Privacy Policy
Last updated: 2026-05-07 (beta — under legal review)
1. Controller
Vocabula is operated by Paulo Oliveira (sole proprietor pending legal entity formation). Contact for data protection: dpo@vocabula.app.
2. Legal bases (LGPD Art. 7)
- Performance of contract (Art. 7º, V): account, payment, service delivery.
- Consent (Art. 7º, I): cookies, marketing communications.
- Legitimate interest (Art. 7º, IX): security audit logs, fraud prevention, rate limiting.
- Legal obligation (Art. 7º, II): tax retention of payment records (5 years — Brazilian Tax Code).
3. Data we collect
- Email, name, password hash (argon2id)
- Date of birth (for 18+ age check — see Section 8)
- Learning progress (lessons, activities, scores)
- Comments and community participation
- IP hash (SHA-256 — never plaintext) and user agent for security
- Payment metadata via Stripe (we do not store card numbers)
4. International transfer
Your data is stored on servers located in the United States (Neon Database, us-east region). By creating an account, you consent to this transfer (LGPD Art. 33, II).
5. Third parties
We share data with:
- Neon (database hosting, USA)
- Vercel (application hosting, global edge + USA)
- Stripe (payment processing, USA — PCI-DSS compliant)
- Sentry (error tracking, USA — PII scrubbed via beforeSend hook)
- Microsoft Azure (TTS audio generation, configurable region)
6. Your rights (LGPD Art. 18)
You may at any time:
- Access your data via "Export my data" in your account settings
- Correct inaccurate data via account settings
- Request deletion (anonymization within 30 days, hard delete within 90 days)
- Port your data in JSON format
- Withdraw consent for marketing/cookies
- Object to processing based on legitimate interest
Email dpo@vocabula.app with subject "LGPD request". We respond within 15 days.
7. Retention
- Account data: while active. After cancellation: anonymized in 30 days, deleted in 90 days.
- Audit logs (security): 2 years.
- Payment records: 5 years (Brazilian Tax Code obligation).
- Tokens (password reset, etc.): 15 minutes.
8. Age requirement
Vocabula is intended for users aged 18 and over. We do not knowingly collect data from minors.
9. Breach notification
We notify ANPD (Brazilian DPA) within 48 hours of becoming aware of a security incident with significant risk or harm to data subjects, in compliance with Resolution CD/ANPD nº 15/2024.
10. Changes to this policy
We notify users via email of material changes. The current version is always available at this URL.
This document is in beta. Final legally-reviewed version pending. Contact dpo@vocabula.app for questions.