Data Processing Agreement - Creators

OVERVIEW

A. Hotmart provides a set of online resources and features that allow Creators to consume, create, promote and/or market products in a variety of digital formats. The Hotmart General Terms of Use ("Agreement") govern the access and use of: (i) the hotmart.com website and its subdomains; (ii) any other websites, interfaces, or applications on which Hotmart makes its features and functions available, including our applications for smartphones, tablets, or other electronic devices; and (iii) all services related to the resources and features made available by Hotmart.

B. By reason of the Agreement, and to provide all the resources and features hired and provided to the Creator, Hotmart and the Creator shall perform the Processing of Personal Data following the stipulated in the Agreement, as part of the rendering of the relevant services. This processing can be performed by:

B.1. Hotmart (“User Account Data”). In this case, the Parties acknowledge and agree that Hotmart acts in isolation, as an independent Controller, with respect to the Personal Data collected by Hotmart. 

B.2. The Creator. In such a case, the Parties acknowledge and agree that the Creator acts in isolation as an independent Controller concerning User Account Data that is transferred to and/or extracted from the Platform by the Creator (“Creator’s Data”).

B.3. Hotmart on behalf of the Creator. In such cases, the Parties acknowledge and agree that Hotmart acts as a Processor and the Creator acts as Controller with respect to Personal Data collected and/or generated directly by the Creator (“Creator’s Data”).

C. The Data Processing Agreement (“DPA”) defines the rules to be followed by the Parties in the processing of the Creator’s Data.

D. This DPA is entered into in the same manner as the Hotmart General Terms of Use and other policies, and are incorporated into them by reference, even if they are presented in separate texts. Hotmart and the Creator may be referred to together as “Parties” or separately as “Party.”

E. To make this DPA easier to read, we provide a Glossary, which lists the meaning of capitalized terms in the Agreement, in the DPA or other Hotmart Policies, especially the Privacy Policy. Any terms starting with capital letters and not otherwise defined in this DPA or other Hotmart Policies shall have the meaning assigned in applicable personal data protection laws. 

F. This DPA may be modified, replaced, or removed at any time, if necessary, to better represent the guidelines that must be observed by the Parties. This DPA and its updates supersede any proposals, contracts, prior understandings and agreements, verbal or written, that may exist between the Parties, especially regarding Personal Data.

1. Data Subjects Categories
   1. Creator’s Data Subjects Categories. The Data Subjects who have a direct relationship with the Creator, that is, end users ("Buyers"), Affiliates, Co-creators and, eventually, the Creator's Collaborators (who, for purposes of understanding this DPA, are included in the definition of Users).
2. Creator’s Data Categories
   1. Creator’s Data Categories. Creator’s Data may involve, for example, but not limited to registration data, financial information or any and all information transferred to the Creator and extracted, collected and/or generated by the Creator through the settings and use of the features and tools available to the Creator on the Platform depending on the type of User interaction with the Creator. 
   2. Creator’s Data Source. The Creator may collect additional data from the User. Creator’s Data may originate from: (i) collection carried out directly from the User; (ii) obtaining through third parties; and/or (iii) collection by automated means when the User accesses the Platform. In practice, Creator’s Data may be involved, for example, but not limited to (i) production of Creator’s content; (ii) disclosure of Creator’s content; (iii) configuration of the tools and functionalities available on the Platform, to meet the Creator's specific needs; (iv) use of Platform features such as chatbot, surveys, "free" spaces for filling, dissemination and events, according to the Creator's needs.
3. Hotmart's Features and Tools 
   1. Configuration and Usage. Hotmart provides the Creator with some features and tools that can be used and configured by the Creator depending on his/her specific needs, through acceptance by the Creator, demonstrating his/her interest in using them. For each functionality and tool, including those later developed by Hotmart, there are specific legal impacts related to the Creator's Data Processing. The features and tools made available by Hotmart may incorporate innovative technologies, including the use of artificial intelligence models or systems, which may involve the Processing of Creator Data. The Creator is responsible for understanding what his/her duties and responsibilities are when using and configuring each functionality and tool available on the Platform. 
   2. Creator Responsibility. Any damage caused by the non-alignment of the Creator's Data Processing and the features and tools used by the Creator to the local legislation to which it is subject will be the sole and exclusive responsibility of the Creator, who shall keep Hotmart harmless from any damage related to the use and configuration of the respective functionalities and/or tools, including those that incorporate innovative technologies..
4. Third-Party Features and Tools 
   1. Configuration and Usage. Hotmart may also provide the Creator with features and tools that are provided by third parties, Hotmart's commercial partners, and that may be useful to the Creator. When the features or tools are made available by third parties, the Creator will be bound by the terms and conditions stipulated by the provider of the respective features or tools, and it is their obligation to understand the entirety of these terms and conditions, which may differ from the conditions provided for in the Agreement or in this DPA.
      1. In certain cases, Creator may link third-party services to the Platform through application programming interfaces (APIs). These third-party services are not part of the scope of the Agreement's services and are not part of the Platform, being subject to different terms and conditions. Hotmart is not responsible for these services and when the Creator interacts with them, it is providing Personal Data directly to them. 

