Privacy Policy

Effective Date: April 1, 2026
Last Updated: April 1, 2026

This Privacy Policy describes how [NOME_FANTASIA], registered under CNPJ [CNPJ] (“Upmetr”, “we”, “us”, or “our”) collects, uses, stores, and protects your personal data when you use our cloud infrastructure monitoring platform (“Service”). We are committed to protecting your privacy and complying with applicable data protection laws, including the Brazilian General Data Protection Law (LGPD — Lei 13.709/2018), the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

1. Data Controller

The data controller for personal data processed through the Service is:
  • Company: [NOME_FANTASIA]
  • CNPJ: [CNPJ]
  • Address: Florianopolis, SC, Brazil
  • Privacy Contact: privacy@upmetr.com

2. Data We Collect

Account Data

  • Full name
  • Email address
  • Password (stored as bcrypt hash — we cannot read your password)
  • Organization name
  • Avatar image (optional)

Cloud Credentials

  • Cloud provider API keys, IAM role ARNs, service account JSON, access tokens
  • All credentials are encrypted at rest using AES-128-CBC with HMAC-SHA256 (Fernet encryption)
  • Our API never returns decrypted credentials

Infrastructure Data

  • Cloud resource metadata (instance IDs, types, regions, tags)
  • Infrastructure metrics (CPU, memory, disk, network usage)
  • Uptime monitoring results (response times, status codes, SSL certificate data)
  • Cost and billing data from cloud providers
  • Incident records

Usage Data

  • Login timestamps and IP addresses
  • Pages visited within the Service
  • Feature usage patterns
  • Audit log entries (for security tracking)

Billing Data

  • Processed by Stripe — we do not store credit card numbers
  • Stripe Customer ID and subscription metadata

3. How We Use Your Data

We use your data to:

| Purpose | Legal Basis (GDPR) | Legal Basis (LGPD) |
| --- | --- | --- |
| Provide the Service | Performance of contract | Execution of contract |
| Send alerts and notifications | Performance of contract | Execution of contract |
| Process payments | Performance of contract | Execution of contract |
| Send transactional emails (welcome, verification, billing) | Performance of contract | Execution of contract |
| Security monitoring and audit logging | Legitimate interest | Legitimate interest |
| Service improvement and analytics | Legitimate interest | Legitimate interest |
| Respond to support requests | Performance of contract | Execution of contract |
| Comply with legal obligations | Legal obligation | Legal obligation |

We do not:
  • Sell your personal data to third parties
  • Use your data for advertising or profiling
  • Access your cloud credentials for any purpose other than providing the Service

4. Data Storage and Security

Encryption

  • Cloud credentials: Fernet encryption (AES-128-CBC + HMAC-SHA256) at rest
  • Passwords: bcrypt hashing (irreversible)
  • MFA secrets: Fernet encryption at rest
  • API tokens: SHA-256 hashing (irreversible)
  • Encryption keys: Stored separately in AWS Systems Manager Parameter Store (production)

Network Security

  • TLS 1.2/1.3 for all data in transit (HTTPS)
  • HSTS enabled with ECDHE forward secrecy
  • OCSP stapling for certificate validation

Access Controls

  • Row-Level Security (RLS) in PostgreSQL ensures tenant data isolation
  • Role-based access control (Viewer, Admin, Superadmin) within organizations
  • All sensitive actions are logged in the audit trail

Infrastructure

  • Data is hosted on infrastructure within AWS regions
  • Database backups are encrypted

5. Data Sharing and Sub-processors

We share data with the following third-party processors, strictly to provide the Service:

| Sub-processor | Purpose | Data Shared |
| --- | --- | --- |
| Stripe | Payment processing | Email, name, billing data |
| Resend (AWS SES) | Transactional email delivery | Email address, name |
| AWS | Cloud infrastructure hosting | All service data (encrypted) |

We do not share your data with any other third parties. If we add new sub-processors, we will notify you at least 30 days in advance.

6. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Infrastructure metrics | 30 days |
| Uptime metrics | 90 days |
| Audit logs | 90 days |
| Account data | Until account deletion |
| Incident records | Until account deletion |
| Billing records | As required by law (typically 5 years) |

After account deletion, all personal data is removed within 30 days, except where retention is required by law.

7. Your Rights Under LGPD

If you are located in Brazil, you have the right to:
  • Access your personal data that we process
  • Correct inaccurate or incomplete data
  • Anonymize, block, or delete unnecessary or excessive data
  • Data portability — receive your data in a structured, machine-readable format
  • Delete your personal data (subject to legal retention requirements)
  • Revoke consent for data processing where consent is the legal basis
  • Information about third parties with whom we share your data
  • Oppose processing activities that violate the LGPD
To exercise these rights, contact us at privacy@upmetr.com. We will respond within 15 days.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the right to:
  • Access your personal data
  • Rectification of inaccurate data
  • Erasure (“right to be forgotten”)
  • Restrict processing of your data
  • Data portability
  • Object to processing based on legitimate interest
  • Lodge a complaint with your local supervisory authority
To exercise these rights, contact us at privacy@upmetr.com. We will respond within 30 days.

9. Your Rights Under CCPA

If you are a California resident, you have the right to:
  • Know what personal information we collect and how it is used
  • Delete your personal information
  • Opt-out of the sale of personal information (we do not sell personal data)
  • Non-discrimination for exercising your privacy rights

10. International Data Transfers

Upmetr is based in Brazil. Your data may be transferred to and processed in countries outside your country of residence.
  • For Brazilian residents: International transfers are conducted in compliance with LGPD Chapter V, using Standard Contractual Clauses approved by the ANPD (Resolution CD/ANPD No. 19/2024)
  • For EEA/UK residents: International transfers are conducted using EU Standard Contractual Clauses (Commission Decision 2021/914)

11. Cookies

The Service uses only essential session cookies required for authentication and functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

12. Children’s Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days’ notice via email or a prominent notice in the Service.

14. Contact

For questions or requests regarding your privacy: