 6(b) and (f)].
- To send transactional communications, including push notifications on dividend payment days for which you have chosen to be alerted [LGPD art. 7, V, IX, or I; GDPR art. 6(b) or (a)].
- To detect, prevent and respond to fraud, incidents, abuse and unlawful activity; to apply rate limiting [LGPD art. 7, IX and VI; GDPR art. 6(f) and (c)].
- To comply with legal obligations (tax, accounting, anti-money-laundering, compliance with court orders) [LGPD art. 7, II; GDPR art. 6(c)].
- To diagnose bugs and monitor performance through iOS and Android crash reports [LGPD art. 7, IX; GDPR art. 6(f)].
- To exercise, defend or establish legal claims [LGPD art. 7, VI; GDPR art. 6(f)].
- To communicate with you when you contact support [LGPD art. 7, V and IX; GDPR art. 6(b) and (f)].
- If and when you choose to enable the optional AI research feature (Section 9), to transmit public, non-identifying ticker metadata to Anthropic, PBC [LGPD art. 7, I; GDPR art. 6(a): consent].
We do not process Personal Data for behavioral advertising, sale of data, profiling with legal or significant effects (art. 20 LGPD / art. 22 GDPR), or training of AI/ML models on your inputs.
7.1 External Market-Data Sources (No Personal Data Sent)
To enrich quotes and corporate events, our backend queries: BRAPI (Brazilian quotes), CVM open data (dividends and events), the Banco Central do Brasil's SGS (CDI, IPCA, SELIC, USD/BRL), the public Yahoo Finance endpoint (historical candles, Ibovespa, S&P 500), CoinMarketCap (crypto, when enabled), and Alpha Vantage or Polygon.io (U.S. stocks and REITs, when enabled at scale). None of your Personal Data is transmitted to these sources; we send only the public ticker and request parameters.
8. Sharing and Recipients
We do not sell Personal Data. We do not share Personal Data for cross-context behavioral advertising. We share only with the categories below, which are contractually bound to confidentiality and protection obligations at least as protective as this Policy:
- Railway Corp. — Platform-as-a-Service that hosts our Rust + Axum API, PostgreSQL 16 (with TimescaleDB) and Redis. Railway runs on Google Cloud Platform. United States.
- Google Cloud Platform (Alphabet Inc., as Railway's infrastructure provider) — compute, storage and networking. United States.
- Apple Inc. — Apple App Store (distribution); subscription billing (when monetized); APNs (push delivery). United States.
- Google LLC — Google Play (distribution); subscription billing (when monetized); Firebase Cloud Messaging (push delivery). United States.
- Anthropic, PBC (optional feature, subject to consent) — LLM API that powers the optional per-asset research narrative; not enabled by default. When enabled, it transmits only public ticker metadata (symbol, name, sector, P/E, dividend yield, ROE and count of recent dividend payments); no user-identifying information is sent. Anthropic is contractually prohibited from training models on our inputs. United States.
We may disclose Personal Data (i) to comply with a subpoena, warrant, court order or other valid legal process, including a request from a Brazilian authority transmitted through the proper channels; (ii) to protect the rights, property or safety of Correia Virtus, users or the public; (iii) to enforce our contracts; and (iv) in the context of a merger, acquisition, financing, reorganization or disposal of assets. We will challenge legal requests that are overly broad or defective.
9. Automated Decisions and Artificial Intelligence
The Service does not make any decision about you that produces legal or similarly significant effects (art. 20 of the LGPD; art. 22 of the GDPR). Portfolio analyses, performance charts, dividend projections, Monte Carlo simulations and concentration alerts are quantitative calculations applied uniformly; they are informational, not decision-making, and you remain solely responsible for any investment decision.
The Application may, only if you affirmatively choose to enable it, display a per-asset narrative ("Resumo IA", the AI Summary) generated by the Anthropic, PBC API. When enabled, the call transmits only the public ticker, long name, sector, P/E, dividend yield, ROE and count of recent events; none of these elements identifies you. The feature is disabled by default. Anthropic is contractually prohibited from training its models on our inputs, and the output is presented as research material, not as an investment recommendation. You may decline its use at any time and have the right (art. 20 LGPD; art. 22 GDPR) to request review by a natural person of any decision you believe was made solely on the basis of automated Processing.
10. International Data Transfers
Virtus is operated from the United States, and your Personal Data is stored and processed primarily in the United States.
10.1 From Brazil to the United States
The United States has not been recognized by the ANPD as a country providing adequate protection within the meaning of art. 33, I, of the LGPD. We base the transfer on the grounds in art. 33: (i) your specific and prominent consent, given at registration and reconfirmable at any time (art. 33, VIII); and (ii) standard contractual clauses approved by the ANPD under Resolution CD/ANPD No. 19/2024, incorporated into the contracts with Processors located in the United States (art. 33, II, "d"). If you do not consent, the Service cannot be provided to you and you should not create an account.