4.2. Disclaimer of Liability for Third Party Features and Tools. The Creator exempts Hotmart from any liability for the use of the features and tools made available by third parties that involve the Processing of the Creator's Data, being responsible for keeping Hotmart indemnified for any events arising from the use of these features and tools, including those that incorporate innovative technologies. If Hotmart suffers any loss as a result of the use, by the Creator, of features and tools made available by third parties, Hotmart will have the right of recourse against the Creator to recover any amounts that have been spent, directly or indirectly, due to the use of features or third-party tools.

1. Legal Impacts on Hotmart’s and Third Party Features and Tools
   1. Legal Impacts. It is the Creator's duty to verify that, for the Processing of the Creator's Data, the implementation and use of the features and tools provided by the Third Parties and/or Hotmart, in their specific context, is in line with all applicable regulations. As Hotmart operates globally, some features and tools available can be interpreted by local regulatory bodies in different ways, and it is solely up to the Creator to carry out this analysis and, if the features and tools can be interpreted in your location as not in line with local legislation, immediately cease using the features and tools, expressly communicating to Hotmart your interest in deactivating it. 
2. Duration of Hotmart's Processing of Creator’s Data
   1. Processing Duration. Creator’s Data will be processed by Hotmart until the termination of the Agreement with the Creator and/or when the Creator, at his/her discretion, requests Hotmart to delete the Personal Data.
   2. Subsequent Storage. With the observance of any of the hypotheses above, Hotmart shall continue storing the Creator’s Data for the period that is necessary for the fulfillment of its legal or regulatory obligations or to safeguard its rights or the Creator's rights in any administrative, judicial, or arbitration proceedings.

6.2.1. Storage for the Statute of Limitation. The Creator establishes that Hotmart shall store the Creator’s Data at least for the limitation period provided for in applicable law, for the filing of any claims against the Creator or against Hotmart, to be measured according to Hotmart's best interpretation, from the last interaction existing between the Data Subjects and Hotmart.

6.2.2. Retention for Legal Proceedings. In the event that administrative, judicial or arbitration proceedings are initiated regarding the Processing of Creator’s Data, Hotmart shall retain the respective Personal Data until the final and unappealable decision of the respective proceedings, continuing to store all information relating to the proceedings for the applicable statute of limitations for the filing of any termination lawsuits, or any type of lawsuit that has the capacity to reverse or nullify the final decision.

6.3. Data Deletion. The Creator is aware that after the expiration of the periods provided above, Hotmart will delete the Creator’s Data.

