Privacy and Data Protection Policy

1.1. In the operation of the LIFE15 platform, the allocation of legal responsibility is clearly divided to ensure full compliance with the LGPD, the GDPR and US state legislation:

• LIFETECH as Data Controller: LIFETECH acts as Controller in the processing of registration data, security logs, technical support data and financial information of pastors, tenant administrators, disciplers and church leaders (PLATFORM USERS), since it directly determines the technical purposes and operational means of such processing;
• LIFETECH as Processor (Sub-processor) of Data: LIFETECH acts strictly as a Processor (and as a sub-processor in infrastructure integrations) in the processing of the personal data of new members registered by the church and spiritual conversion interactions (NEW BELIEVERS). The CONTRACTING CHURCH acts solely as Data Controller. It is the sole party legally responsible for obtaining the highlighted consent, defining which new believers will be entered into the platform, configuring the theological themes and handling any rights requests exercised by its members.

The platform limits the collection of personal data to what is strictly necessary to enable ecclesiastical consolidation activities and network security:

• Platform Users' Data (Administrative Panel): full name, corporate/ecclesiastical email address, mobile phone number, name of the affiliated ecclesiastical organization, administrative role/function and logical access logs;
• New Believers' Data (entered by the church or collected via the AI and VSL Player): full name, mobile phone number (for sending WhatsApp messages), age range, gender, marital status, neighborhood of residence (for proximity and geographic location purposes on the community map), date and place of conversion, history of participation and clicks on the lessons and tracks of the faith journey, viewing progress and quizzes completed on the VSL Player, prayers submitted and the entire content of the dialogues and questions held with the Pastoral AI Agent.

3.1. The LIFE15 platform processes information directly associated with religious conviction and affiliation with a religious organization, which is formally classified as Sensitive Personal Data in accordance with Article 5, II, of the LGPD and as a Special Category of Data under Article 9(1) of the GDPR.

3.2. To legitimize the processing of this sensitive data, the CONTRACTING CHURCH (as controller) undertakes to collect, in advance and in a free, specific and highlighted manner, the consent of new believers for the start of the LIFE15 consolidation journey.

3.3. Restriction on Use of AI Dialogues: all dialogues, prayer outpourings, theological prayers and feelings analytically processed by the Pastoral AI Agent are strictly confidential and logically isolated at the tenant and database level. Such information is used exclusively to generate dynamic responses and issue ecclesiastical alerts to the pastors registered on the CONTRACTING CHURCH's account, and its use by LIFETECH for commercial, advertising, third-party commercial purposes or for training global artificial intelligence models of the Google Gemini API is strictly prohibited.

The platform implements rigorous safeguards for the processing of personal data of children and adolescents according to the user's jurisdiction of access:

4.1. Digital ECA (Brazil - Law no. 15.211/2025): in compliance with the Brazilian Digital Statute of the Child and Adolescent and the regulations in force of the ANPD, the LIFE15 platform:

• expressly prohibits the use of ineffective age self-declaration mechanisms (such as free-text boxes or simple "I am over 18" confirmation buttons) to access interactive features, chats and AI dialogues;
• requires the implementation of auditable and secure age-assurance methods based on age-estimation biometrics, facial validation or automated cross-checking with the CPF registration base in a fully integrated manner;
• requires that accounts of new believers under 16 (sixteen) years of age be mandatorily linked to the registered profile of a parent or duly verified legal guardian on the platform, providing complete parental supervision tools;
• complies with the safety-by-design regime, refraining from behavioral profiling, targeted advertising or commercial exploitation based on minors' data, as well as from adopting manipulative design practices aimed at keeping the minor engaged on the platform beyond the established daily pedagogical limit of 15 minutes.

4.2. COPPA Compliance (United States): the CONTRACTING CHURCH undertakes to obtain Verifiable Parental Consent (VPC) under the guidelines of the Federal Trade Commission (FTC) before entering the personal data of any new believer under 13 (thirteen) years of age into the LIFE15 ecosystem, securely recording such authorization in the system's administrative tools.