10.2 From the EEA / United Kingdom / Switzerland to the United States
We rely on the safeguards in Chapter V of the GDPR: the European Commission's Standard Contractual Clauses (EU Decision 2021/914), the UK International Data Transfer Addendum and, if applicable, the EU–U.S., UK Extension and Swiss–U.S. Data Privacy Framework programs.
11. Data Retention
- Active account (profile, portfolio, watchlist, goals, settings, push tokens): kept for as long as the account exists.
- Inactive accounts: deleted 12 (twelve) months after the last login, with prior notice by e-mail sent at least 30 (thirty) days in advance.
- Deletion request: active data deleted within 30 days; encrypted backups purged within 90 days.
- Server logs: 30 days.
- Crash diagnostics: 90 days.
- Subscription billing identifiers (when monetized): as required by tax and accounting law (as a rule, 5 to 7 years).
When you delete your account, the DELETE /v1/me routine removes the rows associated with your user in the tables transactions, portfolios, watchlist_items, accounts, user_asset_settings, goals, push_tokens, refresh_tokens and reconciliation_conflicts.
12. Your Rights
12.1 Brazil — art. 18 of the LGPD
As a data subject, you have the right to obtain from us, at any time and free of charge: (1) confirmation that Processing exists; (2) access; (3) correction; (4) anonymization, blocking or deletion of data that is unnecessary, excessive or processed in breach of the LGPD; (5) portability; (6) deletion of data processed on the basis of consent; (7) information about the entities with which we share your data; (8) information about the possibility of withholding consent and the consequences; (9) withdrawal of consent at any time; and (10) not to be subject to a decision made solely on the basis of automated Processing (art. 20). Complaints may be lodged with the ANPD at gov.br/anpd.
12.2 California — CCPA/CPRA
California residents have the right to know, delete, correct, port, opt out of sale or sharing (we do neither), limit the use of sensitive information (we already operate this way), non-retaliation and appeal. "Shine the Light" (Cal. Civ. Code § 1798.83): we do not disclose to third parties for their direct marketing. Nevada SB 220: we do not sell.
12.3 Other U.S. State Laws
Depending on your state of residence, you have substantially similar rights under:
- In effect in 2023: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA).
- In effect in 2024: Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Florida (FDBR).
- In effect in 2025: Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Nebraska Data Privacy Act, Tennessee (TIPA), Minnesota (MCDPA), Maryland (MODPA — Processing in effect April 1, 2026).
- In effect on January 1, 2026: Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RIDTPPA).
In all of these states you have the right to access, deletion and opt-out of sale, sharing and targeted advertising; in most you also have the right to correction, portability, opt-out of profiling and appeal. We honor the Global Privacy Control ("GPC") universal signal where state law recognizes it. Because we engage in none of the activities subject to opt-out, the practical effect of GPC, in our case, is confirmation of our existing posture.
12.4 EEA, United Kingdom and Switzerland — GDPR / UK GDPR / FADP
You have rights of access (art. 15), rectification (art. 16), erasure (art. 17), restriction (art. 18), portability (art. 20), objection, including to Processing based on legitimate interest (art. 21), and not to be subject to a solely automated decision (art. 22). You may lodge a complaint with your country's supervisory authority.
12.5 Canada and Other Jurisdictions
Under PIPEDA and Quebec's Law 25, you may request access and correction, withdraw consent and file a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec. Residents of other jurisdictions (Australia, Japan, Singapore, South Africa) have parallel rights.
12.6 How to Exercise Your Rights
Write to loading…. We will acknowledge receipt, verify your identity (by matching against the registered e-mail and, depending on sensitivity, requesting an additional element), and respond within the period set by the applicable law: 15 calendar days for confirmation of Processing (art. 19 of the LGPD); 45 days under most U.S. state laws (extendable); 15 business days in Texas (TDPSA); 1 month under the GDPR (art. 12(3), extendable). We provide an internal appeal channel. We will not discriminate against the data subject or charge a different price for the exercise of a right.
13. Security
We adopt administrative, technical and physical safeguards, including password hashing with Argon2id; JWTs signed with RS256 with refresh token rotation; TLS 1.2+ in transit; encryption at rest in managed PostgreSQL; the principle of least privilege; mandatory MFA for administrative access; periodic vulnerability scanning; secure development practices (code review, SQL with compile-time checking via sqlx, mandatory linters in CI); and a documented incident response plan.