1. Data Subjects Rights 
   1. Assistance. The Creator is aware that Hotmart will assist the Creator in fulfilling their obligations related to the rights of the Creator’s Data Subjects and will respond to requests made by Users, relative to the exercise of the Creator’s Data Subject rights and respond directly to the Data Subjects according to the type of request received. 
   2. Evaluation of Requests. Hotmart shall evaluate which Data Subject requests may be fulfilled in the exact manner in which they were made, and which requests must be rejected or supplemented by the Data Subjects before they can be fulfilled. 
      1. In the event that the Creator contacts Hotmart requesting to fulfill a request made by a Data Subject, which was directed to the Creator, the Creator will be fully responsible for ensuring the confirmation of the Data Subject’s identity by means of verifications performed directly by the Creator. In case there is no expressed manifestation of the Creator indicating that a certain request should not be fulfilled, Hotmart will understand that the Creator has already confirmed the identity of the Data Subject, there being no question about the Data Subject’s legitimacy to make the respective request. Any damages caused by Hotmart's response to requests from Creator’s Data Subject, including security incidents caused by the failure to verify the identity of the Data Subject, shall be the sole and exclusive responsibility of the Creator.
   3. Response Timeframe. Requests from Data Subjects will be responded to by Hotmart within the timeframe that is feasible for Hotmart to provide the requested information or perform the intended actions.
2. Sharing of Creator’s Data 
   1. Sharing with Authorities. Hotmart shall comply with all legal or regulatory obligations, including orders from competent governmental authorities, requiring the sharing of the processed Creator’s Data with the respective governmental authorities, to the exact extent requested by the governmental authorities or imposed by applicable law.
   2.  Between Hotmart-related Companies. The sharing of Creator’s Data may occur between Hotmart's parent companies, subsidiaries, or companies under common control of Hotmart, under the Agreement.
3.  Confidentiality Imposed on Hotmart Employees
   1. Collaborator Confidentiality Obligation. Hotmart Collaborators involved in the Processing of Creator’s Data receive training on the subject of personal data protection and are subject to the obligation of confidentiality, either by virtue of their respective employment contracts or by virtue of having entered into specific confidentiality agreements.
4.  Information Security Measures
   1. Security Measures. Hotmart employs security, technical and organizational measures necessary to protect Personal Data, pursuant to the terms of the Cyber and Information Security Policy. These efforts are aimed at mitigating risks of destruction, accidental or unlawful loss, changes, unauthorized disclosure or access, or any other form of unlawful, improper or unauthorized handling. 
5. Sub-processors
   1. Hiring Sub-processors. The Creator grants general and unrestricted permission for Hotmart to employ such sub-processors as it sees fit in the performance of the Creator’s Data Processing activities requested by the Creator. Sub-processors may be chosen freely by Hotmart, without any interference from the Creator, provided that they are bound by terms no less stringent than those set forth in this DPA. Hotmart will be liable for the acts performed by its sub-processors, which violate the terms of the contracts signed with them.
   2. Waiver of Communication. The Creator waives any type of notification or communication regarding the replacement or addition of new sub-processors chosen by Hotmart, provided that the choice is made in good faith, and that the sub-processors are able to implement security measures no less stringent than those provided in this DPA.
   3. Information about Sub-processors. If the Creator is interested in knowing which sub-processors are hired by Hotmart for the Processing of Personal Data it has requested, it may forward a request to this effect to the following email: privacy@hotmart.com. When the identity of the sub-processors used may constitute a Hotmart trade secret, or when its disclosure may result in the violation of the contract signed between it and Hotmart, the Creator will have access to information about the activities performed by the sub-processors and their field of activity, without specifying their identity.
6.  Security Incidents

12.1. Incidents within the Hotmart Environment. In the event of a security incident involving Creator’s Data, which occurs within the environment controlled by Hotmart, including, but not limited to, improper, unauthorized access and leaked or loss of data, regardless of the reason that caused it, Hotmart shall notify the Creator, in writing, within a reasonable time from the date of acknowledgment of the event, according to what is feasible considering the extent of the incident and its consequences on the maintenance of the Hotmart systems, containing, at least: (i) date and time of the incident; (ii) date and time of the acknowledgment of the incident; (iii) list of the categories of Personal Data affected by the incident; (iv) list and number of the Data Subjects affected, in a concrete or potential manner; (v) contact information of the Data Protection Officer (DPO); (vi) description of the possible consequences of the incident; (vii) indication of measures being taken to repair the damage and prevent new incidents.

12.1.1. If Hotmart does not have all the information indicated above, at the time of sending the communication, it shall send it gradually, in order to ensure the greatest possible speed in the initial communication, complementing it as soon as other relevant details become available.

12.2. Communications. Hotmart may, at its sole discretion, make such communications as it deems relevant to protect its reputation and its brands in the event of security incidents caused within the environment it or the Creator controls, to the relevant authorities and to the Data Subjects, regardless of any prior notice to the Creator.

1. International Transfers
   1. Document Safeguarding. In the event that there are international transfers of Creator’s Data, Hotmart will implement technical and organizational measures to ensure greater protection for Creator’s Data that may be transferred.
   2. UK transfers. If the Creator is located in the United Kingdom, the Parties undertake to sign, as an attachment to this DPA, the version of the International Data Transfer Agreement issued by the Information Commissioner's Office that is made available by Hotmart to the Creator upon request via email privacy@hotmart.com, an instrument that will guide all international transfers made from the United Kingdom to other countries not recognized as appropriate jurisdictions by the Information Commissioner's Office. 
      1. References to the International Data Transfer Agreement. The Parties agree that the Creator's identity and contact data will be considered as if they had been included as a data exporter in the version of the International Data Transfer Agreement to be signed between the Parties and made available by Hotmart to the Creator upon request via email privacy@hotmart.com, even if not expressly stated therein, and the start date of the respective instrument will be adopted as the same date of signature of this DPA. All processing activities and characteristics defined in this DPA will also be considered as incorporated into the text of the International Data Transfer Agreement, allowing all Personal Data processed by Hotmart under this DPA to be transferred from the United Kingdom to other countries.
   3. Transfers from the European Union. If the Creator is located in the European Union, the Parties undertake to sign, as an annex to this DPA, Module Two of the Annex to the Implementation Decision of the European Commission No. 2021/914 (Standard Contractual Clauses), in the version made available by Hotmart to the Creator upon request through the email privacy@hotmart.com, an instrument that will guide all international transfers made from the European Union to other countries not recognized as appropriate jurisdictions by the European Commission. 
      1. References to the Standard Contractual Clauses. The Parties agree that the Creator's identity and contact data will be considered as if they had been included as a data exporter in the version of the Standard Contractual Clauses to be signed between the Parties and made available by Hotmart to the Creator upon request through the email privacy@hotmart.com, even if not expressly stated therein, and the start date of the respective instrument will be adopted as the same date of signature of this DPA. All processing activities and characteristics defined in this Term will also be considered incorporated into the text of the Standard Contractual Clauses, allowing all Personal Data processed by Hotmart under this DPA to be transferred from the European Union to other countries. 

