Privacy Policy
Vulcan Drive · byvulcan.com
Last updated: April 5, 2026
Version 2.0
1. Who we are
Vulcan Drive is a cloud storage service operated by Vulcan Apps (byvulcan.com), based in Brazil. This Privacy Policy describes how we collect, use, store and protect your personal data, in compliance with Brazil's General Data Protection Law (LGPD — Law No. 13.709/2018), the General Data Protection Regulation (GDPR — EU Regulation 2016/679), and the California Consumer Privacy Act (CCPA/CPRA — California Civil Code §1798.100 et seq.).
2. Data we collect
We collect only the data strictly necessary to operate the service:
• Account data: email, password (stored as bcrypt hash), optional display name. Legal basis: Contract execution (LGPD art. 7.II, GDPR art. 6.1.b).
• Usage data: metadata of uploaded files (name, size, MIME type, upload date). We do not read your file content beyond what is necessary for AI indexing — and this content is sanitized before any external transmission. Legal basis: Legitimate interest (LGPD art. 7.IX, GDPR art. 6.1.f) — necessary to provide indexing and search functionality.
• Technical data: IP address, browser agent, session cookies — used exclusively for secure authentication and fraud prevention. Legal basis: Legitimate interest (LGPD art. 7.IX, GDPR art. 6.1.f) — security and fraud protection.
• Payment data: processed exclusively by Stripe and Asaas. Vulcan Drive never stores card data. Legal basis: Contract execution (LGPD art. 7.II, GDPR art. 6.1.b).
• AI classification data: anonymized file metadata for indexing and tagging purposes. Legal basis: Legitimate interest (LGPD art. 7.IX, GDPR art. 6.1.f) — service improvements.
3. Legal basis for processing
Our data processing activities are grounded in the following legal bases under LGPD, GDPR and CCPA:
PROCESSING ACTIVITY | LGPD LEGAL BASIS | GDPR LEGAL BASIS | CCPA LEGAL BASIS
────────────────────────────────────────────────────────────────────────────────────────
Account creation and maintenance | Art. 7.II (Contract) | Art. 6.1.b (Contract) | Necessary for contract execution
Secure authentication and access | Art. 7.IX (Legitimate) | Art. 6.1.f (Legitimate) | Legitimate business interest
Fraud prevention/security | Art. 7.IX (Legitimate) | Art. 6.1.f (Legitimate) | Legitimate business interest
Payment processing | Art. 7.II (Contract) | Art. 6.1.b (Contract) | Necessary for contract execution
AI-powered indexing and tagging | Art. 7.IX (Legitimate) | Art. 6.1.f (Legitimate) | Legitimate business interest
Transactional communications | Art. 7.II (Contract) | Art. 6.1.b (Contract) | Necessary for transactional contact
Compliance with legal obligation | Art. 7.III (Obligation) | Art. 6.1.c (Obligation) | Legal requirement
Under CCPA, you have the right to know the purposes we use your data for and to receive disclosure about any sale or sharing of personal information (which does not occur in this service).
4. How we use your data
Your data is used to:
• Authenticate your access and keep your session secure.
• Organize, index and display your files within the service.
• Generate intelligent tags and suggestions via AI (with prior PII sanitization — see Section 6).
• Send essential transactional communications (password reset, email confirmation, security notifications).
• Comply with legal and regulatory obligations.
Explicit commitments:
— We do NOT use your data for automated decision-making with legal or significant effects (GDPR art. 22). We do not create behavioral profiles.
— We do NOT use your data for behavioral advertising or targeted advertising.
— We do NOT sell your data. We do NOT share your files with third parties without your explicit authorization.
5. Storage and security
File and data storage:
• All files are stored in Cloudflare R2 with AES-256 encryption at rest, in multiple regions (US/EU).
• All account data and metadata are stored in Supabase (AWS us-east-1 infrastructure) with AES-256 encryption at rest.
• All communication between you and our servers uses TLS 1.3 (encryption in transit).
• Backups are performed across multiple geographic regions with redundancy.
Access control:
• Internal access to data is restricted by role-based access control (RBAC).
• Passwords are never stored in plain text; we use bcrypt with random salt.
• Two-factor authentication can be enabled by users.
Audit and monitoring:
• Audit logs are retained for 90 days.
• Access logs are recorded and reviewed regularly.
• We conduct annual independent third-party security reviews.
Incident response:
• In case of a data breach affecting your personal data, we will notify competent authorities and affected users within 72 hours (GDPR art. 33), as required by law.
6. Privacy and Artificial Intelligence
Vulcan Drive uses AI (Claude Haiku by Anthropic) to classify and tag your files. We have implemented a multi-layer privacy pipeline:
• Sensitive files (passwords, bank statements, medical exams, legal documents, API keys) are detected locally and NEVER sent to external AI models.
