Privacy Policy
Effective date: 2026-05-29 · Last updated: 2026-05-29 · Version 2
This policy explains how commoditizationstack.org (the "Service") collects, uses, stores, and protects personal data. Where multiple legal regimes apply — LGPD (Brazil, Law 13.709/2018), Marco Civil da Internet (Law 12.965/2014), Código de Defesa do Consumidor (Law 8.078/1990), GDPR (EU Regulation 2016/679), the ePrivacy Directive, CCPA / CPRA (California) — we apply the rule that is most restrictive on us and most favourable to you.
1. Controller and DPO
Controller (Controlador / Controller): the natural person who operates the Service, in connection with the working paper The Cost Gradient of the Build (ISBN 978-65-02-13475-7). For any matter, please contact the administrator.
DPO: Arthur de Miranda Neto. To exercise any data-protection right, please contact the administrator. The DPO is identified under Resolution CD/ANPD 2/2022 art. 11 and is the single point of contact for ANPD, EU supervisory authorities, and data subjects. The administrator routes requests labelled LGPD, GDPR, or CCPA to the appropriate procedure.
2. What we collect — and the strict commitment NOT to
Account-free local mode (collects nothing). The simulator can be used end-to-end without ever creating an account. In this mode every scenario, TRL answer, change-history entry, language preference, and parameter override is stored exclusively in your browser's localStorage — they never leave your device, and the operator has no way to read them. No analytics tag, no tracking pixel, no telemetry is sent. The site is fully usable, including offline, in this mode.
Your responsibility in local mode. Because nothing is sent to a server, the protection and continuity of the data is entirely yours: clearing the browser's storage, switching browsers, or losing the device destroys the data with no possibility of recovery on our side. Use the "Export scenarios archive" button in the scenarios sidebar to keep backups. On a shared computer (university lab, hot-desk office, family PC) other users of the same browser profile can read the same localStorage; activate the local vault (header lock icon) to encrypt your data at rest with a passphrase only you know — AES-GCM-256 with a key derived via PBKDF2-SHA-256 at 210 000 iterations, all in the browser, the passphrase never transmitted anywhere. If you forget the passphrase, the data cannot be recovered.
Account mode (cloud sync — opt-in). If you choose to create an account, we collect the minimum necessary to deliver the cross-device sync the account exists for:
- Account data: email (required), full name (required), institution (optional). Provided by you.
- Authentication artifacts: an Argon2id hash of your password (never the plaintext); if you use Google sign-in, the Google subject identifier.
- Service-state data tied to your account: scenarios you save, change-history entries you opt to sync, online-session heartbeats.
- Security telemetry: IP address and user-agent on authentication-class events (login, register, password reset, account-deletion request and confirm) and on administrative actions.
We do not collect: location, phone number, date of birth, payment data, social-network graphs, advertising identifiers, biometric data, or any data not listed above.
Sensitive data commitment (LGPD art. 5 II / art. 11, GDPR art. 9): we do not request, intentionally collect, or process sensitive personal data — racial or ethnic origin, religious conviction, political opinion, union or philosophical-organisation membership, health, sex life, genetic or biometric data. If you accidentally submit sensitive data (e.g. by typing it into a scenario name), contact the DPO and we will delete the affected record on confirmation.
Anti-enumeration design: the registration and forgot-password endpoints return the same response regardless of whether the email is already known to us. This means we cannot confirm or deny the existence of any account to a third party who only knows the email — including in response to ill-formed legal demands.
