Política de Privacidade

Last updated: March 18, 2026

Version: 1.1

Disclaimer: This English version is provided for informational purposes only. The legally binding version is the Portuguese original available at /privacidade. In case of any discrepancy, the Portuguese version shall prevail.

Controller: 45.597.034 Jonh Wilian Mariano Catalunha CNPJ: 45.597.034/0001-43 Address: Rua Silvino Gregório Dias, 323, Centro, Divino das Laranjeiras — MG Website: clickvault.com.br

Table of Contents

1. Introduction and Scope
2. Definitions
3. Categories of Data Subjects and Data Collected
4. Purposes and Legal Bases for Processing
5. Data Collection via the Protection Script (t.js)
6. Cookies and Tracking Technologies
7. Data Sharing and Sub-Processors
8. International Data Transfers
9. Data Retention and Deletion
10. Information Security
11. Data Subject Rights
12. Artificial Intelligence and Automated Decision-Making
13. Advertiser User Responsibilities (Controller)
14. Security Incidents
15. Data Protection Officer (DPO)
16. Records of Processing Activities (ROPA)
17. Updates to This Policy
18. Governing Law and Jurisdiction
19. Contact

1. Introduction and Scope

This Privacy Policy ("Policy") describes how 45.597.034 Jonh Wilian Mariano Catalunha ("ClickVault," "we," "our") — a legal entity registered under CNPJ 45.597.034/0001-43, headquartered at Rua Silvino Gregório Dias, 323, Centro, Divino das Laranjeiras — MG — processes personal data through the ClickVault platform, accessible at clickvault.com.br.

ClickVault is a SaaS (Software as a Service) platform for click fraud protection and traffic management for digital advertising, designed primarily for Google Ads advertisers. The platform detects fraudulent clicks, automatically blocks suspicious IPs through the Google Ads API, and provides data-driven campaign intelligence.

This Policy has been prepared in compliance with:

• Brazil's General Data Protection Law (LGPD) — Law No. 13,709/2018, as amended by Law No. 13,853/2019;
• Marco Civil da Internet (Brazilian Internet Bill of Rights) — Law No. 12,965/2014;
• Decree No. 8,771/2016, which regulates the Marco Civil da Internet;
• Consumer Protection Code — Law No. 8,078/1990, where applicable.

1.1 Scope

This Policy applies to two distinct categories of data subjects:

1. Advertiser Users — individuals or legal entities that register on the ClickVault platform, connect their Google Ads accounts, and use the traffic protection and analytics services.

2. Visitors to Protected Sites — individuals who access landing pages of advertisements protected by ClickVault. These visitors have no direct relationship with ClickVault, and their data is collected solely for the purpose of fraud detection and prevention.

1.2 Acceptance

By creating a ClickVault account or using our services, the Advertiser User acknowledges having read, understood, and agreed to the terms of this Policy. Visitors to Protected Sites are informed about the processing of their data through this Policy, which is publicly available; their data is processed on the legal basis of legitimate interest for fraud prevention.

2. Definitions

For the purposes of this Policy, the following definitions apply, in accordance with Article 5 of the LGPD:

3. Categories of Data Subjects and Data Collected

ClickVault processes personal data from two distinct categories of data subjects, each with different purposes, legal bases, and roles.

3.1 Advertiser Users (Category 1)

These are natural persons or representatives of legal entities who create an account on the ClickVault platform to use the traffic protection services.

Legal relationship: Controller (ClickVault) — Controller (Advertiser User). ClickVault is an independent controller of Advertiser User data; the Advertiser User utilizes the platform voluntarily and upon acceptance of the terms.

Data collected:

Data not collected from Advertiser Users:

• Credit or debit card data (processed exclusively by Stripe, PCI DSS Level 1 certified);
• Personal identity documents (CPF, RG);
• Sensitive personal data (Art. 11, LGPD).

3.2 Visitors to Protected Sites (Category 2)

These are individuals who click on Google Ads advertisements from ClickVault customers and access landing pages where the protection script (t.js) is installed. These visitors do not have a ClickVault account and do not interact directly with the platform.

Legal relationship: Controller (Advertiser User) — Processor (ClickVault). The Advertiser User, by installing the protection script on their website, acts as the controller of their visitors' data. ClickVault acts as the processor, processing data solely in accordance with the controller's instructions and for the specific purpose of fraud detection and prevention.