• Before any AI processing, we remove detectable PII: tax IDs, names, emails, phone numbers, credit cards, API keys and other identifiable data are replaced by neutral tokens.
• The AI model receives only anonymized text and file metadata — never raw identifiable data.
• Replacement tokens exist only for the lifetime of the request and are never persisted.
• Data sent to Anthropic is governed by a Data Processing Agreement (DPA) that prohibits use for model training.
• No data is used to improve AI models or for training. Processing is limited to classification and tagging.
• You can disable AI processing at any time in your account privacy settings.
7. Data sharing and sub-processors
We may share data with third parties (sub-processors) only in the following situations:
DATA SHARING WITH INFRASTRUCTURE PROVIDERS:
The following sub-processors operate under data processing agreements compatible with LGPD, GDPR and CCPA:
Sub-processor | Function | Location | DPA
────────────────────────────────────────────────────────────────────────────────────────
Supabase | Database, authentication, API | US (AWS) | supabase.com/dpa
Cloudflare R2 | File storage, CDN | US/EU | cloudflare.com/dpa
Vercel | Web application hosting | US | vercel.com/dpa
Stripe | Payment processing (intl) | US/EU | stripe.com/dpa
Asaas | Payment processing (BR) | Brazil | asaas.com/termos
Anthropic | AI indexing (Claude Haiku) | US | anthropic.com/policies
All sub-processors operate under Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs) that ensure protection equivalent to LGPD, GDPR and CCPA.
LEGAL REQUIREMENT:
• When ordered by competent judicial authority (warrant, subpoena), within the limits of the law.
• We will make efforts to notify you, unless prohibited by law.
RIGHTS PROTECTION:
• In case of violation of Terms of Use requiring legal response or fraud investigation.
EXPLICIT COMMITMENTS:
— We never sell or rent your data to third parties.
— We never share data for behavioral or targeted advertising.
— We never share your personal files without explicit authorization.
8. International data transfers
Your data may be transferred to the United States and European Union through the following legal mechanisms:
TRANSFER MECHANISMS:
• Standard Contractual Clauses (SCCs) — standard agreements approved by the European Commission and compliant with GDPR Chapter V.
• Data Processing Agreements (DPAs) — specific contracts that include adequate transfer clauses.
• Encryption in transit (TLS 1.3) and at rest (AES-256) — reduces exposure risks during transfer.
JUSTIFICATION:
• Supabase (AWS us-east-1): database and authentication.
• Cloudflare R2 (US/EU): file storage and CDN.
• Vercel (US): web application hosting.
• Anthropic (US): AI processing for indexing.
• Stripe (US/EU): international payment processing.
COMPLIANCE:
• All transfers comply with LGPD art. 33 (consent or contractual necessity) and GDPR Chapter V (Standard Contractual Clauses).
• For EU residents: you have the right to know about transfers and may exercise rights with your local data protection authority.
• For California residents: information about overseas transfer is disclosed in this policy.
9. Data retention
We retain your data only as long as necessary to fulfill the stated purposes. Specific retention periods:
ACCOUNT DATA:
• Retained while your account is active.
• After closure: 30 days retention (for recovery), then permanent hard-delete.
FILES IN TRASH:
• Retained for 30 days.
• After 30 days: permanent and irrecoverable deletion.
AUDIT LOGS:
• Retained for 90 days.
• Then automatically removed.
AI CLASSIFICATION LOGS:
• Retained for 180 days (for quality analysis and service improvement).
• Then automatically anonymized and removed.
PAYMENT RECORDS:
• Retained for 5 years (legal obligation for tax and accounting purposes).
• Then removed, unless subject to an audit or pending litigation.
CONSENT RECORDS:
• Retained for 5 years (audit and regulatory compliance).
EXCEPTIONS (Extended Retention):
• If there is a pending legal process, extended retention will be maintained until its conclusion.
• If there is a fraud investigation, data may be retained as necessary.
You can request deletion at any time (right to be forgotten — GDPR art. 17, LGPD art. 18.IV). We will delete your data within 30 days, except where retention is legally required.
10. Your rights under LGPD, GDPR and CCPA
You have the following rights regarding your personal data:
RIGHT TO ACCESS (LGPD 18.I, GDPR 15, CCPA 1798.100):
• Confirm whether we process your personal data.
• Request a copy of all data we hold about you.
• Response within 15 days (LGPD) or 30 days (GDPR/CCPA).
RIGHT TO CORRECTION (LGPD 18.II, GDPR 16, CPRA 1798.106):
• Correct incomplete, inaccurate or outdated data.
• Request that we update your data.
