Last updated: March 18, 2026
Short version: Cafezin is a productivity app that runs locally on your device. Your files and documents never leave your computer. We collect only the minimum required for authentication and subscription management.
1. Who controls your data
The controller responsible for processing your personal data is:
Pedro Martinez
Email: support@pmatz.com
Brazil
2. What data we collect
2.1 Account data (authentication)
When you create a Cafezin account, we collect:
- Email address
- Name, if you choose to provide it during signup
- Signup date and time
- An automatically generated unique user identifier
This data is stored in Supabase (see section 5).
2.2 Subscription data
If you subscribe to a Cafezin paid plan:
- Subscription status, such as active or canceled
- Billing period dates
- Subscription identifiers generated by Paddle
We do not have access to your payment details such as card numbers or bank information. That information is processed exclusively by Paddle (see section 5).
2.3 AI usage data
When you use Cafezin's AI features, the messages you send are transmitted to the AI provider you selected or to Cafezin's managed AI gateway. Cafezin itself does not store the content of your AI conversations. Provider-specific processing depends on the route you use, such as GitHub Copilot or Cafezin AI via OpenRouter.
2.4 Public site analytics and contact requests
On the public Cafezin website, we collect limited landing-site data to understand which pages are visited and whether visitors click download or checkout actions. This may include:
- Page path and visit timestamp
- Language, referrer, and coarse interaction events such as download clicks
- Name, optional email, and message when you submit the public contact form
This data is limited to the marketing site and does not include the content of your files inside the app.
2.5 Data we do NOT collect inside the app
- The content of your files and Markdown documents
- The content of your canvas or slide decks
- App telemetry about your document contents
- Location data
- Browsing history
Cafezin is a desktop app that runs locally. Your files stay on your device and are not sent to any Cafezin server.
3. How we use your data
- Authentication: to verify your identity when you sign in
- Subscription management: to enable paid-plan features for active subscribers
- Transactional communication: to send payment confirmations and account notices when necessary
- Website analytics: to understand which public pages, downloads, and checkout entry points are working
- Support: to respond to questions and requests sent by email
We do not sell, rent, or share your data with third parties for marketing or advertising.
4. Legal basis under the LGPD
- Performance of a contract: processing needed to provide the service you requested, such as account creation and paid-plan access
- Consent: when applicable, we obtain your explicit consent
- Legitimate interest: fraud prevention and service security
- Legal obligation: when required by law or court order
5. Subprocessors and third parties
We use the following third-party services to operate Cafezin:
- Supabase (United States) for authentication and account data storage. Privacy Policy
- Paddle (United Kingdom) for payment processing and subscription management. Paddle acts as the Merchant of Record. Privacy Policy
- AI providers used by the customer or by Cafezin AI, such as GitHub / Microsoft and OpenRouter, for AI response generation.
- Vercel Web Analytics for privacy-friendly aggregate website analytics on the public landing site. Privacy Policy
6. International data transfers
Some subprocessors listed above are located outside Brazil. Those transfers rely on standard contractual clauses and other adequacy mechanisms recognized by the ANPD, as permitted by the LGPD.
7. Data retention
- Account data: retained while your account is active and for up to 30 days after deletion
- Subscription data: retained for up to 5 years for tax and accounting obligations under Brazilian law
- Security logs: retained for up to 12 months
8. Your rights under the LGPD
As a data subject, you have the following rights:
- Access: know what data we hold about you
- Correction: fix incomplete or inaccurate data
- Deletion: request deletion of your data
- Portability: receive your data in a structured format
- Withdrawal of consent: revoke consent at any time
- Objection: object to certain processing activities
- Information about sharing: know with whom your data has been shared
To exercise any of these rights, contact us at support@pmatz.com. We respond within 15 business days.
9. Security
We adopt appropriate technical and organizational measures to protect your data against unauthorized access, loss, or disclosure, including:
- Encrypted communications over HTTPS/TLS
- Row Level Security (RLS) on the database
- Secure authentication through Supabase Auth (bcrypt + JWT)
- Secrets and API keys stored in a secure environment, never in source code
10. Cookies
The Cafezin landing site does not use advertising cookies. It uses a small language preference cookie to remember whether you prefer the English or Portuguese version of the site, and it may use privacy-friendly analytics that do not rely on cookies to measure page visits and conversion events on the public website. The desktop app may also store local session cache in localStorage, and that data remains only on your device.
11. Children
Cafezin is not directed to children under 13 and does not knowingly collect data from children. If you believe we collected data from a minor, contact us so we can remove it.
12. Changes to this policy
We may update this Privacy Policy from time to time. When material changes occur, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of Cafezin after the changes take effect constitutes acceptance of the new policy.
13. Contact and data protection contact
For questions, requests, or complaints related to privacy:
Pedro Martinez
Email: support@pmatz.com
You may also file a complaint directly with Brazil's ANPD (National Data Protection Authority).