Privacy Policy
Last updated: April 2026
BitCubo LTDA ("BitCubo", "we"), CNPJ 31.314.893/0001-73, operator of the PodCubo platform ("Platform", "Service"), is committed to protecting the privacy of your personal data, in compliance with the Brazilian General Data Protection Law (LGPD - Law n. 13.709/2018) and other applicable legislation.
By using the Platform, you agree to the practices described in this Privacy Policy.
1. Data Controller
- BitCubo LTDA
- CNPJ: 31.314.893/0001-73
- General email: mauro@bitcubo.com.br
- Privacy email (DPO): privacidade@podcubo.com
2. Data Collected
2.1 Registration Data
- Full name, email, and profile photo obtained via OAuth providers (GitHub, Google)
- Unique OAuth identifiers
2.2 Payment Data
- Billing information processed by the payment gateway (C6 Bank for PIX)
- Invoice history, plan details, and subscription status
- CPF/CNPJ provided at the time of payment
Important: We do not store credit card data on our servers. All financial transactions are processed directly by the payment gateway.
2.3 Platform Usage Data
- Projects (stacks) created, applications deployed, and configurations
- Resource metrics (CPU, memory, disk, bandwidth)
- Application logs and audit events
2.4 Navigation Data
- IP address, browser type, and operating system
- Pages visited on the website and dashboard
- Essential cookies for platform operation
2.5 Data We Do NOT Collect
- Environment variable values — only key names are used internally (e.g., for AI Insight error diagnostics). Values are never accessed, stored, or transmitted to third parties.
- Your application content — your database data, files, and source code remain exclusively in your stack containers.
3. Processing Purposes
Your personal data is processed for the following purposes:
- Service provision: application deployment, container management, domains, SSL certificates, backups, and monitoring
- Billing and payments: PIX processing, subscription management, and invoice issuance
- Service communications: deployment notifications, payment alerts, security updates, and maintenance notices
- Security and fraud prevention: protecting the platform against unauthorized access and abuse
- Service improvement: aggregated usage analysis for platform evolution
- Legal obligations: compliance with tax, regulatory, and judicial requirements
4. Legal Basis (LGPD Art. 7)
| Legal Basis | Application |
|---|---|
| Contract execution (Art. 7, V) | Providing contracted services (deployment, hosting, backups) |
| Consent (Art. 7, I) | Non-essential cookies and marketing communications (revocable at any time) |
| Legitimate interest (Art. 7, IX) | Platform security, fraud prevention, service improvement, and aggregated usage analysis |
| Legal obligation (Art. 7, II) | Tax, regulatory, and audit requirements, including billing data retention |
5. Data Subject Rights (LGPD Art. 18)
You have the following rights regarding your personal data:
- Confirmation and access: know whether we process your data and obtain a copy
- Correction: request correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion: of unnecessary, excessive data or data processed in non-compliance with LGPD
- Portability: transfer of your data to another service provider
- Deletion: of data processed based on consent
- Information: about which third parties your data is shared with
- Consent revocation: at any time, without affecting prior processing
- Opposition: to processing based on legitimate interest, in case of LGPD non-compliance
How to exercise your rights: Send your request to privacidade@podcubo.com. We will respond within 15 business days per LGPD Art. 19.
6. Third-Party Data Sharing
We do not sell, rent, or share your personal data for marketing purposes. Sharing occurs only with the following service providers, acting as data processors:
| Third Party | Purpose | Data Shared |
|---|---|---|
| C6 Bank | PIX payment processing | Billing data, amount, CPF/CNPJ |
| Amazon SES | Transactional email delivery | Recipient email, notification content |
| Cloudflare | CDN, DDoS protection, and reverse proxy | IP address, traffic data |
| GitHub | OAuth authentication and repository integration | Name, email, profile photo, access token |
| Google | OAuth authentication | Name, email, profile photo |
| Hetzner | Infrastructure hosting | Data stored on servers (encrypted in transit) |
| Anthropic | Error diagnostics via AI Insight | Error logs (no environment variable values) |
All third parties are bound by contractual data protection obligations.
7. International Data Transfers
In compliance with LGPD Art. 33, international data transfers occur through:
- Standard contractual clauses with processors
- Transfer to countries with adequate protection levels recognized by ANPD
- Specific informed consent when applicable
Main infrastructure: Servers located in Germany (Hetzner), with Cloudflare protection. Payment data processed in Brazil (C6 Bank).
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | While the account is active |
| Billing data | Up to 5 years after closure (Brazilian tax requirement) |
| Application logs | Per user configuration (real-time by default) |
| Navigation data | Up to 6 months for security purposes |
| After account deletion | Data removed within 30 days, unless legal retention is required |
9. Cookies
We use only essential cookies for platform operation:
| Cookie | Purpose | Duration |
|---|---|---|
| Authentication session | Keep user logged into the dashboard | Session |
We do not use tracking cookies, third-party analytics, or advertising cookies. Disabling essential cookies may impair Platform functionality.
10. Security
We adopt the following technical and administrative measures to protect your data:
- Encryption in transit: TLS/HTTPS across all communications
- Network isolation: rootless containers with Podman, each stack isolated in its own pod
- Automatic SSL certificates: via Let's Encrypt and Caddy, automatically renewed
- DDoS protection: Cloudflare proxy on all HTTP apps
- Encrypted backups: stored in S3-compatible storage with restricted access
- Secure authentication: OAuth via GitHub/Google, JWT tokens with expiration
- No root access: containers run in rootless mode (no superuser privileges)
11. Data Protection Officer (DPO) — LGPD Art. 41
The Data Protection Officer is responsible for:
- Accepting complaints and communications from data subjects and ANPD
- Providing clarifications and taking action
- Advising staff on data protection practices
- Performing additional duties assigned by the controller
DPO Contact: privacidade@podcubo.com
12. Changes to this Policy
We may periodically update this Privacy Policy. Material changes will be communicated via email or Platform notification with a minimum of 30 days' notice. Continued use of the Platform after changes constitutes acceptance of the new policy.
13. Contact
- General email: mauro@bitcubo.com.br
- DPO / Privacy: privacidade@podcubo.com
- WhatsApp: +55 11 93380-0117
All data subject requests will be responded to within 15 business days (LGPD Art. 19).
BitCubo LTDA — CNPJ 31.314.893/0001-73