14. Cookies, Local Storage and Tracking Technologies
Virtus is a native mobile application; it does not operate a website that uses cookies. The Application stores on the device session tokens and the minimum necessary (refresh token, base-URL preference, language) via Keychain (iOS) or EncryptedSharedPreferences (Android). It does not install third-party tracking cookies, advertising identifiers, web beacons, pixel tags or session replay tools. The Application declares NSPrivacyTracking = false in its Apple Privacy Manifest and does not request App Tracking Transparency.
15. Disclosures on the Apple App Store and Google Play
The information in the App Store "Privacy Nutrition Label" and in the Google Play "Data Safety" form is consistent with this Policy. If you identify a discrepancy, contact us.
16. Security Incident Notification
We undertake to (i) notify the ANPD and Brazilian data subjects of any security incident that may entail relevant risk or harm, within a reasonable period (art. 48 of the LGPD), with the information required by art. 48, §1; (ii) notify the competent supervisory authority within 72 hours of becoming aware (art. 33 GDPR), where applicable, and notify affected data subjects (art. 34) when the risk is high; and (iii) notify U.S. residents and state attorneys general within the periods set by the respective notification laws (30 to 90 days).
17. Changes to This Policy
We may update this Policy periodically. Material changes will be reflected in the "Last Updated" date and, where required by law, communicated through the Service, on our website or by e-mail. Continued use after the effective date constitutes acceptance.
18. Governing Law, Venue, and Arbitration
This Policy is governed by the laws of the State of Florida, USA, and forms part of the Correia Virtus Terms of Use, in particular the Governing Law and Venue and Dispute Resolution; Arbitration; Class-Action Waiver clauses, with the arbitration clause, the class-action waiver, and the opt-out mechanism applying. For Brazilian data subjects, nothing in this Clause limits the protections of the CDC or the LGPD, nor the right to bring an action in the courts of their place of residence; for consumers in the EEA, the United Kingdom, and Switzerland, the same applies to mandatory consumer protections.
19. No Government Affiliation
Correia Virtus LLC and the Service are independent and are not affiliated with, endorsed by, or sponsored by the Comissão de Valores Mobiliários, the Banco Central do Brasil, B3 S.A. – Brasil, Bolsa, Balcão, the Securities and Exchange Commission, FINRA, the U.S. Department of the Treasury, or any other public body. References to market data and dividend income are based on public sources and are for informational purposes only. Virtus does not constitute an investment recommendation.
20. Complaint Channels
Brazil: Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd. EEA / United Kingdom / Switzerland: the supervisory authority of your country (United Kingdom: ico.org.uk). USA: Federal Trade Commission, your state attorney general, and (in California) the California Privacy Protection Agency. Canada: Office of the Privacy Commissioner of Canada. We encourage you to contact us first.
21. How to Contact Us
For questions, to exercise your rights, or to file complaints, write to loading…, or by post: Correia Virtus LLC, Niceville, Florida, USA.
English version
The Portuguese version above is the primary version. The English text below is a translation provided for convenience. In case of conflict, the Portuguese version controls for Brazilian Data Subjects.
1. Introduction
Correia Virtus LLC operates Virtus, a native mobile application for tracking investment portfolios and dividend income, distributed via the Apple App Store and Google Play. This policy is drafted to satisfy LGPD, GDPR, UK GDPR, CCPA/CPRA, every other US state comprehensive privacy law, COPPA, FADP, PIPEDA, and Quebec Law 25.
2. What Virtus Does NOT Do
No bank or brokerage connectivity (no Plaid, Pluggy, Belvo). No B3 Open Investment integration in v1 (deferred per ADR-0002). No analytics or attribution SDKs (no Firebase Analytics, Sentry, Mixpanel, Amplitude, PostHog, Adjust, AppsFlyer, Meta SDK, TikTok SDK). No advertising. No precise geolocation. No biometric personal data leaves your device. No contacts, photos, microphone, camera, or calendar access.
3. Personal Data We Collect
From you: email, password (Argon2id-hashed), display name, language and currency preferences, your manually-entered portfolio (asset, quantity, price, date, broker, fees, withholding, notes), watchlist tickers, goals, per-asset settings, support communications. Automatically: server logs (IP, timestamps, route, status, anonymized error traces — retained 30 days), Apple/Google platform-default crash diagnostics, APNs/FCM push tokens for dividend-payday notifications. We do NOT collect government identifiers, health data, biometrics, geolocation, or any sensitive category beyond the financial inputs you choose to record.
