Legal

Privacy Policy

Last updated: 03/18/2026

This Privacy Policy describes how Turing ("Turing", "we") collects, uses, shares, and protects personal data in the context of using the app.turing.com.br platform and other related interfaces/plug-ins and services ("Services"), with primary storage and processing on AWS (United States).

By using the Services, you acknowledge that you have read and understood this Policy.

Table of Contents

1 Roles (Controller vs. Processor) and Scope
2 What data we collect (categories)
3 Processing purposes and legal bases (LGPD)
4 How data is processed (including AI/RAG)
5 Data sharing (processors and third parties)
6 International transfer (Brazil → USA)
7 Retention and deletion
8 Data subject rights (LGPD)
9 Information security
10 Cookies and similar technologies
11 Children and minors
12 Changes to this Policy
13 Data Protection Officer (DPO) Contact and Privacy Channel

1 Roles (Controller vs. Processor) and Scope

  • Corporate clients/Organizations. When Turing provides Services to an organization (e.g., a law firm or legal department) and you access through that organization, it is common for the Organization to be the Controller and Turing to act as Processor for content entered on the platform (conversations, documents, legal data).
  • End users. For registration, billing, security, marketing, and support data, Turing tends to act as Controller.
  • User content. "Content" includes messages, uploaded documents, generated outputs, Workflow/Grid executions, and entered legal data. Content processing may occur as Processor (when linked to the Organization) and, in some cases, as Controller (e.g., product improvement, when permitted and with an adequate legal basis).

Legal basis (LGPD): [Law 13,709/18, Arts. 5, VI and VII; 7; 11; 18].

2 What data we collect (categories)

Below is a map of the main data, aligned with the inventory provided by you.

2.1 Table — Data collected

Category | Data | Where/How it appears in the Services
Identity | email, name, profile photo, nickname | User registration (User model)
Professional | occupation, bar association number/section/type, "about me" | Profile (User model)
Preferences | response style, custom instructions | User preferences (User model)
Organization | organization name, email whitelist, Stripe IDs | Organization/whitelist/billing (Organization, EmailWhitelist)
Legal data / clients | tax ID (CNPJ), legal name, address, cases, claim values, contracts, clauses | Legal profiles and records (ClientProfile, MatterProfile, ContractProfile)
Conversations | message content, summaries, query logs | Chat and logs (Message, Conversation, QueryLog)
Feedback | notes, comments, ratings | Feedback
Documents | uploaded files, metadata, processed content (chunks) | File, KnowledgeBase
Agent memory | episodic/semantic/procedural memories | AgentMemory
Workflows | execution input/output data | Workflow Execution
Grid | extracted values, rationale, citations | GridCell

2.2 Automatically collected data (technical)

We collect typical technical data for operations and security:

  • Access logs: IP, date/time, endpoints, audit and security events
  • Device and browser data: operating system, user agent, settings
  • Usage data: features used, session duration, query volume
  • Cookies and similar technologies: essential (session/CSRF), functional, and, where applicable, analytics

3 Processing purposes and legal bases (LGPD)

We process personal data for the purposes below, always observing necessity, adequacy, and data minimization [Law 13,709/18, Art. 6].

3.1 Table — Purpose x Legal basis x Examples

Purpose | Examples | Legal basis (LGPD)
Provide and operate the Services | authentication, chat/RAG execution, Workflows, Grid | Performance of contract / preliminary procedures [Art. 7, V]
User support and customer service | responding to tickets, investigating incidents | Performance of contract [Art. 7, V] / legitimate interest (with assessment) [Art. 7, IX]
Security, fraud and abuse prevention | misuse detection, rate limiting, auditing | Legitimate interest [Art. 7, IX] / credit protection (if applicable) [Art. 7, X]
Personalization | saving preferences, custom instructions | Performance of contract [Art. 7, V] / legitimate interest [Art. 7, IX]
Product improvement and analytics | performance metrics, model quality, logs | Legitimate interest (with safeguards) [Art. 7, IX]
Legal/regulatory obligations | record keeping, responding to court orders | Compliance with legal obligation [Art. 7, II]
Marketing and communications | newsletters, invitations, events | Consent (when required) [Art. 7, I] / legitimate interest in B2B (when applicable) [Art. 7, IX]
Billing and financial management | payment collection and anti-fraud | Performance of contract [Art. 7, V] / legal obligation [Art. 7, II]

Sensitive data: as a rule, we do not request sensitive data as a requirement. If sensitive data is processed within the Content (e.g., health, biometrics), the provisions of [Art. 11, LGPD] and additional controls apply.

