LGPD Compliance
Last updated: March 9, 2026
1. LGPD Compliance Commitment
Guara Cloud is fully committed to compliance with the Brazilian General Data Protection Law (Lei n. 13.709/2018 — LGPD). As a Brazilian company processing personal data of Brazilian developers, LGPD compliance is not just a legal obligation but a fundamental pillar of our operation.
Our platform was designed from the ground up with the principles of privacy by design and privacy by default, as advocated by LGPD Art. 46. All architectural and operational decisions consider data protection as a primary requirement.
The principles guiding our data processing (LGPD Art. 6):
- Purpose: personal data is collected solely for platform operation. No secondary use without consent.
- Adequacy: only data necessary for the stated purpose is collected.
- Necessity: minimal data collection. CPF/CNPJ, billing address, and billing name are collected only during paid subscription checkout and stored exclusively by Stripe.
- Free access: data subjects can query their data at any time through the dashboard or by contacting the DPO.
- Data quality: we maintain accurate and up-to-date data, synchronized with OAuth providers.
- Transparency: clear and accessible information about data processing.
- Security: technical and administrative measures to protect personal data.
- Prevention: proactive actions to prevent harm to data subjects.
- Non-discrimination: data processing is never used for discriminatory purposes.
- Accountability: demonstrating LGPD compliance through documentation and audits.
2. Legal Bases for Data Processing (Art. 7)
All personal data processing at Guara Cloud is grounded in one of the legal bases provided by LGPD Art. 7. Below, we detail each legal basis used and the corresponding data:
2.1 Contract Performance (Art. 7, V)
Primary legal basis for most processed data:
- Account data (name, email, profile picture) for account creation and maintenance.
- Payment data (via Stripe) for subscription processing and billing.
- Platform usage data for delivery of contracted services.
- Application logs for technical support and troubleshooting.
2.2 Consent (Art. 7, I)
Used for activities requiring explicit agreement from the data subject:
- Acceptance of Terms of Service and Privacy Policy during registration.
- Non-essential cookies (currently not in use).
- Marketing communications (when implemented).
Consent may be revoked at any time without prejudice to the lawfulness of prior processing.
2.3 Legitimate Interest (Art. 7, IX)
Used for activities that benefit both the platform and users:
- Platform security and fraud prevention.
- Aggregated metric analysis for service improvement.
- Detection of malicious activities or acceptable use violations.
2.4 Legal Obligation (Art. 7, II)
- Retention of billing data for 5 years (tax obligations).
- Retention of access logs for 6 months (Marco Civil da Internet, Art. 15).
- Cooperation with judicial and regulatory authorities when required by law.
- Collection of CPF/CNPJ, billing address, and billing name during paid subscription checkout: Brazilian tax legislation requires CPF/CNPJ for tax compliance purposes.
3. Data Subject Rights and How to Exercise Them
The LGPD (Art. 18) guarantees data subjects a set of rights that can be exercised at any time. At Guara Cloud, we have implemented mechanisms to address each of them:
| Right | How to Exercise | Response Time |
|---|---|---|
| Confirmation and access | Dashboard or email to DPO | 15 business days |
| Correction | Dashboard (profile data) or email to DPO | 15 business days |
| Anonymization/blocking/deletion | Email to DPO | 15 business days |
| Portability | Email to DPO (JSON export) | 15 business days |
| Deletion (consent-based data) | Dashboard or email to DPO | 15 business days |
| Sharing information | This page or email to DPO | 15 business days |
| Consent revocation | Dashboard or email to DPO | Immediate |
| Objection to processing | Email to DPO | 15 business days |
Contact channel: all requests can be made via email at [email protected]. We will confirm receipt within 2 business days and respond fully within 15 business days, as required by LGPD Art. 19.
4. Data Protection Officer (DPO) — Art. 41
In compliance with LGPD Art. 41, Guara Cloud has designated a Data Protection Officer (DPO / Encarregado de Proteção de Dados) responsible for:
- Accepting complaints and communications from data subjects and providing clarifications.
- Receiving communications from the ANPD (National Data Protection Authority) and adopting measures.
- Advising employees and contractors on data protection practices.
- Maintaining the record of personal data processing operations (Art. 37).
- Conducting data protection impact assessments when necessary (Art. 38).
- Carrying out any other duties determined by the data controller or complementary regulations.
DPO contact: [email protected]
The DPO's identity and contact information are published as required by LGPD Art. 41, §1, and communicated to the ANPD.
