Cavac Privacy Policy

Effective Date: April 21, 2026

Last Updated: April 27, 2026

1. Introduction

This Policy explains how Victor Aguiar Souza Springer, acting as controller, processes personal data and basic technical data related to the use of Cavac.

Cavac is the mobile/web product operated by Victor Aguiar Souza Springer. Contact: contact@cavac.app.

2. Data we collect

Victor Aguiar Souza Springer processes only the data needed for account management, authentication, basic product operation, and the features actually offered.

That data may include:

Account and authentication data:

  • email
  • account identifier
  • authentication method used in the product, such as email/password or Google
  • session state and information needed to keep you signed in
  • basic data made available by the selected login provider, such as name and email, when you use Google sign-in and those data are provided to Cavac

Profile data:

  • first name
  • last name
  • display name or visible name, when applicable

Product content data:

  • charts you create, save, duplicate, share, or publish
  • metadata associated with those charts
  • chart visibility state, including whether a chart is published or unpublished
  • favorite records linked to your account
  • records needed to support read-only sharing
  • study progressions and other study materials associated with product use, when applicable

Basic technical data:

  • internal identifiers
  • session identifiers
  • platform and app version
  • build number and application environment
  • timestamps of essential operations
  • technical logs related to errors, security, and authentication, when generated in the normal operation of the service

Analytics and product usage data:

  • events related to authentication, profile completion, chart opening, search, playback, study, favorites, sharing, publishing, and saved preferences
  • account or user identifiers when needed to associate events with authenticated use of the product
  • event metadata such as event source, platform, app version, build number, environment, session, and technical usage indicators
  • limited usage metrics such as search result counts, effective playback duration, and functional event context

Observability and diagnostics data:

  • error, performance, availability, and service operation data
  • limited technical context needed to diagnose failures and monitor service integrity

Support data:

  • information you send in support requests, complaints, or rights requests
  • content of messages sent through in-app feedback or support forms, when available
  • authenticated identifiers used to associate a support or feedback request with the account that sent it

Waitlist data:

  • email submitted on the cavac.app landing page
  • the language code (pt-BR or en) selected on the landing page
  • the timestamp when the consent checkbox was accepted, the version of that consent, and the version of this Policy in force at that moment
  • a hashed representation of the IP address that submitted the request and the browser user-agent string, kept solely for consent audit purposes

3. Legal bases for processing

Victor Aguiar Souza Springer processes personal data under the legal bases that are applicable in each case, which may include:

  • performance of a contract or steps taken at your request before entering into a contract, to create and maintain your account, authenticate access, operate product features, and provide the requested service;
  • compliance with legal or regulatory obligations, when processing is necessary to meet legal, regulatory, tax, security, or lawful authority requirements;
  • legitimate interests, when necessary for basic service security, abuse prevention, failure diagnosis, observability, limited product analytics, product support, and the regular operation of Cavac, subject to the rights and freedoms of the user;
  • consent, where processing depends on that legal basis under applicable law.

4. Provision of data

Some personal data are necessary to create and maintain the account, authenticate access, and operate essential Cavac features.

If those data are not provided, parts of the product may not work properly, including login, account access, profile features, publishing, sharing, and support.

5. Automated decision-making

Cavac does not use automated decision-making or profiling that produces legal effects concerning you or similarly significant effects within the meaning of applicable law.

6. How we use data

Victor Aguiar Souza Springer uses this data to:

  • create and maintain your account
  • authenticate access through email/password or Google
  • maintain your profile in the product
  • store and display charts under the app's visibility rules
  • operate private favorites, read-only sharing, and publishing to authenticated users inside the app
  • show visible authorship when that is part of the chart
  • operate study progressions and study materials offered by the product
  • host, deliver, and maintain the web version of the product
  • send operational, support, feedback, or other service-related emails, when applicable
  • maintain basic security, prevent abuse, and diagnose failures
  • monitor errors, performance, and availability
  • measure feature usage and product evolution through limited product analytics
  • respond to support, complaints, and product-related requests
  • comply with applicable legal or regulatory obligations

This Policy should not be read as authorization for broad behavioral collection or unrestricted monitoring. The processing described here is limited to what is needed to operate the actual product.

7. Cookies and similar technologies

The web version of Cavac may use cookies, local storage, and similar browser technologies to:

  • keep sessions and authentication working
  • support third-party sign-in, security controls, and delivery of the web application
  • remember basic state necessary for product operation
  • enable technical diagnostics needed for service stability and operation
  • enable non-essential web analytics only after the user gives positive consent, where applicable
  • on the cavac.app landing page, store a single key in browser local storage, cavac-landing-language, to remember the selected interface language; the same purpose is served by reading the browser's navigator.languages value on first visit to redirect to the matching language version. Both are functional and not used for analytics or tracking.

Browser settings may block some of these technologies, but doing so may affect login and essential functionality.