4.3. GDPR Compliance (European Union): the processing of information of new believers under 16 (sixteen) years of age (or a lower legal limit adopted by the European Union Member State, never below 13 years) will only be considered lawful upon verification of the express consent given by the holder of parental responsibility over the child, in accordance with Article 8 of the GDPR.

5.1. In order to make the intelligent suggestion and direct the new believer to their ideal pastoral companion swiftly, the platform adopts a hybrid intelligence algorithm that calculates an affinity score from zero to one hundred based on the following structured mathematical equation:

Where:

• Affinity is the final affinity score generated between the new believer and the discipler;
• Deterministic Cross-Check (weight of 80%) is calculated based on objective structured data (mandatory gender exclusion and matching of compatible age range, marital status and proximity of registered neighborhood);
• Heuristic AI Component (weight of 20%) is inferred through the Google Gemini artificial intelligence, which qualitatively analyzes the themes of preliminary theological doubt and the discipler's counseling preferences.

5.2. The NEW BELIEVER has the fundamental right to request human review and supervision of any suggestion or triage carried out automatically by the algorithm, in accordance with the guidelines of Article 20 of the LGPD and the GDPR rules.

LIFETECH shares personal data only with technology infrastructure partners and cloud operators to enable the delivery and technical functionality of the software, as mapped below:

7.1. Given the use of the global cloud services described in Section 6, the personal data processed by the LIFE15 platform is transferred internationally to servers located in the United States and the European Union.

7.2. LIFETECH ensures that all international transfer operations of personal data of new believers and users are strictly shielded by adequate legal mechanisms, in particular the adoption of Standard Contractual Clauses (SCCs) approved by the European Commission and full compliance with the regulatory parameters and guidelines issued by the Brazilian National Data Protection Authority (ANPD).

8.1. The sensitive and registration personal data processed in LIFE15 is kept in the active system only for the term of the licensing relationship maintained with the CONTRACTING CHURCH, or for the duration of the NEW BELIEVER's 90-day consolidation journey, respecting legal retention obligations (such as the mandatory recording of connection logs under the Internet Civil Framework for a period of 6 months).

8.2. Two-Phase Disposal: a request for definitive deletion or the revocation of consent by a data subject shall take place under the following technical stages:

• Logical Deletion (Soft Delete): an instantaneous process in which the subject's data record is marked as unavailable in the database, immediately interrupting the D+N messaging flow on WhatsApp and preventing any logical query via the administrative API or Supabase RLS;
• Physical Deletion (Hard Delete): processing of the elimination of structured data at the hard-disk level and elimination of backup copies, or a process of irreversible mathematical anonymization within up to 30 (thirty) days after the processing of the logical deletion.

9.1. All subjects of personal data processed by LIFE15 may exercise their rights of confirmation, access, rectification, data portability, deletion and revocation of consent in a simplified and free manner by sending a written request addressed to our Data Protection Officer (DPO) through the email address privacidade@life15.com.br.

9.2. California Opt-Out Mechanism (CCPA/CPRA): to ensure compliance with US state data privacy laws, subjects located in the State of California (US) have the right to limit the processing of their Sensitive Personal Information (SPI) to strictly necessary service functions. The platform's administrative panel prominently provides the "Limit the Use of My Sensitive Personal Information" link, and the system natively and automatically honors and processes the Global Privacy Control (GPC) signals transmitted by internet browsers.

10.1. LIFETECH adopts high technical and organizational security standards to ensure the isolation, confidentiality and integrity of all confidential information processed by the platform.

10.2. The LIFE15 security infrastructure encompasses:

• End-to-end encryption for data in transit with HTTPS and TLS 1.3 protocols;
• Encryption of data stored at rest with the advanced AES-256 standard;
• Active access monitoring and system audits based on the best ISO 27001 cybersecurity compliance guidelines;
• Firewalls and security filters against distributed denial-of-service (DDoS) attacks on the application front-end.

This Privacy Policy is up to date and fully in force as of June 19, 2026.