Epic — Privacy Policy
Effective date: September 23, 2025
Controller: Catchy Assessoria Empresarial LTDA, CNPJ 56.221.911/0001-01, registered office at Av. Eng. Luiz Carlos Berrini, 155–255, Torre Kansas, ZIP 04571-900, São Paulo/SP, Brazil.
Data Protection Officer (DPO): legal@donoshq.com
This Privacy Policy explains how Epic (the “Service”) collects and processes personal data through the goepic.dev website, applications, and integrations. We comply with Brazil's General Data Protection Law (LGPD – Law No. 13,709/2018), the Brazilian Internet Civil Framework (Law No. 12,965/2014), and Google's policies when you choose to connect your Google account (OAuth).
1. Data We Collect
1.1 Data you provide
- Name, email, password (or social login), company, job title.
- Content you submit to Epic (e.g., ideas, documents, prompts, PRDs/PRPs), comments, attachments, and project metadata.
Legal bases (LGPD): performance of a contract and preliminary procedures; legitimate interest to improve the Service, subject to your rights.
1.2 Data collected automatically
- Technical logs about access and usage (IP address, timestamps, device identifiers, pages/actions, telemetry, crash/error data).
- Cookies and similar technologies for authentication, security, preferences, and analytics (manageable in your browser).
Internet Civil Framework: we retain application access logs for 6 months under secrecy and security controls.
1.3 Google integrations (optional)
If you connect your Google account via OAuth, we collect only what is necessary for the features you enable (e.g., email/ID for login). We comply with the Google API Services User Data Policy — Limited Use (see Section 4).
Default Google scopes used by Epic:
- openid
- email
- profile
Additional scopes will be requested only if you opt in to features that require them, with a clear purpose shown in the interface before consent.
2. Purposes of Processing
- Provide and operate Epic; authenticate users; maintain security and reliability; prevent abuse/fraud.
- Support and communications about the Service (product changes, updates, important notices).
- Product improvement using aggregated/anonymous metrics and usability testing.
- User-requested integrations (e.g., Google), strictly for the selected functionality.
- Legal compliance and the exercise/defense of legal claims.
3. AI Processing and Service Providers (Processors)
To deliver “AI Product Manager” capabilities, Epic may process your text/documents through cloud providers and/or AI model services under data processing agreements and security controls (encryption in transit, access control, audit logs). We do not use your data to train third-party, general-purpose models outside the scope of the Service.
4. Google OAuth & “Limited Use”
When you connect your Google account, we:
- Limit our use of Google user data solely to provide and improve user-facing features of Epic.
- Do not transfer data to third parties, except (i) as necessary to provide the feature; (ii) with your explicit consent; (iii) to comply with law; or (iv) in a corporate transaction (with notice).
- Do not use Google data for advertising (including retargeting or personalized ads).
- Do not allow human reading of Google data, except with your explicit consent, for security/bug investigations, or where required by law.
You can revoke Epic's access at any time in your Google Account Security Settings.
6. International Transfers
Your data may be processed by providers outside Brazil. In such cases, we implement appropriate safeguards required by LGPD (Arts. 33 et seq.), including contractual protections ensuring an adequate level of protection.
7. Information Security
We implement technical and organizational measures proportionate to risk, including encryption in transit, role-based access control, periodic permission reviews, audit logging, and secure development practices. We maintain application access logs for at least 6 months in controlled environments.
8. Retention and Deletion
- Active accounts: we keep data as long as necessary to provide the Service.
- Logs (Internet Civil Framework): retained for 6 months unless a different legal obligation applies.
After the purpose ends or upon your deletion request, we securely delete or anonymize data unless we must retain it under a valid legal basis (e.g., fraud prevention, billing, legal obligations).
9. Your Rights (LGPD, Art. 18)
You may request: confirmation and access to data; correction of inaccurate/outdated data; anonymization, blocking, or deletion of unnecessary/excess data; portability; information about sharing; withdrawal of consent; and review of automated decisions where applicable.
To exercise your rights, contact our DPO at legal@donoshq.com.
11. Legal Bases (LGPD)
- Performance of a contract (provision of Epic).
- Compliance with legal/regulatory obligations (e.g., log retention).
- Legitimate interests (product improvement under safeguards, fraud prevention).
- Consent (when required, e.g., optional integrations or specific communications).
12. Children and Adolescents
Epic is intended for professional use by adults. We do not knowingly collect data from children under 13. If you believe a minor has provided data, contact the DPO for appropriate removal.
13. Changes to This Policy
We may update this Policy to reflect legal, regulatory, or product changes. We will post the revised version with a new effective date and, for material changes, provide additional notice.
14. Contact
Data Protection Officer (DPO)
Email: legal@donoshq.com
Postal address: Av. Eng. Luiz Carlos Berrini, 155–255, Torre Kansas, ZIP 04571-900, São Paulo/SP, Brazil