Privacy Policy

Effective Date: April 11, 2026
Last Updated: April 11, 2026
Version: 1.0

1. Controller Identification

The data controller responsible for the processing of personal data described in this Privacy Policy is:

Legal Name	L2AD INFORMATICA LTDA
Trade Name	The Turn AI
CNPJ	23.089.779/0001-69
Registered Address	Calc das Margaridas, 163, Sala 02, Cond. Centro Comercial Alphaville, Barueri, SP, 06453-038, Brazil
Data Protection Officer (DPO)	Fabiano Funari Filho
DPO Contact	privacy@theturn.ai
General Inquiries	hello@theturn.ai
Website	https://theturn.ai

For the purposes of the EU General Data Protection Regulation (GDPR), the Brazilian Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018), and any other applicable data protection legislation, L2AD INFORMATICA LTDA (“The Turn AI,” “we,” “us,” or “our”) acts as the data controller for the processing activities described herein, except where expressly stated otherwise.

2. Scope and Applicability

This Privacy Policy applies to all personal data processed in connection with:

Our website at theturn.ai and all subdomains;
Our AI Agents as a Service (AaaS) product, whereby autonomous AI agents communicate with end-users on behalf of our clients via WhatsApp, Telegram, webchat, email, SMS, and voice;
Our Professional Websites product, including AI-powered webchat widgets embedded on client websites;
Our SEO Pro dashboard product;
Our marketing and sales outreach activities, including automated email prospecting;
Any other service, product, or communication offered by The Turn AI.

This Policy applies regardless of how you interact with us—whether as a visitor to our website, a prospective lead, a paying client, or an end-user communicating with an AI agent deployed by one of our clients.

3. Important Disclosure: Use of Artificial Intelligence

The Turn AI deploys autonomous artificial intelligence agents. These agents are software programs powered by large language models (LLMs), not human beings.

When you communicate with an agent provided through The Turn AI’s platform—whether via WhatsApp, Telegram, webchat, SMS, email, or voice call—you are interacting with an AI system. In compliance with the EU AI Act (Regulation (EU) 2024/1689, Article 52), California Senate Bill 1001 (Cal. Bus. & Prof. Code § 17941), and equivalent transparency obligations under the LGPD, we make the following disclosures:

AI Nature: All agents deployed through our platform are AI-powered. They are not human operators. Agents may introduce themselves with a human-sounding name for conversational fluency, but they are at all times artificial intelligence systems.
Third-Party AI Models: Conversations are processed by third-party large language model providers, including Anthropic (Claude), OpenAI, and Google (Gemini), accessed through the OpenRouter routing service. The text of your conversations is transmitted to these providers for the purpose of generating responses.
Conversation Logging: All conversations with AI agents are recorded and stored for service delivery, quality assurance, dispute resolution, and to improve agent performance for the specific client whose agent you are communicating with.
Automated Decision-Making: AI agents perform automated decision-making, including lead qualification, appointment scheduling, and routing decisions. See Section 8 for further details on your rights regarding automated decisions.

If you are an end-user communicating with an AI agent deployed by one of our clients (for example, a patient contacting a dental clinic, a potential buyer contacting a real estate agent, or a guest contacting a property manager), please be aware that: (a) the AI agent is operated on our platform on behalf of the client business; (b) both The Turn AI and the client business may have access to your conversation data; and (c) The Turn AI acts as a data processor on behalf of the client (who acts as controller), except for our own legitimate interests in platform security, fraud prevention, and service improvement, for which we act as an independent controller.

4. Categories of Data Subjects and Personal Data Collected

4.1. Website Visitors

Data collected: IP address, browser type and version, operating system, referral source, pages visited, visit duration, approximate geolocation (country/city level), language preference, device type, cookies and similar tracking identifiers.

Method of collection: Automatically through cookies, server logs, and analytics tools.

4.2. Prospected Leads (Outbound Marketing)

Data collected: Business name, business owner or contact person’s name, email address, phone number, business address, industry/sector, website URL, information publicly available on Google Maps, business directories, and the open web.

