Qulture.Rocks Privacy Policy

Qulture.Rocks’ mission is to help companies (“Customers”) unlock the potential of their employees (“Users”). In order to fulfill our mission, we offer Customers several digital products and services, collectively known as our “Platform” or as our “Digital Services”, as well as content (e.g. from our blog), and courses (e.g. from Qulture.Rocks Academy and HR.Rocks, collectively known as “Courses” or “Events”), that are used and consumed by our Users to unlock their potential.

In order to attract new Customers, we also offer some of these contents and courses to prospective customers (“Prospects”) on our marketing websites (“Wesbite” or “Site”).

To conduct these activities, we need to collect and process some of our Users’ and Prospects’ personal data. This Privacy Policy seeks to clarify under which circumstances, we may collect data (“Data”), and how we treat and protect said Data. We take personal data protection very seriously and go to great lengths to protect User and Prospect Data.

Version 2.1, in effect as of October 6th, 2021.

Other relevant definitions

Throughout this Privacy Policy, the terms and expressions “Personal Data”, “Holder”, “Treatment”, “Controller” and “Operator” will have the definitions assigned by the Lei Geral de Proteção de Dados Pessoais (General Data Protection Law No. 13.709/2018, “LGPD”).

Some other definitions used throughout this document, such as “Platform”, “Digital Services”, “User” and “Customer”, can be found in the Qulture.Rocks’ Terms of Use: https://qulture.rocks/terms-of-use. If you are a User of the Platform and Digital Services, we strongly recommend that you read the Terms of Use.

Why we treat your personal data

We may collect and process your personal data in different situations, depending on your relationship with and the nature of your interaction with Qulture.Rocks. In summary, we treat your personal data when, as a User, (1) you access and use the Platform and Digital Services; or either as a User or Prospect, (2) you browse and interact with us through the Site ( https://qulture.rocks ), (3) you register and/or enroll in courses or HR-related events (such as the HR Rocks Academy (https://hr-rocks-academy.teachable.com), Qulture.Rocks Academy (https: //qulture-rocks.teachable.com), and our HR Rocks initiative (https://www.hr.rocks), and (4) we interact with you for promotional purposes, with information obtained through the Site or through ad platforms (Ads).

More specifically, we collect and process your personal data to:

Make the Platform and Digital Services available to the Customer and its Users. If you are a User who uses the Qulture.Rocks Platform and Digital Services on the course of your employment, then the company you work for is a Qulture.Rocks Customer. In such cases, regarding the data treatment, the Customer acts as controller, and Qulture.Rocks as operator. This means that it is the Customer who makes the relevant decisions about the purposes and means of processing personal data, and Qulture.Rocks acts in accordance with the Customer’s instructions to provide the Platform and Digital Services performance management solutions to the Customer and its Users. In order to find out the legal basis for the treatment of your data on the Platform, get in touch with the person in charge of Qulture.Rocks at the Client who registered you as a Platform User.

Establish communication with you. When you contact us through the Site (for example, by using the form on the page “Talk to a specialist”), you are registered as a User (for example, for the purpose of supporting or sending communications) or you are registered or enrolled in any activity on Teachable or HR Rocks, we use your contact details to communicate with you. The legal basis for this treatment is the legitimate interest of Qulture.Rocks in continuing to offer high quality services.

Enable your participation in our Qulture.Rocks Academy and HR.Rocks courses and events. When you register or sign up for some activity, course or training of Teachable, or in any event the HR Rocks, treat your personal data to enable their participation as well as to keep you informed about future activities. The legal basis for this treatment is the execution of a contract between you and Qulture.Rocks, to allow you to participate in our activities and to improve as a professional.

Send you promotional information. When you download any content available on our Site, when you take part in our Courses or when you contact us, we collect and use some of your personal data to send offers, promotions and more information about Qulture.Rocks services. In addition, we use third-party ad platforms (e.g. Google Ads, Facebook Ads, LinkedIn Ads) to identify your potential interest in activities, products and services such as those offered by Qulture.Rocks, and we also use the data that these platforms share with us, to promote our services and to send you our newsletter. The legal basis for this treatment is the legitimate interest of Qulture.Rocks in promoting its activities.                  

Receive your feedback to improve the Platform and Digital Services. When you send us your feedback about Qulture.Rocks, the Platform and/or Digital Services, Teachable or Qulture.Rocks activities, whether by email, chat, or other channels, we will treat the data provided by you only to improve our services. The legal basis for this treatment is the legitimate interest of Qulture.Rocks to continue improving its software and services, ensuring a high level of excellence for customers and users.

