Privacy Policy
Last updated: June 5, 2026
This Policy describes how SOS Trono collects, uses, stores, and protects the personal data of platform users, in compliance with Brazil's General Data Protection Law (LGPD — Law No. 13,709/2018).
By using SOS Trono — whether through the website sostrono.com, the PWA, or the Android app available on the Google Play Store — you agree to the practices described here. If you do not agree, we recommend that you not use the platform.
1. Who we are (Data Controller)
SOS Trono is a collaborative platform for mapping public restrooms, available at sostrono.com, as an installable PWA, and as an Android app.
The data controller, pursuant to Article 5, VI of the LGPD, is:
- Vicente Bonatto (individual, legally responsible for the project)
- Official privacy channel: privacidade@marmontelo.com
- Alternative channel: the LIOVA chat inside the platform — opens a form that reaches the team directly
Formal requests regarding LGPD rights (Article 18) must be sent to the email above and will be answered within 15 days.
2. What data we collect
2.1. Data you provide directly
- Email and password (for local sign-up)
- Federated login identifiers (Google OAuth): email, name, profile picture, provider, and providerId
- Sign In with Apple (available in the iOS app once published): from Apple we receive a stable identifier (
sub) and, upon first consent, optionally your email. You may choose Apple Private Relay (an address such asxxx@privaterelay.appleid.com), in which case we never see your real email — Apple relays transactional messages. We treat the relay address like any ordinary email (with no attempt to unmask it). If you revoke Apple consent in iOS / iCloud settings, Apple notifies our server and the associated notification tokens are revoked within 30 days. - Display name (optional, used on public reviews)
- Profile picture (if you sign in with Google or upload one manually)
- Generated content: registered restrooms, reviews, photos, reports, visit history, favorites, earned badges
- Optional demographic data: age range, gender, country, and ZIP/postal code — collected via onboarding or the profile screen, only with explicit consent, with a "Prefer not to say" option. You may edit or delete it at any time under "Profile".
- Notification preferences and push tokens: VAPID endpoint (Web Push) and/or device token from APNs (iOS) / FCM (native Android) — only if you opt in to receive notifications. Tokens are opaque to us (they do not identify you outside Apple/Google).
- Messages sent through the contact form
2.2. Data collected automatically
- Approximate or precise location: used to center the map on you and, during active navigation, to calculate your proximity to the destination restroom. Collection requires consent from the browser or operating system. We do not request background location.
- Usage events (see section 2.4): each relevant action in the app (search, opening a restroom, navigation started, review submitted, photo uploaded, report, arrival) is recorded with date/time, a session identifier, the user ID, and, for some events, your approximate coordinate at the moment of the action. We use this data to improve the product and detect abuse. You may disable this collection at any time under Profile → Preferences → "Do not track my usage events".
- On-site search history: your last 50 searches are stored for your convenience (you may delete them at any time).
- Session cookie: an HttpOnly cookie containing a JWT that keeps you logged in.
- Access logs: IP address, user-agent, and timestamp, used for security, rate-limiting, and technical diagnostics.
2.3. Data we do NOT collect
- We do not use third-party tracking cookies
- We do not integrate third-party advertising or analytics SDKs (no Google Analytics, no Firebase Analytics, no AdMob, no Meta SDK, no Mixpanel, no PostHog)
- We do not collect advertising identifiers (IDFA/AAID)
- We do not access your calendar, contacts, or other device data beyond the scope described in section 3
- We do not track your location in the background (we do not request the
ACCESS_BACKGROUND_LOCATIONpermission) - We do not collect health data, financial data, audio, or private messages
2.4. Usage metrics (usage_events table)
To understand how the app is used and to improve the experience, we record first-party usage events (in our own database, without third-party SDKs). The fields collected for each event are:
- Event type: search, restroom view, navigation started, review opened/submitted, quick-review, report, photo upload, arrival
- Identifiers: your user ID and session ID
- Approximate coordinate (latitude/longitude) at the moment of geo-referenced events (search, navigation, arrival) — used in aggregate form to estimate coverage by region
- Reference to the restroom involved (when applicable)
- Technical metadata in JSON (e.g., calculated distance, search source) — no PII
Purposes: product improvement, abuse/fraud detection, aggregate coverage metrics (input for the future B2B urban-mobility API — always in aggregate form, never individual).