Method of collection: Automated prospecting using Google Maps API and web search tools. Our AI agents (“scout” and “intel” agents) identify businesses that may benefit from our services. We then send outreach emails through SendGrid. Recipients who have not previously interacted with us receive cold outreach emails.

4.3. Paying Clients (Businesses)

Data collected: Full name, email address, phone number, business name, industry/profession, billing address, payment information (processed by Stripe; we do not store credit card numbers), service plan and usage data, login credentials (hashed), support communications, onboarding information (business description, target audience, services offered, pricing, procedures).

Method of collection: Directly from you during purchase, onboarding, and ongoing use of our services.

4.4. End-Users of Client Agents

Data collected: Name (if provided), phone number, email address (if provided), messaging platform identifier (WhatsApp JID, Telegram ID, webchat session ID), the full content of conversations with the AI agent, timestamps, language, any files or media shared during conversations (images, documents, audio), and any information you voluntarily provide during the conversation (which may include sensitive categories depending on the context—for example, health information shared with a medical practice’s agent, or financial information shared with a real estate agent).

Method of collection: Automatically when you communicate with an AI agent through any supported channel.

Important notice: You may not be aware that The Turn AI processes your data when you communicate with what appears to be a business’s own assistant. This Privacy Policy and the AI disclosure requirements referenced in Section 3 are intended to address this transparency gap. Our AI agents are configured to identify themselves as AI when directly asked.

5. Purposes and Legal Bases for Processing

The table below describes each processing activity, its purpose, and the corresponding legal basis under both the GDPR (Article 6) and the LGPD (Article 7).

Processing Activity	Purpose	GDPR Legal Basis (Art. 6)	LGPD Legal Basis (Art. 7)
Serving the website and collecting analytics	Website functionality, performance monitoring, audience understanding	Art. 6(1)(f) — legitimate interest in understanding website usage	Art. 7, IX — legitimate interest
Placing analytics cookies (Google Analytics)	Measuring site traffic, user behavior, and marketing effectiveness	Art. 6(1)(a) — consent (via cookie banner)	Art. 7, I — consent
Automated business prospecting (scout/intel agents)	Identifying potential clients for outbound sales	Art. 6(1)(f) — legitimate interest in direct marketing to businesses	Art. 7, IX — legitimate interest
Sending cold outreach emails	Direct marketing to prospective business clients	Art. 6(1)(f) — legitimate interest (B2B soft opt-in / Recital 47); unsubscribe link included in every email	Art. 7, IX — legitimate interest (B2B context)
Processing payments	Fulfilling purchase transactions	Art. 6(1)(b) — performance of a contract	Art. 7, V — performance of a contract
Client onboarding and account management	Setting up AI agents, configuring services, ongoing support	Art. 6(1)(b) — performance of a contract	Art. 7, V — performance of a contract
AI agent conversations with end-users (on behalf of client)	Providing the contracted AI agent service to the client’s end-users	Art. 6(1)(f) — legitimate interest of the client in serving their customers; the client-controller may also rely on Art. 6(1)(b) (contract with their customer)	Art. 7, IX — legitimate interest of the client-controller
Logging and storing conversations	Service delivery, quality assurance, dispute resolution, legal compliance	Art. 6(1)(f) — legitimate interest; Art. 6(1)(c) — legal obligation (where applicable)	Art. 7, IX — legitimate interest; Art. 7, II — legal obligation
Transmitting conversation text to third-party LLM providers	Generating AI responses (core service functionality)	Art. 6(1)(f) — legitimate interest (necessary for service operation); supported by contractual safeguards with sub-processors	Art. 7, IX — legitimate interest
Lead qualification and scoring (automated profiling)	Prioritizing leads for client’s sales process	Art. 6(1)(f) — legitimate interest of the client; subject to Art. 22 rights (see Section 8)	Art. 7, IX — legitimate interest; subject to Art. 20 rights (see Section 8)
Sending transactional emails (confirmations, onboarding links)	Service fulfillment	Art. 6(1)(b) — performance of a contract	Art. 7, V — performance of a contract
Push notifications	Alerting clients about agent activity, new leads, usage	Art. 6(1)(a) — consent (opt-in required)	Art. 7, I — consent
Voice calls via AI agent	Outbound sales calls on behalf of The Turn AI	Art. 6(1)(f) — legitimate interest in B2B marketing; disclosed as AI per Section 3	Art. 7, IX — legitimate interest
Usage metering and cost tracking	Billing, plan enforcement, fraud prevention	Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interest	Art. 7, V — contract performance; Art. 7, IX — legitimate interest

