Privacy Policy
Mabenn ("Mabenn", "we") takes the privacy and protection of your personal data seriously. This Privacy Policy explains what data we collect, why we collect it, on what legal basis, who we share it with, how long we keep it, and how you can exercise your rights under Brazil's General Personal Data Protection Law (Lei nº 13.709/2018 — LGPD).
Mabenn is a rental management platform for landlords who manage their own properties and the tenants who rent from them. This policy describes both the data we process today, during the pre-launch waitlist phase, and the data we intend to process once the product is available. Where the distinction matters, it is marked explicitly.
The Portuguese version of this policy, published at mabenn.com.br/privacidade, is the legally binding version. This English translation is provided for convenience.
Controller identity
In this pre-launch phase, the controller of your personal data is Brandon Fleming, the founder operating Mabenn as an individual (pessoa física). Mabenn is not yet incorporated as a legal entity; once the company is incorporated, this policy will be updated with the controller's legal name, CNPJ, and address. Until then, contact is via the privacy email below.
The controller is the party responsible for decisions about how your personal data is processed.
Contact and Data Protection Officer (DPO)
For any question about this policy, about how we process your data, or to exercise your rights, contact us:
- Privacy email: privacidade@mabenn.com.br
- Data Protection Officer (encarregado): during this pre-launch phase, the controller (Brandon Fleming) acts as the privacy point of contact, via the email above.
The Data Protection Officer is the channel of communication between you, Mabenn, and Brazil's National Data Protection Authority (ANPD).
Data we collect
What we collect today, on the waitlist
In the current pre-launch phase, Mabenn collects only the minimum needed to run the waitlist:
- Email address — to confirm your signup and let you know when the product launches.
- Role indication — whether you signed up as a landlord or a tenant.
- Anonymous usage data — described under "Cookies and tracking technologies", below.
In this phase, we do not collect CPF, property addresses, bank data, payment receipts, or documents.
What we intend to collect once the product launches
When the product is available and you create an account and connect a property, we intend to process the following categories of data:
- Account and profile data — name, photo, CPF/CNPJ, and contact details.
- Property data — address, characteristics, and associated service providers.
- Contract data — parties, rent amount, dates, adjustment index, and the terms of the rental contract.
- Bank data via Open Finance — when you connect a bank account, we receive and store financial transactions from the accounts you authorized, through regulated Open Finance providers. Access is read-only — Mabenn does not move money.
- Charges and payments — charge definitions (rent, condo, utilities), monthly instances, payment matches, and the monthly ledger history.
- Boletos and bills — boletos discovered via DDA issued to the registered CPF, and utility bills sent to the property's ingestion email address.
- Uploaded documents — bills, receipts, and rental-related documents that you or the other party upload.
- Reputation — landlord and tenant reputation scores and the concrete events that drive them (on-time payments, response times, resolved disputes).
- Communications and disputes — maintenance requests, contract questions, negotiations, and disputes recorded inside the platform.
- Notifications and audit — notification delivery records and the audit trail of changes to sensitive data.
- Usage data — product events and usage metrics, described under "Cookies and tracking technologies".
We collect only the personal data necessary for its intended purpose (data minimization). We do not collect sensitive personal data — such as health or biometric data — and uploaded documents must be limited to rental-related documents.
Purpose and legal basis for each processing activity
We process personal data only when there is a legal basis under the LGPD. The list below describes the purpose and legal basis for each category.
- Waitlist (email and role) — to run the waitlist and notify you about launch. Legal basis: consent (Art. 7, I).
- Account, profile, and property data — to create and maintain your account and properties. Legal basis: contract performance (Art. 7, V).
- Contracts, charges, payments, boletos, ledger, and documents — to provide the rental management service: tracking rent and bills, matching payments, generating adjustments and notices, and keeping the record of the rental. Legal basis: contract performance (Art. 7, V).
- Bank data via Open Finance — to detect and match rent and bill payments from the accounts you authorized. Legal basis: contract performance (Art. 7, V), upon your explicit authorization with the Open Finance provider.
- Reputation and disputes — to build verified, portable reputations and record rental-related disputes. Legal basis: contract performance (Art. 7, V).
- Product analytics and usage metrics — to understand usage and improve the product. Legal basis: legitimate interest (Art. 7, IX), with a documented Legitimate Interest Assessment.
- Marketing emails and sharing with third parties for their own purposes — only where applicable. Legal basis: consent (Art. 7, I), which you may revoke at any time.
Data sharing and third parties
Mabenn does not sell your personal data. We share data only with service providers (processors) that handle data on Mabenn's behalf, under contract and within the purposes described in this policy:
- Supabase — database, authentication, and storage, hosted in the sa-east-1 region (São Paulo, Brazil).
- PostHog — product analytics and usage metrics.
- Vercel — hosting and delivery of the web application.
- Resend — sending and receiving email.
Once the product is available, Open Finance providers (for bank connection) and DDA boleto-discovery providers will also act as processors, within the purposes described above.
International data transfers
Mabenn's primary database is hosted in Brazil, in the sa-east-1 region (São Paulo), on Supabase. Some processors — Vercel, PostHog, and Resend — may process data outside Brazil. Where an international transfer occurs, it is supported by adequate safeguards, including data processing agreements (DPAs) with standard contractual clauses (SCCs), as required by the LGPD.
Retention periods
We keep personal data only for as long as necessary for the purposes for which it was collected, or for the period required by law. During the waitlist phase, we keep your email until launch or until you ask us to remove it. Once the product is available, we will apply the following periods:
- Active account data — account duration + 30 days.
- Published statements — 5 years.
- Payment records — 5 years.
- Uploaded bills and documents — tenancy + 1 year, or 5 years, whichever is longer.
- Analytics events — 2 years, then anonymized.
- Deleted account data — deleted within 30 days (except where retention is required by law).
- Audit logs — 5 years.
Your rights as a data subject (Art. 18)
The LGPD grants you, the data subject, the following rights. We respond to any request within 15 days:
- Confirmation and access — know whether we process your data and access it.
- Correction — correct incomplete, inaccurate, or outdated data.
- Deletion — request deletion of your account and your data, with the proper cascade ("Delete my account"), except where retention is required by law.
- Portability — export your data in a readable format (JSON/CSV).
- Consent revocation — revoke, at any time, consent given for consent-based processing.
- Information about sharing — know which entities we share your data with.
- Complaint to the ANPD — file a complaint with Brazil's National Data Protection Authority.
To exercise any of these rights, write to privacidade@mabenn.com.br.
Cookies and tracking technologies
While you are only browsing the public pages, Mabenn uses anonymous usage analytics under legitimate interest — we do not identify visitors who are only browsing. When you join the waitlist and give us your email, we begin associating your analytics activity with your email, on the basis of the consent you give by joining the list, to measure conversion and prepare for launch. Inside the authenticated product, analytics are identified under legitimate interest, and you can turn them off at any time through an opt-out toggle in your account.
Security and incidents
We apply technical and organizational measures to protect your data, including row-level security on tables holding property and user data, audit trails of sensitive changes, and secure document storage. In the event of a security incident that may pose a relevant risk, we will notify the ANPD and affected data subjects within the timeframes required by law.
Changes to this policy
We may update this policy to reflect changes in the product, the law, or our practices. When a change is material, we will notify you through the appropriate channels. The date of the last update is shown below.
Last updated: May 29, 2026
This is a draft pending review by qualified Brazilian legal counsel. It does not constitute legal advice.