PRIVACY POLICY
SCUTUM | ROC Intelligence
Last updated: May 2026
Version: 1.0
1. General Information
ROC Intelligence ("ROC", "we" or "our"), registered under CNPJ [65.601.795/0001-39], with
headquarters in [Brasília-DF], is the developer and operator of SCUTUM —
a confidential artificial intelligence solution for local document processing.
This Privacy Policy describes how we handle personal information in the context of the
SCUTUM institutional website and the SCUTUM application, in compliance with:
- Brazilian General Data Protection Law (Lei nº 13.709/2018 — LGPD)
- ANPD Regulatory Agenda 2025–2026
- Brazilian Internet Civil Framework (Lei nº 12.965/2014)
- Brazilian Consumer Protection Code (Lei nº 8.078/1990)
SCUTUM is a product of ROC Intelligence. Other ROC Intelligence products and services
have their own specific terms and policies, available through their respective channels.
2. Definitions
- Personal Data: Information relating to an identified or identifiable natural person
- Data Subject: The natural person to whom the personal data refers
- Controller: ROC Intelligence, responsible for decisions regarding the processing of personal data
- Processor: A party that processes data on behalf of the Controller
- Processing: Any operation performed on personal data
- Website: The SCUTUM institutional page (domain rocscutum.com)
- Application: The SCUTUM software installed and run on the user's device
3. SCUTUM's Core Principle: Local Processing
SCUTUM was designed with privacy as a technical foundation, not an add-on feature.
This means:
The SCUTUM application does not transmit documents, content or processed data
to external servers.
All natural language processing, document analysis and insight generation occurs
exclusively on the user's device — whether computer or USB drive. Documents loaded
by the user in the application never leave the local environment, unless the user
explicitly opts for the external provider mode (described in section 4.2).
This architecture ensures sensitive data remains under the user's absolute control,
without dependence on cloud infrastructure or third parties for core operations.
4. Data Collected
4.1 Institutional Website Data
The SCUTUM website collects only the information strictly necessary to respond to
contact requests:
Provided directly by the user:
- Full name and/or company name
- Corporate email address
- Job title and company (when voluntarily provided)
- Content of messages submitted through the contact form
Collected automatically:
- IP address
- Browser type and operating system
- Pages visited and date/time of access
- Strictly necessary cookies for website operation
4.2 SCUTUM Application Data
Local mode (default):
The application does not collect, store or transmit any personal data or documents
to external systems. All processing occurs on the user's device.
External Provider Mode (optional, activated by the user):
SCUTUM optionally allows connection to external AI providers via API — such as
Anthropic, Google, Mistral, and others supported in the version in use. When this
mode is activated, the text of documents selected by the user is transmitted to
the chosen provider for processing. ROC Intelligence does not store this data in its systems.
The user configures their preferred provider and enters their own API key, maintaining
direct control over which external service is used.
Transmission is based on the user's explicit consent (Art. 7, I, LGPD), obtained
at the time of activating the external mode. For compliance with Art. 33 of the LGPD,
which requires a legal basis for international data transfers, ROC Intelligence adopts:
- Explicit and informed user consent prior to each activation
- Application of the Privacy Terms of the provider selected by the user,
available on each provider's website
- The user may revoke consent at any time by simply not activating external mode in subsequent sessions
The list of supported external providers is available in the application documentation
and may be updated with each new version of SCUTUM.
ROC Intelligence recommends that documents subject to professional secrecy, judicial
confidentiality or legal obligations of confidentiality be processed exclusively in local mode.
License data (future phase):
When license verification is implemented, minimum activation data (device identifier,
license key) may be verified against our servers. This policy will be updated prior
to implementation of this feature.
