This Privacy Policy explains how Pipoh (operated by Rogério Gigo Marcondes Cesar, São Paulo · Brasil) collects, uses, shares, and protects your personal data when you use studio.pipoh.ai. It is designed to comply with LGPD (Lei 13.709/2018) and, for EEA visitors, GDPR.
DPO contact: privacy@pipoh.ai.
1. Data controller
Pipoh (Rogério Gigo Marcondes Cesar). Address: São Paulo, SP, Brasil (full address on request). DPO: founder (acting role).
2. Data we collect
- Account data — email, display name, profile picture (from Clerk).
- Authentication metadata — session tokens, sign-in IP, device fingerprint (handled by Clerk).
- Generation content — prompts, reference images you upload, AI outputs, edits, tags.
- Usage telemetry — page views, clicks, model selections, errors (PostHog · anonymized + privacy-masked).
- Wallet activity — Pips balance, purchases, debits per generation, plan changes.
- Cookies — see the Cookie Policy.
- Crash + performance data — stack traces, browser version, route URLs (Sentry · EU region · PII scrubbed).
- Email events — sends, deliveries, bounces (Resend webhooks).
We do not collect: payment card numbers (our payment processor Paddle holds those), biometrics, geolocation beyond IP-country, or content from outside the Pipoh app.
3. Legal bases (LGPD Art. 7 / GDPR Art. 6)
- Execução de contrato: account, generation, storage, wallet operations.
- Legítimo interesse: security, fraud prevention, rate limiting, debug traces, aggregate analytics.
- Consentimento: non-essential cookies, email marketing.
- Cumprimento de obrigação legal: fiscal records of paid transactions (5 years per Receita Federal).
You may withdraw consent for analytics/marketing without affecting core-service access.
4. Retention
- Account data: while active + 30 days post-deletion grace.
- Generation rows + files: lifetime of account; 30 days grace; then hard-delete from Neon + R2 + Cloudflare Stream.
- Wallet transactions: 5 years (Receita Federal) — anonymized after account deletion.
- Audit log of LGPD operations: 5 years.
- Sentry: 90 days. PostHog: 1 year. Resend logs: 30 days.
After hard-deletion, residue is the anonymized PipTransaction ledger (userId rewritten to SHA-256) and the audit log of the deletion itself.
5. Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Clerk | Authentication | US |
| Neon | Database (Postgres) | US-East (Ohio) |
| Cloudflare (R2 + CDN + WAF) | Files + edge + bot protection | Global |
| Resend | Transactional email | EU |
| Sentry | Errors + performance | EU (Frankfurt) |
| PostHog | Analytics + replay (consent-gated) | EU |
| Upstash | Rate limiting | EU-West |
| OpenAI | Image / text generation | US |
| Google (Gemini, Veo, Lyria) | Image / video / audio | US |
| Atlas Cloud (Kling, Wan, Seedance, Vidu, Qwen, Flux) | Image / video | US-managed regional |
| fal.ai + Freepik | Upscalers | US / EU |
| Paddle (when active) | Payments (Merchant of Record) | UK/EU/US |
| Vercel | Hosting | iad1 (US East) |
Each provider receives only what's necessary for its function and is bound by a DPA. List reviewed quarterly; material changes announced 30 days in advance.
6. International transfers
US-based sub-processors rely on the EU-US Data Privacy Framework (GDPR) and Cláusulas Contratuais Padrão approved by ANPD (LGPD Resolution CD/ANPD No. 19/2024).
7. Your rights (LGPD Art. 18 / GDPR Articles 15–22)
- Confirmation & access — confirm we hold your data and receive a copy (
/api/account/export). - Rectification — correct incomplete or inaccurate data (Account page).
- Anonymization or deletion — request deletion (
/api/account/delete· 30-day grace). - Portability — receive your data in machine-readable JSON.
- Information about sharing — see § 5 above.
- Withdraw consent — for analytics/marketing.
- Object to processing — based on legitimate interest, via privacy@pipoh.ai.
- Lodge a complaint — ANPD (anpd.gov.br/atendimento) or your local DPA.
Requests acknowledged within 15 days (ANPD guidance).
8. Security
- TLS 1.3 in transit. AES-256 at rest (Neon + R2 defaults).
- Clerk handles password hashing + MFA. Pipoh never stores raw passwords.
- Single-admin DB access today; multi-admin + audit logs in V2.
- Weekly
npm auditvia CI (Day 31 cravado). Critical CVEs patched within 48 hours.
Data breach affecting your data → notification within 72 hours per LGPD Art. 48 / GDPR Art. 33.
9. Children
Pipoh Studio is strictly for adults aged 18 and older. We do not knowingly collect or process personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal data, contact privacy@pipoh.ai.
10. Changes
Material changes announced via email 30 days in advance.
11. Contact
DPO: privacy@pipoh.ai. Postal: São Paulo, SP, Brasil.