Privacy Policy
Last updated: May 31, 2026
1. Roles and scope
Tesserra operates the platform at tesserra.io. Under applicable data protection law (including LGPD and GDPR where relevant), we act as controller for registration, billing, and commercial relationship data, and as processor for data the Customer stores and processes on the Platform on behalf of their Organization.
2. Data processed
- Registration and account: name, work email, organization, role, IP address, and authentication records.
- Payment: processed by Stripe (PCI DSS). Tesserra does not store full card numbers.
- Platform operation: domains, DNS records, email configuration, files, project metadata, and resource usage.
- Support and communication: ticket content, contact forms, and commercial correspondence.
- Audit and security: login logs, authentication failures, administrative actions, and infrastructure events.
3. Purposes
Data is used to provision and operate the Platform, authenticate users, process billing, provide support, meet legal and regulatory obligations, improve security, and — when authorized — communicate relevant service updates.
4. Sharing
We share data only with subprocessors essential to operations: Stripe (payments), infrastructure and hosting providers, and communication tools required for support. We do not sell personal data. Subprocessors are selected using security criteria aligned with Platform risk.
5. International transfers
Data may be processed outside Brazil depending on the cluster locations chosen by the Customer or on subprocessors' residency. Where applicable, we use contractual clauses and technical measures to protect transferred data.
6. Security
We apply logical per-Organization isolation, encryption in transit (TLS 1.2+), bcrypt (cost 12) password hashing, rate limiting, account lockout, security headers, and server-side logging of selected sensitive events. Additional details are in the platform security documentation.
7. Retention
We retain data while the account is active and for the period required after closure to meet fiscal, contractual, and legal obligations — typically up to five years unless a different requirement applies. Backups follow a compatible expiration policy.
8. Data subject rights
Data subjects may request confirmation, access, correction, anonymization, portability, deletion, or information about sharing via the contact form (topic: privacy/data protection). We respond within applicable legal timeframes.
9. Cookies
We use cookies strictly necessary for authentication and language preferences. We do not use advertising or commercial profiling cookies.
10. Changes
This Policy may be updated. Material changes will be communicated at least 30 days in advance by email or notice in the console.