> ## Documentation Index
> Fetch the complete documentation index at: https://docs.upmetr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy Policy

> How Upmetr collects, uses, and protects your data

# Privacy Policy

**Effective Date:** April 1, 2026
**Last Updated:** April 1, 2026

This Privacy Policy describes how \[NOME\_FANTASIA], registered under CNPJ \[CNPJ] ("Upmetr", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our cloud infrastructure monitoring platform ("Service").

We are committed to protecting your privacy and complying with applicable data protection laws, including the Brazilian General Data Protection Law (LGPD — Lei 13.709/2018), the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

***

## 1. Data Controller

The data controller for personal data processed through the Service is:

* **Company:** \[NOME\_FANTASIA]
* **CNPJ:** \[CNPJ]
* **Address:** Florianopolis, SC, Brazil
* **Privacy Contact:** [privacy@upmetr.com](mailto:privacy@upmetr.com)

## 2. Data We Collect

### Account Data

* Full name
* Email address
* Password (stored as bcrypt hash — we cannot read your password)
* Organization name
* Avatar image (optional)

### Cloud Credentials

* Cloud provider API keys, IAM role ARNs, service account JSON, access tokens
* **All credentials are encrypted at rest** using AES-128-CBC with HMAC-SHA256 (Fernet encryption)
* Our API never returns decrypted credentials

### Infrastructure Data

* Cloud resource metadata (instance IDs, types, regions, tags)
* Infrastructure metrics (CPU, memory, disk, network usage)
* Uptime monitoring results (response times, status codes, SSL certificate data)
* Cost and billing data from cloud providers
* Incident records

### Usage Data

* Login timestamps and IP addresses
* Pages visited within the Service
* Feature usage patterns
* Audit log entries (for security tracking)

### Billing Data

* Processed by **Stripe** — we do not store credit card numbers
* Stripe Customer ID and subscription metadata

## 3. How We Use Your Data

We use your data to:

| Purpose                                                    | Legal Basis (GDPR)      | Legal Basis (LGPD)    |
| ---------------------------------------------------------- | ----------------------- | --------------------- |
| Provide the Service                                        | Performance of contract | Execution of contract |
| Send alerts and notifications                              | Performance of contract | Execution of contract |
| Process payments                                           | Performance of contract | Execution of contract |
| Send transactional emails (welcome, verification, billing) | Performance of contract | Execution of contract |
| Security monitoring and audit logging                      | Legitimate interest     | Legitimate interest   |
| Service improvement and analytics                          | Legitimate interest     | Legitimate interest   |
| Respond to support requests                                | Performance of contract | Execution of contract |
| Comply with legal obligations                              | Legal obligation        | Legal obligation      |

**We do not:**

* Sell your personal data to third parties
* Use your data for advertising or profiling
* Access your cloud credentials for any purpose other than providing the Service

## 4. Data Storage and Security

### Encryption

* **Cloud credentials:** Fernet encryption (AES-128-CBC + HMAC-SHA256) at rest
* **Passwords:** bcrypt hashing (irreversible)
* **MFA secrets:** Fernet encryption at rest
* **API tokens:** SHA-256 hashing (irreversible)
* **Encryption keys:** Stored separately in AWS Systems Manager Parameter Store (production)

### Network Security

* TLS 1.2/1.3 for all data in transit (HTTPS)
* HSTS enabled with ECDHE forward secrecy
* OCSP stapling for certificate validation

### Access Controls

* Row-Level Security (RLS) in PostgreSQL ensures tenant data isolation
* Role-based access control (Viewer, Admin, Superadmin) within organizations
* All sensitive actions are logged in the audit trail

### Infrastructure

* Data is hosted on infrastructure within AWS regions
* Database backups are encrypted

## 5. Data Sharing and Sub-processors

We share data with the following third-party processors, strictly to provide the Service:

| Sub-processor        | Purpose                      | Data Shared                  |
| -------------------- | ---------------------------- | ---------------------------- |
| **Stripe**           | Payment processing           | Email, name, billing data    |
| **Resend (AWS SES)** | Transactional email delivery | Email address, name          |
| **AWS**              | Cloud infrastructure hosting | All service data (encrypted) |

We do not share your data with any other third parties. If we add new sub-processors, we will notify you at least 30 days in advance.

## 6. Data Retention

| Data Type              | Retention Period                       |
| ---------------------- | -------------------------------------- |
| Infrastructure metrics | 30 days                                |
| Uptime metrics         | 90 days                                |
| Audit logs             | 90 days                                |
| Account data           | Until account deletion                 |
| Incident records       | Until account deletion                 |
| Billing records        | As required by law (typically 5 years) |

After account deletion, all personal data is removed within 30 days, except where retention is required by law.

## 7. Your Rights Under LGPD

If you are located in Brazil, you have the right to:

* **Access** your personal data that we process
* **Correct** inaccurate or incomplete data
* **Anonymize, block, or delete** unnecessary or excessive data
* **Data portability** — receive your data in a structured, machine-readable format
* **Delete** your personal data (subject to legal retention requirements)
* **Revoke consent** for data processing where consent is the legal basis
* **Information** about third parties with whom we share your data
* **Oppose** processing activities that violate the LGPD

To exercise these rights, contact us at **[privacy@upmetr.com](mailto:privacy@upmetr.com)**. We will respond within 15 days.

## 8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the right to:

* **Access** your personal data
* **Rectification** of inaccurate data
* **Erasure** ("right to be forgotten")
* **Restrict** processing of your data
* **Data portability**
* **Object** to processing based on legitimate interest
* **Lodge a complaint** with your local supervisory authority

To exercise these rights, contact us at **[privacy@upmetr.com](mailto:privacy@upmetr.com)**. We will respond within 30 days.

## 9. Your Rights Under CCPA

If you are a California resident, you have the right to:

* **Know** what personal information we collect and how it is used
* **Delete** your personal information
* **Opt-out** of the sale of personal information (we do not sell personal data)
* **Non-discrimination** for exercising your privacy rights

## 10. International Data Transfers

Upmetr is based in Brazil. Your data may be transferred to and processed in countries outside your country of residence.

* **For Brazilian residents:** International transfers are conducted in compliance with LGPD Chapter V, using Standard Contractual Clauses approved by the ANPD (Resolution CD/ANPD No. 19/2024)
* **For EEA/UK residents:** International transfers are conducted using EU Standard Contractual Clauses (Commission Decision 2021/914)

## 11. Cookies

The Service uses only **essential session cookies** required for authentication and functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

## 12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have collected data from a child, we will delete it promptly.

## 13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least **30 days' notice** via email or a prominent notice in the Service.

## 14. Contact

For questions or requests regarding your privacy:

* **Privacy Contact:** [privacy@upmetr.com](mailto:privacy@upmetr.com)
* **General Contact:** [legal@upmetr.com](mailto:legal@upmetr.com)
* **Website:** [upmetr.com](https://upmetr.com)