Special categories of data (GDPR Art. 9 / LGPD Art. 11): We do not intentionally collect special category data (health, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, biometric data, or trade union membership). However, end-users may voluntarily disclose such information during conversations with AI agents (for example, health information when speaking with a medical practice’s agent). Where this occurs, processing is based on the explicit consent implicit in the data subject’s voluntary disclosure (GDPR Art. 9(2)(a); LGPD Art. 11, I), and the data is processed solely for the purpose of the conversation. We instruct our clients to implement appropriate notices where their agents are likely to process sensitive data.

6. Automated Decision-Making and Profiling

In accordance with GDPR Article 22 and LGPD Article 20, we provide the following information about automated decision-making and profiling activities conducted through our platform.

6.1. What Automated Decisions Are Made

Our AI agents perform the following automated processing that may produce legal or similarly significant effects on data subjects:

Lead Qualification: AI agents assess the quality and purchase intent of a lead based on conversational inputs, assigning internal classifications such as “New,” “Hot,” “Qualified,” “Converted,” or “Lost.” This classification determines the priority and nature of follow-up communications the lead receives.
Lead Routing: Based on the content of a conversation, agents may decide whether to handle a query autonomously, escalate to a human operator, schedule an appointment, or discontinue engagement.
Response Generation: All replies sent by AI agents to end-users are autonomously generated by large language models based on the conversation context, the client’s business rules, and knowledge base.
CRM Pipeline Management: Where integrated with a client’s CRM, agents may automatically move deal records between pipeline stages based on conversational outcomes.
Email and Message Dispatch: AI agents may autonomously decide to send follow-up emails, WhatsApp messages, or calendar invitations based on conversation context.

6.2. Logic Involved

Automated decisions are generated by third-party large language models (currently Anthropic Claude Sonnet and Haiku, accessed via OpenRouter) operating under structured prompts and business rules defined by our clients. The models evaluate conversational inputs against these rules to produce classifications, responses, and actions. The models are probabilistic and do not use deterministic scoring algorithms; outputs may vary for identical inputs.

6.3. Significance and Consequences

Automated lead qualification may affect whether and how a business follows up with you, the priority assigned to your inquiry, and the speed and nature of service you receive. In most cases, a human operator employed by the client business retains the ability to override agent decisions.

6.4. Your Rights Regarding Automated Decisions

Under GDPR Article 22 and LGPD Article 20, you have the right to:

Obtain an explanation of the logic involved in automated decisions that affect you;
Request human review of any automated decision;
Express your point of view and contest the decision;
Request that a decision not be based solely on automated processing where it produces legal or similarly significant effects.

To exercise these rights, contact privacy@theturn.ai. Where the automated decision was made by an AI agent operating on behalf of one of our clients, we will coordinate with the client to address your request.

7. Sub-Processors and Third-Party Service Providers

We share personal data with the following categories of third-party sub-processors. All sub-processors are bound by data processing agreements that include appropriate safeguards.

Sub-Processor	Purpose	Data Shared	Location
OpenRouter, Inc.	AI model routing — transmits conversation text to LLM providers (Anthropic, OpenAI, Google) for response generation	Conversation text, session metadata	United States
Anthropic, PBC (via OpenRouter)	Large language model provider (Claude) — generates AI responses	Conversation text	United States
OpenAI, LLC (via OpenRouter)	Large language model provider — backup/alternative model; audio transcription (Whisper)	Conversation text, audio files	United States
Google LLC (via OpenRouter)	Large language model provider (Gemini) — voice AI conversations	Conversation text	United States
Stripe, Inc.	Payment processing	Name, email, payment instrument details, billing address, transaction amounts	United States
Twilio, Inc.	SMS and WhatsApp message delivery	Phone numbers, message content	United States
Telnyx, Inc.	Voice calls (SIP trunking) and SMS delivery	Phone numbers, call recordings/transcripts, SMS content	United States
Twilio SendGrid	Transactional and marketing email delivery	Email addresses, names, email content	United States
DigitalOcean, LLC	Cloud infrastructure hosting (servers)	All data processed on our platform is stored on DigitalOcean infrastructure	United States
Convex, Inc.	Backend database and serverless functions	Lead data, webhook payloads	United States
Google LLC (Analytics)	Website analytics	IP address (anonymized), browsing behavior, device data, cookies	United States
ElevenLabs, Inc.	Conversational voice AI for outbound calls	Conversation transcripts, phone numbers	United States
Meta Platforms, Inc.	Instagram content publishing (via Graph API)	Published content (no personal data of users)	United States

No model training: We do not provide client data or end-user conversation data to any third party for the purpose of training or fine-tuning AI models. Our agreements with LLM providers prohibit the use of API inputs for model training. Conversation data sent to LLM providers is used solely for real-time response generation and is subject to the providers’ respective data processing terms.

We may engage additional sub-processors from time to time. Material changes to our sub-processor list will be reflected in updates to this Privacy Policy.

8. International Data Transfers

The Turn AI is a Brazilian company. However, our server infrastructure and the majority of our sub-processors are located in the United States. This means that personal data collected from data subjects located in Brazil, the European Economic Area (EEA), the United Kingdom, Switzerland, or any other jurisdiction is transferred to and processed in the United States.

We implement the following safeguards for international transfers:

Brazil → US: Transfers are conducted in accordance with LGPD Article 33 and are based on: (i) standard contractual clauses approved by the ANPD (when available); (ii) binding corporate rules or equivalent contractual commitments with sub-processors; and (iii) the legitimate activities of the controller performed in its own interest, provided that fundamental rights are respected.
EEA/UK → US: Transfers are conducted pursuant to: (i) EU-US Data Privacy Framework (where the sub-processor is certified); (ii) Standard Contractual Clauses adopted by the European Commission (Decision 2021/914); or (iii) other approved transfer mechanisms under GDPR Chapter V. We assess the adequacy of protection in the destination country and implement supplementary measures where necessary.
Other jurisdictions: We rely on applicable lawful transfer mechanisms as required by local law.

You may request a copy of the relevant transfer safeguards by contacting privacy@theturn.ai.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as described below. When retention periods expire, data is deleted or irreversibly anonymized.

Data Category	Retention Period	Justification
Website analytics data	26 months	Google Analytics default retention; anonymized after expiry
Prospected lead data (outbound marketing)	12 months from last interaction, or until opt-out/unsubscribe	Legitimate interest in B2B marketing; deleted promptly upon unsubscribe
Client account data	Duration of the contractual relationship plus 5 years	Contract performance; tax and accounting obligations (Brazilian tax law requires 5-year retention of commercial records)
Payment and billing records	5 years from the date of the transaction	Tax, accounting, and legal compliance obligations
AI agent conversation logs (end-users)	12 months from the date of the conversation, or the duration of the client’s contract, whichever is longer	Service delivery, quality assurance, dispute resolution
End-user lead data captured by agents	Duration of client’s contract plus 6 months	Service delivery to the client; deleted after contract termination and wind-down period
Files uploaded during conversations (images, PDFs, audio)	90 days	Transient operational use; automatically purged
Onboarding data (business descriptions, rules, knowledge base)	Duration of client’s contract plus 30 days	Service delivery; deleted upon contract termination
Support and helpdesk communications	3 years	Quality assurance and dispute resolution
Cold outreach email records	6 months from last email sent, or until unsubscribe	CAN-SPAM and equivalent compliance record-keeping

We may retain data for longer periods where required by applicable law, regulation, or legal proceedings, or where necessary to establish, exercise, or defend legal claims.