Analyze the use and performance of the Platform and Digital Services. To improve the functionality and resources of the Platform and Digital Services, as well as to identify and mitigate any problems, we analyze the usage data of the Platform and Digital Services. For these analyses, we use anonymized data (for example, usage statistics). An example of an analysis is the use of information provided by Users in response to questions from Qulture.Rocks, such as “How many feedbacks were exchanged this month?” Or “How long does a performance review last?”. The legal basis for this treatment is the legitimate interest of Qulture.Rocks to continue improving its software and services, ensuring a high level of excellence for customers and users.

Ensure your safety. Some of the data we collect from the use of the Platform, Digital Services, the Site, Courses and Events are used for security purposes, as described in this Privacy Policy and to meet certain legal and regulatory requirements, such as those of LGPD, Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet) (Law No. 12.965/2014) and Decree 8.771/2014. The legal basis for this treatment is our compliance with legal and regulatory obligations, so that Qulture.Rocks continues to ensure adequate levels of security to its Customers, Users, and Prospects.

What data we collect and process

The types of personal data we collect and process also vary according to the nature of the relationship and interactions Qulture.Rocks has with you, with the data that you decide to share with us or that a Customer requires us to collect and process. However, it is possible to indicate what data, in general, we collect and treat as part of our activities:

Digital Platform and Services: in order to enable Users on the Digital Platform and Services, the Customer needs to register their employees. When registering and enabling their account, the Customer may provide the following personal data:

- Name
- CPF (Brazil’s Taxpayer Registry Number)
- E-mail address                  

In addition, there are several other fields with personal and professional information that can be filled by the Customer or directly by our Users (according to the settings established by the Customer). This information may be mandatory or optional, as determined by the Customer. This information includes (but is no restricted to):

- Area
- Position
- Date of last job move
- Date of admission
- Date of termination  
- Date of birth  
- Department  
- Salary range  
- Training attendance history  
- Photo  
- Identifiers  
- Location  
- Reason for termination                  
- Job level  
- Country of residence  
- Government-issued ID numbers  
- Gender                  

The Platform also allows Customers to create other data fields customized for their needs. Therefore, other personal data may be collected and processed, as defined by Customers in their positions as data Controllers.

Furthermore, the Platform and Digital Services collect and process some data related to their performance and professional development, reviews by their managers and colleagues, among other profile and classification information about them. Such data are collected and/or generated from their interaction with the Customer and other Users on the Platform and Digital Services. This information is used by you and the Customer to manage your performance and professional development. In other words: Qulture.Rocks does not profile or classify Users – such profiling or classification is performed by the Customer and the Users themselves, when they interact with each other through the Platform and Digital Services.

Website: when you sign up for our newsletter, we collect the following data:

- E-mail address                  

When you use the Site to contact us (for example, on the “Request ademo” page), we may request the following information:

- Name
- E-mail address
- Telephone
- Company
- Position
- Company Department
- Approximate number of employees

We also collect your personal data when you download certain content available on our Site, such as Kits, Templates and other materials. We generally use this information to send you our promotional and institutional materials. These data include:

- Name
- E-mail address
- Telephone
- Company
- Position
- Company Department
- Approximate number of employees            

In addition, we post job openings on our Site. The registration and monitoring of the selection process takes place through the Candidate Portal in the Kenoby software. In these cases, through this partner, we collect and process the following data:

- Name
- E-mail address                  

Our Site uses cookies. Later on, this Privacy Policy explains how we collect and use such information.

Ads: When you browse the Internet and certain services, such as LinkedIn, some ad platforms we work with identify your interest in performance management, HR solutions or similar products/services. These platforms may collect and use certain personal data about you to target Qulture.Rocks ads to you.

HR Rocks and Teachable
: when you register with HR Rocks or Teachable, or when you register for an event on these platforms, we can collect and process the following personal data (depending on the platform):

- Name
- E-mail address
- Telephone
- Company
- Position
- Company Department
- Approximate number of employees          

Security and technical performance: In addition, when you interact with the Platform, with Digital Services, with the Site and with HR Rocks and Teachable , we may also collect some data for the purposes of security and technical performance of these activities, such as:

- Browser information (name, version
- Operating system information (name and version)                  
- Monitor resolution                  
- Location                  
- IP address                  
- URLs visited                  
- Interaction with interface components                  
- Logs (date and time)                

We use that data to record the activities of Users at the Platform to investigate any problems and to improve the Platform.

