Last updated: May 2, 2026

Privacy Policy

This policy describes which personal data sumno collects, on what legal basis, how it is processed, and what your rights as a data subject are, in compliance with the Brazilian General Data Protection Law (LGPD, Law No. 13,709/2018).

This is a courtesy translation. If versions or translations of this document diverge, the Portuguese version prevails.

1. Controller

sumno (corporate name pending registration — CNPJ in the process of incorporation). Contact for privacy matters: dpo@sumno.com.br.

2. Data Protection Officer (DPO)

The role of data protection officer is held by sumno's founder. For any communication related to data protection — including exercising the rights set out in art. 18 of the LGPD — use the email dpo@sumno.com.br.

3. Data we collect

We collect only what is strictly necessary to deliver the service:

  • Registration: the email address provided at sign-in.
  • Product usage: search records (query, filters, result counts), papers viewed, summaries generated, and items saved to your library.
  • Product telemetry: anonymous or pseudonymized usage events (described in section 6).
  • Financial: Stripe customer identifier and subscription status. Card data is collected and stored by Stripe; sumno never has access to the full card number.
  • Operational: server error logs, without search or summary content.

4. Legal bases and purposes

Each item of data is processed under one of the hypotheses of art. 7 of the LGPD:

  • Performance of contract (art. 7, V): authentication, payment processing, delivery of the contracted features.
  • Consent (art. 7, I): product telemetry via PostHog — only after explicit acceptance in the cookie banner.
  • Legitimate interest (art. 7, IX): security, abuse prevention, and rate limiting — without affecting the fundamental rights of the data subject.
  • Legal and regulatory obligation (art. 7, II): retention of the minimum records required by the Brazilian Internet Civil Framework (Marco Civil da Internet, Law No. 12,965/2014).

5. Retention

Search history: 90 days from the date the search is recorded, with automatic daily purging. You can opt out of storing search history in My account.

Generated summaries: kept while the account is active, for reuse via cache (avoids repeating the AI call).

Personal library: kept while the account is active.

Subscription data: kept for the applicable mandatory fiscal retention period (at least 5 years after the last payment), under Brazilian law.

Access logs: up to 6 months, in compliance with the Marco Civil da Internet.

If you delete your account, all of the above is deleted, except what the law requires us to keep.

6. Sharing with processors

To operate the service, we share strictly necessary data with the following data processors:

  • Supabase (authentication and database) — hosted in the US. Sees: email, identifier, stored usage data.
  • Stripe (payments) — sees: cardholder name, email, billing address, card data (which stays with Stripe only). PCI-DSS compliant.
  • Anthropic (AI models) — sees: the abstract text sent for summarization. Does not see your email or account identifiers.
  • Resend (transactional email delivery) — sees: recipient email and sign-in link content.
  • PostHog (product analytics) — sees: pseudonymized identifier and usage events. IP is discarded at collection. Only after explicit consent in the banner.
  • Sentry (error reporting) — sees: stack traces and technical identifiers. No user data is sent.
  • Vercel (application hosting) — sees: HTTP requests, source IP (discarded after the request is processed).

7. Your rights as a data subject

Under art. 18 of the LGPD, you may, at any time:

  • Confirm whether your data is being processed.
  • Access the data we hold about you.
  • Correct incomplete, inaccurate, or outdated data.
  • Request anonymization, blocking, or deletion of unnecessary data or data processed in non-compliance.
  • Request data portability, subject to commercial and industrial secrecy.
  • Request deletion of data processed on the basis of consent.
  • Obtain information about data sharing.
  • Withdraw consent.

8. How to exercise your rights

Email your request to dpo@sumno.com.br. We respond within 15 calendar days of receipt. If the identity of the requester cannot be reliably verified, we may ask for additional documentation before acting on the request.

9. Cookies

Details about which cookies we use and how you can control them are in the consent banner shown on your first visit, and can be reviewed at any time. Essential cookies (sign-in session, security) are used on the basis of contract performance and do not depend on consent.

10. Security

We adopt reasonable technical and administrative measures to protect data against unauthorized access, loss, or alteration: TLS for data in transit, row-level security (RLS) policies in the database so that each account can only read its own rows, least-privilege administrative access, and security event logging.

11. International transfer

The processors listed in section 6 may keep copies of the data on servers outside Brazil (mainly the United States and the European Union). We select processors that offer adequate protection guarantees, under art. 33 of the LGPD.

12. Changes to this policy

We may update this policy to reflect changes in the service or in applicable regulation. Relevant changes are communicated by email and on this page. The date of the last update appears at the top of this document.

13. Competent authority

You may file complaints with the Brazilian National Data Protection Authority (ANPD) — www.gov.br/anpd — if you believe your rights were not honored.