4 How data is processed (including AI/RAG)

Turing offers features that may process Content through third-party services for:

  • Response generation and classification (LLMs)
  • Embeddings and vector search (for context retrieval)
  • Document parsing (structured extraction from PDFs/DOCX/PPTX)
  • Cloud integrations (Google/Microsoft) when you connect your account

5 Data sharing (processors and third parties)

We share data only when necessary to operate the Services, fulfill obligations, or at your choice (e.g., integrations).

5.1 Table — Main third parties and data sent

Third Party / Category | Purpose | Data potentially sent
AWS (USA) | hosting and storage (S3/RDS/etc.) | account data, Content, logs, files
Anthropic (Claude) | response generation | conversation/document excerpts per prompt/context
OpenAI | embeddings and/or chat (when applicable) | text for embeddings and messages
Cohere | reranking | queries and candidate chunks
Voyage AI | multilingual embeddings | document chunks
Azure Document Intelligence | parsing | document bytes
Nango | OAuth proxy | identifiers and OAuth tokens (stored/managed via Nango)
Google APIs (via Nango) | Drive/Gmail/Calendar | data strictly necessary for the requested action
Microsoft Graph (via Nango) | OneDrive/SharePoint | data strictly necessary for the requested action
Stripe | billing | billing and subscription data
ElevenLabs | TTS/STT | audio/text for synthesis/ASR
Mailchimp | email marketing | name/email and communication preferences
ClickUp | feedback management | feedback content (as configured)
DataJud (CNJ), LexML | legal research | search terms (queries)
ReceitanetBX | tax queries | CPF/CNPJ and search parameters

Note: integrations (Google/Microsoft) are triggered only when you connect and request related features.

6 International transfer (Brazil → USA) and AWS storage

Data processed by Turing may be stored and processed in the United States, on AWS infrastructure (and, as per the listed vendors, by other sub-processors), in compliance with the LGPD [Law 13,709/18, Arts. 33 to 36].

7 Retention and deletion

By its current design, Turing does not apply an automatic global TTL to most data, which requires transparency and governance.

7.1 General rules (operational guidelines)

Data type | Default retention | How to delete
User account | while the account is active and as required by legal obligations | request deletion/account closure
Conversations and logs | as long as necessary for operations, auditing, and support; backups may exist for a limited period | deletion upon request (subject to scope and legal basis)
Documents/KB | manual deletion by user/admin; no automatic global TTL | deletion in the app (removes S3 + indexes + DB, when applicable)
Agent memory | may have optional expires_at; expired memories may be consolidated/removed | controls in the memory/settings area
Billing data | as required by legal/tax obligations | as per legal deadlines

Backups: even after deletion, residual data may persist in backups for a limited period until secure overwrite/purge, in accordance with continuity practices.

8 Data subject rights (LGPD)

You may exercise the rights provided under the LGPD [Art. 18], including:

  • Confirmation of processing and access
  • Correction of incomplete/inaccurate data
  • Anonymization, blocking, or deletion (when applicable)
  • Portability (when applicable)
  • Information about data sharing
  • Withdrawal of consent (when consent is the legal basis)
  • Objection to processing based on legitimate interest (when applicable)

8.1 How to make a request

Send your request to: suporte@turing.com.br

We may request identity verification to prevent fraud, a practice aligned with market standards.

When the Organization is the Controller: we will direct or guide you to contact the administrator/controller (e.g., law firm/company), pursuant to the applicable agreement.

9 Information security

We adopt reasonable technical and organizational measures to protect data against unauthorized access, loss, and alteration, with mandatory HTTPS:

  • Access control through roles/permissions
  • Session management (sessionid cookie) and CSRF protection (csrftoken + header)
  • Internal service tokens (e.g., X-Internal-Service-Token)
  • Security monitoring and logs (as needed)
  • Cloud storage with security controls (AWS)

10 Cookies and similar technologies

We use cookies for:

  • Essential: authentication/session and security (CSRF)
  • Functional: user preferences
  • Analytics (when applicable): usage metrics for product improvement

You can manage cookies in your browser; disabling essential cookies may affect functionality.

11 Children and minors

The Services are intended for a professional audience. We do not direct the Services to individuals under 18 years of age. If we identify improper collection, we will take measures for deletion and blocking.

12 Changes to this Policy

We may update this Policy periodically. We will publish the current version and, when applicable, notify you by email or within the product itself.

13 Data Protection Officer (DPO) Contact and Privacy Channel

DPO: Gabriel Leal

Email: suporte@turing.com.br

Address: Turing Desenvolvimento de Software LTDA
Avenida Jose de Sousa Campos 507 Loja 03 Edif Toulon
Cambui, Campinas — SP, 13025-320