We may also use this information in cases where it is necessary to prove to the Customer that the User has taken any action. In such cases, Qulture.Rocks also acts as an operator, acting on behalf of the Customer.

With whom we share your personal data

Qulture.Rocks, like other cloud companies, uses some third party services and platforms to carry out its activities. Consequently, in order to make the Platform, Digital Services, Site, HR Rocks, Teachable and other resources available and operational, Qulture.Rocks shares data (that is, sends and/or receives personal data) with third parties.

Qulture.Rocks does not exchange or sell your personal data to any third parties.  

Qulture.Rocks signs contracts or contractual amendments targeting data protection (so-called “Data Protection Agreements” or “DPAs”) with third parties.

Qulture.Rocks shares data with the following third parties and for the following purposes:



Heroku: Server and database used by Qulture.Rocks, which has Amazon Web Services infrastructure. To provide its services, Qulture.Rocks needs a database for storing information. For that, Qulture.Rocks sends to Heroku the data and information of the users that are collected on the Platform. Location : 21155 Smith Switch Road, Ashburn, VA – United States.

Hotjar: Tool that analyses Users interaction with the Platform, to identify user behavior and implement improvements. Hotjar also triggers satisfaction surveys within the Platform. To provide its services, Hotjar requires identified data and information from Platform users. Sending user data and information to Hotjar enables improvements to be implemented by the Qulture.Rocks team. Location : AWS Ireland.

Intercom: Customer support service, help and communication center, to enhance users’ personalized service and communication experience. To provide its services, Intercom requires identified data and information from Platform users. Sending user data and identified information to the Intercom is what makes it possible to provide personalized service to the user by the Qulture.Rocks team. In addition to technical support, the User can answer a satisfaction survey about the service received, in which case, we store the survey response and the data of the respondent. Location : 55 2nd Street, 4th Floor, San Francisco, CA 94105 – United States.

Mixpanel: Service for analyzing user interaction with the Platform to make improvements to the Platform and solve problems, based on the information collected. To provide its services, Mixpanel requires identified data and information of Platform users. Sending identified data and information from users to Mixpanel is what allows improvements and troubleshooting by the Qulture.Rocks team on the Platform. Location: One Front Street, 28th Floor, San Francisco, CA 94111 – United States.

Papertrail: Service for registering calls (requests) made by users to the Platform. To provide its services, Papertrail requires the sending of parameters for each call, so that users’ actions can be triggered. We emphasize that encrypted data, such as passwords, are encrypted before being sent by Qulture.Rocks. The sending of the parameters of each call is what allows the user to interact with the Platform, whether reading or writing data. The stored logs allow the recovery of data that is not saved in the database, as well as the action record of each user for auditing purposes. Location: United States.

Planhat: Customer service. This service assists Qulture.Rocks in customer service, aiming to reduce the risk of cancellation of services, sale of products and to maximize the customer’s stay. In order to provide its services, Planhat requires the sending of identified data and information of users of the Platform. Sending identified user data and information enables Qulture.Rocks to provide customer support services and carry out analyzes to improve the Platform. We also conduct user satisfaction surveys to help develop improvements to the Platform. Location : Germany and the Netherlands.

Sendgrid (Twilio): Service for sending e-mails.To provide its services, Sendgrid requires the following user data: name, company and e-mail. Location : United States.

Sentry: Platform error tracking service. To provide its services, Sentry requires the following user data: IP.  Sending this data makes it possible to Qulture.Rocks monitor the Platform for errors. Location: United States.

New Relic: Platform error tracking service. To provide its services, New Relic requires the following user data: IP.  Sending this data makes it possible for Qulture.Rocks to monitor the Platform for errors.  Location: 188 Spear St., Suite 1000, San Francisco, CA USA 94105.  

Remora (Rsync.net): Backup of the Platform database external to Heroku. We have an automatic system with end-to-end encryption of offsite backups, that is, outside the Amazon infrastructure, through the Remora service. The backups are stored on rsync.net. Location: 910 15th St., Denver, CO 80202, United States.

Amazon AWS: Platform for infrastructure services, such as file storage. Location: United States.

Cloudinary: Platform for image storage.  Stores user photos and images attached to text. Location: United States.

Cloudflare: Provides security and reliability tools used on the Platform and websites, such as rate limit and firewall (WAF). Stores user data in the logs, such as IP, system settings and the device that was used to access the platform. Location: United States.