13.4. Transfers from the European Union and the United Kingdom. In the event that Creator Data is transferred both from the European Union and the United Kingdom to other countries, not considered as adequate jurisdictions by the European Commission and the Information Commissioner's Office, and provided that such circumstance is expressly communicated by the Creator to Hotmart, the Parties undertake to sign, as an annex to this DPA, Module Two of the Annex to the Implementation Decision of the European Commission No. 2021/914 (Standard Contractual Clauses), in the version made available by Hotmart to the Creator upon request through the email privacy@hotmart.com, with the addition of the International Data Transfer Addendum issued by the Information Commissioner's Office, respecting the references mentioned in the clauses above.

1. Hotmart Cooperation
   1. Impact Reporting. When stipulated by applicable laws as an expressed legal obligation, Hotmart will assist the Creator, to the extent possible, in the preparation of Personal Data Protection Impact Reports by providing information that may eventually be known only to Hotmart, and that is strictly necessary for the preparation of the respective documents.
   2. Audit. When stipulated by applicable laws as an expressed legal obligation, Hotmart shall provide the Creator with the information necessary to demonstrate its compliance with the applicable data protection laws.
      1. Audit of Systems and Facilities. Hotmart will conduct an audit of its systems and facilities to confirm their compliance with applicable data protection laws, to be conducted by independent external auditors, chosen at Hotmart's sole discretion. The respective audit report will be made available to the Creator, except for the portions that may compromise the security of Hotmart's systems and facilities, or its trade or industry secrets, which will be blocked out before being made available to the Creator. The audit report made available to the Creator shall be treated as Hotmart’s confidential information, and the Creator is expressly prohibited from sharing the report with any third party, under penalty of bearing the losses and damages caused by its improper sharing.
   3. Unlawful Instructions. Hotmart will inform the Creator if, in its opinion, any of their instructions for Personal Data Processing violate the Agreement and/or applicable data protection laws. Hotmart, however, is not obliged to perform a comprehensive and detailed assessment of the legality of the instructions provided by the Creator, which are presumed to be lawful, and the Creator is fully liable for any loss caused to Hotmart in the event that its instructions are interpreted by competent authorities as unlawful.

15. Creator Obligations

15.1. Creator Obligations. The Creator is subject to certain obligations when acting as Controller. The Creator declares and warrants that it complies with the requirements set out in the applicable legislation, in particular compliance with the principles of Processing, verification of the appropriate legal basis, adoption of security measures, registration of activities and the obligation to report security incidents to the Authorities and Data Subjects, when applicable:

15.1.1. The Creator shall inform Hotmart of any notification, subpoena, service of process or communication of claims made by Data Subjects, investigations or inquiries initiated by competent authorities, or any administrative, judicial or arbitration proceedings initiated by Data Subjects or by competent authorities, when they are related to the Processing of Personal Data carried out under the Agreement or this DPA, allowing Hotmart, if interested, to participate in the preparation of the response to be carried out by the Creator in each of the cases above 

15.1.2. Communication about the occurrence of a security incident that occurred in the environment controlled by the Creator must be made through the email security@hotmart.com. In addition, the Creator must inform Hotmart if any sharing of Personal Data with the Creator should continue or if it should be suspended until the Creator completely resolves the consequences of the security incident. 

1. If the Creator does not have all the information indicated above at the time of sending the communication, they must send it gradually, in order to ensure the greatest possible celerity in the initial communication, complementing it as soon as other details relevant information becomes available. 
2. The Creator must inform Hotmart, by email security@hotmart.com, which official channel must be used by Hotmart to forward communications related to security incidents that occurred in the environment controlled by it.

16. General Provisions

16.1. Independence of the Provisions. If any provision of this DPA is deemed void, invalid , or unenforceable, the remaining provisions shall remain valid and effective. The null, invalid or unenforceable provision shall be amended to ensure its validity and effectiveness, preserving the intentions of the Parties.

16.2. Survival. This DPA shall survive the termination or expiration of the relationship between the Parties with respect to Personal Data Processing activities arising under the Contracts which continue, even after termination or expiration of this DPA, even if only for purposes of complying with a legal or regulatory obligation.