Data collected by the t.js script:

Data not collected from Visitors:

• Name, email, or any directly identifying information;
• Data from forms filled out on the advertiser's page;
• Browsing history beyond the landing page;
• Cookies — the t.js script does not set cookies on the visitor's device;
• Sensitive personal data (Art. 11, LGPD).

Fingerprint processing: The device fingerprint is calculated in the visitor's browser from technical characteristics (screen resolution, installed fonts, browser settings) and is immediately converted to a SHA-256 hash before any transmission. ClickVault never stores the raw fingerprint — only the irreversible hash, which does not allow reconstruction of the original device characteristics.

4. Purposes and Legal Bases for Processing

In accordance with the principles of purpose limitation, adequacy, and necessity (Art. 6, I, II, and III, LGPD), ClickVault processes personal data exclusively for the purposes set out below, each supported by a specific legal basis:

4.1 Processing of Advertiser User Data

4.2 Processing of Visitor Data from Protected Sites

4.3 Proportionality Test — Legitimate Interest (Art. 10, LGPD)

For the processing of Visitor data from Protected Sites based on legitimate interest, ClickVault has conducted the following balancing test, as required by Article 10 of the LGPD:

Legitimate interest identified: Fraud prevention and protection of the Advertiser User's assets against fraudulent clicks on digital advertising campaigns. Click fraud causes direct and measurable financial losses, estimated at billions of dollars annually in the global market.

Necessity: The processing of the listed technical data (IP, User Agent, fingerprint hash, geolocation) is strictly necessary to identify fraud patterns. It is not possible to detect fraudulent clicks without analyzing this technical information. Less intrusive methods (such as CAPTCHAs) are ineffective against sophisticated fraud and degrade the experience for legitimate visitors.

Reasonable expectation of the data subject: A visitor who clicks on an advertisement has a reasonable expectation that the destination website will implement security measures, including fraud protection. The collection of technical data for security purposes is standard practice and widely accepted in the industry.

Safeguards implemented:

• Collection limited to technical data — no directly identifying information;
• Fingerprint processed as an irreversible hash (SHA-256) — reconstruction is impossible;
• The script does not set cookies on the visitor's device;
• Data retained for a limited, configurable period set by the advertiser;
• No data is shared with third parties for advertising or marketing purposes;
• No behavioral profiling or cross-site tracking.

Conclusion: The fundamental rights and freedoms of the data subject do not override the controller's legitimate interest, considering (i) the exclusively technical nature of the data, (ii) the strict purpose of security and fraud prevention, (iii) the robust safeguards implemented, and (iv) the reasonable expectation of the data subject.

5. Data Collection via the Protection Script (t.js)

5.1 Technical Operation

The t.js protection script is a JavaScript snippet that the Advertiser User voluntarily installs on their landing pages. When loaded in the visitor's browser, the script:

1. Collects technical data about the visitor's device and connection (as described in Section 3.2);
2. Calculates the fingerprint hash locally in the browser using the SHA-256 algorithm;
3. Sends a single POST request to ClickVault's servers containing the collected data;
4. Does not persist any data on the visitor's device — no cookies, no local storage (localStorage/sessionStorage), no tracking pixels.

5.2 What the Script Does NOT Do

• Does not set cookies of any kind;
• Does not track the visitor across multiple sites or sessions;
• Does not access form data, text fields, or any information entered by the visitor;
• Does not intercept user interaction events (button clicks, scrolling, etc.);
• Does not load third-party scripts;
• Does not perform cryptocurrency mining or any processing unrelated to fraud detection;
• Does not transmit data to advertising networks, data brokers, or any third parties other than ClickVault.

5.3 Transparency

The t.js script source code can be inspected by any visitor using the browser's developer tools. The script is served from the clickvault.com.br domain and is not obfuscated in a way that would prevent technical auditing.

5.4 Advertiser User Responsibility

As detailed in Section 13, the Advertiser User is the controller of their visitors' data and is responsible for:

• Informing their visitors about the data collection through their own privacy policy;
• Ensuring that a valid legal basis exists for the data collection;
• Responding to data subject requests relating to data collected on their website.

