Privacy Policy

This Privacy Policy describes how Chevere SpA ("Chevereto", "we", "us", or "our") collects, uses, and shares information when you use Chevereto Cloud and its related services ("Service"). By using the Service, you agree to the practices described in this policy.

For the purposes of applicable data protection law, the data controller is Chevere SpA, Victoria 1260, Concepción, Chile.

1. Information We Collect

We collect only the information necessary to provide and operate the Service.

Account Information

When you register for an account, we collect your name, email address, and a hashed password. We do not collect phone numbers, physical addresses, or any other personal information at sign-up.

Billing and Transaction Information

Payment processing is handled entirely by Paddle (Paddle.com Market Limited, UK), who acts as the Merchant of Record for all transactions. Paddle collects and stores your billing details, including payment method and billing address. We receive and store a mirror of transaction records (subscription status, invoice history, plan details) so you can view them within the Service. We do not have access to your payment card details.

Usage and Technical Data

We collect technical information required to operate the Service, including IP addresses, browser type, request logs, and session data. This data is used exclusively for security, abuse prevention, and internal diagnostics. We do not use third-party analytics services.

User-Uploaded Content

Chevereto Cloud is a Bring Your Own Storage (BYOS) service. Files and media you upload are sent directly to the external storage provider you configure (e.g., Amazon S3, Google Cloud Storage). We process uploads transiently and ephemerally. Your files pass through our infrastructure only for the duration required to complete the upload operation and its processing. Uploaded content is never mirrored, stored, copied, or retained on our systems.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery: to create and manage your account, authenticate you, and provide the features of the Service.
  • Communications: to send transactional emails such as account confirmations, password resets, and service notifications.
  • Billing: to display your subscription and transaction history, and to process renewals via Paddle.
  • Security and integrity: to detect and prevent fraud, abuse, and unauthorized access.
  • Legal compliance: to comply with applicable laws and respond to lawful requests from public authorities.

We do not use your data for advertising, profiling, or sale to third parties.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, and only to the extent necessary:

  • Paddle (Paddle.com Market Limited, UK): our Merchant of Record, who processes all payments and manages billing relationships. Paddle's own privacy policy governs its handling of payment data.
  • Amazon Web Services (AWS SES): used to deliver transactional emails. AWS processes email content in transit on our behalf.
  • Cloudflare, Inc. (USA): used as our content delivery network (CDN), for Turnstile (our privacy-first CAPTCHA service), and for Cloudflare for SaaS, which powers custom domain routing for the Service (including *.chevereto.app subdomains and user-configured custom domains). All HTTP requests to the Service, including those carrying authentication credentials and upload metadata, are proxied through Cloudflare's network. Cloudflare may process IP addresses, request headers, and request metadata as part of its network protection and routing services.
  • Infrastructure providers (USA): the servers and infrastructure hosting the Service are operated by providers located primarily in the United States. These providers process data on our behalf under contractual data processing terms.

We may also disclose your information if required by law, court order, or a request from a competent authority, or to protect the rights, property, or safety of Chevereto, our users, or the public.

Data Processing Agreements

Each subprocessor listed above operates under a Data Processing Agreement (DPA) or equivalent contractual terms that obligate them to process personal data only on our instructions and in accordance with applicable data protection law. Where relevant, their DPAs are publicly available:

  • Cloudflare: Cloudflare Data Processing Addendum, incorporated into the Self-Serve Subscription Agreement and Enterprise Subscription Terms of Service.
  • Paddle: DPA terms are included in Paddle's Merchant of Record agreement and governed by Paddle's own privacy policy.
  • AWS: Amazon's Data Processing Addendum is available through the AWS Service Terms.

4. Data Retention

We retain your account information for as long as your account is active. If you close your account or request deletion, we will delete your personal data within 30 days, except where retention is required by law (for example, financial transaction records required for tax compliance).

Transient data such as request logs may be retained for up to 90 days for security and operational purposes, after which they are permanently deleted.

5. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure. Passwords are stored using industry-standard hashing algorithms and are never stored in plain text.

No transmission over the internet is completely secure. While we take all reasonable steps to protect your information, we cannot guarantee absolute security.

6. How We Protect Your Privacy

Beyond general security measures, we have made deliberate architectural decisions to minimize privacy exposure. The following practices are built into the Service:

  • ID cloaking: Internal record identifiers are never exposed through any interface or API. Enumeration attacks targeting our user or resource IDs are not viable.
  • Isolated third-party identifiers: When interacting with Paddle (our Merchant of Record) or any other external service, we use a separate external identifier that is distinct from our internal IDs. We never expose internal IDs to third parties, and we do not provide any endpoint that allows mapping between external and internal identifiers.
  • No third-party login providers: We do not offer "Sign in with Google", "Sign in with GitHub", or any equivalent OAuth-based login. Our authentication system is fully owned and operated by us, with no dependency on external identity providers.
  • No email reputation lookups: We never submit your email address to Akismet, StopForumSpam, or any other third-party reputation or spam-detection service.
  • No content scanning: User-uploaded files are never inspected, scanned, or processed by any automated system on our side. Files pass through our infrastructure transiently and are stored exclusively in your own external storage.
  • No third-party email marketing recipients: Your email address is never shared with email marketing platforms. Any communications we send use self-hosted tooling, keeping your address entirely within our systems.
  • No behavioral analytics: We do not use session recording, heatmap tools, or behavioral analytics platforms such as Hotjar or FullStory. We have no visibility into how you interact with the interface beyond standard request logs.
  • Restricted employee access: Access to user account data by Chevereto staff is limited to cases where a user has opened a support ticket and explicitly requested assistance. Access is scoped to the assigned ticket.
  • Comprehensive audit logging: Account access, session activity, configuration changes, and infrastructure operations are recorded in dedicated audit logs, enabling review of any access or modification to your data.

7. Cookies

We use cookies and similar technologies strictly for the operation of the Service, including session management and authentication ("keep me logged in"). We do not use cookies for advertising or cross-site tracking.

Cloudflare Turnstile may set functional cookies as part of its bot-detection process. Cloudflare does not use Turnstile data for advertising purposes.

You can configure your browser to refuse cookies, but doing so may prevent certain features of the Service from functioning correctly.

8. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete personal data.
  • Delete your personal data (right to erasure).
  • Receive a copy of your personal data in a machine-readable format (data portability).
  • Object to or restrict certain processing activities.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at support@chevereto.com. We will respond within 30 days.

9. International Data Transfers

Chevere SpA is incorporated in Chile. The Service's infrastructure is located primarily in the United States. If you access the Service from a country with different data protection laws, your information will be transferred to and processed in the United States and Chile.

For users in the European Economic Area (EEA) or United Kingdom, such transfers are carried out under Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure an adequate level of data protection.

10. Children's Privacy

The Service is not directed to individuals under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice in the Service prior to the changes taking effect. The date at the top of this page reflects the last revision. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

For questions, requests, or concerns about this Privacy Policy or our data practices, please contact:

Chevere SpA
Victoria 1260, Concepción, Chile
support@chevereto.com

13. Additional Information for EEA and UK Users

If you are located in the European Economic Area (EEA) or the United Kingdom, this section applies to you in addition to the general policy above.

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): processing necessary to deliver the Service under our Terms of Service, including account management, authentication, and transactional communications.
  • Legitimate interests (Art. 6(1)(f) GDPR): processing for security, fraud prevention, and operational logging, where our interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c) GDPR): processing required to comply with applicable law.

Your GDPR Rights

In addition to the rights described in Section 7, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

International Transfers

Transfers of your personal data outside the EEA or UK are made on the basis of Standard Contractual Clauses (SCCs) as described in Section 8.

14. Additional Information for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may provide you with additional rights.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information: identifiers (name, email address, IP address) and commercial information (transaction and subscription records mirrored from our payment processor).

Sale or Sharing of Personal Information

We do not sell or share your personal information with third parties for cross-context behavioral advertising.

Your California Rights

Subject to verification of your identity, you may request to: know what personal information we collect about you; delete your personal information; correct inaccurate personal information; and opt out of any future sale or sharing (none currently occurs). To submit a request, email support@chevereto.com.

Governing Law

This Privacy Policy is governed by the laws of the Republic of Chile, specifically Ley N° 19.628 sobre Protección de la Vida Privada and its successor Ley N° 21.719 sobre Protección de Datos Personales (entering into force December 2026).

Nothing in this clause limits rights you may have under applicable local law, including the GDPR where it applies.