Privacy Policy

Last updated: June 16, 2026

This Privacy Policy explains how BRLabs Ltda. (“Martex”, “we”, “us”) collects, uses, stores, and protects your personal data when you use the Martex platform at themartex.com.

1. Who we are

Martex is a SaaS platform operated by BRLabs Ltda., a Brazilian limited liability company registered under CNPJ 61.115.832/0001-48, with registered office at Rua Pais Leme, 215, Conj 1713, Pinheiros, São Paulo - SP, ZIP 05424-150, Brazil.

For privacy-related questions or to exercise your rights, contact our Data Protection Officer at brlabsgroup@gmail.com.

2. What data we collect

2.1 Account data

When you sign up: your name, email address, and a password (stored hashed by Firebase Authentication, never in plain text).

2.2 Authentication & Google API integrations

When you connect Google APIs (Google Analytics 4, Google Tag Manager, Google Sheets, Google Drive) via OAuth 2.0: we receive an access token and a refresh token. Refresh tokens are encrypted at rest using Google Cloud KMS before being stored in our database. We never receive or store your Google password.

We only request the scopes you have authorized, and we use these scopes solely to perform the operations you initiate within the platform.

2.3 Payment data

Payment processing is delegated to Stripe, Inc. Martex never receives or stores full card numbers, CVVs, or full billing addresses. We retain only: Stripe Customer ID, Stripe Subscription ID, subscription status, current period end, billing currency, the last 4 digits of the card on file (for display only), and invoice records.

2.4 Data generated via the Chrome extension

The Martex Chrome extension, when installed by you, captures the following from websites you visit during audit sessions: dataLayer events, network requests to tracking services (GA4, GTM, Meta Pixel, etc.), cookies and storage entries, and DOM elements you interact with.

This data is processed in your browser and only sent to Martex servers when you explicitly initiate an audit or save a session. The extension does not transmit data in the background or without your action.

Permissions required by the extension and their purposes:

  • host_permissions: <all_urls> — to instrument tracking on any site you audit
  • webRequest — to capture tracking pixel network calls
  • storage — to persist your extension preferences locally

2.5 Platform usage data

When you use the platform: workspace names, client names, dataLayer blueprints you create, audit results, monitoring scenarios (Pulse), event configurations, comments, custom dimensions, and similar configuration data.

2.6 PII detection

Martex includes automated detection of personally identifiable information (PII) such as email addresses, CPFs, CNPJs, credit card patterns, and phone numbers, inside event parameters and user properties read from Google Analytics.

We detect, flag, and report; we do not store the actual PII values. Detection reports show counts and parameter names only — never the offending strings themselves.

2.7 Cookies and similar technologies

We use strictly necessary cookies for authentication (session token), language preference, and security (CSRF protection). We do not use third-party analytics cookies on the platform itself.

A separate Cookie Notice will be published documenting every cookie individually.

3. How we use your data

We process your data to:

  • Provide the Martex platform (creating and managing audits, blueprints, monitoring, alerts)
  • Send transactional emails (password reset, billing notifications, monitoring alerts) via Resend
  • Process payments via Stripe
  • Authenticate with Google APIs on your behalf (only with your explicit OAuth consent)
  • Improve the platform via aggregated, anonymized usage patterns (no individual user profiling)
  • Comply with legal obligations (tax records, fraud prevention)

4. Subprocessors

We rely on the following third-party processors. Each is contractually bound to data protection obligations and processes data only on our documented instructions.

Subprocessor | Purpose | Location
Google LLC (Firebase, Cloud Functions, KMS, Firestore) | Authentication, storage, compute, encryption | United States (us-central1)
Vercel Inc. | Frontend hosting and edge delivery | Global edge network
Stripe Inc. | Payment processing | United States, Ireland
Resend Inc. | Transactional email delivery | United States
Google APIs (via your OAuth) | GA4, GTM, Sheets, Drive integrations | Your Google account region

We do not sell your personal data. We do not share data with any third party that is not a contractually bound subprocessor listed above.

5. International data transfers

Martex stores data in Google Cloud's us-central1 region (Iowa, United States). Vercel may cache static assets globally on its edge network. These transfers from Brazil to the United States are governed by standard contractual clauses (SCCs) and adhere to LGPD Article 33 requirements.

If you are located in the European Union or United Kingdom, the same SCCs satisfy GDPR Articles 44–49 and the UK International Data Transfer Agreement.

6. Your rights

Under the LGPD (Brazilian Law 13.709/2018) and, where applicable, the GDPR and UK GDPR, you have the right to:

  • Access — request a copy of personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Deletion — request deletion of your data (“right to be forgotten”)
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — revoke OAuth access or any consent at any time
  • Lodge a complaint — with the Brazilian National Data Protection Authority (ANPD), or your local supervisory authority in the EU/UK

To exercise any of these rights, email brlabsgroup@gmail.com. We respond within 15 business days as required by LGPD Article 19.

You can revoke Google OAuth access at any time at myaccount.google.com/permissions without contacting us.

7. Data retention

We retain your data while your account is active. After you cancel your subscription or delete your account:

  • 30 days post-cancellation: data is retained in a soft-deleted state, recoverable on request
  • After 30 days: complete and irreversible deletion from our active databases. We do not keep long-term backups beyond this window.

Some data may be retained beyond 30 days only if required by law (e.g., financial records for tax purposes, typically 5 years per Brazilian tax code).

8. Security

  • All data in transit is encrypted via TLS 1.2 or higher
  • All data at rest is encrypted (Google Cloud default + KMS for sensitive fields such as OAuth refresh tokens)
  • Passwords are never stored in plain text (bcrypt hashing via Firebase Authentication)
  • Principle of least privilege for internal access
  • Regular security review of code dependencies

No system is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the ANPD as required by LGPD Article 48.

9. Children

Martex is not directed to children under 18 years old. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email to registered users at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

11. Contact

BRLabs Ltda. (CNPJ 61.115.832/0001-48)
Rua Pais Leme, 215, Conj 1713, Pinheiros
São Paulo - SP, 05424-150, Brazil

Data Protection Officer: Caue Bertolino
Email: brlabsgroup@gmail.com