Privacy Policy

Transparency about how we handle your data

This Privacy Policy describes how Zault Storage processes personal data when providing its cloud database backup and restore automation service (the “Service”).

June 9, 2026

Full policy

How we process personal data.

1. Who we are and how to contact us

Zault Storage is a SaaS platform for operational database backups. The data controller for personal data processed in this context is the product owner identified on this site and in the platform’s public settings.

To exercise rights under applicable data protection law, ask privacy questions, or report incidents involving personal data, use the support channel available in the platform after registration or the institutional contacts published on this site.

When required by law, we will indicate the Data Protection Officer (DPO) through the Service’s official channels.

2. Scope of this policy

This policy applies to use of the web panel, related public pages, account registration, integrated support, and other features where personal data is processed.

It does not replace the terms of storage providers, cloud vendors, or servers you configure on your own. In those cases, you must also observe those third parties’ policies.

3. Legal framework

Processing complies with Brazil’s LGPD (Law No. 13,709/2018), the Brazilian Internet Civil Framework (Law No. 12,965/2014), consumer protection rules where applicable, and other laws in force in Brazil.

When you are located in another country, local data protection rules may also apply to the extent compatible with this policy.

4. Roles in data processing

For registration, authentication, support, billing, and account operation data, Zault Storage generally acts as controller.

For data you enter to run backups — such as access credentials, connection parameters, routine metadata, and operational records — Zault Storage generally acts as processor, handling such information according to your instructions to deliver the contracted Service.

Backup files are stored in the destination you define (platform-managed storage, S3-compatible bucket, or SFTP/NAS destination). Ownership and governance of backup content remain with you, unless otherwise required by law.

5. Data we may process

Identification and account data: name, email, phone (when provided), profile photo, user identifiers, access role, account status, and preferences.

Authentication and security data: access credentials (stored with protection measures), session tokens, email verification and password recovery records, and, when enabled, data linked to social login.

Usage and operation data: access logs, date and time of use, IP address, browser or device type, session identifiers, audit events, and technical information for diagnosis, abuse prevention, and Service improvement.

Backup configuration data: labels, hosts, ports, database names, connection users, credentials and secrets required for execution (including SSH keys and storage tokens), compatibility profiles, retention policies, execution history, job status, checksums, artifact sizes, and restore metadata.

Communication data: messages sent to in-platform support and, if you choose to integrate, identifiers linked to notifications through messaging apps you authorize.

Plan and billing data, when applicable: subscribed plan, usage limits, subscription status, and payment confirmations received from payment providers. We generally do not store full card details when payment is processed by a third party.

6. Purposes and legal bases

Contract performance and preliminary steps (LGPD, art. 7, V): create and maintain the account, authenticate, allow configuration of connections, storages, and routines, run requested backups and restores, apply plan limits, and provide support.

Legitimate interest (art. 7, IX), where applicable and after balancing assessment: platform security, fraud and abuse prevention, operational continuity, technical improvement, audit records, and defense of rights in disputes.

Compliance with legal or regulatory obligations (art. 7, II): response to authority requests, record retention when required, and other legal duties.

Consent (art. 7, I), when used: optional marketing communications, non-essential cookies or similar technologies, and optional integrations requiring express authorization.

Regular exercise of rights (art. 7, VI): billing, default coverage, and resolution of contractual disputes, where applicable.

7. Cookies and similar technologies

We use cookies and equivalent technologies strictly necessary for the Service, such as session authentication, language preferences, and confirmation of sensitive actions.

Non-essential third-party cookies — such as those linked to sign-up abuse protection or integrated search — require prior consent, as described in the cookie banner and dedicated Cookie Policy.

We do not currently use advertising, behavioral profiling, or marketing analytics cookies. See the Cookie Policy for the full inventory, purposes, retention periods, and how to manage your preferences.

8. Sharing and subprocessors

We may share data with providers that help operate the Service — for example, hosting, transactional email, payment processing, monitoring, and cloud storage — under contracts requiring confidentiality, security, and purpose limitation.

When you configure your own destinations (BYOS, SFTP/NAS, or equivalent), data and backup files may be transferred directly to those environments under your responsibility.

We may disclose data when required by law, court order, competent authority request, or to protect rights, security, and integrity of the Service and third parties, within legal limits.

We do not sell your personal data.

9. International data transfers

Technology providers used to operate the Service may process data in other countries. When this occurs, we will adopt safeguards compatible with LGPD, such as contractual clauses, destination country assessment, or another applicable legal mechanism.

When you configure storages outside Brazil, you acknowledge that the chosen destination may involve international transfer of backup files under your instruction.

10. Retention

We retain personal data for as long as necessary for the purposes described in this policy, contract performance, legal compliance, dispute resolution, and security.

Operational records, logs, and execution history may be kept for periods proportionate to operation, audit, and incident prevention, and deleted or anonymized when no longer needed, except where legal retention is required.

Connection credentials and secrets remain stored while needed for active routines or until you request deletion compatible with ongoing operations.

After account closure, we may retain data for the period necessary for legal obligations, defense of rights, and internal safety backups, followed by deletion or anonymization.

11. Information security

We adopt reasonable technical and organizational measures to protect personal data, including access control, encryption of sensitive credentials, environment segregation, event logging, and secure development practices.

Security also depends on user conduct: password protection, SSH key management, least-privilege permissions on databases and storages, and periodic access review.

No system is completely risk-free. In the event of a relevant incident that may cause risk or harm to data subjects, we will adopt response and communication measures as required by applicable law.

12. Your rights (LGPD, art. 18)

You may request, under LGPD: confirmation of processing; access to data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data; portability to another provider, where applicable; deletion of consent-based data, subject to legal exceptions; information about sharing; information on the possibility of withholding consent and its consequences; and withdrawal of consent when that is the basis used.

Send your request through the support or contact channel indicated in this policy with sufficient identification information. We may request additional data to confirm your identity and assess legal or operational limitations.

We will respond within legal timeframes. Some requests may be fulfilled partially when retention is necessary for legal obligations, contract performance, defense of rights, or ongoing backups.

13. Children and adolescents

The Service is intended for users with legal capacity to contract or with authorization from a legal representative, as applicable.

We do not intentionally collect children’s data without compliance with LGPD rules on guardian consent, when required.

14. Changes to this policy

We may update this policy to reflect legal, operational, or Service feature changes. The effective date will be shown at the top of the document.

Relevant changes may be communicated through notice in the Service, email, or other appropriate means. Continued use after changes take effect may indicate acknowledgment, without prejudice to non-waivable rights under law.

15. Supervisory authority

Without prejudice to contacting us directly, you may contact Brazil’s National Data Protection Authority (ANPD) at https://www.gov.br/anpd

Zault Storage — Document version 2.1.0 — Last updated: June 9, 2026