3. Why we process (legal basis per operation)
| Operation | LGPD basis (art. 7) | GDPR basis (art. 6) |
|---|---|---|
| Account creation, login, sync | V (execução de contrato) | (b) performance of contract |
| Transactional emails | V (execução de contrato) | (b) performance of contract |
| Security telemetry, fraud defence | IX (legítimo interesse) | (f) legitimate interest |
| Audit-log entries documenting account-deletion and admin actions (kept indefinitely with PII redacted after 2 years — see Section 6) | II (obrigação legal) | (c) legal obligation |
| Connection/application logs (Marco Civil art. 15 §1°) | II (obrigação legal) | (c) legal obligation |
| Future marketing communications (not currently sent) | I (consentimento — opt-in) | (a) consent |
Marketing commitment: we currently send only transactional messages tied to your account (confirmation, password reset, account-deletion confirmation, deletion receipt). We do not send marketing or promotional email. If we ever introduce them, they will require an explicit opt-in you can revoke as easily as you gave it (LGPD art. 8 §5).
4. Cookies and similar technologies
We use one strictly-necessary cookie, cgrad_session: HTTP-only, Secure over HTTPS, SameSite=Lax, carries your signed JWT login token. Expires after 7 days or on sign-out. Without it, you cannot stay signed in — under ePrivacy art. 5(3) and ANPD's Guia de Cookies, strictly-necessary cookies are exempt from prior consent but require disclosure.
We also use your browser's localStorage to remember the workflow state, your TRL answers, language preference, and the auto-save toggle. These items never leave your device unless you sign in AND choose to sync. We do not use them for tracking, analytics, or advertising.
Cloudflare Turnstile (the bot-defence widget) may set transient cookies of its own; those are strictly necessary for the challenge mechanism.
5. Third-party processors (operadores)
Under LGPD art. 39 / GDPR art. 28, every processor that handles personal data on our behalf is listed with its purpose, jurisdiction, and the safeguard governing the relationship:
| Processor | Purpose | Jurisdiction | Safeguard |
|---|---|---|---|
| Contabo (IPB GmbH) | VPS hosting + Postgres | Germany (EU) | EU DPA on file |
| Cloudflare | CDN, Turnstile (bot defence) | US (regional caches) | EU SCCs + DPA |
| Resend | Transactional email delivery | US | EU SCCs + DPA · used only when EMAIL_BACKEND=resend |
| Google LLC | OAuth sign-in (only if you choose "Continue with Google") | US | EU SCCs + DPA (Google Terms) |
Transfers to processors outside the EU rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the technical measures listed in Section 10. For LGPD purposes, equivalent contractual safeguards are in place under art. 33 IV.
Each processor publishes its standard Data Processing Agreement (DPA) and SCCs as click-through documents on its platform; the operator accepted them, in the role of controller, before activating each processor. By using the Service you acknowledge this list of processors and that the operator has, as controller and on your behalf, signed each one's standard DPA; this acknowledgement does not substitute for our own DPA obligations. You may withdraw at any time by deleting or anonymising your account; we have no mechanism to opt you out of a single processor while keeping the others, since the Service's essential functions depend on each.
6. Retention — explicit table
| Category | Retention | Reason |
|---|---|---|
| Account, scenarios, history | While the account exists | Contract performance |
| Routine audit-log events (login, profile edit, scenario CRUD) | 180 days, then pruned | Marco Civil art. 15 §1° + minimisation (LGPD art. 6 III) |
| Compliance audit-log events (account-deletion requested/confirmed/approved, admin user actions) | Indefinite as event records. Plaintext PII fields (email, full name, IP) redacted after 2 years; structural fields (timestamps, counts, action) kept; a one-way HMAC of the email (email_lookup) is also kept indefinitely so we can later confirm a verified guess such as "did this specific email delete on day Y?" without reversing the hash or enumerating users — this is the load-bearing field for the permanent deletion-history requirement | CDC art. 27 (5-year prescription) + LGPD art. 16 II / GDPR art. 17(3)(b) — defence of legal claims, with minimisation |
| Encrypted backups | 14 days locally on the VPS; offsite follows the storage provider's lifecycle (typically 30 days) | Disaster-recovery floor |
| Marco Civil application logs (subset of audit log relevant to art. 15) | 6 months (minimum legal floor) | Marco Civil art. 15 §1° |
On a judicial preservation order (Marco Civil art. 22), the specific records named in the order are excluded from the prune until the order is lifted.