10. Data Subject Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data. These rights apply under the GDPR (Articles 15–22), LGPD (Articles 17–21), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

Right of Access: You may request confirmation of whether we process your personal data and, if so, obtain a copy of such data and information about how it is processed.
Right to Rectification: You may request correction of inaccurate or incomplete personal data.
Right to Erasure (Right to be Forgotten): You may request deletion of your personal data, subject to legal retention requirements and other lawful grounds for continued processing.
Right to Restriction of Processing: You may request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of data you have contested).
Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, machine-readable format, or transmit it directly to another controller where technically feasible.
Right to Object: You may object to processing based on legitimate interests (including profiling). Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to direct marketing processing at any time, and we will cease such processing without exception.
Right Not to be Subject to Automated Decision-Making: As detailed in Section 6, you may request human review of decisions made solely by automated means that produce legal or similarly significant effects.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.
Right to Information about Sharing: Under the LGPD, you may request information about the public and private entities with which we have shared your data.
Right to Non-Discrimination: Under the CCPA/CPRA, you will not be discriminated against for exercising your privacy rights.

10.1. How to Exercise Your Rights

To exercise any of the above rights, send a request to:

Email: privacy@theturn.ai
Subject line: “Data Subject Rights Request”

We will verify your identity before processing your request. We may ask for information sufficient to confirm you are the person whose data is the subject of the request. We will respond within 30 days (GDPR) or 15 days (LGPD), unless an extension is lawfully permitted, in which case we will notify you of the extension and the reasons for it.

If your request relates to data processed by an AI agent operating on behalf of one of our clients, we may need to coordinate with the relevant client to fulfill your request. We will inform you if this is the case.

10.2. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd
European Union: The supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement
United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk

11. Cookies and Tracking Technologies

11.1. What Cookies We Use

Cookie / Technology	Provider	Type	Purpose	Duration
_ga, _ga_*	Google Analytics	Analytics	Distinguish unique visitors, measure page views, sessions, traffic sources	Up to 2 years
theturn_lang	The Turn AI (first-party)	Functional	Store language preference	Persistent (localStorage)
Session/auth tokens	The Turn AI (first-party)	Strictly necessary	Maintain authenticated sessions in client dashboards	Session
Push notification preferences	The Turn AI (first-party)	Functional	Store push notification opt-in state	Persistent (localStorage)

11.2. Cookie Consent

Strictly necessary cookies and functional cookies (such as language preference) do not require consent. Analytics cookies (Google Analytics) are placed only after you provide consent through our cookie banner, where required by applicable law. You may withdraw consent at any time by clearing your browser cookies or adjusting your browser settings.

11.3. Do Not Track

Our website does not currently respond to “Do Not Track” browser signals. We honor opt-out mechanisms described in this section.

12. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption of data in transit (TLS/SSL for all web traffic and API communications);
Access controls with hashed credentials and per-tenant data isolation;
Firewall protection on server infrastructure;
Intrusion detection and prevention systems (fail2ban);
Regular data backups with defined retention;
Session isolation per contact in messaging channels (per-channel-peer architecture), preventing cross-conversation data leakage;
OAuth token isolation per tenant for third-party integrations;
Prompt injection defenses in AI agent configurations;
Access logging and monitoring.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

GDPR (Article 33): Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will also notify affected data subjects without undue delay (Article 34).
LGPD (Article 48): Notify the ANPD and affected data subjects within a reasonable timeframe as determined by the ANPD, describing the nature of the data affected, the risks involved, the measures taken to mitigate harm, and the measures recommended for data subjects to protect themselves.
Client notification: Where the breach involves data processed on behalf of a client (AI agent conversations), we will notify the affected client without undue delay to enable them to fulfill their own notification obligations.

14. Children’s Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. Our AI agents are designed for business-to-business and business-to-consumer interactions in professional contexts (sales, customer service, real estate, healthcare administration, etc.) and are not intended for use by minors.

If we become aware that we have collected personal data from a child under 18 (or the applicable age of consent in the child’s jurisdiction), we will take steps to delete such data promptly. If you believe that a child has provided personal data to us, please contact privacy@theturn.ai.

15. Controller-Processor Relationship

The Turn AI operates in a dual capacity depending on the context:

Context	The Turn AI’s Role	Client’s Role
Our own website, marketing, outreach, and direct sales	Controller	N/A
AI agent conversations with end-users on behalf of a client	Processor (for service delivery) and Independent Controller (for platform security, fraud prevention, and aggregate analytics)	Controller
Client dashboard, account management, billing	Controller	Data subject

Where we act as a processor on behalf of our clients, we process data strictly in accordance with the client’s instructions as documented in our data processing agreement. Our clients, as controllers, are responsible for ensuring that they have an appropriate legal basis for their end-users’ data to be processed through our platform, and for providing appropriate privacy notices to their end-users.

