Privacy Policy
Last updated: April 30, 2026
This policy explains what data Beadify collects, why we collect it, and the choices you have. It is written to comply with the Brazilian General Data Protection Law (LGPD, Law 13.709/2018) and the EU General Data Protection Regulation (GDPR).
Data controller
Beadify APP Studio is the controller of your personal data. For privacy questions, data access requests, or to reach our Data Protection Officer (Encarregado / DPO), contact [email protected]. Postal address available on request.
What we collect
- Account data: email address, hashed password, account creation date.
- Pattern data: the bead patterns and source images you save.
- Billing data: subscription tier, billing status, and a Stripe customer ID. We never see or store your card details.
- Technical logs: IP address, user agent, and timestamps of requests, kept for security and debugging.
Legal bases (LGPD / GDPR)
- Performance of the contract (LGPD Art. 7º, V / GDPR Art. 6(1)(b)): account creation, pattern storage, billing, support.
- Legitimate interest (LGPD Art. 7º, IX / GDPR Art. 6(1)(f)): security logs, fraud prevention, abuse detection.
- Legal obligation (LGPD Art. 7º, II / GDPR Art. 6(1)(c)): tax records, responses to lawful requests from authorities.
- Consent (LGPD Art. 7º, I / GDPR Art. 6(1)(a)): optional product update emails, when offered.
What we don't do
- We do not sell your data to anyone.
- We do not use your patterns to train AI models.
- We do not run cross-site tracking or advertising pixels.
- We do not share your email with third parties except the subprocessors listed below.
Subprocessors
We rely on the following third parties to operate the service. Each receives only the data needed to perform its role:
- Stripe, Inc. (USA) — payment processing.
- Cloudflare, Inc. (USA) — CDN, DNS, DDoS protection.
- Our hosting and email providers — server hosting and transactional email (password reset, receipts). Current providers disclosed on request.
- Google Fonts (USA) — web font delivery (loaded by your browser when you visit a page).
International data transfers
Some subprocessors are based outside Brazil and the EU (primarily the United States). When personal data is transferred internationally, we rely on the legal mechanisms allowed by LGPD Art. 33 and GDPR Art. 46 (such as Standard Contractual Clauses) and on the recipients' own compliance frameworks.
Payments
Payments are processed by Stripe. We never see or store your card details. Stripe's privacy policy applies to payment data — see stripe.com/privacy.
Cookies
We use a single session cookie for authentication and a localStorage key for your theme preference. Stripe sets its own cookies on its checkout pages. No advertising or analytics cookies.
Retention
- Account and pattern data: kept while your account is active.
- After account deletion: deleted within 30 days, except records we must retain for legal or tax obligations (typically up to 5 years for billing records under Brazilian law).
- Technical logs: kept for up to 12 months, then deleted or anonymized.
Your rights
Under LGPD (Art. 18) and GDPR (Arts. 15–22) you have the right to:
- Confirm whether we process your data and access a copy of it.
- Correct incomplete, inaccurate, or outdated data.
- Request anonymization, blocking, or deletion of unnecessary or excessive data.
- Request data portability (export in a structured, machine-readable format).
- Withdraw consent at any time (where processing is based on consent).
- Object to processing based on legitimate interest.
- Receive information about whom we share your data with.
Most actions can be done from your account settings. For anything else, email [email protected] — we respond within 15 days. If you believe your rights have been violated, you may file a complaint with Brazil's ANPD (gov.br/anpd) or your local EU supervisory authority.
Children
Beadify is not intended for children under 13. Users between 13 and 17 may use the service with the consent of a parent or legal guardian, in line with LGPD Art. 14. If you are a parent and believe your child created an account without permission, contact us and we will delete it.
Security
Passwords are stored hashed (bcrypt). Traffic is encrypted in transit (HTTPS). We follow reasonable technical and organizational measures to protect your data, but no system is perfectly secure.
Security incidents
If a data breach occurs that may cause relevant risk or harm to data subjects, we will notify the Brazilian National Data Protection Authority (ANPD) and affected users within a reasonable timeframe, in line with LGPD Art. 48 and GDPR Arts. 33–34.
Changes
If we make material changes to this policy we will notify active users by email and update the date at the top of this page. Continued use after the effective date means you accept the updated policy.
Contact
Beadify APP Studio · [email protected]