6. Cookies and Tracking Technologies

6.1 Cookies Used by the ClickVault Platform

The ClickVault platform uses only strictly necessary cookies required for the operation of the service, as detailed below:

6.2 Cookies Not Used

ClickVault does not use:

• Analytics or audience measurement cookies (Google Analytics, Hotjar, etc.);
• Marketing or advertising cookies (Facebook Pixel, Google Ads remarketing, etc.);
• Third-party cookies for any purpose;
• Non-essential personalization or preference cookies;
• Tracking pixels or web beacons.

6.3 Cookie Consent

Because ClickVault uses only strictly necessary cookies for the provision of the contracted service, ClickVault does not display a cookie consent banner. This is consistent with the ANPD's guidance that essential cookies may be used on the basis of Art. 7, V (performance of a contract) and Art. 7, IX (legitimate interest) of the LGPD, without requiring specific consent.

6.4 Protection Script and Cookies

As detailed in Section 5, the t.js protection script does not set cookies of any kind on the devices of Visitors to Protected Sites.

7. Data Sharing and Sub-Processors

ClickVault shares personal data exclusively with the processors (sub-processors) listed below, all of which are bound by agreements that include data protection clauses, in compliance with Article 39 of the LGPD:

7.1 Contracted Processors

7.2 Local Processors (No Data Transfer)

7.3 Artificial Intelligence

7.4 Data Sharing Not Performed

ClickVault does not share personal data with:

• Advertising networks or marketing platforms;
• Data brokers or data enrichment companies;
• Social networks for advertising purposes;
• Any third party for purposes other than those described in this Policy;
• Governments or public authorities, except when required by law, regulation, or a valid court order.

7.5 Google API Services — Limited Use

"ClickVault's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements."

In compliance with Google's Limited Use requirements, ClickVault:

1. Uses data from Google APIs exclusively for the purposes described in this Privacy Policy — click fraud detection, automatic blocking of fraudulent IPs, and delivery of campaign intelligence reports;
2. Does not transfer data to third parties, except where strictly necessary for the provision of the service (sub-processors listed in Section 7.1), as required by law, or with the explicit consent of the user;
3. Does not use Google API data for advertising, marketing, audience targeting, or any other commercial purpose unrelated to the click fraud protection functionality;
4. Restricts human access to data to situations where there is a demonstrated need for security purposes, legal compliance, or with the user's consent, and always in accordance with the principle of least privilege.

7.6 Google Ads API OAuth Scopes

ClickVault requests only the OAuth scopes strictly necessary for the click fraud detection and automatic IP blocking functionality. No additional scopes are requested.

The adwords scope is the standard scope required by the Google Ads API for any operation. ClickVault uses this scope exclusively for:

• Reading campaign data: Retrieving campaign names, IDs, and statuses from the Advertiser User's account for display on the dashboard and correlation with click data;
• Managing IP exclusion lists: Adding and removing fraudulent IP addresses from campaign criteria, protecting the advertiser's budget.

8. International Data Transfers

8.1 Identification of Transfers

In accordance with Article 33 of the LGPD, ClickVault transfers personal data internationally to the following countries:

In particular, the integration with the Google Ads API involves the following specific international transfers:

• Submission of fraudulent IP address lists to Google's servers in the USA for addition to campaign exclusion lists;
• Transmission of OAuth 2.0 tokens (AES-256 encrypted) and Google Ads account IDs for API authentication and operation;
• Receipt of campaign data (names, IDs, status) from Google's servers.

These transfers are based on Art. 33, II, "b" (standard contractual clauses via Google DPA) and Art. 33, V (performance of a contract).

8.2 Protection Mechanisms

International transfers are carried out on the basis of the following mechanisms, pursuant to Article 33 of the LGPD:

1. Standard Contractual Clauses (SCCs) — Art. 33, II, "b": All international processors have DPAs (Data Processing Agreements) incorporating internationally recognized standard data protection clauses, in compliance with the European Commission's Standard Contractual Clauses (cross-adequacy decision);

2. Contractual necessity — Art. 33, V: The transfer is necessary for the performance of the contract between the data subject (Advertiser User) and the controller (ClickVault), since the technological infrastructure that enables the service is hosted in the United States;

3. Protection of life or physical safety — Art. 33, VI: With respect to fraud prevention, the transfer contributes to the financial protection of the data subject.

