Privacy Policy
Last updated: May 14, 2026
This Privacy Policy describes how Claudlabs ("we", "us", or "our") collects, uses, and protects personal data when you use the Claudlabs Waitlist Service ("Service"). This policy applies to all users, including subscribers who join waitlists and operators who create and manage them.
This policy is written in compliance with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — LGPD, Law No. 13,709/2018) and applies to all users, including those located in Brazil.
1. Data We Collect
Subscribers (people who join a waitlist)
- Email address (required) — used to confirm your subscription and send notifications
- Name (optional) — if provided by you during signup
- Custom field metadata (operator-defined) — additional fields the waitlist operator may configure for collection
Operators (people who create and manage waitlists)
- Email address
- Name
- Avatar URL
- GitHub ID or Google ID (via OAuth authentication)
Automatically collected
- Session tokens (hashed before storage)
- Timestamps — creation and update times for records
2. Purpose of Processing
We process your personal data for the following purposes:
- Waitlist management and subscriber notifications — adding you to a waitlist and communicating updates
- Email confirmation (double opt-in) — verifying that you own the email address you provided
- Operator authentication and dashboard access — allowing operators to sign in and manage their waitlists
- Launch notification emails — notifying subscribers when a product or service launches
3. Legal Basis for Processing (LGPD Art. 7)
We process personal data under the following legal bases as defined by LGPD Article 7:
- Consent (Art. 7, I) — Subscribers provide consent when signing up for a waitlist. Operators provide consent when signing in via OAuth (GitHub or Google). Consent can be revoked at any time.
- Legitimate interest (Art. 7, IX) — We process certain data as necessary for the operation of the Service, including maintaining security, preventing abuse, and ensuring the platform functions correctly.
4. Data Sharing with Third Parties
We share personal data with the following third-party service providers, strictly as necessary to operate the Service:
Resend (email delivery)
Receives subscriber email addresses for the purpose of sending confirmation emails, launch notifications, and other transactional messages.
Cloudflare (infrastructure)
Provides the underlying infrastructure including Workers (compute), D1 (database), and KV (key-value storage) where your data is processed and stored.
GitHub (OAuth authentication)
Used for operator authentication. We receive your name, email, and GitHub ID when you sign in with GitHub.
Google (OAuth authentication)
Used for operator authentication. We receive your name, email, avatar, and Google ID when you sign in with Google.
Google Fonts (typography)
Used to load typefaces on the page. Your IP address may be shared with Google when fonts are loaded.
Note: We plan to remove this external dependency in a future update by self-hosting fonts.
5. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
| Data | Retention Period |
|---|---|
| Subscriber data | Until deletion is requested by the subscriber, or the operator deletes the waitlist |
| Operator data | Until account deletion |
| Session data | 30-day expiry |
| Magic link tokens | 15-minute expiry |
| OAuth state tokens | 10-minute expiry |
6. Your Rights (LGPD Art. 18)
Under the LGPD, you have the following rights regarding your personal data. To exercise any of these rights, contact us at the email address listed in Section 8.
- Confirmation of processing — You may request confirmation that we process your personal data.
- Access to data — You may request access to the personal data we hold about you.
- Correction of data — You may request correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion — You may request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD.
- Data portability — You may request the transfer of your personal data to another service provider.
- Deletion of data processed with consent — You may request deletion of personal data processed on the basis of your consent.
- Information about shared data — You may request information about which third parties your data has been shared with.
- Revocation of consent — You may revoke your consent at any time. This will not affect the lawfulness of processing carried out prior to the revocation.
7. Cookies
We use a single cookie strictly for authentication purposes:
Cookie name: session
- Purpose: Authentication — maintains your signed-in session
- Flags: HttpOnly, Secure, SameSite=Lax
- Expiry: 30 days
We do not use tracking cookies, analytics cookies, or any third-party cookies.
8. Data Protection Officer (Encarregado)
For any questions about this Privacy Policy, to exercise your data subject rights, or to file a complaint, please contact our Data Protection Officer:
Email: b@claudlabs.com
9. Security Measures
We implement the following technical measures to protect your personal data:
- All tokens (session, magic link, OAuth state) are hashed with SHA-256 before storage
- Cookies are transmitted over HTTPS only (Secure flag enabled)
- Input validation is enforced on all API endpoints
- HTML sanitization is applied to email templates to prevent injection attacks
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.