4.3 Data NOT Collected
- Biometric data (SCUTUM does not use facial recognition, voice recognition or biometrics)
- Data from minors under 18. SCUTUM is intended exclusively for professional and corporate use by adults 18 and older. By using the website or application, the user declares they are 18 or older. Should ROC Intelligence identify that data of a minor was inadvertently collected, it will proceed to immediate deletion
- Content of documents processed in local mode
- Sensitive data as defined in Art. 5, II of the LGPD — intentionally
However, the user may upload documents containing sensitive data (e.g., health data,
racial origin, political beliefs, biometric data of third parties). In such cases, in local mode:
- Data remains exclusively on the user's device
- It is not transmitted to ROC Intelligence
- It is not used to train or fine-tune AI models
- It is protected by AES-256-GCM encryption
The user is responsible for ensuring they have an adequate legal basis to process
third-party sensitive data (e.g., explicit consent of the data subject, pursuant to Art. 11, I, LGPD).
In cases of technical support involving documents with sensitive data, ROC Intelligence
requires prior written authorization from the user, limits access to strictly necessary
personnel and deletes the data immediately after resolution.
5. Purposes of Processing
a) Contract Performance and Pre-Contract:
- Responding to information and SCUTUM demonstration requests
- Formalizing licensing and technical support
- Processing acquisitions when available
b) Legitimate Interests of ROC Intelligence:
- Communications about product updates (with opt-out available)
- Aggregated statistical analysis of website access
- Security and fraud prevention
c) Compliance with Legal Obligations:
- Responding to requests from competent authorities
- Tax and accounting obligations arising from transactions
d) Consent (when applicable):
- Sending informational materials and news about SCUTUM and other ROC Intelligence products
Consent is obtained through:
- An explicit, unchecked checkbox in the contact form, with clear text: "I authorize receiving communications about SCUTUM and ROC Intelligence products"
- Recording of date, time and origin of consent
- Email confirmation (double opt-in) for marketing communications
Consent may be revoked at any time:
- Via the "Unsubscribe" link included in all emails sent
- By request to contato@rocintelligence.com
- Revocation is processed within up to 5 business days and does not affect processing carried out under other legal bases (e.g., contract performance)
6. Data Sharing
6.1 Service Providers
ROC Intelligence may share data with providers that support website operations,
such as hosting, transactional email and access analysis, always under contracts
that impose equivalent data protection obligations.
6.2 Public Authorities
Data may be shared pursuant to a court order, legal request from a competent
authority, or to comply with a legal obligation.
6.3 Other ROC Intelligence Products
In the context of a future integration of SCUTUM into the ROC Intelligence platform,
customer data may be shared internally to enable integrated features, always with
an adequate legal basis and prior notice to the data subject.
6.4 Applicable Protections
All providers and partners are subject to contracts requiring:
- Use restricted to authorized purposes
- Security measures equivalent to those adopted by ROC Intelligence
- Compliance with the LGPD and applicable regulations
7. Information Security
7.1 Technical Measures
In the SCUTUM application:
- AES-256-GCM encryption (AEAD mode) for data at rest on the device — ensures confidentiality, integrity and authenticity in a single operation
- 256-bit AES key generated via CSPRNG (cryptographically secure random number generator) or derived via PBKDF2-HMAC-SHA256 with 200,000 iterations and a 128-bit salt
- 96-bit GCM nonce, unique per operation, generated via CSPRNG
- 128-bit authentication tag in each cryptographic operation
- bcrypt for session authentication — password never written to disk
- SHA-256 for document hashing and insight integrity
- PKCS#12 digital signature (RSA/ECDSA) with legal validity
- Secure deletion of temporary files with 3-pass overwrite
- Local audit trail of operations
In website infrastructure:
- TLS 1.3 for data transmission
- DDoS protection
- Least-privilege access control
- Access audit logs
7.2 Reference Frameworks
- ISO/IEC 27001:2022
- NIST Cybersecurity Framework
- CIS Controls
7.3 Data Retention
| Data Type | Retention Period | Justification |
|---|---|---|
| Name, email, title, company | 12 months after last contact | Support and commercial follow-up |
| Contact message content | 12 months after last contact | Service history |
| Website access logs (IP, browser) | 90 days | Security and incident analysis |
| Analytical cookies | 12 months | Usage pattern analysis |
| License data (future phase) | License duration + 12 months | Tax compliance and audit |
Data is automatically deleted upon expiry of the above periods or immediately upon
request by the data subject, unless a legal retention obligation applies (e.g., tax
obligations requiring 5-year retention).
