Last updated: 7 May 2026 · Version 1.0
As SixTree is a Brazilian company, this Policy is governed by Brazilian law; the original Portuguese version prevails in case of interpretive doubt.
Having your personal data properly looked after is a right protected by Law No. 13,709 of 14 August 2018, known as the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD), and an obligation of SixTree to you.
This Privacy Policy adopts a privacy by design approach and is intended to make transparent how SixTree processes your personal data, in compliance with:
This Policy applies to all personal data processed by SixTree in the context of its strategic advisory and product studio services, encompassing:
This Policy does not apply to third-party services, sites or products that may be accessed via links in our channels. We recommend consulting the respective privacy policies of those third parties.
For the purposes of this Policy, the Controller of the personal data collected is the legal entity identified below:
SIXTREE CONSULTORIA EM DESENVOLVIMENTO SUSTENTÁVEL LTDA
CNPJ (Brazilian company registration number): 62.144.984/0001-31
Quadra ARNO 12, Alameda das Aroeiras, H.M. 02, Lote 03 — Palmas/TO, Brazil — Postcode 77.001-048
Institutional email for privacy matters: office@sixtree.co
For a better understanding of this document, we adopt the terms defined in Article 5 of the LGPD, summarised below:
We collect your personal data through different means, as detailed below. In accordance with the principle of necessity (Article 6, III, of the LGPD), we collect only the data strictly necessary to fulfil the purposes set out in this Policy.
| How we collect | What that means |
|---|---|
| Through your input | We collect data you voluntarily provide when filling in the Diagnostic Brief form, contact forms, commercial proposals or registrations on our official channels. |
| Through your interaction with the site | We collect data automatically generated when you browse sixtree.co, such as IP address, approximate geolocation (city or region), device type, operating system, browser, and pages visited, in compliance with Article 7, I, of the Internet Civil Framework. |
| Through cookies | Small text files sent by the site to your device, stored either temporarily or permanently. Information stored in cookies is also considered personal data and follows all the rules of this Policy. |
| Through technology providers | We collect data processed by our Processors (Google Workspace, Vercel, Google Analytics and Google reCAPTCHA), as detailed in Section 8. |
When you respond to the Diagnostic Brief, we collect:
SixTree does not collect sensitive personal data through the Diagnostic Brief form or at any other point of commercial interaction.
The sixtree.co site uses only two categories of cookies, described below. We do not use marketing cookies, behavioural advertising cookies or cross-site tracking cookies.
| Category | Purpose |
|---|---|
| Strictly necessary cookies | Ensure the technical functioning of the site, such as session, security and language preference. They cannot be disabled without affecting navigation. |
| Analytics cookies (Google Analytics) | Allow us to understand the aggregate use of the site for statistical and content improvement purposes. They can be disabled in your browser settings without affecting page functionality. |
The detailed list of cookies, with the name, purpose and duration of each, is available on request to the DPO at office@sixtree.co.
When you visit sixtree.co for the first time, we display a banner so you can decide about the use of analytics cookies (Google Analytics). By default, these cookies are disabled until you accept — in compliance with LGPD/GDPR and Google Consent Mode v2.
You can review or change your decision at any time by clicking Cookie settings (also available in the footer of every page). Your choice is stored locally on this device and is not shared with third parties.
