This policy describes how Pharma Global Pricing collects,
uses, stores and shares personal data. It applies to all visitors of
pharmaglobalprice.com and its related services.
1. Data we collect
- Registration: name, email, password (stored as a
bcrypt hash — never in plain text).
- Usage: searches performed (term, type, date),
packages purchased, token transactions.
- Payment: payments are processed exclusively via
Stripe and Mercado Pago. We do not store card data —
only the opaque transaction identifier returned by the provider.
- Technical: IP address, user agent, preferred
language (in operational logs only, retained for up to 30 days).
- Analytics (optional): if Google Analytics 4 or Tag
Manager is enabled, those platforms' standard trackers run. We do
not send personally identifiable data to Google.
2. How we use the data
- Operate the account, process searches and bill tokens.
- Send transactional emails (password recovery, search completion,
price-variation alerts for searches with active price-watch).
- Detect fraud, abuse and violations of the Terms of Use.
- Improve the product through aggregated and anonymized usage analysis.
3. Where data is stored
PostgreSQL database hosted on our own server in the European Union
(Hetzner, Germany). Daily backups stay on the same server for 30 days
and on an encrypted off-site destination. Transactional emails are sent
via authenticated SMTP (Titan/Flockmail provider). Payments transit
directly through the Stripe and Mercado Pago sites, outside our
servers.
4. Cookies and local storage
- Session: signed httpOnly cookie, required to keep
you logged in. The site does not work without it.
- Analytics (optional): if enabled, GA4/GTM set
their own cookies according to Google's policy.
We do not use behavioral advertising cookies. We do not sell, rent or
share personal data with third parties for marketing.
5. Sharing with third parties
Only with processors strictly necessary to the service:
- Stripe and Mercado Pago — payment
processing (subject to their own privacy policies).
- Hetzner Online GmbH — infrastructure provider (EU).
- Titan / Flockmail — transactional email delivery.
- Google (only if Analytics is enabled) — aggregated
anonymized metrics.
We do not share your individual queries with any third party nor with
the regulatory agencies consulted (we access the public sources in our
own name, not yours).
6. Retention
- Registration data: while the account is active.
- Search history: 12 months, then deleted/anonymized.
- Financial transactions: 5 years (tax obligation).
- Operational logs: 30 days.
7. Security
Mandatory TLS 1.2+ connections (HSTS preload), bcrypt-hashed passwords,
short-lived JWTs, rate-limiting on public APIs, app/database separation,
and daily backups. No system is 100% immune, but we follow best
practices aligned with the OWASP Top 10.
8. LGPD rights (Brazil — Law 13.709/2018)
As a personal-data subject resident in Brazil, you have the following
rights guaranteed by the LGPD:
- Confirmation and access: know whether we process
your data and receive a copy.
- Correction: update incomplete, inaccurate or
outdated data.
- Anonymization, blocking or deletion of unnecessary,
excessive or unlawfully processed data.
- Portability: receive your data in a structured
format (JSON) to take to another provider.
- Deletion of personal data processed with your
consent, except for cases of legal retention.
- Information about sharing — we list all processors
in section 5.
- Consent withdrawal at any time.
- Objection to processing carried out under a
consent-exemption hypothesis.
To exercise any of these rights, simply send an email to
[email protected] describing the request. We respond within 15 days.
9. Data Protection Officer (DPO)
The Data Protection Officer can be contacted at
[email protected].
10. Changes to this policy
Material changes will be notified by email 15 days in advance. The date
at the top of this page is always the most recent record.