Legal basis: legitimate interest (Article 7, IX of the LGPD), honoring the right to object via opt-out (trackingOptOut) in Profile.
Retention: raw data for up to 12 months. After that period, records are aggregated (without user and without exact coordinate) or discarded.
Anonymization after account deletion: when you delete your account, within 30 days the events in the usage_events table have their link to your user severed (userId → NULL) and the recorded coordinates are cleared (lat → NULL, lng → NULL). Only non-identifiable fields remain (event type, referenced restroom, technical metadata), exclusively for aggregate historical time-series purposes.
No automated decisions: the usage_events data is not used for automated decisions about you (Article 20 of the LGPD), nor for building individual predictive profiles, nor is it shared with third parties. It serves only internal, aggregate product analysis.
3. Permissions in the Android app
When you use SOS Trono on the Android app, the operating system may request permission for the following features. Each permission has a specific purpose and none are collected continuously:
- Precise location (
ACCESS_FINE_LOCATION): to show nearby restrooms and calculate distance during navigation. Requested only in the foreground (no background permission). - Camera (
CAMERA): only if you choose to take a photo to attach to a restroom or review. No silent use. - Gallery/Media (
READ_MEDIA_IMAGES): only if you choose to attach a photo already on your phone. - Internet (
INTERNET): required for any functionality.
You may revoke any of these permissions at any time in your Android settings. Permissions are requested at the moment of use, not on the app's first launch.
4. How we use your data (purposes)
Each category of data is processed for specific purposes, under an explicit legal basis:
| Purpose | LGPD legal basis |
|---|---|
| Create and maintain your account (local authentication or Google OAuth) | Performance of a contract (Art. 7, V) |
| Display nearby restrooms and calculate routes/distance | Performance of a contract + geolocation consent (Art. 7, I and V) |
| Publish collaborative content (restrooms, reviews, photos, reports) | Performance of a contract (Art. 7, V) |
| Automated moderation of short texts via AI | Legitimate interest (Art. 7, IX) |
| Send push notifications | Consent (Art. 7, I) |
Internal usage metrics (usage_events) and product improvement | Legitimate interest with opt-out (Art. 7, IX + Art. 18, §2) |
| Optional demographic data | Consent (Art. 7, I) |
| Access logs (IP, user-agent, timestamp) for security | Legal obligation (Marco Civil) + legitimate interest (Art. 7, II and IX) |
| Comply with judicial or governmental requests | Compliance with a legal obligation (Art. 7, II) |
5. Sharing and third-party processors
We do not sell individual personal data. We share your data only in the situations below. The third parties listed are processors (Article 5, VII of the LGPD) that handle data on our behalf.
5.1. Public content
Registered restrooms, reviews, photos, and display name are public by nature — after all, it is a collaborative map. Do not publish information you would not want other users to see.
5.2. Artificial intelligence provider (moderation)
To detect offensive, illegal, or out-of-scope content, we send short user-generated texts (restroom names, review comments) to a third-party AI provider. The provider processes the text, returns a classification (approved / pending / rejected), and does not retain the content for model training. We do not send your email, user ID, or other personal identifiers along with the prompt. This sharing involves an international data transfer — see section 6.
5.3. Photo storage
Photos you upload are stored on servers operated by SOS Trono, hosted on standard market cloud providers. Photo URLs are public (anyone with the link can view them) because the app displays images directly on the map.
5.4. Other technical providers
- Google Maps — map display and route calculation. Subject to Google's privacy policy.
- Google OAuth — sign-in with a Google account (optional). Only email, name, and profile picture are received.
