Privacy Policy
Version 1.0 -- Effective April 12, 2026
1. Data Protection Officer (DPO)
Pursuant to art. 41 of the Brazilian LGPD, Fulgurite's Data Protection Officer is:
Vinicius Souza dos Reis LGPD channel: suporte@fulgurite.io
To exercise your rights as a data subject or ask questions about this Policy, contact the DPO.
2. Data We Collect
3.1 Registration Data (via Google OAuth)
When you log in, we collect: - Your full name - Your email address - Your Google profile picture URL
3.2 Usage Data
When you use the platform, we record: - Event and error logs - Campaigns created (name, settings, status) - Credits consumed and billing transactions - Preference data (e.g., language, theme)
3.3 Campaign Contact Data
Contact data uploaded to campaigns (names, emails, job titles, companies, and related information) belongs to third parties (Data Subjects) and is provided exclusively by the User. Fulgurite processes this data as a Processor, without additional analysis, enrichment, or unauthorized sharing.
3. Purposes and Legal Bases (LGPD art. 7)
| Purpose | Legal basis |
|---|---|
| Service provision (draft creation, campaign management) | Performance of contract (art. 7, V) |
| Account authentication and security | Performance of contract (art. 7, V) |
| Fraud and abuse prevention | Legitimate interest (art. 7, IX) |
| Internal analytics and service improvement | Legitimate interest (art. 7, IX) |
| Billing and tax obligations | Compliance with legal obligation (art. 7, II) |
| Service update communications | Performance of contract / Legitimate interest |
| Terms of Service consent records | Compliance with legal obligation / Consent (art. 7, I) |
4. Sharing with Sub-Processors
Fulgurite shares strictly necessary data with the following sub-processors:
| Sub-processor | Function | Location |
|---|---|---|
| Supabase | Database hosting | USA (AWS) |
| Railway | Application hosting | USA |
| Anthropic / OpenAI | LLM processing for draft generation | USA |
| Stripe | Payment processing (where applicable) | USA |
| OAuth, Gmail API and email sending (where applicable) | USA |
All sub-processors are bound by data protection contractual clauses and may not use the data for their own purposes.
5. International Data Transfers
The sub-processors listed above are located in the United States. Fulgurite adopts the following safeguards for international data transfers:
- Internationally recognized standard contractual clauses;
- Sub-processors' compliance certifications (e.g., ISO 27001, SOC 2);
- Explicit consent from the User in the Terms of Service (art. 33, I, LGPD).
6. Data Retention
| Category | Retention Period |
|---|---|
| Registration data (active account) | While the account exists |
| Registration data (closed account) | 5 years (tax and legal obligations) |
| Usage logs | 6 months |
| Campaign contact data | Up to 30 days after account closure |
| Consent records (ToS) | Indefinite (legal obligation -- LGPD) |
7. Data Subject Rights (LGPD art. 18)
You have the following rights regarding your personal data:
- Confirmation and access: confirm the existence of processing and obtain a copy of your data;
- Correction: correct incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion: of unnecessary, excessive, or unlawfully processed data;
- Portability: receive your data in a structured, interoperable format;
- Deletion: of data processed based on consent, except where retention is legally required;
- Information on sharing: know with whom your data is shared;
- Revocation of consent: withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact the DPO: suporte@fulgurite.io. We will respond within 15 business days.
8. Data Security
- Encryption in transit: all communications use TLS 1.2 or higher.
- Encryption at rest: data stored on Supabase and Railway with encryption by default.
- Access control: OAuth authentication, encrypted sessions, environment segregation.
- Monitoring: access logs and anomaly alerts.
- Updates: dependencies and security patches applied periodically.
In the event of a security incident that may pose risk or harm to Data Subjects, we will notify the ANPD and affected individuals within the timeframe prescribed by the LGPD.
9. Cookies and Similar Technologies
Fulgurite uses exclusively:
- Essential session cookies: to keep you authenticated while using the platform (required for operation -- login does not function without them).
We do not use tracking, advertising, or third-party analytics cookies.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, contact the DPO to have the data deleted.
11. Google API Data Policy Compliance
Fulgurite's use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements:
- We access Gmail exclusively to create email drafts on the User's behalf.
- We do not use Google data for advertising or AI model training.
- We do not sell data obtained from Google APIs.
12. Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, in addition to the rights in Section 7, you have additional rights under the CCPA/CPRA:
- No sale of data: Fulgurite does not sell or share your personal data with third parties for their own commercial purposes.
- Limit use of sensitive personal information: we do not collect sensitive personal data beyond what is necessary to provide the Service.
- Response timeframe: requests will be answered within 45 calendar days.
To exercise your rights or request more information: suporte@fulgurite.io.
13. Changes to This Policy
When material updates are made to this Policy:
- The version will be incremented in this document's frontmatter;
- On the next session, Users will be redirected to a re-acceptance screen;
- The update date will be reflected in this document's
updated_atfield.
14. Data Controller
Fulgurite, registered under CNPJ no. 65.961.687/0001-77, with registered address in Sao Paulo, State of Sao Paulo, Brazil ("Fulgurite" or "we"), is the Controller of personal data collected in relation to Users of the platform (registration and usage data).
For the contact data that Users upload to their campaigns, Fulgurite acts as a Processor, handling such data exclusively on behalf of and as instructed by the User-Controller. See Clause 6 of the Terms of Service.
15. DPO Contact
Vinicius Souza dos Reis Email: suporte@fulgurite.io
For privacy matters, data subject requests, and security incidents.