16. Marketing Communications and Opt-Out

16.1. Outbound Email Marketing

Our automated prospecting system identifies businesses that may benefit from our services using publicly available information. We send commercial emails to business contacts. Every outreach email includes a clearly visible unsubscribe link. Upon unsubscribe, we will cease sending marketing emails within 10 business days and add the email address to our suppression list. To opt out, you may also email privacy@theturn.ai with the subject line “Unsubscribe.”

16.2. Outbound Voice Calls

We may place automated outbound voice calls using AI-powered voice agents for B2B sales purposes. These calls are made to business phone numbers identified through public directories. The AI agent will identify itself as an artificial intelligence system at the beginning of the call. You may request to be placed on our do-not-call list during the call or by contacting privacy@theturn.ai.

17. California-Specific Disclosures (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). In the preceding 12 months, we have collected the following categories of personal information as described in Cal. Civ. Code § 1798.140:

Identifiers (name, email, phone, IP address)
Commercial information (purchase history, service usage)
Internet or electronic network activity (browsing history, search history, interaction with website)
Professional or employment-related information (business name, industry, job title)
Inferences drawn from the above (lead qualification scores, interest levels)

We do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA. We do not use sensitive personal information for purposes beyond those permitted by the CCPA/CPRA.

AI Disclosure (California SB 1001): Pursuant to California Business and Professions Code Section 17941, we disclose that our AI agents are bots. They are not human. They are designed to communicate with users for the purpose of sales, customer service, and lead qualification on behalf of businesses. This disclosure is also made in Section 3 of this Privacy Policy and is implemented within the agents’ operational parameters.

18. EU AI Act Compliance

Under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), our AI agents are classified as limited risk AI systems subject to transparency obligations under Article 52. In particular:

Persons interacting with our AI agents are informed that they are interacting with an AI system (Article 52(1));
AI-generated content (text, voice) produced by our agents is identified as artificially generated where required (Article 52(3));
We maintain technical documentation, logging, and human oversight capabilities as appropriate to the risk classification of our systems.

We do not deploy AI systems classified as “high-risk” or “unacceptable risk” under the EU AI Act. Our agents do not perform social scoring, biometric identification, or emotion recognition.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the “Last Updated” date at the top of this page;
Post the revised Privacy Policy on our website;
For paying clients: notify you by email at the address associated with your account at least 15 days before the changes take effect;
Where required by law, obtain your renewed consent before applying changes that materially affect the processing of your personal data.

We encourage you to review this Privacy Policy periodically. Your continued use of our services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy, to the extent permitted by law.

20. Governing Law and Jurisdiction

This Privacy Policy is governed by the following laws:

For data subjects in Brazil: The LGPD (Lei Geral de Proteção de Dados, Law No. 13,709/2018) and Brazilian law. Disputes shall be submitted to the courts of São Paulo, State of São Paulo, Brazil.
For data subjects in the European Economic Area or United Kingdom: The GDPR (Regulation (EU) 2016/679) or UK GDPR, as applicable. You retain the right to bring claims before the courts of your habitual residence.
For data subjects in the United States: The laws of the State of Florida, United States. Disputes shall be submitted to the state or federal courts located in Orange County, Florida, except where superseded by mandatory state consumer protection laws (such as the CCPA/CPRA for California residents).
For all other data subjects: The mandatory data protection laws of your jurisdiction apply to the extent they provide protections that cannot be waived by contract.

Nothing in this Privacy Policy limits your rights under applicable mandatory data protection legislation.

21. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Data Protection Officer	Fabiano Funari Filho
Privacy inquiries	privacy@theturn.ai
General inquiries	hello@theturn.ai
Postal address	Calc das Margaridas, 163, Sala 02, Cond. Centro Comercial Alphaville, Barueri, SP, 06453-038, Brazil

We aim to respond to all privacy-related inquiries within 15 business days.

This Privacy Policy was last updated on April 11, 2026.