8.3 Additional Safeguards

• Encryption in transit (TLS 1.2+) for all transfers;
• Encryption at rest on destination servers;
• Restricted access controls (principle of least privilege);
• Continuous security monitoring by processors;
• Processors' contractual commitment to notify security incidents.

8.4 Data Subject Rights Regarding International Transfers

Data subjects may request information about the public and private entities with which ClickVault has shared their data, including international transfers, through the contact channel indicated in Section 19.

9. Data Retention and Deletion

9.1 Retention Periods

ClickVault applies retention periods proportionate to the purpose of processing, in accordance with the principle of necessity (Art. 6, III, LGPD):

9.2 Data Deletion

Upon expiration of the retention period or at the data subject's request, data is:

1. Permanently deleted from primary databases;
2. Deleted from backups during the next backup rotation cycle (up to 30 additional days);
3. Made unrecoverable through data sanitization processes.

9.3 Exceptions to Deletion

Data may be retained beyond the stated periods solely when:

• A legal or regulatory obligation requires retention (Art. 16, I, LGPD);
• The data is necessary for the regular exercise of rights in judicial, administrative, or arbitration proceedings (Art. 16, IV, LGPD);
• The controller uses the data exclusively in anonymized form (Art. 16, IV, LGPD).

10. Information Security

ClickVault implements technical and administrative measures designed to protect personal data against unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or disclosure, in compliance with Article 46 of the LGPD and Article 13 of Decree 8,771/2016.

10.1 Technical Measures

10.2 Administrative Measures

• Password policy: Passwords stored using bcrypt hashing; minimum complexity requirements enforced;
• Principle of least privilege: Access to data and systems restricted to the minimum necessary;
• Periodic access reviews: Regular verification of access permissions;
• Dependency updates: Monitoring and updating of libraries and frameworks to address vulnerabilities;
• Processor agreements: All processors are bound by agreements that include data protection and confidentiality clauses.

10.3 Compliance with the Marco Civil da Internet

In compliance with Article 13 of Decree 8,771/2016, ClickVault:

• Maintains strict control over data access, with defined responsibilities and personnel who may access data;
• Employs authentication mechanisms for access to records;
• Maintains a detailed inventory of access to connection and application logs;
• Uses log management solutions employing techniques that ensure data integrity.

11. Data Subject Rights

ClickVault guarantees data subjects the exercise of all rights provided for in Article 18 of the LGPD:

11.1 Implemented Rights

11.2 How to Exercise Your Rights

Advertiser Users can exercise most of their rights directly through the ClickVault platform dashboard:

• Access and correct personal data in account settings;
• Revoke Google Ads access;
• Delete their account and all associated data;
• Export data (in progress).

For rights that require manual handling or for any inquiries, the data subject should contact the Data Protection Officer (DPO) at dpo@clickvault.com.br, providing:

• Full name;
• Email address associated with the account (if applicable);
• Description of the right to be exercised;
• Any additional information to facilitate identification of the data subject and the data.

Visitors to Protected Sites should exercise their rights with the Advertiser User (controller) whose website they visited. ClickVault, as the processor, will assist the controller in fulfilling such requests. If the visitor is unable to identify the controller, they may contact ClickVault at the email above for guidance.

11.3 Response Times

• Simplified confirmation: Immediately where possible, or within 15 (fifteen) business days;
• Full disclosure: Within 15 (fifteen) business days from the request, pursuant to Art. 19, II, LGPD;
• Data deletion: Within 15 (fifteen) business days, except for data subject to legal retention requirements (Section 9.3).

11.4 Identity Verification

To protect the data subject, ClickVault may request additional information for identity verification before fulfilling certain requests, particularly those involving data access, deletion, or portability.

12. Artificial Intelligence and Automated Decision-Making

12.1 Use of Artificial Intelligence

ClickVault uses artificial intelligence (Google Gemini) to provide insights and recommendations on digital advertising campaigns. The use of AI is limited to:

• Analysis of aggregated and anonymized campaign metrics;
• Generation of optimization recommendations;
• Identification of patterns in traffic data.

No personally identifiable information (PII) is sent to the AI system. All data is aggregated and anonymized before processing.