- Google Play Services — only in the Android app, managed by the device's operating system.
- Browser Web Push service (Mozilla, Google, Apple) — delivery of the push notifications you subscribed to.
- ImprovMX — forwarding of the
privacidade@marmontelo.comemail to the controller's inbox. - Backblaze B2 (offsite backup) — encrypted storage of operational database backups (no routine human access).
5.5. Aggregate statistics
Data without personal identification may feed a future B2B API (mobility, urban planning). It will always be aggregate data, never individual.
5.6. Legal obligation
Data may be provided to competent authorities upon a court order or a valid legal request.
6. International data transfers
Pursuant to Article 33 of the LGPD, we inform you that part of the data may be processed outside Brazil:
- AI provider for moderation — servers in the United States. Text sent: restroom names and review comments.
- Google (Maps, OAuth, Play Services) — global infrastructure, with a presence in the US, Europe, and other countries.
- ImprovMX — servers in the United States. Receives only the content of emails sent to
privacidade@marmontelo.com. - Backblaze B2 — servers in the United States. Stores full database backups (compressed and encrypted in transit).
The legal basis for these transfers is the performance of a contract with you (Art. 33, II) and the consent (Art. 33, VIII) implied by your use of the platform. The selected processors offer contractual and technical safeguards consistent with the LGPD.
7. Legal bases (LGPD)
The processing of your data is based on:
- Performance of a contract (Art. 7, V): necessary to provide the service you requested
- Consent (Art. 7, I): collection of optional data, such as location, demographic data, and push
- Legitimate interest (Art. 7, IX): platform security, content moderation, internal usage metrics, and product improvements
- Compliance with a legal obligation (Art. 7, II): retention of access logs as required by law
8. Data retention
- Account data: while your account is active
- Search history: a maximum of 50 entries per user, with older ones removed automatically
- Usage events (
usage_events): up to 12 months in raw form. Afterward, aggregated (without user and without coordinate) or discarded. - Access logs: up to 6 months, as provided by Brazil's Internet Civil Framework (Marco Civil)
- Moderation logs: up to 12 months for auditing and appeal purposes. The user identifier is pseudonymized within 30 days of the record, keeping only the moderation outcome (approved/pending/rejected) and the category, with no direct link to the data subject.
- Operational backups: local rotation of 7 days and an offsite copy for up to 30 days. In the event of a deletion request, personal data is removed from the active databases immediately; backups expire through the rotation cycle above.
- After account deletion: personal data (email, password, name, picture, demographics, preferences, push tokens, favorites, visit history) is removed or anonymized within 30 days. Public content (restrooms, reviews, photos, reports) remains in the collaborative repository but is reassigned to an anonymous sentinel user ("removed user"), eliminating any direct link to you. Coordinates and identifiers in
usage_eventsandmoderationLogsare also pseudonymized.
9. Your rights (LGPD Art. 18)
As a data subject, you have the right to:
- Confirm the existence of processing of your data
- Access a copy of the data we hold about you
- Correct incomplete, inaccurate, or outdated data
- Request the anonymization, blocking, or deletion of unnecessary data
- Request the portability of your data to another provider (in a structured, interoperable format)
- Delete your personal data (except data we must retain by legal obligation)
- Know with whom we share your data
- Withdraw consent previously given (including disabling usage-event collection under "Profile → Preferences")
- Object to processing that violates the LGPD
- Request human review of automated decisions (e.g., AI moderation that rejected your content)
To exercise any of these rights:
- Delete your account directly: Profile → Delete my account (in-app flow with confirmation)
- Write to privacidade@marmontelo.com
- Open the LIOVA chat inside the platform
We will respond within 15 days.
9-A. Privacy notice for U.S. residents (CCPA/CPRA)
If you are a California resident (or a resident of another U.S. state with an applicable privacy law), you have the right to: know what personal data we collect and the purposes for which we use it; access and delete your data; correct inaccurate data; and not be discriminated against for exercising these rights.
