Privacy Policy
Last updated: February 2026
1. Introduction and Data Controller
MoldaSpace is a product of AFPrado LTDA, a company registered under CNPJ 46.297.368/0001-64, located at Av Ernani Batista Rosas, 2037, 84035-610, Ponta Grossa, PR, Brasil ("we," "our," or "us").
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our web application and services. This policy is drafted in compliance with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais - LGPD, Lei 13.709/2018) and other applicable data protection regulations.
By using MoldaSpace, you acknowledge that you have read and understood this Privacy Policy.
2. Data Protection Officer (DPO / Encarregado)
In compliance with Art. 41 of the LGPD, we have appointed a Data Protection Officer (Encarregado de Proteção de Dados):
Name: André Prado
Email: privacy@moldaspace.com
The DPO is responsible for receiving communications from data subjects and the Brazilian National Data Protection Authority (ANPD), as well as providing guidance on data protection practices within our organization.
3. Data We Collect
We collect the following categories of personal data:
3.1 Account Data
When you create an account through our authentication provider (Clerk), we collect your name, email address, and profile information provided by your authentication method (e.g., Google, GitHub).
3.2 Payment Data
Payment processing is handled by Stripe. We do not store your credit card numbers or full banking information. We retain transaction identifiers, purchase history, and credit balance information.
3.3 Content Data
When using our services, we store images you upload to the platform, AI-generated images created through our service, project names and organizational data, and prompts and transformation requests.
3.4 Usage Data
We automatically collect information about how you use our services, including pages visited, features used, time and date of visits, time spent on pages, and interaction patterns.
3.5 Analytics Data
With your consent, we collect analytics data through PostHog, including session recordings, feature usage patterns, and performance metrics. This data collection only occurs after you provide explicit consent through our cookie consent banner.
3.6 Device and Browser Information
We collect technical information such as browser type and version, operating system, screen resolution, device type, and IP address.
4. Purpose and Legal Basis (Art. 7 LGPD)
For each data processing activity, we rely on the following legal bases as established by Art. 7 of the LGPD:
| Processing Activity | Legal Basis (LGPD) |
|---|---|
| Account creation and management | Contract execution (Art. 7, V) |
| Payment processing | Contract execution (Art. 7, V) |
| AI image generation | Contract execution (Art. 7, V) |
| Image storage (Cloudflare R2) | Contract execution (Art. 7, V) |
| Analytics (PostHog) | Consent (Art. 7, I) |
| Email campaigns | Consent (Art. 7, I) |
| Security and fraud prevention | Legitimate interest (Art. 7, IX) |
| Legal compliance | Legal obligation (Art. 7, II) |
When processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing performed prior to the withdrawal.
5. Data Sharing with Third Parties
We share personal data with the following third-party service providers, solely for the purposes described in this policy:
| Service | Purpose | Location |
|---|---|---|
| Clerk | Authentication and user management | USA |
| Stripe | Payment processing | USA |
| Cloudflare R2 | Image storage | Global CDN |
| OpenRouter | AI image generation | USA |
| Neon | Database hosting | USA |
| Vercel | Application hosting | USA |
| PostHog | Analytics (with consent) | EU/USA |
| Resend | Transactional and marketing email | USA |
Each of these providers has their own privacy policies and data protection practices. We select providers that demonstrate adequate data protection standards.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside of Brazil, including the United States and other countries where our service providers operate.
In accordance with Chapter V of the LGPD (Arts. 33-36), these international transfers are carried out based on the following safeguards:
- Service providers that comply with adequate data protection standards equivalent to the LGPD;
- Standard contractual clauses that ensure the protection of your personal data;
- Your specific and informed consent for international transfers when required.
We continuously monitor our service providers to ensure they maintain appropriate data protection measures.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law:
- Account data: Retained while your account is active, plus 6 months after account deletion to allow for reactivation requests;
- Payment records: 5 years from the transaction date, as required by Brazilian tax and commercial law;
- Generated images and content: Retained while your account is active and deleted upon account closure;
- Analytics data: 12 months from collection;
- Email communication logs: 2 years from the date of communication.
After the retention period expires, your data will be securely deleted or anonymized.
8. Your Rights (Art. 18 LGPD)
Under the LGPD, you have the following rights regarding your personal data:
- Confirmation of processing: The right to confirm whether we process your personal data;
- Access: The right to access your personal data held by us;
- Correction: The right to request correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion: The right to request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data;
- Data portability: The right to request the portability of your data to another service provider;
- Deletion: The right to request deletion of personal data processed with your consent;
- Information about sharing: The right to obtain information about public and private entities with which we share your data;
- Information about consent denial: The right to be informed about the consequences of denying consent;
- Consent revocation: The right to revoke your consent at any time.
How to exercise your rights: Send an email to privacy@moldaspace.com with your request. We will respond within 15 business days, as required by the LGPD.
You also have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD) if you believe your data protection rights have been violated.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- HTTPS encryption for all data in transit;
- Secure authentication through Clerk with multi-factor authentication support;
- Role-based access controls limiting data access to authorized personnel;
- Regular security reviews and vulnerability assessments;
- Data encryption at rest for stored information;
- Private cloud storage with access controls for uploaded and generated images.
While we strive to protect your personal data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to continuously improving our security practices.
11. Children's Privacy
MoldaSpace is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@moldaspace.com. If we become aware that we have collected personal data from a minor, we will take steps to delete that information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
For material changes, we will notify you via email to the address associated with your account. The updated policy will also be posted on this page with a revised "Last updated" date.
Your continued use of the service after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about our data practices, please contact us:
Data Protection Officer (DPO): André Prado
Email: privacy@moldaspace.com
Support: support@moldaspace.com
Legal: legal@moldaspace.com
Address: Av Ernani Batista Rosas, 2037, 84035-610, Ponta Grossa, PR, Brasil
Company: AFPrado LTDA - CNPJ 46.297.368/0001-64