Privacy Policy
1. Who we are
Data Controller: Carniatto Labs, a Brazilian company operating the Brivoo service in the European Union under the General Data Protection Regulation (GDPR, Regulation EU 2016/679).
Our servers are located in Germany (European Union), operated by Hetzner Online GmbH.
2. Data we collect
Data you provide:
- ◆Full name or company name
- ◆Email address
- ◆Phone number
- ◆Type of service provided (e.g. Electrician, Plumber)
- ◆City of operation
- ◆Professional logo — optional, paid plan only
- ◆Data in your quotes: your clients' name and phone number
Data collected automatically:
- ◆Access date and time
- ◆Usage data: quotes created, statuses, public link views
- ◆Device technical data: browser type, operating system
Payment data: Processed directly by Stripe, Inc. We do not store card data or banking information.
3. Purpose and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing quotes | Performance of contract (Art. 6.1.b) |
| Authentication and session management | Performance of contract (Art. 6.1.b) |
| Transactional notifications | Performance of contract (Art. 6.1.b) |
| Payment processing | Performance of contract (Art. 6.1.b) |
| Country detection | Legitimate interest (Art. 6.1.f) |
| Rate limiting and security | Legitimate interest (Art. 6.1.f) |
| Legal compliance | Legal obligation (Art. 6.1.c) |
We do not use your data for advertising or sell it to third parties.
4. Infrastructure and recipients
4.1 Own infrastructure
Database, authentication and file storage hosted on Carniatto Labs's own servers via self-hosted Supabase, in Germany (EU). Data does not leave European territory through this component.
4.2 Data processors
| Processor | Data received | Purpose | Country |
|---|---|---|---|
| Stripe, Inc. | Name, email, phone, city | Payment processing | USA |
| Resend, Inc. | Email, provider name | Transactional emails | USA |
| Upstash Redis | Counters | Rate limiting | USA |
| ViaCep / Zippopotam | Postal code | Address autocomplete | — |
International transfers to the USA are covered by the European Commission's Standard Contractual Clauses (GDPR Art. 46.2.c) and the EU-US Data Privacy Framework.
5. Retention periods
| Data | Retention period |
|---|---|
| Active account data | While the account exists |
| Quotes and items | While the account exists |
| Local drafts (localStorage) | Deleted on logout |
| After account deletion | Deleted immediately |
6. Your rights (GDPR Arts. 15–22)
| Right | How to exercise | Timeframe |
|---|---|---|
| Access | Settings → Export data (JSON) | Immediate |
| Rectification | Settings → Edit profile | Immediate |
| Erasure | Settings → Delete account | Immediate |
| Portability | Settings → Export data (JSON) | Immediate |
| Objection / Restriction | contato@carniatto.com | 1 month |
| Withdraw consent | contato@carniatto.com | 15 business days |
You have the right to lodge a complaint with your national supervisory authority. A full list is available at: edpb.europa.eu/about-edpb/board/members
7. Cookies and local storage
- ◆Session cookies: required for authentication — exempt from consent as strictly necessary (GDPR Recital 47)
- ◆Encrypted localStorage (AES-GCM): quote drafts — deleted on logout
We do not use tracking cookies, behavioral analytics, or advertising.
8. Security
- ◆Data in transit protected by TLS 1.3
- ◆Authentication via magic link and OAuth — no passwords stored
- ◆Database access restricted by Row Level Security (RLS)
- ◆Security audited against OWASP Top 10
9. Data Protection Officer (DPO)
Carlos Henrique Carniatto
Email: contato@carniatto.com
Company: Carniatto Labs
10. Changes to this policy
We will notify you by email at least 15 days in advance of any significant changes.
Applicable version: European Union / EEA · GDPR (Regulation EU 2016/679) · Last updated: May 2026 · Version 1.1
Brivoo · Carniatto Labs · May 2026