Privacy Policy

Last updated: March 9, 2026

Table of Contents

1. Introduction
2. Data Controller
3. Data We Collect
4. Purposes of Processing
5. Legal Basis (LGPD Art. 7)
6. Your Rights (LGPD Art. 18)
7. Data Sharing
8. International Transfers
9. Data Retention
10. Cookies
11. Security
12. Data Protection Officer
13. Changes to This Policy
14. Contact

1. Introduction

Guara Cloud ("we", "our", or "Guara Cloud") is committed to protecting the privacy of your personal data. This Privacy Policy describes how we collect, use, store, and share your information in compliance with the Brazilian General Data Protection Law (Lei n. 13.709/2018 — LGPD) and other applicable legislation.

By using the Guara Cloud platform, you agree to the practices described in this policy. We recommend reading this document in full to understand how your data is processed.

2. Data Controller

The controller of your personal data is Guara Cloud, a Brazilian cloud infrastructure platform operating as a Platform-as-a-Service (PaaS).

Support: Open a support ticket
General contact: [email protected]
Privacy contact: [email protected]

3. Data We Collect

We collect the following types of personal data:

3.1 Account Data

Full name, email address, and profile picture provided by the OAuth provider (GitHub or Google).
Unique OAuth provider identifier (GitHub user ID, Google sub).

3.2 Payment Data

Billing information processed directly by Stripe. We do not store full credit card data on our servers.
Invoice history, subscribed plan, and subscription status.
During paid subscription checkout, we collect tax ID (CPF/CNPJ), billing address, and billing name. This data is processed and stored exclusively by Stripe, our payment processor, and is not stored on Guara Cloud servers.

3.3 Platform Usage Data

Projects created, services deployed, and deployment configurations.
Resource usage metrics (CPU, memory, bandwidth, build minutes).
Application logs and audit events.

3.4 Browsing Data

IP address, browser type, and operating system.
Pages visited on the website and dashboard.
Essential cookies required for platform functionality.

4. Purposes of Processing

We use your personal data for the following purposes:

Service delivery: providing, operating, and maintaining platform services, including container deployment, domain management, and scaling.
Billing: processing payments, issuing invoices, and managing subscriptions via Stripe.
Communication: sending service-related notifications (deploy alerts, payment notices, security updates) via Resend.
Security: preventing fraud, detecting malicious activity, and protecting platform integrity.
Service improvement: analyzing usage patterns to enhance user experience and optimize infrastructure.
Legal compliance: meeting tax, regulatory, and judicial obligations.

5. Legal Basis for Processing (LGPD Art. 7)

Your personal data is processed under the following legal bases provided by LGPD Art. 7:

Contract performance (Art. 7, V): to provide contracted platform services, including deployment, hosting, and technical support.
Consent (Art. 7, I): for non-essential cookies and marketing communications. Consent may be revoked at any time.
Legitimate interest (Art. 7, IX): for platform security, fraud prevention, service improvement, and aggregated usage analysis.
Legal obligation (Art. 7, II): to meet tax, regulatory, and audit requirements, including the collection of tax identification data (CPF/CNPJ) during paid subscription checkout.

6. Your Rights (LGPD Art. 18)

Under the LGPD, you have the following rights regarding your personal data:

Confirmation and access: confirm the existence of processing and access your data.
Correction: request correction of incomplete, inaccurate, or outdated data.
Anonymization, blocking, or deletion: request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
Portability: request data portability to another service provider.
Consent-based deletion: request deletion of data processed based on consent.
Sharing information: be informed about public and private entities with whom your data is shared.
Consent revocation: revoke consent at any time, without affecting the lawfulness of prior processing.
Objection: object to processing based on grounds other than consent, in case of irregularity.

How to exercise your rights

To exercise any of the above rights, contact our Data Protection Officer (DPO) at: [email protected].

In accordance with LGPD Art. 19, we will respond to your request within 15 business days.

We share your personal data with third parties strictly necessary for platform operation. We do not sell, rent, or share your data for third-party marketing purposes.

Stripe (payment processing): receives billing data to process transactions in BRL. Stripe acts as a data processor under contract. Stripe Privacy Policy.
Resend (email delivery): receives email addresses for delivery of transactional notifications (deploy alerts, payment notices, security updates).
Cloudflare (CDN and security): processes browsing data (IP, headers) for DDoS protection and optimized content delivery.
GitHub (OAuth authentication and code integration): receives and provides identity data for authentication, plus code repository integration.
Google (OAuth authentication): provides identity data for authentication via Google OAuth.
Oracle Cloud Infrastructure (hosting and infrastructure): the platform infrastructure is hosted in the Sao Paulo region, Brazil.

8. International Data Transfers

Some of our data processors are headquartered or operate servers outside Brazil. International data transfers are carried out in compliance with LGPD Art. 33, using the following safeguards:

Standard contractual clauses with processors that ensure an adequate level of protection.
Processors in countries recognized by the ANPD as having an adequate level of data protection.
Specific and informed consent from the data subject, when applicable.

Guara Cloud's primary infrastructure is located in Sao Paulo, Brazil (OCI sa-saopaulo-1), ensuring that user application data remains within Brazilian territory.

9. Data Retention

We retain your personal data for the period necessary to fulfill the purposes described in this policy:

Account data: retained while your account is active.
Billing data: retained for up to 5 years after account closure, as required by Brazilian tax obligations.
Audit logs: retained according to the subscribed plan (1 day for Hobby, 7 days for Pro, 30 days for Business, 30 days for Enterprise).
Browsing data: retained for up to 6 months for security purposes.
Post-deletion data: after an account deletion request, data is removed within 30 days, except when retention is required by law.

10. Cookies

We use essential cookies for platform functionality. Currently, Guara Cloud uses only strictly necessary cookies:

Cookie	Purpose	Duration
`guara_cookie_consent`	Stores your cookie preference	1 year
`guara_session`	User authentication and session	Session

You can manage cookies in your browser settings. Disabling essential cookies may affect platform functionality.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit (TLS/HTTPS) for all communications.
Role-based access control (RBAC) with tenant isolation.
Audit logs for all sensitive operations.
Network isolation between tenants.
Payment data processed exclusively by Stripe (PCI DSS certified).
Regular encrypted backups.

12. Data Protection Officer (DPO) — LGPD Art. 41

Our Data Protection Officer (DPO / Encarregado de Protecao de Dados) is responsible for the following duties in accordance with LGPD Art. 41:

Accepting complaints and communications from data subjects, providing clarifications, and adopting measures.
Receiving communications from the National Data Protection Authority (ANPD) and adopting measures.
Advising the organization's employees and contractors regarding data protection practices.
Carrying out any other duties determined by the data controller or established in complementary regulations.

DPO email: [email protected]

13. Changes to This Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via email or platform notification at least 30 days in advance. Continued use of the services after changes constitutes acceptance of the updated policy.

We recommend reviewing this policy periodically to stay informed about how we protect your data.

14. Contact

For questions about this Privacy Policy or about the processing of your data:

Support: Open a support ticket
General email: [email protected]
Privacy email (DPO): [email protected]

In compliance with LGPD Art. 19, we respond to all data subject requests within 15 business days.