8. Authentication, hosting, and providers

Victor Aguiar Souza Springer offers authentication through email/password and Google.

Based on the current state of the product, Cavac uses:

  • Supabase, for authentication, backend, database, storage, and edge functions
  • Google, for Google sign-in and related identity flows
  • Firebase Hosting, for hosting and delivery of the web app
  • Resend, for sending support, feedback, and other operational service emails when applicable, and for sending waitlist confirmation emails and product updates to users who signed up through the landing page
  • Sentry, for observability, error monitoring, and performance monitoring
  • PostHog, for product analytics and event measurement

The list of relevant third parties may be updated as the service evolves operationally.

When you use third-party login, the related processing may also depend on that provider's own terms and policies.

9. Data sharing

Inside the product itself, some data may become visible to other users according to Cavac's rules:

  • published charts are visible to authenticated users inside the app
  • unpublished charts are not included in that general visibility
  • sharing is read-only
  • favorites are private per user
  • a chart may show visible authorship in the app

Outside those product-use situations, Victor Aguiar Souza Springer may share data only with third parties needed for:

  • authentication
  • infrastructure
  • web hosting
  • email delivery
  • product analytics
  • observability and technical diagnostics
  • technical support
  • compliance with legal obligations
  • response to valid requests

10. International data transfers

Cavac may use technical and infrastructure providers that operate in more than one country. As a result, some data may be processed or stored outside the user's country of residence.

Based on the operational setup currently described for the service, the product's primary infrastructure involves Germany and Brazil, without prejudice to additional processing by providers operating in other countries.

Where international data transfers occur, Victor Aguiar Souza Springer will use the legally required measures and appropriate safeguards applicable under the relevant law, including where processing involves authentication, hosting, analytics, observability, or email providers.

11. Storage and retention

Victor Aguiar Souza Springer stores data for the period needed for each processing category, taking into account its purpose and the applicable operational and legal requirements.

In general terms:

  • account and profile data remain while the account is active or while needed to maintain access and product operation
  • product content remains while needed to operate the features you use, including visibility, sharing, favorites, and publishing, according to the service flow
  • support, feedback, and complaint records may be kept while needed for handling, follow-up, defense of rights, and operational improvement
  • technical logs, analytics, and monitoring data may be kept for limited periods compatible with security, diagnosis, abuse prevention, stability, and the settings of the providers used
  • waitlist data (email, language, consent record) is kept while you remain on the waitlist or until you ask to be removed by writing to contact@cavac.app or by using the unsubscribe link in any waitlist email

Residual data may remain for a limited period in backups and technical records, according to the adopted architecture and applicable obligations.

You may request account deletion in the app at Settings > Account > Delete account. If the in-app flow is unavailable for your version or environment, the request may also be sent to contact@cavac.app. A public account deletion reference page is also available at https://cavac.app/en/account-deletion/.

When an account is deleted, data will stop being maintained in active production systems to the extent compatible with the product flow, without prejudice to retention that is necessary for legal, regulatory, security, fraud prevention, dispute resolution, service integrity, or technical backup reasons.

12. User rights

Depending on applicable law, you may request from Victor Aguiar Souza Springer:

  • confirmation that processing exists
  • access to your data
  • correction of incomplete, inaccurate, or outdated data
  • deletion, anonymization, or blocking, when applicable
  • portability, when applicable
  • information about sharing with third parties
  • objection or review, when applicable law provides that right
  • withdrawal of consent, where processing relies on consent

Requests should be sent to contact@cavac.app.

Victor Aguiar Souza Springer may ask for reasonable information to verify your identity before processing the request.

13. Right to lodge a complaint with a supervisory authority

If applicable law gives you that right, you may also lodge a complaint with the competent data protection supervisory authority, including in the country where you reside or where you believe the relevant violation occurred. In Brazil, this may include the Autoridade Nacional de Proteção de Dados (ANPD).

14. Security

Victor Aguiar Souza Springer adopts reasonable measures to protect data against unauthorized access, accidental loss, improper alteration, and abusive use, considering the nature of the service and available technical resources.

Where technically feasible, Cavac also seeks to reduce exposure of direct data in monitoring and diagnostic tools.

No system is completely invulnerable, and for that reason absolute security cannot be guaranteed.

15. Minors

Cavac is not intended for use by children under 13, unless applicable law requires a higher minimum age or authorization from a parent or guardian.

16. Changes

Victor Aguiar Souza Springer may update this Policy to reflect changes in the product, the providers used, service operation, or legal requirements. The current version will be made available together with its effective update date.

17. Language

This Policy may be made available in more than one language. In the event of a material divergence between versions, the Brazilian Portuguese version will prevail unless applicable law requires a different interpretation.

18. Contact

Questions, complaints, and privacy-related requests should be sent to contact@cavac.app.