Privacy Policy

Last updated: May 2026

1. Introduction

This Privacy Policy describes how PalcoTimer collects, uses, shares and protects your personal data, in compliance with Brazil's LGPD (Law 13.709/2018) and aligned with GDPR principles. For any question or to exercise your rights, contact our Data Protection Officer (DPO) at dpo@palcotimer.com.

2. Data We Collect

We collect the following types of data:

  • Account info: name, email, password (hashed), profile picture when signing in with Google
  • Organization info: name, billing email, tax ID when provided
  • Product usage: access logs, room settings, preferences
  • IP address (anonymized — only the /24 IPv4 or /64 IPv6 prefix is kept)
  • Browser User-Agent (truncated to 120 characters, no fine-grained fingerprinting)
  • Payment data: name, email, tax ID — processed directly by gateways (we never store card data)
  • Google Analytics cookies (only with your consent)

3. Legal Basis

We process your data based on:

  • Contract performance: account, organization, product usage
  • Legal obligation: tax data, payment records
  • Consent: analytics cookies and marketing communications (always opt-in)
  • Legitimate interest: fraud prevention, platform security, anti-spam

4. Subprocessors

We share strictly necessary data with the following operators, all under data protection agreements:

  • Stripe (United States) — international card payment processing
  • AbacatePay (Brazil) — PIX payment and recurrence processing
  • Resend / SendGrid — transactional email delivery
  • Google Analytics 4 — aggregate usage analysis (only if you consent)
  • Google OAuth — optional sign-in via your Google account
  • Railway / Hostinger — hosting infrastructure

5. Security

We adopt technical and organizational measures to protect your data:

  • TLS 1.3 encryption in transit
  • Bcrypt password hashing (irreversible)
  • Session tokens with expiration
  • Immediate IP anonymization (truncation) before any persistence
  • Retention limits: 90 days for tracking records, 365 days for audit logs, 60 days for public Q&A metadata
  • Regular encrypted backups

6. Your Rights

At any time, you may request:

  • Confirmation of processing and access to your data
  • Correction of incomplete, inaccurate or outdated data
  • Anonymization, blocking or deletion of unnecessary data
  • Data portability to another provider
  • Withdrawal of consent at any time
  • Information about sharing with third parties

Today these requests are handled via email to the DPO (dpo@palcotimer.com). A self-service /account/privacy interface is coming soon.

7. Cookies and Tracking

Essential cookies (session, security) are required and cannot be disabled. Analytics cookies (Google Analytics) only load after your explicit consent via the banner shown on the first visit. You can review your choices anytime by clearing the stored consent — the banner will reappear.

8. Data Retention

Account and organization data are kept while the account is active. After deletion, personal data is removed within 30 days, except when retention is legally required (tax records for 5 years). Audit and tracking logs are automatically purged: 90 days (tracking), 365 days (audit), 60 days (public Q&A metadata).

9. Data Protection Officer (DPO)

To exercise rights, file complaints or ask questions about data processing, contact our DPO at dpo@palcotimer.com.

10. Changes

We may update this policy. Material changes re-trigger the consent banner and may be communicated by email.

11. Contact

For general privacy questions, write to contact@palcotimer.com.