8. Data Subject Rights (LGPD)
Pursuant to Arts. 17 and 18 of the LGPD, the data subject has the right to:
- Confirmation and Access: to know whether we process their data and to access it
- Correction: to correct incomplete, inaccurate or outdated data
- Anonymization, Blocking or Deletion: of unnecessary or excessive data
- Right to Erasure: to request deletion of stored personal data, except where a legal retention obligation applies
- Portability: to receive data in a structured format
- Information: about with whom we share their data
- Revocation of Consent: at any time, without prejudice
- Objection: to processing carried out on the basis of legitimate interest
- Review of Automated Decisions: to request human review where applicable
How to exercise your rights:
- Email: contato@rocintelligence.com
- Response period: up to 15 business days
9. Artificial Intelligence
9.1 AI in the SCUTUM Application
The language models used by SCUTUM (Qwen2.5-7B-Instruct, Phi-3.5-mini and,
optionally, models from external providers configured by the user) process documents
provided by the user to generate analyses and responses. In local mode, this processing
occurs entirely on the device and does not involve automated decisions about the user —
only about the content of documents the user chose to analyze.
9.2 Transparency and Oversight
ROC Intelligence maintains human oversight over the development and updating of
models used in SCUTUM, with periodic evaluations of performance, bias and ethical suitability.
9.3 Compliance
- NIST AI Risk Management Framework
- OECD Guidelines for Trustworthy AI
- PL 2.338/2023 (Brazil, under review)
10. Cookies
The SCUTUM website uses:
- Strictly Necessary: essential for website operation, no consent required
- Analytical (optional): for understanding website usage in aggregated form, subject to consent
The user can manage cookies through their browser settings.
11. Security Incidents
In the event of an incident that may pose a material risk to data subjects:
- Immediate detection, containment and investigation
- Notification to the ANPD within 72 hours of ROC Intelligence becoming aware of the incident, pursuant to Art. 33 of the LGPD, including: description of the incident, categories and volume of data affected, and measures taken
- Direct communication to the data subject when the incident may cause material risk or harm
- Full documentation of the incident, root cause and remediation measures
Incident management officer: DPO (contato@rocintelligence.com)
Reporting channel: contato@rocintelligence.com
12. DPO — Data Protection Officer
Name: [DPO of ROC Intelligence]
Email: contato@rocintelligence.com
Responsible for receiving data subject complaints, guiding the team and maintaining
communication with the ANPD.
13. Changes to this Policy
Changes will be communicated by notice on the website and/or by email to customers,
with at least 15 days' advance notice for material changes.
History:
- v1.0 (May/2026): Initial version — SCUTUM standalone
- v1.1 (planned): Update for integration with the ROC Intelligence platform
14. Governing Law and Jurisdiction
Applicable law: Federative Republic of Brazil
Jurisdiction: [City/Headquarters of ROC Intelligence], [State]
15. Contact
ROC Intelligence
CNPJ: [65.601.795/0001-39]
Address: [Q CRS 516 BLOCO B, Nr 69, ASA SUL, BRASILIA - DF, CEP 70.381-525]
Privacy & Data: contato@rocintelligence.com
General contact: contato@rocintelligence.com
CONSENT
By using the SCUTUM website, the user declares having read and understood this Privacy
Policy and agrees to the data processing described herein, in accordance with the LGPD.
LEGISLATIVE REFERENCES
- Lei 13.709/2018 (LGPD)
- Lei 12.965/2014 (Brazilian Internet Civil Framework)
- Lei 8.078/1990 (Brazilian Consumer Protection Code)
- Resolução ANPD 23/2024
- ISO/IEC 27001:2022 | NIST CSF | CIS Controls
Document: May 2026
Next review: November 2026 or upon integration with the ROC Intelligence platform
Officer: CISO/DPO ROC Intelligence
© 2026 ROC Intelligence. SCUTUM is a registered product of ROC Intelligence.