5. Data Processing Inventory
In accordance with LGPD Art. 37, we maintain a record of personal data processing operations. Below is a summary of the inventory:
| Category | Data | Legal Basis | Retention |
|---|---|---|---|
| Account | Name, email, photo, OAuth ID | Contract | Active account + 30 days |
| Payment | Stripe customer ID, invoices | Contract / Legal | 5 years |
| Billing identity | CPF/CNPJ, billing address, billing name | Legal obligation | Managed by Stripe |
| Platform usage | Projects, deploys, metrics | Contract | Active account |
| Audit logs | Actions, timestamps, IPs | Legitimate interest / Legal | 1-30 days (by plan) |
| Browsing | IP, user agent, cookies | Legitimate interest | 6 months |
| Consent | Terms acceptance, cookies | Consent | Active account |
6. International Data Transfer Safeguards
In accordance with LGPD Art. 33, international transfer of personal data is only permitted under specific conditions. Guara Cloud adopts the following safeguards:
6.1 Primary Infrastructure
Guara Cloud's primary infrastructure is located in Sao Paulo, Brazil (OCI sa-saopaulo-1). User application data remains within Brazilian territory.
6.2 International Processors
Some data processors are headquartered or process data outside Brazil:
- Stripe (USA): standard contractual clauses and compliance certifications.
- Resend (USA): standard contractual clauses for email processing.
- Cloudflare (USA): global CDN network with points of presence in Brazil.
- GitHub (USA): OAuth authentication and code integration.
6.3 Protection Mechanisms
- Standard Contractual Clauses (SCCs) with all international processors.
- Verification that the destination country provides an adequate level of protection or that the processor adopts compatible safeguards.
- Minimization of data transferred internationally.
- Encryption in transit for all transfers.
7. Data Breach Notification Procedures
In compliance with LGPD Art. 48, Guara Cloud has defined procedures for handling security incidents involving personal data:
7.1 Detection and Assessment
- Continuous monitoring of logs and security alerts.
- Immediate assessment of incident severity and scope.
- Classification of the incident regarding risk to data subjects.
7.2 ANPD Notification
If the incident may pose a relevant risk or harm to data subjects, the ANPD will be notified within a reasonable timeframe, including:
- Description of the nature of the personal data affected.
- Information about the data subjects involved.
- Indication of the technical and security measures used.
- Risks related to the incident.
- Measures taken or to be taken to reverse or mitigate the effects.
7.3 Data Subject Notification
Affected data subjects will be notified via email within a reasonable timeframe, with clear information about the nature of the incident, data affected, and recommended measures.
8. National Data Protection Authority (ANPD)
The ANPD (Autoridade Nacional de Proteção de Dados) is the federal body responsible for overseeing the protection of personal data in Brazil and enforcing the LGPD.
Guara Cloud maintains a cooperative relationship with the ANPD and commits to:
- Promptly responding to any requests, notifications, or determinations from the ANPD.
- Providing requested information and documents within established deadlines.
- Implementing corrective or preventive measures as determined by the ANPD.
- Reporting security incidents as described in Section 7.
If you believe your rights have not been adequately addressed by Guara Cloud, you may file a complaint with the ANPD:
- Website: www.gov.br/anpd
9. Consent Mechanisms
When consent is the legal basis used, Guara Cloud implements the following mechanisms, in accordance with LGPD Art. 8:
9.1 Registration Consent
- Mandatory checkbox accepting Terms of Service and Privacy Policy.
- Direct links to the complete documents.
- Timestamped consent record.
- Consent is specific, freely given, informed, and unambiguous.
9.2 Cookie Consent
- Cookie banner displayed on first visit.
- Option to accept or reject non-essential cookies.
- Preference stored in the guara_cookie_consent cookie.
9.3 Consent Revocation
- Consent can be revoked at any time through the dashboard or by emailing the DPO.
- Revocation is processed immediately, without prejudice to the lawfulness of prior processing.
- The revocation procedure is as simple as the consent granting procedure (Art. 8, §5).
10. Data Minimization Practices
In compliance with the necessity principle (Art. 6, III), Guara Cloud adopts the following data minimization practices:
- Minimal collection: CPF/CNPJ, billing address, and billing name are collected during paid subscription checkout and stored exclusively by Stripe, our international payment processor. Guara Cloud does not store this data on its own servers. Legal basis: Legal Obligation (LGPD Art. 7, II) — Brazilian tax legislation requires CPF/CNPJ for tax compliance purposes. All other account data comes exclusively from the OAuth provider.
- Delegated payments: all credit card data is processed directly by Stripe. No card data is stored on our servers.
- Limited retention: logs and temporary data have defined retention periods and are automatically deleted after expiration.
- Metric anonymization: aggregated usage data for analysis is anonymized, removing any information that could identify the data subject.
- Restricted access: only employees and systems that need data to perform their functions have access, following the principle of least privilege.