Legal Document

Privacy Policy · Klin OS

Data Controller: Klin Arts and Entertainment Ltd. · represented by Caio Klinger (CEO)

Data Protection Officer (DPO): Caio Klinger · caioklin.oficial@gmail.com

Last updated: April 23, 2026

Regulatory scope: LGPD (Brazilian Law 13,709/2018) · GDPR (Regulation (EU) 2016/679) · CCPA (California Consumer Privacy Act)

Honest context. Klin OS is an internal, private system of Klin Arts and Entertainment Ltd. It processes data of the company owner himself, Caio Klinger, collected via the official APIs of the platforms where he holds accounts (TikTok, Spotify, Instagram, YouTube, Facebook). The system does not collect data of third parties, offers no public sign-up, and does not sell or share information. This Policy exists because TikTok for Developers, Spotify for Developers and frameworks such as LGPD, GDPR and CCPA require formalization even for internal use.

1.Who We Are and How to Contact Us

Data Controller: Klin Arts and Entertainment Ltd., a Brazilian private legal entity under the Simples Nacional tax regime, legally represented by Caio Klinger (CEO).

Data Protection Officer (DPO): Caio Klinger.

Official channel to exercise rights, ask questions or submit complaints regarding data processing: caioklin.oficial@gmail.com.

2.Scope of this Policy

This Policy applies exclusively to data processing carried out by Klin OS, the internal operating system of Klin Arts. It does not apply to:

the public website caioklin.com, which has (or will have) its own specific policy;
the policies of integrated third-party platforms (TikTok, Spotify, Meta, Google), which remain fully applicable to their respective user relationships;
any other Klin Arts services or products to be launched later (Método Klin, etc.), whose specific policies will be published separately.

3.What Data Is Collected

Klin OS collects, exclusively via official APIs and with prior and express authorization of the account Owner (Caio Klinger), the following data:

Platform	Collected data	Purpose
TikTok	Basic profile info (user.info.basic), extended profile (user.info.profile), account stats (user.info.stats), list of published videos and their metrics (video.list)	Internal analytics of creator performance · support to content and brand decisions
Spotify	User profile, top tracks, top artists, artist's own catalogue, streaming metrics and playlists where applicable	Internal analytics of musical performance · monitoring of streaming goals
Instagram / Facebook (Meta Graph API)	Account information, media insights, aggregated metrics	Internal analytics of social performance · brand monitoring
YouTube (Data API)	Channel statistics, video metrics, aggregated analytics	Internal analytics of audiovisual performance
Business email	Metadata from business@caioklin.com inbox · headers and content relevant to internal operations	Professional correspondence organization and outreach
Internal operational data	Notes, contracts, briefs, financial records, goals, created by the Owner himself	Internal management of the company

Klin OS does not collect data of fans, external leads, unauthorized third parties, minors, or any special categories of sensitive personal data (LGPD art. 5, II · GDPR art. 9) beyond those eventually present in public content created by the Owner himself.

4.Legal Basis for Processing

Data processing by Klin OS is based, as applicable, on:

LGPD · art. 7, I · free, informed and unambiguous consent of the data subject;
LGPD · art. 7, IX · legitimate interest of the Controller in managing its business activity;
GDPR · art. 6(1)(a) · consent;
GDPR · art. 6(1)(f) · legitimate interest of the data controller;
CCPA · processing for business purpose within a direct relationship with the consumer, who in this case is the Owner himself.

5.Processing Purposes

The collected data is used exclusively for:

internal analytics of the artist Caio Klin's performance as a content creator and musician;
support to internal strategic decisions of Klin Arts and Entertainment Ltd.;
consolidation of metrics, briefs, contracts and operational workflows of the company;
compliance with legal, tax and contractual obligations of Klin Arts.

Data is not used for: third-party profiling, third-party behavioral advertising, sale, exchange, assignment or any form of direct monetization.

6.Data Sharing

Klin OS does not share data with third parties. Access to the system is restricted to the Owner (Caio Klinger) and, eventually, to internal collaborators expressly authorized, who are bound by contractual confidentiality duties.

The only exceptions to this rule are:

Legal obligation · a formal, duly substantiated request from a competent authority, strictly within the scope of the request;
Infrastructure providers · eventual cloud or storage service providers acting as data processors under the Controller's instructions and subject to contractual data protection clauses equivalent to this Policy.