7. Where the data is
Primary processing happens on a server hosted in Germany (Contabo data centre, EU). For users in the EU/EEA, this primary processing involves no transfer outside the EEA.
However, the following operations may temporarily transfer specific fields to processors outside the EEA, under the SCCs listed in Section 5: email delivery via Resend (US); Turnstile and CDN edges via Cloudflare (US/regional); Google OAuth (US) — only if you select Google sign-in.
EU users who want to avoid any non-EEA transfer can: (a) decline Google sign-in (use email/password), (b) request the operator to switch EMAIL_BACKEND to an EU-hosted SMTP provider (the architecture supports it via a single environment variable).
8. Your rights — full LGPD art. 18 catalogue
- Confirmation of processing (LGPD art. 18 I): ask the DPO.
- Access (LGPD art. 18 II, GDPR art. 15): download a JSON dump from Account settings → Export your data.
- Rectification — correção (LGPD art. 18 III, GDPR art. 16): edit name and institution on Account settings.
- Anonymisation, blocking, or deletion (LGPD art. 18 IV): the deletion and anonymisation flows on Account settings implement two of the three. For blocking (temporary suspension of processing without full deletion), contact the DPO. Note on the deletion workflow: to defend against rushed mistakes and obvious account takeovers, the deletion has three steps — you confirm in Settings, you confirm again via an email link, then the administrator approves the deletion from the admin panel. We commit to acting on every confirmed request within 14 days; if no administrator has acted by then, the system auto-approves so we stay within LGPD art. 18 §3°'s 15-day legal deadline. Anonymisation remains self-service (no admin step) because the action is less destructive.
- Portability — portabilidade (LGPD art. 18 V, GDPR art. 20): the JSON dump in Access is the portability artifact.
- Deletion of data treated based on consent (LGPD art. 18 VI): same flow as full account deletion; email the DPO for partial deletion of consent-based fields (currently we hold no consent-only fields).
- Information about with whom we share data (LGPD art. 18 VII): the processor table in Section 5 is updated whenever it changes.
- Information about consent refusal consequences (LGPD art. 18 VIII): you can refuse Cloudflare Turnstile by declining the challenge — you will not be able to register or request a password reset from that IP. You can decline Google OAuth and use email/password instead.
- Revocation of consent (LGPD art. 8 §5, GDPR art. 7(3)): equally simple to giving it. You can revoke any consent-based processing at any time without retroactive effect.
- Human review of automated decisions (LGPD art. 20, GDPR art. 22): see Section 9.
- Right to lodge a complaint: ANPD Canal do Titular (Brazil), your national supervisory authority (EU), or the California Attorney General (CA).
We respond to a verified request within 15 days (LGPD art. 19 §1° standard) for confirmation and access, and within the GDPR's 30-day ceiling for any other right — whichever is shorter for the specific request.
9. Automated decision-making
The Service runs an automated valuation engine (DCF, segment models, sensitivity, Monte Carlo) and an optional TRL adjustment that modifies the WACC inputs based on your readiness profile. These are automated decisions that can affect your interests as a user — even though they are heuristic, decision-support outputs and not regulated financial advice.
Under LGPD art. 20 and GDPR art. 22, you have the right to request:
- a plain-language explanation of which inputs and which rules produced a given output (the source code of the engines is published under MIT licence; we will, on request, walk you through your specific scenario);
- human review of any automated decision the Service produced, by emailing the DPO with a copy of the scenario JSON;
- our description of the criteria, including segment templates, default values, and adjustment magnitudes — all of which are documented in docs/trl-methodology.md in the public repository.
We do not use the Service's automated outputs to make decisions about you (we do not score, rank, or restrict access based on your scenarios). The outputs are produced for you, to inform your own decisions.
10. Security
Transit: TLS 1.2+ via Let's Encrypt with HSTS (max-age=31536000) on every request.