According to the LGPD, personal data may only be processed for legitimate, specific and explicit purposes of which the data subject has been informed (Article 6, I). Therefore, we collect your data, and only that which is necessary, for the following purposes:
| Purpose | Detail |
|---|---|
| To return the preliminary diagnosis | To send you, by email, a reading of your company's current moment based on the responses provided in the Diagnostic Brief. |
| To conduct the commercial relationship | To get in touch with you to schedule conversations, send proposals, execute contracts and manage the relationship with leads, prospects and clients. |
| To maintain history of your interactions | To preserve the history of your responses and prior contacts in order to support subsequent conversations, sparing you from repeating information. |
| To improve SixTree's methodology | To calibrate and improve SixTree's proprietary methodology through analysis of anonymised data, without the possibility of individual identification, under Article 12 of the LGPD. |
| To communicate institutional updates | To send communications about SixTree's services, content and updates, exclusively when you express explicit interest (specific opt-in). Withdrawal of consent is free and made easy. |
| To comply with legal obligations | To comply with legal, regulatory, accounting and tax obligations applicable to SixTree, as well as requests from competent authorities. |
| To defend SixTree's rights | To regularly exercise rights in judicial, administrative or arbitral proceedings (Article 7, VI, of the LGPD). |
In compliance with Article 7 of the LGPD, the processing of your personal data takes place under the following legal bases, depending on the purpose:
SixTree does not sell, lease or trade your personal data with third parties for marketing purposes. To carry out the purposes set out in this Policy, we rely on Processors and partners that may take part in the processing cycle of your data, always under contractual obligations of confidentiality and data protection.
The Processors listed below process your personal data on behalf of SixTree, under contract and exclusively for the authorised purposes:
| Processor | Purpose of processing |
|---|---|
| Google Workspace (Google LLC) | Email infrastructure, file storage (Drive), spreadsheets (Sheets) and automation (Apps Script). Google's policy: policies.google.com/privacy. |
| Vercel (Vercel, Inc.) | Hosting of sixtree.co and the Diagnostic Brief form. Policy: vercel.com/legal/privacy-policy. |
| Google Analytics (Google LLC) | Aggregate statistical analysis of site usage, as described in Section 5.2. Google's policy: policies.google.com/privacy. |
| Google reCAPTCHA (Google LLC) | Anti-spam service that protects the Diagnostic Brief form. When submitting the form, behavioural data (interaction with the page) is processed by Google. Policy: policies.google.com/privacy. |
When strictly necessary for the execution of the contracted services, personal data may be shared with solicitors, accountants, auditors and associated consultants, all bound by contractual obligations of confidentiality and data protection.
SixTree may share personal data with competent authorities in compliance with judicial orders, legitimate administrative requisitions, or in investigations related to illegal activities, fraud or threats to the security of persons or systems. Whenever possible and legally authorised, we will inform you of such sharing.
The Processors listed in Section 8.1 maintain technological infrastructure on servers located outside Brazilian territory, mainly in the United States of America. As a result, some of your data may be transferred internationally.
Such transfers take place in compliance with Chapter V of the LGPD (Articles 33 to 36) and with the applicable infralegal regulations issued by ANPD, by adopting specific safeguards provided in contracts with each Processor, including standard contractual clauses, confidentiality commitments and protection standards equivalent to or higher than those of Brazilian law.
SixTree keeps your personal data only for the time necessary to fulfil the purposes set out in this Policy, observing the following maximum periods:
| Data category | Retention period |
|---|---|
| Active leads and clients | For the duration of the relationship and for a further 5 (five) years after closure, to comply with tax and fiscal obligations, also observing the applicable limitation periods for defence in any judicial proceedings. |
| Non-engaged leads | 12 (twelve) months from last contact, at the end of which we send a re-engagement communication. Without response within 30 (thirty) additional days, the data is deleted or anonymised. |
| Site access logs | 12 (twelve) months, in compliance with Article 15 of Law No. 12,965/2014 (Internet Civil Framework) and Decree No. 8,771/2016. |
| Backups | Kept in sync with the primary database, with a daily copy and rotation every 90 (ninety) days. |
Once the retention period has ended, the data is securely deleted or anonymised, except where retention is permitted under Article 16 of the LGPD.
