Privacy Policy

Effective date: May 15, 2026 · dartic.io

1. Introduction

This Policy describes how Dartic collects, uses, stores and shares personal data of data subjects who access the service made available at dartic.io, in accordance with the Brazilian General Data Protection Law (LGPD, Federal Law No. 13,709/2018) and the Brazilian Civil Rights Framework for the Internet (Marco Civil, Federal Law No. 12,965/2014).

2. Controller and Data Protection Officer (DPO)

  • Controller: Samuel Pedro Pimenta Barbosa, natural person.
  • Data Protection Officer (DPO): Samuel Pedro Pimenta Barbosa, contact: dodpit@outlook.com.

3. Data collected

  • Identification and contact: email (when an account is created), name (if provided), and data obtained from OAuth providers (Google, GitHub) when social authentication is used.
  • Access and navigation data: IP address (stored in hashed/cryptographic form), browser user-agent, timestamps, routes accessed.
  • Product usage data: history of submitted SQL queries, favorites, saved dashboards, telemetry events essential to operation.
  • Technical data: strictly necessary cookies and, subject to consent (opt-in), analytics and marketing cookies.

4. Legal bases (LGPD, art. 7)

Personal data is processed on the following legal bases:

  • Item I — Consent: for newsletters, marketing communications and non-essential cookies. May be revoked at any time.
  • Item II — Compliance with a legal or regulatory obligation: for the retention of internet application access logs under art. 15 of the Marco Civil (minimum period of 6 months).
  • Item V — Contract performance: to create, maintain and operate the User's account, process SQL queries and deliver the Service described in the Terms of Service.
  • Item IX — Legitimate interest: for fraud prevention, information security, mitigation of rate-limit abuse and product improvement, always with appropriate safeguards and balancing of the data subject's rights.

5. Purposes of processing

  • to provide and operate the Service, authenticate Users and personalize the experience;
  • to record and execute SQL queries, save dashboards and items marked as favorites;
  • to maintain the technical integrity of the Service, monitor abuse and prevent fraud;
  • to comply with legal log-retention obligations (Marco Civil) and respond to competent authorities upon judicial order;
  • to communicate essential operational updates and, subject to consent, marketing communications.

6. Sensitive personal data (LGPD, art. 11)

Dartic does not collect or process sensitive personal data as defined in art. 5, II and art. 11 of the LGPD (data revealing racial or ethnic origin, religious beliefs, political opinions, trade-union membership, health, sex life, genetic or biometric data). Should processing of any such category ever become necessary, this Policy will be updated and the appropriate legal basis (consent or another lawful hypothesis under art. 11) will be obtained beforehand.

7. Automated decisions (LGPD, art. 20)

Dartic does not make decisions based solely on automated processing of personal data that affect the data subject's interests, including decisions intended to define a personal, professional, consumer or credit profile, or aspects of personality. Accordingly, the right to review provided in art. 20 of the LGPD is not currently triggered. Should automated decision-making be adopted in the future, this Policy will be updated and the relevant rights and review mechanisms will be made available.

8. Retention of data

  • Access logs (Marco Civil, art. 15): minimum of 6 months.
  • Security audit logs: up to 3 years (statute of limitations under art. 206, §3, V of the Brazilian Civil Code for claims of civil redress).
  • Account deleted by the User: grace period of 180 days during which the account is deactivated, after which the personal data is permanently erased (hard delete).
  • Minimum data required to meet fiscal obligations: retained for up to 5 years, strictly limited to what is necessary.

9. Sharing with third parties (processors)

Dartic does not sell personal data. In order to operate the Service, it engages processors that handle data on the controller's behalf under contract:

  • Cloudflare — CDN, Workers and abuse protection (global).
  • AWS — Amazon Web Services — infrastructure (us-east-1 region).
  • Supabase — managed database for authentication and user metadata.

Data may be shared with competent authorities in compliance with a judicial order or legal obligation.

10. International transfers

Personal data is transferred internationally because the infrastructure providers (AWS, Cloudflare, Supabase) operate in datacenters outside Brazil. Transfers occur with appropriate safeguards: contracts with standard data protection clauses, confidentiality commitments, and technical and organizational measures compatible with the LGPD, in accordance with Resolution CD/ANPD No. 4/2024, which sets out the international transfer regime and the standard contractual clauses to be adopted.

11. Data subject rights (LGPD, art. 18)

The User may, at any time, exercise the following rights:

  • confirmation of the existence of processing;
  • access to the data;
  • correction of incomplete, inaccurate or outdated data;
  • anonymization, blocking or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD;
  • data portability to another supplier;
  • deletion of data processed on the basis of consent (without prejudice to mandatory retention obligations);
  • information about public and private entities with which the controller has shared data;
  • information about the option not to provide consent and the consequences thereof;
  • revocation of consent, pursuant to art. 8, §5 of the LGPD;
  • opposition to processing carried out under one of the hypotheses dispensing with consent.

Right to lodge a complaint (art. 18, §1): the data subject may also petition, against the controller, before the ANPD (Brazilian Data Protection Authority), as well as before consumer protection agencies.

Response time: up to 15 days from receipt of the request, pursuant to art. 19, II of the LGPD.

12. How to exercise your rights

To exercise any of the rights described above, send an email to dodpit@outlook.com clearly stating the request and providing data that allows identity verification.

13. Cookies

Dartic currently uses only strictly necessary cookies required for Service operation:

  • dartic_token — JWT authentication token (HttpOnly, SameSite=Lax, 24h), set after login.
  • oauth_state — CSRF protection during OAuth login flow (Google/GitHub), short-lived.
  • dartic-locale — language preference (EN/PT), 365 days. Functional/preference cookie.

Dartic does not currently use analytics or marketing cookies, nor does it share identifiers with advertising networks. Should analytics or marketing cookies be introduced in the future, activation will be preceded by a granular consent mechanism (opt-in), a cookie banner, and an update to this Policy.

Edge infrastructure (Cloudflare) may set its own strictly-necessary cookies (e.g. __cf_bm for bot protection), outside Dartic's direct control.

14. Information security

  • connections protected by TLS (HTTPS) on every public interface;
  • passwords stored as argon2 hashes;
  • encryption at rest for managed databases;
  • segregation of credentials, principle of least privilege and audit logs of administrative access.

In the event of a relevant security incident, Dartic will notify the ANPD and affected data subjects within the deadlines and in the manner required by the LGPD.

15. Children and adolescents

The Service is intended for individuals aged 18 and older. We do not intentionally collect data from children or adolescents; if identified, such data will be deleted.

16. Changes to this Policy

This Policy may be updated to reflect legal, technical or product changes. The then-current version will always be available at dartic.io/en/privacy-policy, identified by the effective date. Material changes will be communicated in advance.

17. Venue and governing law

This Policy is governed by Brazilian law. The venue of the judicial district of São Paulo/SP (Brazilian state of São Paulo) is hereby elected to settle any matters arising from it, waiving any other, however privileged it may be.

18. Related documents
