This policy establishes the procedures Oversee Tecnologia LTDA ("Oversee", "we", "us") follows when receiving requests from law enforcement agencies, government authorities, or other public entities seeking access to personal data or user information processed by our platform.

We are committed to protecting our users' privacy and fundamental rights while complying with applicable legal obligations under Brazilian law, including the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018), the Marco Civil da Internet (Law No. 12,965/2014), and other applicable regulations.

1. Mandatory Legitimacy Review

Every request from a public authority for user data must undergo a mandatory legitimacy review before any information is disclosed. This review is conducted by our Legal and Privacy team and includes the following steps:

1.1. Identity and Authority Verification

We verify the identity and authority of the requesting party to confirm they are a legitimate public entity with jurisdiction over the matter.

1.2. Request Requirements

We confirm that the request is made in writing, on official letterhead, and includes:

• The legal basis for the request (specific law or regulation)
• The purpose and scope of the data being requested
• Identification of the specific users or accounts involved
• A valid court order, warrant, or equivalent legal instrument, where required by law

1.3. Legal Compliance Assessment

We assess whether the request complies with applicable laws, including but not limited to:

• Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018)
• Marco Civil da Internet (Law No. 12,965/2014)
• Brazilian Federal Constitution (Article 5, Sections X and XII)
• Any applicable international agreements or treaties

1.4. Proportionality

We evaluate whether the request is proportionate to the stated objective and does not exceed what is necessary for the investigation or proceeding.

1.5. Rejection of Non-Compliant Requests

Requests that do not meet the above criteria will be rejected or returned to the requesting authority with an explanation of the deficiency.

2. Contesting Unlawful Requests

Oversee reserves the right to contest, challenge, or refuse any request for user data that we determine to be unlawful, overbroad, or otherwise improper.

2.1. Invalid Requests

If a request lacks a valid legal basis, is overly broad in scope, or does not comply with applicable procedural requirements, we will notify the requesting authority and decline to produce the data.

2.2. Rights Violations

If we believe a request violates the constitutional rights of our users or conflicts with applicable data protection laws, we will seek legal counsel and may take the following actions:

• File a formal objection with the requesting authority
• Challenge the request through appropriate judicial channels
• Seek a protective order or injunction to prevent disclosure
• Report the matter to the Autoridade Nacional de Proteção de Dados (ANPD) if the request conflicts with the LGPD

2.3. User Notification

We will notify the affected user(s) about the existence of a data request unless we are legally prohibited from doing so (e.g., by a court-imposed gag order or secrecy requirement). If such a prohibition exists, we will revisit the restriction periodically and notify the user as soon as legally permitted.

2.4. No Bulk Access

Under no circumstances will Oversee voluntarily provide bulk or indiscriminate access to user data, nor will we create or maintain "backdoors" for government surveillance.

3. Data Minimization

When Oversee is legally compelled to disclose user data in response to a valid and lawful request, we apply strict data minimization principles to limit the scope of disclosure.

3.1. Minimum Necessary Disclosure

We will disclose only the minimum amount of personal data strictly necessary to satisfy the specific legal obligation. No additional data beyond what is explicitly requested and legally required will be provided.

3.2. Scope Narrowing

Before producing data, we will:

• Narrow the scope of the response to the specific users, accounts, or time periods identified in the request
• Exclude any data categories not explicitly covered by the legal basis cited
• Remove or redact information that is not relevant to the stated purpose
• Anonymize or pseudonymize data where possible without undermining the purpose of the request

3.3. Communication Content

We will not disclose the content of private communications unless compelled by a valid court order that specifically authorizes such disclosure, as required by the Marco Civil da Internet (Article 10, §2).

3.4. Metadata Separation

Metadata (such as access logs, IP addresses, or timestamps) may be disclosed separately from content data when the legal basis supports only metadata access.

4. Request Logging and Record-Keeping

Oversee maintains a detailed internal log of all data requests received from public authorities. This log is confidential and is maintained to ensure accountability, transparency, and compliance with our legal obligations.

4.1. Information Recorded

For each request, the following information is recorded:

• Date the request was received
• Identity of the requesting authority and the individual officer or representative
• Legal basis cited in the request
• Description of the data requested
• Users or accounts affected
• Result of the legitimacy review (approved, rejected, or contested)
• Legal reasoning supporting the decision
• Description of data disclosed (if any), including the scope and format
• Date of response or disclosure
• Names and roles of internal personnel involved in the review and decision
• Any correspondence or objections exchanged with the requesting authority

4.2. Retention

These records are retained for a minimum of five (5) years, in compliance with applicable legal retention requirements.

4.3. Access Control

Access to the request log is restricted to authorized members of the Legal and Privacy team. The log is reviewed periodically to identify trends, ensure consistency of decisions, and improve internal processes.

4.4. Transparency Reporting

Oversee may publish an annual transparency report summarizing the number and types of government data requests received, the number of requests complied with, and the number of requests contested or rejected. This report will contain only aggregate data and will not identify individual users or specific investigations.

5. Contact

For questions about this policy or to submit a lawful data request, please contact:

Oversee Tecnologia LTDA
Privacy and Data Protection Team
Email: privacy@getoversee.ai

6. Changes to This Policy

We may update this policy from time to time to reflect changes in applicable law, regulatory guidance, or our internal practices. The "Last Updated" date at the top of this document indicates when the most recent revision was made.