Last Update Date: 01/30/2026
This Privacy and Security Policy describes how Onze News collects, uses, stores, and protects the personal data and corporate information of users of our platform. This document has been prepared in compliance with the General Data Protection Law (Law No. 13.709/2018 - LGPD) and reflects our technical architecture and security commitments.
Our platform operates on a robust multi-tenant architecture. Although we use a shared infrastructure, each client's (Organization) data is strictly isolated.
Logical Isolation: We use the unique organizationId identifier as the primary key in our database filters, ensuring that no organization has access to another's data.
Physical and Schema Security: Isolation occurs at both the query level and the data-relationship level, with permission-based access control and JWT authentication.
Our services are hosted on AWS (Amazon Web Services), managed through the Railway PaaS provider.
Network Protection: We use dedicated VPCs (Virtual Private Clouds), Security Groups, and native subnets to isolate sensitive services (databases and secrets) from public access.
Attack Protection: We implement basic WAF (Web Application Firewall) and native DDoS protection provided by Cloudflare.
We collect only the data strictly necessary for account operation: Name, Email, and Cell Phone Number.
Protection: We ensure organizational isolation; only administrator members of your team/company can view your data. System access is protected by advanced authentication and SSL encryption in the database connection.
Deletion: In case of user removal, we apply secure deletion protocols.
Onze News does not store complete credit card numbers or security codes (CVV).
Processing: All processing is performed directly by Stripe.
Security: Stripe uses 256-bit SSL encryption and has PCI DSS and SOC 2 certification. In our database, we only maintain basic transaction identification data (e.g., last 4 digits of the card).
The Onze News platform performs automated extraction of journalistic information through web scraping in some of its functionalities, limited exclusively to content publicly available on websites without paywalls or technical access restrictions. Although the system captures the full text of the news, we do not use this textual expression to train our artificial intelligence models, nor do we perform any form of mass training with journalistic articles.
Web scraping is intended to assist journalists using the platform when they wish to locate, consult, or retrieve public news, using it as a database and factual reference for the production of their own articles within Onze News. This is a process that is already part of the traditional journalism routine — consulting public news to reconstruct facts — but here performed in a structured way for efficiency and precision purposes.
After capture, the 11JAI mechanism separates and structures only the factual data contained in the news (such as quotes, events, dates, occurrences, locations and people involved), discarding elements protected by copyright related to the way the text was written. Thus, we work exclusively with information of a public nature, ensuring respect for legislation and good practices for protecting authorial expression.
We use global APIs for natural language processing.
Inputs: Texts sent for generation are stored in our system for only 30 days for operational security and debugging purposes. After this period, they are automatically discarded.
Outputs: Generated content is not retained in AI API responses for training purposes.
Model Training: Our clients' data is not used for model training.
Style customization features (writing rules, style guides, and prompt templates) are stored in the organization profile.
Isolation: These artifacts are segregated by client. There is no sharing of "weights", embeddings, or rules between different newspapers. There is no risk of editorial style leakage from one organization to another.
Onze News does not perform prior active moderation on generated or inserted content.
Confidentiality and Copyright: The responsibility for using confidential data or data protected by copyright in prompts is exclusively the journalist/user's. We recommend caution when inserting sensitive information.
Filters: Although LLMs have native security filters, we do not apply additional layers of toxicity or defamation moderation.
All data traffic (Web, internal APIs, and calls to LLMs/Payments) is protected by TLS 1.2+. We use HTTPS exclusively, with HSTS, to prevent protocol downgrade.
For optimization, we use ephemeral in-memory cache.
Employees have restricted and limited access to client data only for administrative support and critical operations purposes.
We offer support for SSO (Single Sign-On) via SAML/OIDC and MFA on demand (via WorkOS), allowing integration with corporate directories (Google Workspace, AD) for greater governance.
Integrations occur via standard REST API. Client credentials (API Key/Secret) are stored securely and in isolation in the organization profile, used only for basic authentication in direct calls from our server to the client's CMS.
We maintain structured logs of critical actions for a minimum period of 1 year. This includes:
In compliance with LGPD, we respond to complete deletion requests. Upon request, we perform permanent removal (secure deletion) of personal data (name, email, phone) from our systems.
Currently, we do not have a public bug bounty program. We encourage responsible disclosure of vulnerabilities directly to our technical team for immediate correction. We are constantly evolving our internal security processes.
For data deletion requests, security questions or vulnerability reports, please contact us via email: contato@onze.news.