Privacy Policy

Last updated: 2026-02-16

1. Introduction and Data Controller

This Privacy Policy (version 1.0, effective February 16, 2026) describes how StringLab Tecnologia Ltda ('StringLab', 'we', 'our') collects, uses, stores, and protects your personal information when you use our tennis racket stringing management platform. We are committed to protecting your privacy and complying with Brazil's General Data Protection Law (LGPD - Law 13.709/2018), the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Data Controller:

StringLab Tecnologia Ltda

Brazil

2. Data We Collect

We collect different types of information depending on how you use our services:

| Category | Data Collected | Purpose |
|---|---|---|
| Account Data | Name, email, password (cryptographic hash), profile photo (URL), account type (player/shop), email verification date | Account creation and management, authentication |
| Racket and Setup Data | Brand, model, technical specifications (weight, balance, stiffness), serial number, nickname, strings used, tension, stringing history, performance feedback (power, control, comfort, spin), QR code token | Provide core service: history, versioning, and setup recommendations |
| Usage and Technical Data | IP address, browser type, user agent, pages visited, access times, error events (via Sentry), push notification data (endpoint, public keys) | Improve service, detect issues, ensure security, deliver push notifications |
| Payment Data | Stripe customer ID, subscription and invoice IDs, payment status, invoice URLs. We do not store credit card data - it is processed directly by Stripe | Process subscriptions, payments, and invoice generation |

3. How We Use Your Data

We use your data to:

  • Provide and maintain StringLab services (racket registration, stringing jobs, feedback, QR codes, shop workflow)
  • Communicate with you about your account, service updates, and support via email (Resend) and push notifications
  • Analyze and improve our services, develop new features using aggregated and anonymized data
  • Protect against fraud, abuse, and technical issues, manage sessions and authentication tokens
  • Comply with legal and regulatory obligations, including tax data retention
  • Send marketing communications (only with your explicit consent, which can be withdrawn at any time)

5. Legal Basis for Processing

We process your data based on:

  • Contract Performance (LGPD Art. 7, V / GDPR Art. 6(1)(b)): Necessary to provide the services you requested, including account management, racket registration, and shop services
  • Consent (LGPD Art. 7, I / GDPR Art. 6(1)(a)): For marketing, non-essential cookies, health data (arm sensitivity), AI profiling, and push notifications. You can withdraw at any time without affecting basic services
  • Legitimate Interest (LGPD Art. 7, IX / GDPR Art. 6(1)(f)): For service improvements with aggregated data, security, fraud prevention, and error monitoring
  • Legal Obligation (LGPD Art. 7, II / GDPR Art. 6(1)(c)): To comply with legal requirements, including shop tax data retention and consent record-keeping

6. Data Retention

We retain your data according to the specific periods indicated in Section 2 for each category. In summary: account data is kept while the account is active; tax and payment data for 5 years per tax law; technical logs for 90 days; consent records for 5 years after revocation. Accounts inactive for more than 3 years will be notified and, if there is no response within 30 days, deleted. You can request account deletion at any time through settings or by contacting our DPO. Deletion follows the 30-day grace period process described in our Terms of Service.

7. Your Rights

You have the following rights regarding your personal data, guaranteed by LGPD and GDPR:

  • Right to Access (LGPD Art. 18, II / GDPR Art. 15): Know what data we have about you and obtain a copy
  • Right to Rectification (LGPD Art. 18, III / GDPR Art. 16): Correct inaccurate or incomplete data
  • Right to Erasure (LGPD Art. 18, VI / GDPR Art. 17): Request deletion of your data ('right to be forgotten'), except where legal retention obligations apply
  • Right to Restriction (GDPR Art. 18): Limit how we use your data in certain circumstances
  • Right to Portability (LGPD Art. 18, V / GDPR Art. 20): Receive your data in a structured, machine-readable format (JSON)
  • Right to Object (LGPD Art. 18, IV / GDPR Art. 21): Object to processing based on legitimate interest or AI profiling
  • Consent Withdrawal (LGPD Art. 18, IX / GDPR Art. 7(3)): Withdraw consent for marketing, cookies, AI, and push notifications at any time, without affecting the lawfulness of prior processing

10. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience. Essential cookies are necessary for the site to function (authentication, session, language preferences). Analytics cookies (Sentry) help us monitor errors and improve the service. Marketing cookies are used only with your consent. You can manage your cookie preferences at any time through the cookie banner or in your account settings.

11. Third-Party Services and Data Sharing

We share data with third parties only when necessary to operate our service. We do not sell your data. Third parties include:

  • Stripe (USA): Payment processing for B2B and Pro plans, PCI-DSS compliant. Data shared: email, customer and subscription IDs
  • Sentry (USA): Error and performance monitoring. Data shared: technical error data, anonymized IP, user agent
  • Google (USA): Google OAuth authentication (optional). Data shared: email, name, profile photo

12. International Data Transfers

Your data is stored on servers in Brazil. Some third-party services (Stripe, Sentry, Google, Cloudflare, Resend) may process data in the United States and other countries. These transfers are protected by: Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy certifications where available; third-party privacy policies that meet LGPD and GDPR requirements. You may obtain copies of transfer safeguards by contacting our DPO.

14. Children's Privacy

Our services are not directed to children under 16 in the European Union (per GDPR Art. 8) or under 13 in other jurisdictions. We do not knowingly collect data from minors. If you are a parent or guardian and believe your child has provided data without parental consent, contact us at [email protected] so we can delete the data.

15. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email or site notice at least 30 days in advance. The current version and version number are at the top of this document. Changes requiring new consent will only apply after your acceptance.

16. Contact and Data Protection Officer (DPO)

To exercise your rights, ask questions, or make privacy complaints, contact us:

Email: [email protected]

Data Protection Officer (DPO): [email protected]