SixTree adopts good information security practices aligned with the applicable technical and regulatory standards, in compliance with Articles 46 to 49 of the LGPD. The main measures are described below:
| Measure | Description |
|---|---|
| Logical access controls | Access restricted to the authorised SixTree team, under contractual obligations of confidentiality. Multi-factor authentication required on all accounts that store personal data. |
| Cryptographic controls | Encryption in transit (HTTPS/TLS) and at rest, in accordance with the standards of certified providers. |
| Backup copies | Automated backups performed periodically, with scheduled rotation, ensuring the recovery of data in case of incident. |
| Event recording and traceability | Relevant access and actions are recorded in logs, allowing identification of those responsible and reconstitution of events for audit and security purposes. |
| Anti-abuse and anti-fraud | Automatic anti-spam and anti-fraud mechanisms in the Diagnostic Brief form, including Google reCAPTCHA. |
| Contractual accountability | The contracts entered into with Processors include clauses on data protection and accountability in case of non-compliance. |
Despite the measures adopted, no system is absolutely immune to incidents. If you suspect a security incident involving your data, please contact us immediately at office@sixtree.co. In case of an incident that may entail relevant risk or harm to data subjects, SixTree will notify ANPD and the affected data subjects within the deadlines and in the form provided in Article 48 of the LGPD.
As the data subject, you have rights clearly defined by the LGPD. Under Article 18, you may, at any time and upon request:
| Right | What it means |
|---|---|
| Confirmation of the existence of processing | To know whether SixTree processes personal data about you. |
| Access to data | To obtain clear and transparent information about which personal data SixTree processes about you. |
| Correction | To request the correction of incomplete, inaccurate or outdated data. |
| Anonymisation, blocking or deletion | To request the anonymisation, blocking or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD. |
| Data portability | To request the portability of your data to another service provider, observing ANPD regulations and commercial and industrial secrets. |
| Deletion of data processed under consent | To request the deletion of personal data processed on the basis of your consent, except for legal retention obligations under Article 16 of the LGPD. |
| Information on data sharing | To obtain information about the public and private entities with which SixTree has shared use of your data. |
| Information on the possibility of not consenting | To obtain information on the possibility of not providing consent and on the consequences of refusal. |
| Objection | To object to processing carried out on the basis of one of the legal bases that do not require consent, in the event of non-compliance with the LGPD. |
| Withdrawal of consent | To withdraw consent at any time, by express manifestation through a free and easy procedure, without prejudice to the lawfulness of the processing carried out previously. |
| Review of automated decisions | To request the review of decisions taken solely on the basis of automated processing of personal data that affect your interests, under Article 20 of the LGPD. SixTree states that it does not make fully automated decisions producing legal effects on data subjects. |
To exercise any of these rights, write to office@sixtree.co with the subject “Data Subject Rights, LGPD”. The response will be provided within the legal deadline, generally within 15 (fifteen) days from receipt of the request. Complex requests may require an additional period, duly justified and communicated to you.
SixTree may request additional information to confirm your identity before fulfilling the request, as a security measure.
SixTree's services are intended exclusively for adults aged 18 or over acting in a professional or business context. We do not knowingly collect personal data from children and adolescents, in accordance with Article 14 of the LGPD.
If inadvertent collection of a minor's data is identified, SixTree will proceed with immediate deletion, except for legal retention obligations. Communications to this effect should be addressed to office@sixtree.co.
If you consider that your request has not been adequately addressed by SixTree, or that there has been non-compliance with the LGPD in relation to your data, you may file a complaint directly with the Brazilian National Data Protection Authority (ANPD), through the channels available at www.gov.br/anpd.
This Policy may be updated periodically to reflect changes in our practices, in applicable legislation or in the technology infrastructure used. We seek the constant improvement of this document, and you will always be notified when a relevant change occurs here.
Whenever there is a relevant change, we will notify the active data subjects in our database by email and update the “Last updated” date at the top of this document. Previous versions are available on request to the DPO, at office@sixtree.co.
Data Protection Officer (DPO): Emerson Zotti
Contact email: office@sixtree.co
For any questions, requests or complaints related to this Policy or to the processing of your personal data by SixTree, please contact us at office@sixtree.co. We respond within the legal deadline.
This Policy is governed by Brazilian law, in particular:
The forum of the data subject's domicile is elected to settle any disputes related to this Policy, without prejudice to ANPD's competence in matters of its administrative attribution.
SixTree, strategic advisory and product studio.