12.2 Automated Decision-Making

ClickVault uses automated decision-making processes for:

1. Fraud Score calculation: A numerical score assigned to each visit based on objective technical parameters (IP, User Agent, geolocation, behavioral pattern). The score does not involve behavioral, social, or psychological profiling — it is exclusively a technical analysis of fraud indicators.

2. Automatic IP blocking: IPs that exceed the Fraud Score threshold set by the Advertiser User are automatically added to the Google Ads exclusion list.

12.3 Right to Review (Art. 20, LGPD)

Data subjects have the right to request a review of decisions made solely on the basis of automated processing of personal data that affect their interests, pursuant to Article 20 of the LGPD.

Advertiser Users: May adjust the detection and blocking thresholds, individually review blocked IPs, and reverse manual blocks through the platform dashboard.

Visitors to Protected Sites: May request a review through the Advertiser User (controller) or directly from ClickVault, which will provide clear information about the criteria used in the automated decision, subject to trade and industrial secrets (Art. 20, par. 1, LGPD).

13. Advertiser User Responsibilities (Controller)

13.1 Role of the Advertiser User

By installing the t.js protection script on their website and using ClickVault's services, the Advertiser User acts as the controller of the personal data of visitors to their website. ClickVault acts as the processor, processing data solely in accordance with the controller's instructions and for the purpose of fraud detection and prevention.

13.2 Advertiser User Obligations

The Advertiser User is responsible for:

1. Informing their visitors about the data collection through the protection script, including this information in their own privacy policy;

2. Ensuring an adequate legal basis for the collection of visitor data. ClickVault recommends using legitimate interest (Art. 7, IX, LGPD) for fraud prevention purposes; however, the responsibility for defining and documenting the legal basis rests with the controller;

3. Responding to data subject requests — visitors to their website should exercise their rights with the controller (Advertiser User). ClickVault will cooperate in fulfilling these requests in its capacity as processor;

4. Setting appropriate retention periods for visit data by configuring the appropriate period on the platform;

5. Not using the collected data for purposes other than click fraud protection and traffic analysis;

6. Complying with applicable data protection legislation in their jurisdiction.

13.3 Data Processing Agreement (DPA)

ClickVault's Terms of Service include clauses that establish the reciprocal responsibilities between the controller and the processor, in compliance with Article 39 of the LGPD, including:

• Processing instructions;
• Confidentiality obligations;
• Security measures;
• Conditions for sub-contracting (sub-processors);
• Cooperation with the controller;
• Deletion or return of data upon termination of the contract;
• Provision of information for audits.

14. Security Incidents

14.1 Definition

A security incident is any confirmed adverse event involving a breach of personal data security, such as unauthorized access, accidental or unlawful destruction, loss, alteration, or any form of inadequate or unlawful processing that may pose a risk or significant harm to data subjects (Art. 46, LGPD).

14.2 Notification Procedure

In compliance with Article 48 of the LGPD, ClickVault follows these procedures in the event of a security incident:

1. Detection and containment — Immediate identification of the incident, containment of the damage, and preservation of evidence;

2. Risk assessment — Analysis of the nature of the affected data, impacted data subjects, volume of data, and potential for harm;

3. Notification to the ANPD — Communication to the regulatory authority within a reasonable timeframe, including:

   • Description of the nature of the personal data affected;
   • Information about the data subjects involved;
   • Description of the technical and security measures in place;
   • Risks associated with the incident;
   • Measures taken to reverse or mitigate the effects of the harm;

4. Notification to data subjects — Communication to affected data subjects when the incident may pose a risk or significant harm, informing them of:

   • The nature of the incident;
   • The data potentially compromised;
   • The mitigation measures taken;
   • Recommendations for the data subject (e.g., password change).

14.3 Timeframes

ClickVault commits to reporting security incidents:

• To the ANPD: within 72 (seventy-two) hours of confirming the incident, in accordance with international best practices;
• To affected data subjects: simultaneously or within 48 (forty-eight) hours of notifying the ANPD.

14.4 Incidents at Processors

The processors contracted by ClickVault (Section 7) are contractually required to notify ClickVault of any security incidents involving personal data processed on its behalf within no more than 72 (seventy-two) hours of detection.

