Privacy Policy

The data controller for personal data processed on the Platform is:

YOUSENDR TECNOLOGIA E MARKETING LTDA

Address: Alameda Prudente de Moraes, 388, Mercês, Curitiba/PR, ZIP 80430-234, Brazil.

Data Protection Officer (DPO): dpo@stackhub.cc

We collect the following categories of personal data:

Account data: name, email, profile picture, language preference.

Authentication data: identifiers from OAuth providers (Google, GitHub) and tokens we issue.

Usage and telemetry data: actions performed on the Platform, session identifiers, IP address, user agent and timestamps, used to operate, secure, and improve the service.

User content: artifacts you create (agents, skills, rules, hooks, commands, MCP servers, output styles, claude.md, stacks, projects, workflows, AI flows), linked files, messages exchanged with AI agents, and collaboration metadata.

Payment data: for marketplace sellers and buyers, tax identification, banking and card data are collected and processed directly by Stripe, Inc.; we do not store full card numbers.

Cookies and similar technologies: identifiers stored locally for authentication, language preference, and security.

We process your data on the following legal bases (LGPD, Art. 7; GDPR, Art. 6):

Performance of a contract: to create and maintain your account, host your artifacts, process payments, and provide the marketplace.

Consent: for marketing communications, for the specific transfer of personal data to Stripe, Inc. (United States) during seller onboarding and checkout, and for non-essential cookies.

Legitimate interests: for security, fraud prevention, aggregated product metrics, and continuous improvement, always balanced against the data subject's rights.

Legal or regulatory obligation: for tax retention, anti-money-laundering (KYC) and responses to lawful requests by competent authorities.

Data is processed to:

provide, maintain and operate the Platform and its features;

authenticate users and protect accounts;

enable collaboration in workspaces, projects and stacks;

process marketplace transactions, including seller onboarding, payouts, refunds and disputes;

execute AI workflows, including artifact generation via Gemini models;

calculate sales taxes via Stripe Tax;

detect and prevent fraud, abuse, sock-puppeting and unauthorized activity;

comply with legal, tax, and regulatory obligations;

communicate product updates, support, and contractual changes.

We share personal data with the following processors (sub-processors), strictly for the purposes above:

Stripe, Inc. (United States): payment processing, KYC seller onboarding, tax calculation (Stripe Tax) and payouts.

Google LLC / Google Cloud (servers in us-east4, United States): hosting (Cloud Run, App Hosting), database (Firestore), authentication (Firebase Auth), file storage and logs.

Google LLC — Vertex AI / Gemini: prompt processing and response generation by AI models when you use AI-assisted features.

Upstash, Inc. (United States): rate limiting via Redis, with retention limited to ephemeral counters.

We do not sell personal data to third parties and do not share data for purposes incompatible with those declared in this Policy.

Some of the processors listed are based in the United States. International transfers occur on the following grounds (LGPD, Art. 33; GDPR, Chap. V):

performance of the contract with the data subject;

Standard Contractual Clauses entered into with each processor, as required by the European Commission and accepted by the Brazilian ANPD;

specific consent, where applicable (for example, when starting Stripe seller onboarding).

We keep records of these safeguards and may make a summary available upon request to the DPO.

We retain personal data for as long as necessary for the purposes for which it was collected and to comply with legal obligations.

Active account: while your account remains active.

After account deletion: identifying data is anonymized within 30 days; minimal audit logs may be preserved for up to 5 years for fraud prevention and tax compliance.

Tax and financial data: up to 5 years after the triggering event, in accordance with Brazilian tax law and the law of sellers' jurisdictions.

Consent records: preserved in versioned form as proof of compliance.

In accordance with the LGPD (Art. 18) and the GDPR (Arts. 15 to 22), you may exercise the following rights:

Confirmation and access: know whether we process your data and obtain a copy.

Rectification: request correction of incomplete, inaccurate or outdated data.

Anonymization, blocking or deletion of unnecessary, excessive, or unlawfully processed data.

Portability: receive your data in a structured, interoperable format.

Erasure of data processed on the basis of consent.

Information about the public and private entities with whom we share your data.

Withdrawal of consent at any time, with prospective effects.

Objection to processing carried out on the basis of legitimate interests.

Review of automated decisions that affect your interests.

Complaint to the Brazilian National Data Protection Authority (ANPD) or to the competent supervisory authority in your EU country of residence.

You can exercise your rights:

directly within the Platform, under Settings → Privacy, where data download and deletion requests are available;

by emailing the DPO at dpo@stackhub.cc, identifying yourself sufficiently to confirm your identity.

We respond within 15 days for information requests and within 30 days for requests requiring operational actions (such as definitive deletion), except in duly justified exceptional situations.

We use cookies and local storage strictly necessary for the Platform's operation (authentication, language preference, attack protection) and optional analytics cookies subject to your consent. You can manage your cookie preferences at any time in your browser settings.

The Platform is not intended for users under 18 years of age. We do not knowingly collect data from children. If we identify such processing, we will delete the data immediately.

We adopt appropriate technical and administrative measures to protect your data, including: encryption in transit (TLS) and at rest; role-based and attribute-based access control (RBAC/ABAC); database-level security rules; secret management via Google Secret Manager; auditing of sensitive events; encrypted backups and environment segregation.

This Policy may be updated periodically. When a material change occurs, we will notify users by email or in-app banner at least 15 days in advance. Version history is preserved and the current version always shows its last-updated date.

In compliance with the LGPD (Art. 41) and the GDPR (Art. 37), the DPO can be reached at dpo@stackhub.cc, or by post at the Controller's address indicated in Section 1.