At rest (column-level): your email, full name and institution are stored as AES-256-GCM ciphertext in the Postgres users table — never as plaintext. A deterministic HMAC-SHA256 sibling of the normalised email (kept in a separate email_lookup column with a unique index) is the only way the application can locate a row by email; the plaintext never appears in SQL. Passwords are Argon2id-hashed (memory-hard, no plaintext, no reversible encryption). One-time tokens (email confirm, password reset, account-deletion confirm, account-anonymization confirm) are SHA-256-hashed at rest and single-use.
At rest (disk-level): the VPS's underlying disk is hosted by a Tier-IV ISO-27001-certified data centre in Germany (Contabo). We rely on the provider's physical security; we do not add full-disk encryption at the OS layer because the encryption key would have to live on the same machine, which buys nothing against an attacker with root. The column-level encryption above is the load-bearing protection against a disk leak — the bytes are ciphertext even if the disk image walks out the door.
Backups: GPG-encrypted with the operator's public key before they leave the database container. The private key is held offline (hardware token / air-gapped storage). Offsite backups are uploaded as ciphertext blobs only.
Operational defences: rate-limited authentication endpoints, anti-enumeration design on register and forgot-password (same response for known and unknown emails), per-IP slow-down on credential stuffing.
Despite these measures, no online service is breach-proof. If a personal-data breach affecting you occurs, we will notify you and the relevant supervisory authority within 2 working days of becoming aware (Resolution CD/ANPD 15/2024 — 2 dias úteis), and within GDPR's 72-hour deadline (art. 33) — whichever is sooner.
11. Children and adolescents (LGPD art. 14)
The Service is intended for adults of 18 or more with professional or academic interest in firm valuation and technology-readiness assessment. We do not knowingly process data from anyone under 18.
If you are under 18, please do not register without the consent of your parents or legal guardian and the involvement of an adult educator. If you are under 12, your parents or legal guardian must contact the DPO in writing to authorise any processing in advance, per LGPD art. 14 §1°.
If we discover an account belongs to a person under 18 for whom we do not hold the appropriate guardian authorisation, we will block processing pending verification and offer the guardian the option to delete the account.
12. Brazilian Internet Bill of Rights (Marco Civil)
We comply with Lei 12.965/2014, in particular: connection and application logs are retained for the minimum periods required by arts. 13 and 15, and are made available only upon judicial order (arts. 10 and 22). Disclosure of records outside a judicial order requires the explicit basis listed in art. 7 X. We do not voluntarily disclose user data to non-judicial requests except for security or fraud-defence purposes consistent with the legal bases above.
13. California residents (CCPA / CPRA)
You have the right to know what is collected, the right to delete, the right to correct, the right to opt out of sale or sharing for cross-context behavioural advertising, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising any of these rights.
We do not sell personal information, do not share it for cross-context behavioural advertising, and do not process sensitive personal information. Sections 8 and 9 above cover your access, deletion, correction, and automated-decision rights without any additional ceremony. To exercise California-specific rights, contact the DPO with "CCPA" in the subject line.
14. Transparency commitments
We commit to publishing, on the Transparency page, an annual aggregated report of: number of judicial preservation/disclosure orders received, number of LGPD/GDPR access and deletion requests received and satisfied, and any data-protection incidents reported under the deadlines of Section 10.
15. Changes to this policy
We may update this policy. Material changes are announced on the landing page, the changelog, and (for signed-in users) by email at least 15 days before they take effect. The "Last updated" date at the top reflects the latest revision; prior versions are archived on request.
16. Liability and compensation
Under LGPD art. 42, controller and processor are jointly and severally liable for damages caused by processing in breach of the Law. Nothing in our Terms of Use limits your statutory rights to compensation under LGPD art. 42, CDC art. 14, or the equivalent provisions in your jurisdiction.
Questions or requests: contact the administrator. The DPO responds within the deadlines in Section 8.