Privacy Policy
In compliance with LGPD (Brazilian Law 13.709/2018)
Version 1.0 · Effective: January 2025 · Last updated: 01/05/2025
1. Introduction and Definitions
A StageHex Tecnologia LTDA ("StageHex", "we", "our" or "Controller"), a private law entity established in Brazil, presents this Privacy Policy in compliance with the Brazilian General Data Protection Law (Law No. 13.709/2018 - LGPD), the Brazilian Civil Rights Framework for the Internet (Law No. 12.965/2014) and other applicable regulations.
Important Definitions (Art. 5 of LGPD)
- Personal Data
- Information related to an identified or identifiable natural person
- Data Subject
- Natural person to whom the personal data refers
- Controller
- Person who makes decisions about data processing (StageHex)
- Processing
- Any operation performed with personal data
- Data Protection Officer (DPO)
- Person appointed to act as a communication channel between controller, data subjects and ANPD
2. Personal Data Collected
We only collect data strictly necessary to provide our services, respecting the principle of minimization (Art. 6, III of LGPD).
Registration Data
- Full name
- Email address
- Password (stored with cryptographic hash)
- Profile picture (optional)
Technical Data
- IP address and approximate location
- Device identifier (Device ID)
- Operating system and version
- StageHex application version
Usage Data
- Access and navigation logs
- Features used
- Date and time of access
- Anonymized performance metrics
Financial Data
- Subscription history
- Payment status
- Billing data (via Stripe)
* Credit card data is processed exclusively by Stripe (PCI-DSS)
Data We DO NOT Collect
StageHex does not collect sensitive data (Art. 5, II of LGPD), such as racial origin, religious beliefs, political opinion, health data, genetic or biometric data, unless strictly necessary and with express and highlighted consent from the data subject.
3. Processing Purposes
Personal data is processed for specific, explicit and legitimate purposes, according to Art. 6, I of LGPD:
- Service Provision: Allow access and use of the StageHex platform, including project management, file export and data synchronization
- Account Management: Creation and maintenance of your account, authentication, password recovery and essential communications
- Licensing: Subscription management, license validation, authorized device control and billing
- User Support: Handling requests, resolving technical issues and meeting demands through official channels
- Security: Fraud prevention, misuse detection, threat protection and access auditing
- Improvements: Analysis of anonymized metrics to improve features, performance and user experience
- Legal Obligations: Compliance with tax, accounting, regulatory obligations and response to court orders
4. Legal Bases for Processing (Art. 7 of LGPD)
All personal data processing carried out by StageHex is based on one of the legal bases provided for in Art. 7 of LGPD:
| Processing | Legal Basis | Foundation |
|---|---|---|
| Account creation and platform use | Contract Execution | Art. 7, V |
| Subscription and payment management | Contract Execution | Art. 7, V |
| Essential communications | Contract Execution | Art. 7, V |
| Security and fraud prevention | Legitimate Interest | Art. 7, IX |
| Anonymized metrics analysis | Legitimate Interest | Art. 7, IX |
| Tax obligations compliance | Legal Obligation | Art. 7, II |
| Promotional communications | Consent | Art. 7, I |
5. Data Sharing
StageHex DOES NOT sell, rent or trade your personal data.
Your data may be shared only in the following situations:
Service Providers (Processors)
Companies hired to assist in service provision, bound by contract and obligated to maintain confidentiality:
- Stripe — Payment processing
- Hostinger — Hosting, CDN and email sending
- PostgreSQL — Database
Authorities and Legal Obligations
We may share data when required by law, court order, request from competent authority, or to protect rights, property or safety of StageHex, our users or third parties.
6. Information Security
We adopt technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations (Art. 46 of LGPD):
- Encryption in Transit: All communications use HTTPS/TLS 1.3
- Encryption at Rest: Sensitive data is encrypted in the database
- Password Hashing: Passwords stored with secure algorithms (bcrypt/argon2)
- Access Control: Principle of least privilege and robust authentication
- Monitoring: Audit logs and anomaly detection
- Backups: Regular and tested security copies
Although we adopt rigorous measures, no system is 100% secure. In case of a security incident that may result in relevant risk or damage, we will notify ANPD and affected data subjects as per Art. 48 of LGPD.
7. Data Retention
Personal data will be kept only for the time necessary to fulfill the purposes for which it was collected (Art. 16 of LGPD):
| Data Type | Retention Period |
|---|---|
| Active account data | While the account is active |
| Data after account deletion | Up to 30 days (grace period for recovery) |
| Tax and billing data | 5 years (legal obligation - Art. 174 of CTN) |
| Access logs (Civil Framework) | 6 months (Art. 15 of Law 12.965/2014) |
| Data for legal defense | Until statute of limitations (up to 5 years - CDC) |
8. Your Rights as Data Subject (Art. 18 of LGPD)
You have the right, at any time and upon request:
- Confirmation and Access: Confirm the existence of processing and access your data
- Correction: Request correction of incomplete, inaccurate or outdated data
- Anonymization, Blocking or Deletion: Request when data is unnecessary or processed in non-compliance
- Portability: Request data portability to another service provider
- Deletion: Request deletion of data processed based on consent
- Sharing Information: Know with which entities your data has been shared
- Consent Revocation: Revoke consent at any time
- Opposition: Oppose processing when performed based on legitimate interest
How to Exercise Your Rights
To exercise any of these rights, contact us through our data subject channel:
Response time: up to 15 business days (Art. 18, § 5)
10. International Data Transfer
Some of our service providers may be located outside Brazil. In these cases, we ensure that transfer occurs only to countries with adequate level of protection or through appropriate safeguards (Art. 33 of LGPD), such as standard contractual clauses.
11. Children and Adolescents Data
StageHex is intended for users over 18 years old or over 16 years old with authorization from legal guardians. We do not intentionally collect data from children under 12 years old. If we identify such collection, the data will be deleted immediately (Art. 14 of LGPD).
12. Changes to this Policy
This Policy may be updated periodically. Substantial changes will be communicated through the registered email or platform notification, with a minimum advance notice of 15 days before they take effect.
We recommend reviewing this page periodically. The last update date is indicated at the beginning of the document.
13. Contact and Data Subject Channel
Brazilian National Data Protection Authority (ANPD)
If you believe that the processing of your personal data violates applicable law, you may file a complaint with the Brazilian National Data Protection Authority (ANPD).
www.gov.br/anpd