• Response within 15 days (LGPD) or 30 days (GDPR/CCPA).
RIGHT TO DELETION / RIGHT TO BE FORGOTTEN (LGPD 18.IV, GDPR 17, CCPA 1798.105):
• Request deletion of your personal data.
• Limitations: data necessary for security, legal compliance or rights defense may be retained.
• Response within 15 days (LGPD) or 30 days (GDPR/CCPA).
RIGHT TO DATA PORTABILITY (LGPD 18.V, GDPR 20):
• Request your data in structured, common and machine-readable format (e.g.: JSON, CSV).
• Right to transfer data to another service.
• Response within 15 days (LGPD) or 30 days (GDPR).
RIGHT TO WITHDRAW CONSENT (LGPD 8, GDPR 7.3):
• If you consent to processing, you can withdraw at any time.
• Withdrawal does not affect processing carried out before the request.
RIGHT TO OBJECT (LGPD 18.VI, GDPR 21):
• Object to processing of your data for legitimate interest.
• We may refuse if we have compelling legal grounds.
• Response within 15 days (LGPD) or 30 days (GDPR).
RIGHT TO INFORMATION ABOUT SHARING (LGPD 18.III):
• Request information about whom your data has been shared with.
• Includes list of sub-processors and purposes of sharing.
RIGHT TO LIMIT PROCESSING (GDPR 18, LGPD 18):
• Request that we limit processing while you verify data accuracy.
RIGHT TO NON-DISCRIMINATION (CCPA 1798.125):
• You will not be discriminated against for exercising your privacy rights (no degraded service or higher price).
HOW TO EXERCISE YOUR RIGHTS:
Send request to: privacy@byvulcan.com
Include: your account email, description of request, and identity proof (copy of ID for verification).
RESPONSE TIMELINES:
• LGPD: 15 days (extendable by another 15 days in case of complexity).
• GDPR: 30 days (extendable in complex cases).
• CCPA: 45 days (extendable by another 45 days in case of complexity).
11. California-specific rights under CCPA/CPRA
If you are a California resident, you have the following additional rights under CCPA/CPRA:
RIGHT TO OPT-OUT OF SALE / SHARING (CCPA 1798.120, CPRA):
• COMMITMENT: Vulcan Drive DOES NOT SELL or SHARE personal information of California residents.
• You have the right to opt-out of sale/sharing (not applicable, as we do not sell).
• No data sale activities occur in this service.
RIGHT TO LIMIT USE OF SENSITIVE DATA (CPRA 1798.121):
• Sensitive data (SSN, credit card number, biometric, sexual orientation, precise location) are not collected or processed by this service.
• If identified by mistake, it will be immediately deleted.
RIGHT TO ANNUAL DISCLOSURE (CCPA 1798.100 et seq.):
• Once every 12 months, you can request detailed disclosure about:
- Categories of information collected
- Purposes of use
- Categories of third parties with whom we share
- Retention period for each category
RIGHT TO CORRECTION (CPRA 1798.106):
• Already included in our general rights policy (previous section).
RIGHT TO DELETION (CCPA 1798.105):
• Already included in our general rights policy (previous section).
RIGHT TO ACCESS (CCPA 1798.100):
• Already included in our general rights policy (previous section).
HOW TO EXERCISE:
Send request to: privacy@byvulcan.com
Response within 45 days (CCPA) or 30 days (CPRA).
To appeal decisions about rights denial, contact the California Attorney General: oag.ca.gov/privacy
12. Children's data
Vulcan Drive is not intended for individuals under 18 years of age and does not intentionally collect personal data of minors.
COPPA PROTECTION (USA, under 13):
• Under the Children's Online Privacy Protection Act (COPPA), Vulcan Drive does not collect data from children under 13.
• If we discover data of a child under 13 was collected, we will immediately delete it without retention.
• Parents/guardians can contact privacy@byvulcan.com to report.
GDPR PROTECTION (EU, under 16):
• For EU residents, processing data of children under 16 requires parental/guardian consent.
• The service is recommended for use by those 16 years and older.
• If we discover inadequate consent, data will be immediately deleted.
LGPD PROTECTION (Brazil, under 18):
• The service is recommended for those 18 years and older (as per LGPD art. 14).
• For minors under 18, processing requires specific parental/guardian consent.
• If we discover minors without appropriate consent, data will be immediately deleted.
CONTACT IN CASE OF CONCERN:
If you are a parent/guardian with concerns about a minor's data, contact:
privacy@byvulcan.com
13. Cookies and tracking technologies
Vulcan Drive uses only strictly necessary cookies for security and functionality:
NECESSARY COOKIES:
• Authentication: session cookies to keep you logged in.
• CSRF Protection: anti-forgery token for security.