4. Purposes and Legal Bases
We process personal data to operate the Service: authenticate you (LGPD Art. 7(V)(VII); GDPR Art. 6(b)(f)); store and display your portfolio (LGPD Art. 7(V); GDPR Art. 6(b)); compute valuations and benchmarks; send transactional notifications including opt-in push on dividend paydays; detect fraud and abuse; comply with legal obligations; diagnose bugs; defend legal claims; respond to support. The optional AI-summary feature (Section 6 below) is only activated upon your opt-in consent (LGPD Art. 7(I); GDPR Art. 6(a)).
We do NOT process personal data for behavioral or interest-based advertising, sale, profiling with legal effects (LGPD Art. 20 / GDPR Art. 22), or training of any AI/ML model on your inputs.
5. Recipients
Railway Corp. (PaaS hosting); Google Cloud Platform (Railway's underlying provider); Apple Inc. (App Store, APNs, future IAP); Google LLC (Play Store, FCM, future IAP); Anthropic, PBC (optional opt-in AI feature only, transmitting only public ticker metadata, no user-identifying data, contractually prohibited from training on our inputs). All US-based.
6. Automated Decision-Making and AI
The Service makes no decision about you that produces legal or similarly significant effects (LGPD Art. 20; GDPR Art. 22). The optional "AI Summary" per-asset narrative (powered by Anthropic) is opt-in, off by default; when activated, only public ticker metadata is sent. The output is research material, not investment advice.
7. International Data Transfers
Virtus is operated from the United States. The US has not been declared adequate by the ANPD under LGPD Art. 33(I). We rely on (i) your specific, informed consent given at registration (LGPD Art. 33(VIII)) and (ii) ANPD-approved Standard Contractual Clauses under Resolution CD/ANPD No. 19/2024 (LGPD Art. 33(II)(d)). For EEA/UK/Swiss transfers, we rely on Chapter V GDPR safeguards including EU SCCs (Decision (EU) 2021/914), the UK IDTA, and where applicable the EU–U.S., UK Extension, and Swiss–U.S. Data Privacy Framework.
8. Retention
Active accounts kept while account exists. Inactive accounts deleted 12 months after last sign-in, with 30 days' advance notice. Deletion requests: live data within 30 days, encrypted backups within 90 days. Server logs 30 days. Crash diagnostics 90 days. Subscription billing identifiers per tax law (5–7 years).
9. Your Rights
You have rights to access, correction, deletion, portability, opt-out (where applicable), and to lodge a complaint with a supervisory authority. Specific rights vary by jurisdiction — LGPD Art. 18 for Brazil; CCPA/CPRA for California; substantially similar rights under VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, FDBR, TIPA, ICDPA, DPDPA, NHPA, NJDPA, Nebraska Data Privacy Act, MCDPA-MN, MODPA, INCDPA, KCDPA, RIDTPPA; GDPR Articles 15–22 for the EEA; UK GDPR for the UK; FADP for Switzerland; PIPEDA and Quebec Law 25 for Canada. We honor Global Privacy Control (GPC) signals where state law requires.
10. Security
Argon2id password hashing, RS256 JWT with refresh rotation, TLS 1.2+ in transit, encryption at rest on managed PostgreSQL, least-privilege access, mandatory MFA for admin, dependency scanning, secure SDLC with code review and compile-time-checked SQL, documented incident response.
11. Breach Notification
We commit to notify (i) the ANPD and affected Brazilian Data Subjects of any breach causing relevant risk or damage, in a reasonable period (LGPD Art. 48); (ii) the competent EU/UK supervisory authority within 72 hours of awareness (GDPR Art. 33), and affected subjects when risk is high (Art. 34); and (iii) US residents and state AGs within statutory timeframes (30–90 days).
12. Changes
Material updates will be reflected in the "Last Updated" date and, where legally required, communicated through the Service, on the website, or by email.
13. Governing Law
Governed by Florida law; forms part of, and is read together with, the Correia Virtus Terms of Service (Sections 21 and 22 — Governing Law and Dispute Resolution / Arbitration). Brazilian Data Subjects retain CDC/LGPD protections and the right to sue in their place of residence; EEA/UK/Swiss consumers retain mandatory consumer-protection rights.
14. Government Non-Affiliation
Correia Virtus LLC and the Service are independent, NOT affiliated with, endorsed by, or sponsored by CVM, Banco Central do Brasil, B3, the U.S. SEC, FINRA, U.S. Treasury, or any government agency. Virtus is not investment advice.
15. Contact
For privacy questions, rights requests, or complaints, contact the privacy team email above, or write to Correia Virtus LLC, Niceville, Florida, USA. Brazilian complaints may also be filed with the ANPD (gov.br/anpd); US complaints with the FTC (ftc.gov) or your state attorney general; UK with the ICO (ico.org.uk); Canada with the OPC (priv.gc.ca).