15. Data Protection Officer (DPO)

In compliance with Article 41 of the LGPD, ClickVault has appointed the following Data Protection Officer:

15.1 DPO Responsibilities

Pursuant to Article 41, par. 2, of the LGPD, the Data Protection Officer is responsible for:

I. Receiving complaints and communications from data subjects, providing clarifications, and taking appropriate action;

II. Receiving communications from the ANPD and taking appropriate action;

III. Advising employees and contractors regarding data protection practices;

IV. Performing any additional duties assigned by the controller or established by applicable regulations.

15.2 Availability

The identity and contact information of the Data Protection Officer are publicly disclosed in this Privacy Policy and on the ClickVault website, clearly and prominently, preferably in the website footer, in compliance with Article 41 of the LGPD.

16. Records of Processing Activities (ROPA)

In compliance with Article 37 of the LGPD, ClickVault maintains records of the personal data processing activities it carries out, covering:

16.1 Contents of the Records

• Purpose of processing;
• Description of the categories of data subjects and personal data;
• Categories of recipients;
• International transfers;
• Retention periods;
• Description of security measures.

16.2 Availability

The records of processing activities may be requested by the ANPD at any time. ClickVault keeps these records up to date and available for review.

16.3 Data Protection Impact Assessment (DPIA)

ClickVault has prepared a Data Protection Impact Assessment (referred to as RIPD under the LGPD), pursuant to Article 38, addressing processing activities that may pose risks to civil liberties and fundamental rights, in particular:

• Processing based on legitimate interest (visitor data);
• Automated decision-making (Fraud Score and IP blocking);
• International data transfers;
• Integration with the Google Ads API (data transfer to Google, OAuth 2.0, automated IP exclusion).

The DPIA specific to the Google Ads API integration is documented in lgpd/ripd-google-ads-api.md.

The DPIA is available to the ANPD upon formal request.

17. Updates to This Policy

17.1 Periodic Review

ClickVault reserves the right to update this Privacy Policy at any time, in order to adapt it to new legal, regulatory, or case-law requirements, or as a result of changes to our services, technologies, or data processing practices.

17.2 Notification of Changes

Changes will be communicated to Advertiser Users through:

• Material changes: Email notification and prominent notice on the platform with at least 15 (fifteen) days' advance notice;
• Non-material changes: Update of the "Last updated" date at the top of this Policy and publication on the website.

17.3 Continued Use

Continued use of ClickVault's services following notification of material changes constitutes implied acceptance of the new terms. If the Advertiser User does not agree with the changes, they may close their account at any time.

17.4 Version History

18. Governing Law and Jurisdiction

18.1 Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Federative Republic of Brazil, in particular:

• Law No. 13,709/2018 (General Data Protection Law — LGPD);
• Law No. 13,853/2019 (Amendments to the LGPD and establishment of the ANPD);
• Law No. 12,965/2014 (Marco Civil da Internet);
• Decree No. 8,771/2016 (Regulation of the Marco Civil da Internet);
• Law No. 8,078/1990 (Consumer Protection Code), where applicable;
• ANPD regulations and guidelines, as published.

18.2 Dispute Resolution

Any disputes arising from this Policy shall preferably be resolved amicably. If that is not possible, the data subject may:

1. Contact the DPO (Section 15) for an attempted administrative resolution;
2. File a petition with the ANPD (Art. 18, par. 1, LGPD) — www.gov.br/anpd;
3. Contact the local Procon (consumer protection agency);
4. Bring a legal action before the competent court.

18.3 Jurisdiction

The courts of Governador Valadares — MG are elected as the exclusive venue for resolving any disputes arising from this Policy, to the exclusion of any other, however privileged, without prejudice to the consumer's right to bring proceedings in the jurisdiction of their domicile, pursuant to Art. 101, I, of the Consumer Protection Code.

19. Contact

For any questions, inquiries, complaints, or to exercise your rights under this Privacy Policy and regarding the processing of your personal data, please contact us:

19.1 National Data Protection Authority (ANPD)

If the data subject believes that ClickVault's processing of their personal data violates data protection legislation, they may file a complaint directly with the National Data Protection Authority (ANPD):

ClickVault — Intelligent Protection for Your Digital Traffic.

45.597.034 Jonh Wilian Mariano Catalunha CNPJ: 45.597.034/0001-43 Divino das Laranjeiras — MG, Brazil

Document last updated on March 18, 2026.