We do not sell or share your personal data for third-party behavioral advertising, as those terms are defined by the CCPA/CPRA. We do not use advertising SDKs, third-party trackers, or advertising identifiers.
To exercise your rights, write to privacidade@marmontelo.com. You may use an authorized agent; we may verify your identity before fulfilling the request.
10. Automated decisions and the right to human review (LGPD Art. 20)
SOS Trono uses a language model (LLM) for automated moderation of user-generated content — including registered restroom names, review comments, and descriptive texts. The purpose is to detect hate speech, sexual content, third-party personal data, spam, and profanity before they are published.
This automated moderation can result in three decisions: approved (immediate publication), pending (awaits human review before publishing), or rejected (not published). In accordance with Article 20 of the LGPD, you have the right to request human review of any automated decision that affects your interests.
10.1. How to request human review
- For now: send an email to privacidade@marmontelo.com stating the type of rejected content (review, restroom name, photo, etc.), the identifier (when available), and the reason you disagree with the decision.
- In an upcoming release: we are rolling out a dedicated "Request human review" button in the app (next to the moderation error screen), so that the request automatically enters the queue of our Data Protection Officer (DPO).
10.2. Response time (SLA)
We are committed to responding to human-review requests within 7 business days of receipt, within the general 15-day period set by the LGPD. The DPO reviews the context, the content's history, and the original automated-model decision, and may uphold the rejection (if the content truly violates the Terms of Use) or reverse the decision (republishing the content, where applicable).
10.3. Information we record about the automated decision
For each relevant automated decision, we record: the analyzed text, the model's verdict (approved/pending/rejected), the detected categories, a confidence score, and the date/time. This data is stored in internal moderation records, is accessible to the data subject upon request (Art. 18 II), and is used by the DPO when reviewing your request.
Technical limits: pursuant to Article 20 §1 of the LGPD, we clarify that the moderation model applies toxicity-detection rules, keyword matching, and contextual classification; it does not intentionally make discriminatory decisions based on gender, race, religion, or sexual orientation, but it may err in ambiguous cases — hence the importance of the human-review channel.
11. Security and incidents
We adopt technical and organizational measures to protect your data:
- Passwords stored with bcrypt (one-way cryptographic hash)
- HTTPS/TLS communication for all traffic
- HttpOnly and Secure session cookies (not accessible by third-party JavaScript)
- Restricted and audited database access
- Rate limiting on sensitive endpoints
- Monitoring of errors and suspicious activity in production
- Daily database backup with offsite retention and a documented restore procedure
Even so, no system is 100% secure. In the event of a security incident that results in relevant risk or harm to data subjects, pursuant to Article 48 of the LGPD:
- We will notify the ANPD (Brazil's National Data Protection Authority) within 2 business days of identifying the incident, with a description of the nature of the affected data, the number of data subjects involved, the technical measures adopted, and the mitigation plan.
- We will notify the affected data subjects at their registered email, within the same period, with practical mitigation instructions (e.g., changing the password).
12. Children and adolescents
SOS Trono is intended for users aged 13 and older. We do not knowingly collect data from children under 13. If you are responsible for a child who has submitted data without authorization, write to privacidade@marmontelo.com so that we can remove it.
13. Cookies
We use only the session cookie, which is necessary to keep you logged in. We do not use third-party tracking, advertising, or analytics cookies. Your privacy is not monetized through cookies.
14. Changes to this Policy
We may update this Policy periodically. Significant changes will be communicated through the website itself, by email, or via the app. The date of the last update appears at the top of this page.
15. Contact and Data Protection Officer (DPO)
For any privacy question, to exercise your LGPD rights, or to report incidents:
- Data Protection Officer (DPO): Vicente Bonatto
- Official email: privacidade@marmontelo.com
- Alternative channel: the LIOVA chat inside the platform
These channels are monitored, and we will respond within 15 business days, as required by the LGPD.