Privacy Policy
Last updated: July 3, 2026
1. Who we are
Squado is operated by Dropa Tecnologia Ltda (CNPJ 54.954.663/0001-74), a company incorporated in Brazil, with registered address at Avenida Paulista, 1471, Conj. 1110, Bela Vista, São Paulo - SP, 01311-927, Brazil ("Squado", "we", "us"). Squado is an organization design platform for engineering teams, available at squado.io and app.squado.io.
For the purposes of the Brazilian General Data Protection Law (LGPD) and the EU General Data Protection Regulation (GDPR), Squado acts as the controller for account and website data, and as a processor/operator for the workspace content you and your team add to the platform.
2. What we collect
Account data
- Name, email address, and password (stored as a secure hash) when you create an account.
- Billing details when you subscribe to a paid plan. Card data is collected and stored by Stripe, our payment processor - it never touches Squado's servers.
Workspace content
- The organization data you add: team structures, member names, roles, email addresses, allocations, hourly rates and costs, OKRs, and ceremonies.
- This may include personal data about your team members. You are responsible for having a lawful basis to add it, and we process it only to provide the service to you.
Usage data
- Standard server logs (IP address, browser type, pages visited, timestamps) for security and reliability.
- Website analytics through Google Analytics (see Cookies below).
3. How we use your data
- To provide, operate, and improve Squado.
- To process payments and send billing-related emails.
- To send transactional emails (trial reminders, security notices, product changes). Marketing emails are opt-in and every one has an unsubscribe link.
- To detect abuse and keep the platform secure.
We do not sell your data. We do not use your workspace content to train AI or machine-learning models. AI features (such as org import) process your data only to produce the result you asked for.
4. Legal bases
We process data under the following bases (LGPD art. 7 / GDPR art. 6): performance of a contract (running your account and workspace), legitimate interest (security, product analytics), consent (marketing emails, non-essential cookies), and compliance with legal obligations (tax and billing records).
5. Cookies and analytics
- Essential cookies - session and authentication cookies required for app.squado.io to work. These cannot be disabled.
- Analytics - we use Google Analytics, loaded through Google Tag Manager, on our website to understand aggregate traffic. Google Analytics sets its own cookies and processes IP addresses. You can opt out with the Google Analytics opt-out browser add-on or by blocking analytics cookies in your browser.
6. Who we share data with
We share data only with the subprocessors we need to run the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | United States |
| Vercel | Website hosting | United States (global CDN) |
| Render | Application API hosting | United States |
| Stripe | Payment processing | United States |
| Google Analytics | Website traffic analytics | United States |
Each provider is bound by its own data processing agreement. We may also disclose data if required by law, and we will tell you when we are allowed to.
If your company needs a signed Data Processing Agreement (DPA) with Squado, request one at hello@squado.io.
7. International transfers
Your data is stored in the United States by the providers above. Where LGPD or GDPR applies, transfers rely on the safeguards those providers offer, such as standard contractual clauses and equivalent mechanisms.
8. Security
- Every workspace is isolated with PostgreSQL Row-Level Security - one customer's data is never visible to another.
- Data is encrypted in transit (TLS) and at rest.
- Financial data inside a workspace has its own per-person visibility controls, set by your workspace admins.
- Access to production systems is restricted and logged.
9. Retention and deletion
- While your account is active, we keep your data so the service works.
- After a trial ends, your workspace becomes read-only and is kept so you can pick a plan later.
- If you delete your account (or ask us to), we delete your workspace content within 30 days, except records we must keep for legal or billing reasons.
10. Your rights
Under the LGPD (art. 18) and, where applicable, the GDPR, you can ask us to confirm what we process, access it, correct it, delete it, export it in a portable format, or restrict and object to certain processing. You can also withdraw consent at any time.
To exercise any of these rights, email hello@squado.io. We respond within the legal deadlines. If you believe we have not handled your data properly, you can also contact the Brazilian data protection authority (ANPD) or your local supervisory authority.
If your personal data was added to a workspace by your employer, that workspace's admins control it - we will route your request to them where the law requires.
11. Children
Squado is a business tool and is not directed at anyone under 16. We do not knowingly collect data from children.
12. Changes to this policy
If we make material changes, we will email account owners and update the date at the top of this page at least 15 days before the changes take effect.
13. Contact
Privacy questions, requests, and complaints: hello@squado.io.
Data protection contact (Encarregado channel under LGPD): hello@squado.io.