Privacy policy
Version 2.0 · Last updated: 2026-05-17
[v2 draft — final legal review pending]
Who we are
Apex Labs (apxlbs) is a digital infrastructure studio operated by Rodrigo Teixeira. We are the data controller for the personal information described in this policy.
Data protection officer (Encarregado de dados / DPO) / Privacy contact: [email protected] (Rodrigo Teixeira). Inquiries acknowledged within 5 business days, resolved within 30 days per LGPD Art. 18 and GDPR Art. 12.
What we collect
We collect the minimum needed to operate the site and respond to inquiries:
- Form submissions — name, email, company, role, project details, budget band, timeline. Voluntary; collected only when you fill a form.
- Newsletter email — only if you subscribe. One-click unsubscribe in every email.
- Anonymous analytics — page views, referrers, viewport, device class via Vercel Analytics. No cookies, no cross-site tracking, no device fingerprinting.
- Server logs — IP address, user-agent, request paths. Used for security + abuse prevention; rotated every 30 days.
- Authentication state — for admin/portal users only: a session cookie + (for admins) a 12-hour 2FA freshness cookie. See /cookies for the complete cookie inventory.
We do not sell, rent, or trade personal information. Period.
Sub-processors (who we share data with)
Per LGPD Art. 39, here is the complete list of processors who handle data on our behalf:
| Processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting + CDN + analytics | US/EU multi-region |
| Neon | Postgres database | US (us-east-1) |
| Cloudflare | DNS + WAF + edge cache | Global |
| Resend (when active) | Transactional email + newsletter | US |
| Stripe (when active) | Payment processing for paid diagnostics | US/global |
| Google (SMTP, when active) | Magic-link sign-in delivery | Global |
| PostHog (optional) | Product analytics | US |
| Sentry (when active) | Error monitoring | US |
Each sub-processor is contractually bound to act only on our instructions. Most are outside Brazil; international transfers occur under the standard contractual clauses published by each provider (LGPD Art. 33 §IV).
How we use it
Form submissions are used solely to evaluate engagement fit, respond to your inquiry, and — if you opted in — send Lab Notes. The legal basis is your consent (the act of filling the form) or our legitimate interest in operating the business (responding to inbound business inquiries).
For paid engagements, the legal basis becomes contract (LGPD Art. 7 §V / GDPR Art. 6(1)(b)).
Automated decisions
Per LGPD Art. 20: when you submit an application form, we apply an automated lead-scoring routine that combines your budget band, revenue range, and timeline to assign a tier (priority / qualified / review). The score does not auto-reject anyone — it only routes the inquiry for human review.
You can request human review of any automated classification by emailing [email protected].
Retention
- Form submissions — indefinite while engagement is active or being evaluated; deleted on request.
- Newsletter subscribers — until you unsubscribe (one-click).
- Server access logs — 30 days, then automatically rotated.
- Audit log of sensitive actions — 12 months, then archived.
- Authentication sessions — 30 days max from creation; you can sign out earlier.
- Two-factor secrets — until you disable 2FA on your account.
Your rights
Per LGPD Art. 18 and GDPR Art. 15-22, you can:
- Confirm whether we process your data (access)
- Receive a copy of your data (portability)
- Correct inaccurate data (rectification)
- Request deletion (erasure / right to be forgotten)
- Anonymize, block, or restrict processing
- Object to processing or revoke consent
- Be informed of sub-processors who received your data
- Request human review of automated decisions
Email [email protected] with the subject line “Privacy request” and we'll respond within 30 days.
Security
All traffic is TLS 1.2+; sessions are HttpOnly + Secure + SameSite cookies; two-factor secrets are AES-256-GCM encrypted at rest; recovery codes are bcrypt-hashed; passwords are not used anywhere. Read more in our security disclosure and security.txt.
In the event of a data breach affecting your personal information, we will notify you within 72 hours of detection per LGPD Art. 48 / GDPR Art. 33.
Cookies
We use only strictly-necessary cookies (authentication + CSRF + anonymized analytics). No advertising cookies, no third-party tracking pixels, no behavioral profiling. Full inventory at /cookies.
Children
This site is intended for business operators. We do not knowingly collect information from anyone under 18.
Changes
If this policy changes materially, we publish a new version with a fresh “last updated” date. Material changes are emailed to admin-allowlisted users. Non-material clarifications are tracked in the git history of this repository.