• Language preferences: your preferred language (PT, EN, ES).
COOKIES NOT USED:
— We do not use tracking or analytics cookies (Google Analytics, Hotjar, etc.).
— We do not use advertising or remarketing cookies.
— We do not use third-party cookies for behavioral or tracking purposes.
FUTURE:
If we implement optional cookies in the future (e.g.: analytics for improvements), we will implement an explicit consent banner as per GDPR art. 82 and provide an easy opt-out option.
CONTROL:
You can disable cookies in your browser, but this may affect service functionality (login, CSRF).
NAVIGATION DATA:
• Server logs contain IP, user-agent, accessed URLs (standard web hosting practice).
• This data is retained for 90 days for security and debugging.
• It is not used for behavioral tracking.
14. Security incident notification
In case of a security breach or incident affecting your personal data, you will be notified as required by law:
IMMEDIATE NOTIFICATION:
• Once the breach is confirmed, we will initiate the notification process.
• Timeline for notification: within 72 hours (GDPR art. 33, LGPD art. 47) or as required by law.
NOTIFICATION CONTENT:
You will receive information about:
• Nature of breach (unauthorized access, theft, data corruption, etc.).
• Data affected (data categories, estimated number of records).
• Possible consequences for you.
• Measures taken to mitigate the incident (e.g.: password reset, system isolation).
• Contact for clarification and support (privacy@byvulcan.com).
NOTIFICATION TO AUTHORITIES:
• We will notify ANPD (National Data Protection Authority) as per LGPD art. 47.
• We will notify relevant DPA in each affected country as per GDPR art. 33.
• We will notify law enforcement authorities if required.
TRANSPARENT COMMUNICATION:
• We will maintain open and clear communication with all affected parties.
• We will provide support, guidance on protection (e.g.: credit monitoring) and channels for questions.
INVESTIGATION:
• We will conduct a forensic investigation to determine the root cause.
• We will implement fixes to prevent recurrence.
15. Records of processing activities
As required by GDPR art. 30 and LGPD art. 37, we maintain complete records of our data processing activities:
RECORDS MAINTAINED:
• Name and contacts of controller and data protection officer.
• Categories of data processed (account data, usage data, technical data, etc.).
• Categories of recipients (sub-processors, legal authorities).
• Retention periods for each category.
• Technical and organizational description of security measures.
• Legal justification for each processing activity.
• Data Protection Impact Assessments (DPIA) where applicable.
ACCESS:
• These records are made available to supervisory authorities (ANPD, DPA) upon formal request.
• Individuals can request information about processing as per right to access (Section 10).
AUDIT:
• Records are reviewed annually by our compliance team.
• Any change in processing activities is documented.
16. Changes to this policy
We may update this Privacy Policy periodically to reflect legal, technological or operational changes.
CHANGE PROCEDURE:
• Minor changes (clarifications, small additions) may be implemented immediately.
• Significant changes will be communicated by email to all users at least 15 days in advance.
• You will receive clear notification about what changed and when it takes effect.
CONTINUED USE:
• Continued use of the service after new conditions take effect implies acceptance.
• If you disagree with changes, you can close your account as per Terms of Use.
VERSION HISTORY:
• Version 1.0 (March 29, 2026): Initial policy with 11 sections.
• Version 2.0 (April 5, 2026): Complete expansion with LGPD, GDPR, CCPA, 17 sections.
You can request complete history at: privacy@byvulcan.com
17. Contact, Data Protection Officer and Authorities
To exercise rights, clarify questions or report privacy concerns:
VULCAN DRIVE PRIVACY TEAM:
• DPO / Data Protection Officer: privacy@byvulcan.com
• Legal matters: legal@byvulcan.com
• General support: support@byvulcan.com
• Address: Brazil
COMPETENT AUTHORITIES:
For Brazil residents:
• National Data Protection Authority (ANPD)
• Website: gov.br/anpd
• You can file a formal complaint if your rights are not respected.
For European Union residents:
• You have the right to lodge a complaint with your country's Data Protection Authority (DPA).
• Your country's DPA can be found at: edpb.eu
• Prior contact with us is not necessary, but we encourage clarification first.
For California residents (USA):
• California Attorney General — Consumer Privacy Bureau
• Website: oag.ca.gov/privacy
• You can file a complaint about CCPA/CPRA violation.
COOPERATION WITH AUTHORITIES:
• Vulcan Drive fully cooperates with data protection supervisory authorities.
• We will respond to authority requests within legal timelines.
DIRECT SUPPORT:
• For questions about your rights or this policy, please contact privacy@byvulcan.com first.
• Response within 15 days (LGPD), 30 days (GDPR) or 45 days (CCPA/CPRA).
See also our Terms of Use