Privacy Policy

GoMarketplace Exchange LLC is a company registered in the State of Delaware, United States ("Company", "we", "us", or "our"). We provide SaaS (Software as a Service) systems, website hosting and maintenance, and digital commerce services primarily to businesses located in Brazil.

Contact: [email protected]

We collect the following categories of personal information:

• Identity data: full name, company name, contact person name.
• Contact data: email address, phone number.
• Financial data: payment card information (processed exclusively by Stripe — we never store card numbers on our servers), billing address, transaction history.
• Technical data: IP address, browser type, device type, pages visited, session duration, referring URLs.
• Account data: login credentials (passwords stored as bcrypt hashes via Supabase Auth — we cannot read your password).
• Usage data: features accessed, actions performed within your client portal.
• Communication data: messages sent to us via our contact form or email.

We use your personal data for the following purposes:

• To create and manage your client account.
• To deliver and maintain the services you subscribe to.
• To process payments and send invoices through Stripe.
• To send service-related communications (billing alerts, system updates, maintenance notices).
• To respond to your support requests and inquiries.
• To comply with legal obligations under US law, Brazilian LGPD, and applicable international regulations.
• To detect, prevent, and respond to fraud, abuse, or security incidents.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

We process your personal data based on the following legal grounds:

• Contract performance: processing necessary to provide the services you contracted.
• Legal obligation: processing required by applicable law.
• Legitimate interests: fraud prevention, service security, and business operations.
• Consent: for optional communications and cookies (where required).

We only share your data with trusted third-party service providers that are necessary to deliver our services:

• Stripe Inc.— payment processing. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy at stripe.com/privacy.
• Supabase Inc. — cloud database and authentication hosting. Data stored on secure AWS infrastructure. See supabase.com/privacy.
• Vercel Inc. — website hosting. See vercel.com/legal/privacy-policy.

We may disclose your information if required by law, court order, or government authority.

We retain your personal data for as long as your account is active or as needed to provide services. After account termination:

• Account data is deleted within 90 days of request.
• Financial/billing records are retained for up to 7 years to comply with US tax and accounting regulations.
• Technical logs are retained for up to 12 months for security purposes.

Depending on your jurisdiction, you may have the following rights:

• Access: request a copy of your personal data.
• Correction: request correction of inaccurate data.
• Deletion: request deletion of your data ("right to be forgotten") — subject to legal retention obligations.
• Portability: request your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Restriction: request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at [email protected]. We will respond within 15 business days (LGPD) or 30 calendar days (GDPR/CCPA).

We implement industry-standard technical and organizational measures to protect your data:

• All data transmitted via HTTPS/TLS encryption.
• Passwords hashed using bcrypt (never stored in plain text).
• Database access protected by Row-Level Security (RLS) — each client can only access their own data.
• Stripe handles all payment card data (we are not PCI in-scope for card storage).
• Service-level credentials (API keys) stored as environment variables, never in code repositories.
• Security headers enforced on all pages (CSP, HSTS, etc.).
• Regular security reviews and dependency updates.

Despite our measures, no internet transmission is 100% secure. In the event of a data breach, we will notify affected users as required by applicable law.

GoMarketplace Exchange is based in the United States. If you are located in Brazil, the European Union, or another jurisdiction, your data may be transferred to and processed in the United States. We ensure such transfers comply with applicable data protection laws, including the Brazilian LGPD (Art. 33) and applicable international standards.

Our services are not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately.

We use cookies and similar technologies. Please see our Cookie Policy for details.

If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale of your personal information (we do not sell personal information); and not be discriminated against for exercising your rights. To submit a CCPA request, contact [email protected].

We may update this Privacy Policy from time to time. We will notify you of material changes by email or a prominent notice on our website at least 15 days before changes take effect. Continued use of our services after the effective date constitutes acceptance of the updated policy.

For any privacy-related questions or to exercise your rights, contact:

GoMarketplace Exchange LLC
Delaware, United States
Email: [email protected]