← Back to Pipoh

Privacy Policy

Última atualização:

This Privacy Policy explains how Pipoh (operated by Rogério Gigo Marcondes Cesar, São Paulo · Brasil) collects, uses, shares, and protects your personal data when you use studio.pipoh.ai. It is designed to comply with LGPD (Lei 13.709/2018) and, for EEA visitors, GDPR.

DPO contact: privacy@pipoh.ai.

1. Data controller

Pipoh (Rogério Gigo Marcondes Cesar). Address: São Paulo, SP, Brasil (full address on request). DPO: founder (acting role).

2. Data we collect

We do not collect: payment card numbers (our payment processor Paddle holds those), biometrics, geolocation beyond IP-country, or content from outside the Pipoh app.

3. Legal bases (LGPD Art. 7 / GDPR Art. 6)

You may withdraw consent for analytics/marketing without affecting core-service access.

4. Retention

After hard-deletion, residue is the anonymized PipTransaction ledger (userId rewritten to SHA-256) and the audit log of the deletion itself.

5. Sub-processors

ProviderPurposeRegion
ClerkAuthenticationUS
NeonDatabase (Postgres)US-East (Ohio)
Cloudflare (R2 + CDN + WAF)Files + edge + bot protectionGlobal
ResendTransactional emailEU
SentryErrors + performanceEU (Frankfurt)
PostHogAnalytics + replay (consent-gated)EU
UpstashRate limitingEU-West
OpenAIImage / text generationUS
Google (Gemini, Veo, Lyria)Image / video / audioUS
Atlas Cloud (Kling, Wan, Seedance, Vidu, Qwen, Flux)Image / videoUS-managed regional
fal.ai + FreepikUpscalersUS / EU
Paddle (when active)Payments (Merchant of Record)UK/EU/US
VercelHostingiad1 (US East)

Each provider receives only what's necessary for its function and is bound by a DPA. List reviewed quarterly; material changes announced 30 days in advance.

6. International transfers

US-based sub-processors rely on the EU-US Data Privacy Framework (GDPR) and Cláusulas Contratuais Padrão approved by ANPD (LGPD Resolution CD/ANPD No. 19/2024).

7. Your rights (LGPD Art. 18 / GDPR Articles 15–22)

  1. Confirmation & access — confirm we hold your data and receive a copy (/api/account/export).
  2. Rectification — correct incomplete or inaccurate data (Account page).
  3. Anonymization or deletion — request deletion (/api/account/delete · 30-day grace).
  4. Portability — receive your data in machine-readable JSON.
  5. Information about sharing — see § 5 above.
  6. Withdraw consent — for analytics/marketing.
  7. Object to processing — based on legitimate interest, via privacy@pipoh.ai.
  8. Lodge a complaint — ANPD (anpd.gov.br/atendimento) or your local DPA.

Requests acknowledged within 15 days (ANPD guidance).

8. Security

Data breach affecting your data → notification within 72 hours per LGPD Art. 48 / GDPR Art. 33.

9. Children

Pipoh Studio is strictly for adults aged 18 and older. We do not knowingly collect or process personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal data, contact privacy@pipoh.ai.

10. Changes

Material changes announced via email 30 days in advance.

11. Contact

DPO: privacy@pipoh.ai. Postal: São Paulo, SP, Brasil.