7.Storage and Security

Data processed by Klin OS is stored primarily on a local-first basis, in an environment under the Owner's direct control (personal machine), with encrypted cloud backups where applicable.

Technical and organizational measures include, without limitation:

encryption of API access tokens;
strict access control based on individual credentials;
exclusive use of official platform APIs, with no unauthorized scraping;
periodic update of security mechanisms;
confidentiality duty imposed on any internal collaborator who accesses the system.

In the event of a security incident posing relevant risk to data subjects, Klin Arts will notify the Brazilian National Data Protection Authority (ANPD) and/or the competent European data protection authority within the timeframe required by applicable law (72 hours under GDPR, reasonable time under LGPD), as applicable.

8.International Data Transfers

The platforms integrated with Klin OS (TikTok, Spotify, Meta, Google and others) are operated by companies headquartered and with infrastructure outside Brazil, notably in the United States and other global jurisdictions. By using Klin OS, the Owner acknowledges and authorizes that data collected via these APIs may travel through such jurisdictions in accordance with the respective platforms' policies.

International transfers observe:

LGPD · arts. 33 to 36 · legal grounds for international data transfer;
GDPR · Chapter V (arts. 44 to 50) · adequate safeguards through standard contractual clauses, adequacy decisions or equivalent mechanisms offered by the recipient platforms themselves.

9.Data Retention

Data is retained for the period strictly necessary to fulfill the purposes described in this Policy, observing at least the legal retention periods applicable to tax, accounting and contractual obligations (typically five to ten years in Brazil, depending on document nature).

Once the purpose ends, data is deleted, anonymized or blocked, as applicable, except in cases of mandatory legal retention (LGPD art. 16 · GDPR art. 17(3)).

10.Rights of the Data Subject

Regardless of the applicable regime (LGPD · GDPR · CCPA), the data subject may, at any time, exercise the following rights with Klin Arts:

Access to processed data (LGPD art. 18, II · GDPR art. 15 · CCPA §1798.100);
Rectification of incomplete, inaccurate or outdated data (LGPD art. 18, III · GDPR art. 16);
Erasure of data processed based on consent (LGPD art. 18, VI · GDPR art. 17 · CCPA §1798.105);
Anonymization or blocking of unnecessary or excessive data (LGPD art. 18, IV);
Portability to another service provider (LGPD art. 18, V · GDPR art. 20);
Information regarding entities with which data was shared (LGPD art. 18, VII);
Withdrawal of consent at any time, without prejudice to prior processing (LGPD art. 8, §5 · GDPR art. 7(3));
Objection to processing based on legitimate interest (GDPR art. 21);
Non-discrimination for the exercise of these rights (CCPA §1798.125);
Complaint to the ANPD (Brazil), to the competent European data protection authority or to the California Attorney General, as applicable.

To exercise any of these rights, simply send a request to the DPO at caioklin.oficial@gmail.com, including identification and objective description of the request. A response will be provided within 15 (fifteen) days under LGPD and 30 (thirty) days under GDPR/CCPA.

11.Cookies and Similar Technologies

As an internal system rather than a public website, Klin OS does not use third-party tracking cookies. Only session tokens and encrypted credentials necessary for secure system operation and authentication with integrated APIs may be used. These are strictly functional and involve no advertising or profiling.

12.Children and Minors

Klin OS is not intended for children or minors, nor does it intentionally collect personal data of individuals under 18 (eighteen) years of age. Should improper processing of minors' data become known, it will be deleted immediately.

13.Changes to this Policy

This Policy may be updated at any time to reflect legal, operational or technological changes. The latest version will always be available on this page, with the new "Last updated" date clearly indicated.

Material changes significantly impacting the data subject's rights will be specifically communicated whenever technically feasible.

14.Governing Law and Jurisdiction

This Policy is governed by the laws of the Federative Republic of Brazil, without prejudice to the concurrent application of GDPR (for data of subjects residing in the European Union) and CCPA (for data of California residents).

The Courts of the District of São Paulo, State of São Paulo, Brazil, are elected as competent to settle disputes related to this Policy, without prejudice to the right of a data subject residing in another jurisdiction to bring action in their legally competent domicile forum, pursuant to applicable consumer and data protection legislation.