Power BI: Microsoft platform used to generate internal and external reports in an anonymized and clustered format, with the objective of tracking and analyzing financial information and customer satisfaction surveys. The data is extracted from our internal platforms and inserted into a spreadsheet model, which is imported into PowerBI. After that, the report is created and then exported in PDF or PowerPoint format to be sent to the team or potential investors.  For the these analyses, we collect data on monthly fees and additional charges for each customer, contract starting and ending dates, contract modification or cancellation dates, satisfaction survey responses, customer segment and business model, and the ISM or CSM responsible for the account. Location: São Paulo, Brazil.

Slack: Platform used for company’s internal communication. The Platform sends automatic and manual notifications, and also provides Customer content, such as compliments and pending tasks. The read data is used only for each functionality’s integration purposes. Qulture.Rocks does not perform any manual queries to the client data it has access to in Slack, nor does it store this data. If the Client opts to use the integration with this software, the Platform accesses data such as user lists and their emails, messages from channels where the integration was added, as well as allowing the sending of direct messages. Location: United States.

Google Data Studio: Platform integrated in the G Suite package designed to manipulate, generate and share dynamic dashboards that evaluate the performance of employees in performance evaluations, and other products such as 1:1s, feedbacks and feelings. Aggregated data from the results of the evaluations are used to build these analyses, in addition to information such as the names of each employee, areas, and positions. The performance appraisal data is extracted for manipulation using the Platform’s “export” tool and stored in Google Drive in spreadsheet format before being imported into Data Studio. For other products, data is usually extracted through custom queries in Metabase and stored in Google Drive as well. Once the analyses are completed, the reports are made available to the customer in a safe way, ensuring customization in the level of permission for each relevant recipient.
Location: São Paulo, Brazil

Public sites, such as Website and Teachable, and other tools:

Management tools and business communication for internal use of Qulture.Rocks
: We use some tools to investigate problems or orders, in developers and people of the Customer Success team exchange information with data from Users, as well as store information of potential new Customers in the team Marketing and Sales.  

Prodpad: User feedback management system on the Platform. When you send feedback about the Platform, we keep, in addition to the text, your name, email and company. When the product team decides to research any evolution of the Platform’s functionalities, it consults the feedbacks received and can contact the person who sent them to arrange interviews or to communicate that the feedback was granted. Location: 33 New Road, Brighton – UK.

RD Station: Digital marketing automation tool. We conduct lead capture, campaigns, lead nutrition and generation of qualified business opportunities. Form data is stored within our website (access to content, registration for courses, events and webinars, in addition to demo requests from our platform). This data (name, email, telephone, company name, number of employees in the company, area of ​​activity of the company and position) is combined with the history of the lead’s interactions with our content, and used to qualify business opportunities. Location: Council Bluffs, Iowa, USA.

Meetime: SDR management system for qualifying leads for the sales area. We send user data stored on RD Station. Location: United States.

Cloudflare: Provides security and reliability tools used on the Platform and websites, such as rate limit and firewall (WAF). Stores user data in the logs, such as IP, system settings and the device that was used to access the platform. Location: United States.

Cookies policy (Platform and Website)

A cookie, in the context of the internet, is a text that a server (the computer that hosts an app or website you are using) sends to your browser (i.e., Chrome, Safari, et. al.) with some information that customizes your use of said website or app..In our platform, we encrypt your user ID in a cookie to control your session as a logged-in user on the Platform, for example in order to know for how long you’ve been logged in. If that file is changed, we require that you log in (with your credentials such as your password) again.In our Site, we use cookies to store and remember your language preferences, as well as to understand how our users collectively use our website (e.g., which pages are most visited, or for how long).

Qulture.Rocks website: On the www.qulture.rocks website, we use the following cookies:

- IP2Location: IP2Location is a geolocation search technology by IP address. Your cookie is used to display the website in the best available language according to the user’s location.      
- Polylang: Polylang is a tool used to make websites multilingual. Your cookie is used to remember the language selected by the user when he returns to visit the site again.      
- Google Optimize: We use Google Optimize to perform A/B tests on our website. Your cookie is used to determine the inclusion of a user in an experiment and the expiration date of experiments in which a User has been included.      
- Google Analytics: Google Analytics is a tool that helps website owners measure how users interact with their content. As a user navigates between pages, Google Analytics records information about these pages, such as their URL. Google Analytics cookies are used to distinguish users and control the rate of requests.      

