Privacy Policy — SuperDMZ
Last updated: June 1, 2026
DestinoLivre Tecnologia Ltda, operator of the SuperDMZ service, takes your privacy seriously. This policy describes what data we collect, how we use it, with whom we share it, and your rights, in compliance with Brazil's LGPD (Law 13.709/2018) and the EU's GDPR.
For technical details on how traffic inside tunnels is processed (TLS, log retention, opaque TCP mode) and our vulnerability disclosure policy, see our Security page.
1. Data controller
2. Data we collect
- Account: name, email and password (stored only as a one-way hash — not even we can recover it; bcrypt algorithm).
- Billing: handled entirely by Stripe. We do not store credit card numbers on our servers — we only receive the payment status, last 4 digits and brand.
- Service usage: tunnels created (hostname, allowed IPs, port), aggregated traffic per tunnel and per month, online/offline status.
- Technical logs: IP address, browser, date and time, actions performed in the panel (create/edit/delete tunnel, login). Tunnel access tokens are automatically redacted in logs.
- Communication: messages sent through the contact or support forms (name, email and content).
3. How we use your data
- Operate and maintain the service (authentication, tunnel provisioning, billing).
- Send operational notifications by email (2FA verification, tunnel offline, payment receipts).
- Detect and prevent fraud, abuse and attacks against the infrastructure.
- Comply with legal and tax obligations.
- Improve the product (aggregated and anonymous usage analytics).
4. Legal bases for processing
5. Sharing with third parties
- Stripe (USA) — payment processing. Receives name, email and card data (sent directly from your browser via Stripe Elements, never passing through our servers).
- Brevo / Sendinblue (EU) — transactional email delivery (2FA, welcome, alerts).
- GoDaddy (USA) — creation and removal of DNS records (CNAME for HTTP tunnels on the dmzgate.com domain).
- Cloudflare (USA) — authoritative DNS for the superdmz.com domain (does not receive your personal data — only DNS queries).
- Anthropic (USA) — AI provider used for specific panel features; per Anthropic's commercial terms, data sent via the API is not used to train models.
- Google (Google Ads) (USA) — advertising tag (gtag.js, loaded from googletagmanager.com) for conversion measurement and remarketing of our campaigns. Sets advertising cookies in your browser.
We never sell, rent or assign your data for third-party advertising or marketing. Our use of Google Ads is solely to measure and promote our own campaigns.
6. Cookies and similar technologies
PHPSESSID— required to keep your session logged in (essential).sdmz_lang— stores your selected language (preference, expires in 1 year)._csrf— protects forms against CSRF attacks (essential).sdmz_cookie_ok— records that you have seen this notice (preference).Google cookies (_ga, _gcl_*, etc.)— set by the Google Ads tag (gtag.js) for conversion measurement and remarketing of our advertising campaigns (third-party).
For advertising, we use the Google Ads tag (gtag.js), which sets third-party cookies to measure conversions and remarket our ads. We do not use social network cookies or third-party analytics. You can manage or opt out of these cookies in Google Ad Settings and in your browser options.
7. How long we keep data
- Active account: for as long as your account exists.
- Deleted account: data is purged 48h after deletion confirmation (there is a recovery window via email link).
- Invoices and tax records: 5 years after the last payment, per legal requirement (tax and accounting).
- Access logs (nginx): 14 days, with tokens automatically masked.
- Application logs (audit): 90 days.
8. Your rights as data subject
- Request access to your data.
- Fix incorrect data directly in the panel (Account page).
- Change your primary email (with code confirmation + alert to the old email).
- Request account deletion directly in the panel.
- Request data portability (export in a readable format).
- Withdraw consent and revoke processing authorizations.
- File a complaint with the data protection authority (ANPD in Brazil, your local DPA in the EU).
Written requests: [email protected].
9. Security
10. Processing of minors' data
In compliance with applicable data protection law (LGPD Art. 14 in Brazil, GDPR in the EU), if we become aware that an account was created by someone under 18 without the specific and highlighted consent of at least one parent or legal guardian, the account will be suspended and associated data will be deleted. Legal guardians who identify this situation can request immediate deletion at [email protected].
11. Changes to this policy
12. Contact
DestinoLivre Tecnologia Ltda — Brazil.