Privacy Policy.

This Policy applies to all personal data processed in connection with our electronic security monitoring activities — including clients who contract our monitoring services, individuals whose images are captured by CCTV systems we monitor, individuals whose access events are recorded by access control systems we manage, website visitors who submit quote requests, and any person whose data we process. We process personal data both as a controller (for client and contract data) and as a processor / operator (for surveillance footage and alarm event data collected at client properties, where the client is the controller and we act on their instructions).

A. Client and contract data (Multicam as controller):

• Client name (individual or company), CPF or CNPJ, address of the monitored property, WhatsApp, email and emergency contact — for the monitoring contract and NF-e issuance.
• Technical data about the security system installed at the client property — equipment type, zones, alarm codes — necessary to provide the monitoring service.
• Alarm event history per client — date, time and type of event — retained as part of the service log and used to assess the performance of the security system.

B. Surveillance data at client properties (Multicam as processor/operator):

• CCTV footage: Images captured by cameras installed at client properties, transmitted to or accessible by our monitoring central. This data belongs to the client (as controller) — we process it on their behalf under the monitoring contract.
• Alarm event data: Triggered zone, time, duration and reset of each alarm event at the client property — used for incident response and reporting.
• Access control logs: For properties with access control monitoring — records of who accessed which area at what time, including biometric data where biometric readers are installed. Biometric data is sensitive personal data under LGPD Art. 5º, II and is subject to the heightened protections of Art. 11.

C. Website and quote data:

• Name, WhatsApp and property description when submitting a quote request via the website.
• Technical data — IP address, browser type and pages visited.

• Police / law enforcement (Polícia Militar do RS, Polícia Civil): In the event of a confirmed intrusion or security incident — footage and alarm event logs shared only upon formal request, court order, or under imminent safety necessity. Always documented and logged.
• Client emergency contact: Designated by the client in the monitoring contract — alerted in case of confirmed alarm event when the client cannot be reached.
• Monitoring equipment suppliers / technical support: Technical data about the security system (not surveillance footage or personal data) shared where necessary for equipment maintenance or troubleshooting.
• SEFAZ-RS / Receita Federal: NF-e data — client CNPJ or CPF on service invoices.
• ISS / Prefeitura de Flores da Cunha: ISS bookkeeping on monitoring services rendered.
• PROCON-RS / Senacon: When required in consumer disputes.
• Legal authorities: When required by court order or administrative authority.

Our monitoring central and primary data infrastructure are based in Flores da Cunha, RS. CCTV footage and alarm event data from client properties are processed in Brazil. Some monitoring platforms and remote access applications may operate servers in international data centres — where this is the case, we ensure data transfer is subject to the protections of Art. 33 of the LGPD and that the platform has adequate data protection certifications. Tax records (NF-e) are processed exclusively in systems certified by the Receita Federal and SEFAZ-RS.

• Alarm event logs (date, time, type): Retained for 2 years — used for service performance analysis and as documentary record in case of insurance claims or disputes about the monitoring service.
• Access control logs (non-biometric): Retained for 90 days by default, unless the client (as controller) specifies a different retention period in the contract.
• Biometric access control data: Retained only for the duration of the service contract — deleted upon contract termination, as biometric data cannot be regenerated and its prolonged retention poses disproportionate risk to data subjects.
• Client and contract data: Retained for the duration of the contract and for 5 years after termination — consistent with tax retention requirements for NF-e and standard contractual limitation periods.
• NF-e (ISS Flores da Cunha / SEFAZ-RS): Minimum 5 years as required by Brazilian tax law.
• Website quote requests without contract: Up to 1 year from the date of the request.

• Access to live CCTV feeds from client properties restricted to monitoring central operators during active shifts — no unrestricted access to recorded footage;
• Client alarm codes and property access credentials stored in encrypted systems with role-based access control;
• Biometric data stored in access-controlled databases separate from general client data, with encryption at rest;
• CCTV footage transmitted to monitoring central via encrypted channels (TLS);
• Physical security of the monitoring central (Flores da Cunha) — our own premises are secured with the systems we sell, providing a practical demonstration of our standards;
• Staff trained on LGPD obligations specific to surveillance data — including the prohibition on accessing footage for purposes other than security monitoring;
• NF-e issued using a certified digital certificate (A1/A3) approved by the Receita Federal;
• Website encrypted (HTTPS);
• Incident response procedures in accordance with LGPD Art. 48.

Clients (as controllers of surveillance data at their properties): As the client who contracted our monitoring service, you are the controller of the CCTV footage and alarm event data at your property. You have the right to access footage and logs, to request their deletion (subject to incident-related retention), and to instruct us to share footage with specified parties. We process this data on your instructions.

Third parties captured by surveillance systems (e.g., employees, visitors): If your image was captured by a CCTV system that Multicam monitors, your privacy rights are exercised primarily against the controller — the property owner who installed the camera. We can direct your request to the appropriate client if you identify the specific property and incident.

All data subjects — LGPD rights:

• Confirmation and Access (Art. 18, I–II): Confirm what data we hold and receive a copy.
• Deletion (Art. 18, IV): Request deletion — subject to legal retention obligations (NF-e: 5 years; incident footage: as described in Section 07).
• Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.

We respond within 15 business days.

Our website may use cookies for essential functionality and aggregated performance analytics. We do not use behavioural tracking or advertising cookies. Cookie preferences can be managed through your browser settings.

Our electronic security monitoring services are directed at adult individuals and organisations. CCTV systems installed at properties may capture images of minors — for example, at family homes or schools. In these cases, the camera installation and monitoring is contracted by and under the responsibility of the adult client. We apply heightened care in any situation involving footage of minors: such footage is never shared beyond the strict necessity of an active security incident, and we treat any image of a minor in our systems with the protections applicable to minors' data under LGPD Art. 14.

Access to footage by Multicam operators: Our monitoring central operators in Flores da Cunha access live and recorded footage from client properties only for the following purposes: (a) responding to an active alarm event; (b) verifying a triggered zone; (c) responding to a client request for footage review; (d) system testing and quality verification. Operators do not access footage for any other purpose. Access to client footage systems by Multicam staff is logged — any access outside the above purposes would constitute a breach of our operating procedures and LGPD obligations.

This Policy may be updated to reflect changes in our activities, in the LGPD, in ANPD guidance on surveillance and biometric data, or in the tax legislation of Rio Grande do Sul. Material changes will be communicated by email to all active monitoring clients. Given the sensitivity of the data we process, we will always provide at least 30 days' notice before any material change takes effect.

All privacy requests should be directed to our Data Protection Officer (LGPD Art. 41):