Privacy Policy
Last updated: 29 June 2026
This Privacy Policy explains how Malta Digital (CNPJ 51.110.175/0001-92), operating as Gaffer FC ("we", "us", "our"), collects, uses, and protects your personal data when you use gafferfoot.com ("the Service"). We comply with Brazil's Lei Geral de Proteção de Dados (LGPD – Law 13.709/2018) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Data We Collect
We collect the following categories of personal data:
- Account data: email address, name, and profile information you provide when registering via Clerk Authentication.
- Payment data: billing details processed by Stripe, Inc. We do not store card numbers — Stripe handles all payment data under PCI-DSS compliance.
- Usage data: progress through lessons, quiz scores, and feature interactions, stored to personalise your learning experience.
- Technical data: IP address, browser type, and device information collected automatically by our hosting provider (Vercel) for security and performance.
- Cookies: session cookies set by Clerk to keep you logged in. We do not use advertising or tracking cookies.
2. Legal Basis for Processing (LGPD / GDPR)
- Contract performance: processing your account and payment data to deliver the Service you purchased.
- Legitimate interest: maintaining security, preventing fraud, and improving the Service.
- Legal obligation: retaining transaction records as required by Brazilian tax and commercial law.
3. How We Use Your Data
- Create and manage your account
- Process your purchase and verify entitlement
- Save your learning progress across sessions
- Send transactional emails (purchase confirmation, password reset)
- Respond to support requests
- Comply with legal obligations
We do not sell, rent, or share your data with third parties for marketing purposes.
4. Third-Party Sub-Processors
We share data with the following sub-processors solely to operate the Service:
| Provider | Purpose | Data transferred |
|---|---|---|
| Clerk, Inc. (USA) | Authentication & session management | Email, name, auth tokens |
| Stripe, Inc. (USA) | Payment processing | Billing details, purchase history |
| Vercel, Inc. (USA) | Hosting & CDN | IP address, request logs |
| Neon, Inc. (USA) | Database | Account & progress data |
All US-based providers operate under Standard Contractual Clauses (SCCs) or equivalent safeguards for international data transfers.
5. Data Retention
- Account data is retained while your account is active.
- Transaction records are retained for 5 years to comply with Brazilian fiscal legislation (Lei 9.430/1996).
- Upon account deletion, personal data is erased within 30 days, except where retention is legally required.
6. Your Rights
Under LGPD (Art. 18) and GDPR (Arts. 15–22), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion of your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a structured, machine-readable format (data portability)
- Withdraw consent at any time (where processing is based on consent)
To exercise any right, email us at brndorust@gmail.com. We will respond within 15 business days.
7. Security
We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, access controls, and PCI-DSS-compliant payment processing. No transmission over the internet is 100% secure; we cannot guarantee absolute security.
8. Children
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email or a prominent notice on the site at least 15 days before taking effect, as required by LGPD Art. 8 §6.
10. Contact & Data Protection Officer
Malta Digital
CNPJ: 51.110.175/0001-92
Email: brndorust@gmail.com
If you are unsatisfied with our response, you may lodge a complaint with the Brazilian Data Protection Authority (ANPD) at www.gov.br/anpd.