Qulture.Rocks Platform: On the Platform, we use the following cookies:

- Third party – Cloudflare: https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies.
- Third party – Hotjar: https://help.hotjar.com/hc/en-us/articles/115011789248-Hotjar-Cookie-Information.
- Third party – Intercom: https://www.intercom.com/help/en/articles/2361922-intercom-messenger-cookies.
- Third party – Mixpanel: https://mixpanel.com/legal/privacy-policy.      Third party – Planhat https://www.planhat.com/cookie-policy.
Cookie for login with Google      AllowMe identification cookie, a service that increases security in user authentication, available to some Customers according to the contracted plan.      
- Qulture cookies: XSRF-TOKEN – our protection token for XSRF ( https://en.wikipedia.org/wiki/Cross-site_request_forgery )      _qulture_session_cross_subdomain – our session token for platform authentication      

HR.Rocks: At HR.Rocks (https://www.hr.rocks), we use the following cookies:

-SquareSpace: website building service. There are security cookies, user session registration      
- Google Analytics: used for analysis of usage, clicks, pages visited, where users arrive from the site      
- Facebook: usage tracking to show relevant ads to the user on Facebook      
- LinkedIn: usage tracking to show relevant ads to the user on LinkedIn      
- Cookies to store user preferences, such as language      

Teachable: At Teachable, we use the following cookies:

- Cloudflare: cookies to identify users by IP and apply security settings, without storing personal information.      
- User session registration cookies to show the member area without having to log in again, in addition to preferences, such as language.      
- Segment.io: registration of usage by users.      
- Google Analytics: used for analysis of usage, clicks, pages visited, where users arrive from the site.      

What are your rights?

According to LGPD, the holder of personal data (as the case may be, you) has a number of rights that can be exercised in the face of the controller. That includes:

- Confirmation of the existence of treatment              
- Access to personal data                  
- Correction and update                  
- Request for anonymization, blocking or elimination                  
- Portability                  ,
- Information about shared use                  
- Revocation of consent                  
- Information about the possibility of not consenting                  
- Opposition to treatment                  
- Automated decision review                  

By making the Platform and Digital Services available to the Customer and its Users, and by ensuring its security, Qulture.Rocks acts merely as an operator on behalf of the Customer. For this reason, to exercise such rights in relation to access and use of the Platform and Digital Services as a User, you must make the request directly to the Customer (that is, the company that has granted you User access to the Platform and the Services Digital). If you send the request directly to Qulture.Rocks, we will forward it to the Customer so that appropriate measures can be taken.

For other purposes, in which Qulture.Rocks acts as a controller (that is, to communicate with you, to enable your participation in HR Rocks and Teachable, to send promotional information or to receive feedback to improve the Platform and Digital Services), you can contact us at legal@qulture.rocks.

How we keep your personal data safe

To maintain the security of your personal data, we use industry standard technologies, always updated in their latest stable versions. In addition, we have suppliers and partners who also have a high level of commitment to information security.

In addition, Qulture.Rocks has policies, procedures and controls aimed at information security and protection of personal data. This includes internal training, confidentiality agreements with employees, computer protection, periodic information security meetings, among other safe practices.

Qulture.Rocks provides access to personal data only to those employees who have a strict need to access it due to the role they perform. Such access is restricted and such employees are properly trained and qualified to handle personal data safely. In addition, all access to User data on the Platform by these employees is recorded with identification, action taken and time.

To avoid accidents and violations regarding your personal data, we have a list of controls that the engineering team needs to follow whenever dealing with infrastructure and software development. Checks range from strict permissioning to backup policy settings.

We have the practice of mandatory information security study by all Qulture.Rocks employees. Periodically, all employees take courses, readings, watch videos and respond to assessments on various security-related topics, such as legislation, hacker attack methods, strong password practices, among others.

How we handle cases of suspected personal data breaches

We have a security incident policy that provides an action plan for personal data breaches. In case of data leakage, we will notify companies, affected users and the brazilian National Authority for the Protection of Personal Data (ANPD) within 24 hours of the identification and confirmation of the incident.

Security incidents

To report security incidents, send an email to security@qulture.rocks describing as many details of the situation as possible. We will make every effort to respond as quickly as possible, with a maximum period of 24 hours of identification and confirmation that the incident has occurred.

How long do we keep your personal data

We keep your personal data only for as long as necessary to serve the purpose for which such data is processed. Therefore, the period for which we maintain this data may vary, depending on the purpose of the treatment, the applicable legal and regulatory obligations, among other factors. In cases where, due to the purpose or technical limitations, it is not possible to delete or anonymize your personal data (for example, for backup purposes), we will keep such data only for conservation purposes (without secondary use), in a safe environment and with greater access restriction.

Contact details

To contact us, just send an email to help@qulturerocks.com, or talk to us via chat accessing the Platform.Data Protection Officer – DPO: Thais Lima (dpo@qulture.rocks).