1. Who is the controller
This blog is maintained by Lairton Mendes (individual), responsible for decisions about the processing of personal data collected here. Contact: lairton.mendes@gmail.com.
2. What data we collect
We collect only the data strictly necessary to run the blog:
- Comments: name (published), email (not published) and the comment body.
- Newsletter: email address and a record of consent (timestamp, policy version).
- Outbound link clicks: anonymized IP address (last octet zeroed for IPv4, last 80 bits zeroed for IPv6), user-agent and referrer, used only for aggregate counting.
- Server logs: IP address and technical metadata of each request.
3. Purpose and legal basis
- Comments — purpose: enable public discussion of posts; legal basis: consent (art. 7, I of the LGPD).
- Newsletter — purpose: notify about new posts; legal basis: consent (art. 7, I), with email confirmation (double opt-in).
- Link clicks — purpose: measure aggregate interest in external references; legal basis: legitimate interest (art. 7, IX).
- Logs — purpose: application security and abuse prevention; legal basis: legitimate interest (art. 7, IX).
4. Retention
- Approved comments: as long as the post is published.
- Spam-marked comments: up to 90 days, then deleted.
- Unconfirmed subscribers: 7 days to confirm; after that the record is deleted.
- Confirmed subscribers: until you request to unsubscribe.
- Link clicks and logs: up to 12 months.
5. Sharing
We don't sell or share your data with third parties for commercial purposes. Data is stored on our own servers (MySQL database managed via Kamal/Docker). Infrastructure providers may have technical access strictly for hosting and backup.
6. Cookies
We use two categories of cookies:
- Necessary (always active): Rails session and CSRF protection. The site won't work without them. Legal basis: legitimate interest.
- Analytics (optional): Google Analytics 4, only loaded if you click Accept in the cookie banner. Legal basis: consent. You can revisit the decision at any time via Cookie preferences in the footer.
6.1. Google Analytics and international transfer
When you accept analytics cookies, we use Google Analytics 4 (processor: Google LLC, headquartered in the United States) to measure aggregate audience. The data collected includes a client identifier, IP address (anonymized by Google itself), pages visited, device and browser.
This is an international data transfer (art. 33 of the LGPD) to the United States, based on the consent you give in the banner (art. 33, VIII). Google acts as a processor under the Google Ads Data Processing Terms and equivalents.
You can withdraw consent at any time by clicking Cookie preferences in the footer and choosing Reject — from that moment on, Google Analytics is no longer loaded on your visits.
7. Your rights (art. 18 of the LGPD)
At any time and at no cost, you have the right to: confirm the existence of processing, access your data, correct incomplete/incorrect data, anonymize/block/delete data, request portability, withdraw consent and be informed about sharing.
To exercise any of these rights, use the form at /meus-dados or email the DPO (below). We'll respond within 15 days.
8. Security
We adopt reasonable technical and administrative measures to protect your data, including HTTPS, access controls on the admin area and filtering of sensitive data in logs. No system is 100% safe; in the event of a security incident that may cause relevant risk or harm, we'll notify the ANPD and affected data subjects as required by art. 48 of the LGPD.
9. Changes to this policy
This policy may be updated. The current version is shown at the top of this page. Material changes will be flagged to newsletter subscribers.
Data Protection Officer (DPO)
The DPO is the person responsible for receiving your requests, questions and complaints about the processing of your personal data.
DPO contact: lairton.mendes@gmail.com