Sign in Request demo

Privacy

Privacy Policy

eMate Cloud acts as a data processor for its enterprise customers. This document describes what personal data we handle, why, for how long, and what rights you have.

Effective: 2026-06-03 · Version: 1.0

1. Data controller

Huifi S.A. (operator of eMate Cloud) acts as controller for data we collect directly (website visitors, sales prospects) and as processor for data that our enterprise customers load into platform.emate.cloud.

Contact: [email protected] (designated DPO).

2. Applicable regulations

  • EU: GDPR (Regulation 2016/679) + ePrivacy Directive 2009/136/EC
  • UK: UK GDPR + Data Protection Act 2018
  • Brazil: LGPD (Lei 13.709/2018)
  • Argentina: Ley 25.326 + Disposición 11/2006
  • Mexico: LFPDPPP
  • Colombia: Ley 1581/2012
  • California: CCPA / CPRA (limited — we do not sell data)

3. Personal data we process

3.1 Visitors of www.emate.cloud

  • Server logs: IP, user-agent, requested page, timestamp (30-day retention)
  • UI preferences: language, light/dark theme (in your localStorage only)
  • Contact form: name, email, message (24 months from last interaction)

3.2 Dashboard users at platform.emate.cloud

  • Account: name, email, tenant, role
  • Auth: bcrypt password hash, encrypted TOTP seed, active JWT
  • Audit log: actions taken (365 days hot + 7 years WORM)
  • Support: tickets and conversations (36 months retention)

3.3 Data processed on behalf of customers

As processor, we handle what the customer loads: domains, DNS configs, DMARC RUA reports (which include sender source IPs — potentially PII in some jurisdictions). Retention is chosen by the customer (90-2555 days) via the dashboard retention policy.

4. Legal bases (GDPR Art. 6)

Purpose Legal basis
Deliver the contracted service Contract performance (6.1.b)
Tax / invoicing obligations Legal obligation (6.1.c)
Security (logs, audit, IR) Legitimate interest (6.1.f)
Commercial communications Consent (6.1.a) — opt-in
Functional cookies / localStorage Strictly necessary (ePrivacy art 5.3)

5. Sub-processors

Current list of providers that process data on our behalf:

Provider Purpose Region
Amazon Web Services Compute, storage, DNS, email us-east-1, sa-east-1
Cloudflare CDN, WAF, DNS Global edge
SendGrid (Twilio) Outbound transactional email US
Anthropic AI Summary (Claude API) US
Stripe Payments (paid plans) US/EU
MaxMind GeoIP / ASN lookup US
AbuseIPDB, VirusTotal, GreyNoise, OTX, URLhaus Threat Intelligence (public IPs) US/EU

Formal full list (data categories per provider, regions, transfer framework, signable version): /en/legal/sub-processors/. Printable / signable version available at the same URL ("Print / Save PDF" button).

6. International transfers

For transfers outside the EU/EEA we use 2021 Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Agreement (IDTA). AWS and Cloudflare are SCC signatories.

7. Data retention

Category Period
HTTP / access logs 30 days
Support tickets 36 months from closure
Inactive accounts Soft-delete + 90-day hard-purge
Audit log 365 days hot PostgreSQL + 7 years S3 WORM
DMARC reports Tenant-configurable (90-2555 days)
Billing 10 years (AR tax obligation)

8. Data-subject rights

You can exercise at any time:

  • Access: get a copy of your data
  • Rectification: correct inaccurate data
  • Erasure: "right to be forgotten" (subject to legal obligations)
  • Portability: receive your data in structured format (JSON/CSV)
  • Object: reject processing based on legitimate interest
  • Restriction: limit processing while a complaint is evaluated
  • Withdraw consent: at any time without retroactive effect

Requests: write to [email protected]. We respond within 30 calendar days (15 in AR). No fee for legitimate requests.

Authority complaints: EU: your national DPA · UK: ICO · AR: AAIP · BR: ANPD.

9. Security

We implement appropriate technical and organisational measures (TOMs) aligned with ISO 27001 Phase 2 (SOC 2 Type II in progress, target May 2027). Detail in COMPLIANCE.md.

In case of a breach with risk to data-subject rights, we notify the authority within 72 hours and the subject without undue delay (GDPR Art 33/34).

10. Cookies and local storage

We only use strictly-necessary cookies and localStorage. Full inventory in our Cookie Policy.

11. Changes

Material changes are notified at least 30 days in advance by email to active users and via a dashboard banner. The current version and history are at this permanent URL.

12. Contact

DPO / Privacy: [email protected]
Data subject requests (DSAR): [email protected]
Security: [email protected]
Sales: [email protected]