Privacy.
Last updated: 2026-05-13
Controller and DPO contact
agentshorts is a digital infoproduct operated by jplgroup. For this storefront, lead capture, post-purchase access, license activation, support, refund, and delivery flow, jplgroup is the controller of buyer, prospect, entitlement, and support records.
Data protection contact / DPO channel: [email protected]. The public storefront is served from agentshorts.dev; product access is delivered from access.agentshorts.dev.
What we collect
Storefront browsing: page requests, basic security logs, consent-banner choices, and cookieless aggregate analytics. We do not set advertising cookies. Plausible is used in cookieless mode and is not used for cross-site ad targeting.
Lead capture: when you request the PDF preview or launch updates, we collect the email address you submit, locale, consent state, source page, timestamps, confirmation status, and technical anti-abuse metadata. We use this only for requested nurture emails, product launch updates, consent audit, abuse prevention, and unsubscribe handling.
Checkout: when you click a buy button, you are redirected to Lemon Squeezy for international orders or Kiwify for Brazilian orders. Those providers process payment, tax, invoice, fraud-prevention, refund, and checkout data under their own controller or processor terms. agentshorts never receives your full card number.
After purchase: checkout providers send signed webhooks with buyer email, buyer name when provided, order identifier, product or tier purchased, checkout provider, entitlement status, refund or chargeback status, and invoice/receipt references. We use this data to deliver repository invitations, file access, transactional email, support, refunds, chargeback handling, license activation, and tax/accounting records.
Legal bases under LGPD Art. 7
- Contract execution: checkout handoff, product delivery, repository invitations, entitlement records, license-key creation, support tied to a purchase, refund processing, and access revocation after a refund or dispute.
- Legal or regulatory obligation: receipts, accounting records, tax evidence, fraud controls, chargeback records, and legally required response records.
- Legitimate interest: security logs, abuse prevention, license activation telemetry, dispute defense, product reliability, and aggregate cookieless analytics, balanced against user rights.
- Consent: optional lead nurture and marketing-style product updates. You can withdraw consent through unsubscribe links or by emailing the DPO channel.
Lead nurture
Lead nurture processing is optional and consent-based. If you submit an email for launch updates, we use Resend to send the requested sequence, confirmation messages, and unsubscribe notices. We keep a consent audit trail so we can prove when the subscription was requested and stop future nurture emails after an unsubscribe, objection, or deletion request.
Processors and external controllers
- Lemon Squeezy — international checkout, payment processing, tax, invoices, refunds, and payment compliance. DPA.
- Kiwify — Brazil checkout, payment processing, tax, invoices, refunds, and payment compliance. Kiwify references its DPA in its platform terms and publishes its privacy terms at Terms and Privacy Policy.
- Neon — hosted Postgres database for entitlements, hashed tokens, refund records, privacy request audit, and license activation events. DPA.
- Cloudflare R2 — private object storage and delivery support for paid digital assets. DPA.
- Resend — transactional and consent-based email delivery for access links, receipts, refund notices, launch updates, and unsubscribe handling. DPA.
- GitHub — repository invitation delivery when a product tier includes private repo access. DPA.
- Plausible — cookieless, aggregate website analytics without advertising profiles. DPA.
- Sentry — production error monitoring for the storefront and access service, with session replay disabled and no intentional buyer email, buyer token, order id, GitHub handle, or signed URL collection. DPA.
International transfers
Some processors operate outside Brazil, the EU, or your country of residence. We use the provider terms, DPAs, transfer clauses, and security commitments published by those vendors, and we limit shared data to what each vendor needs for checkout, delivery, support, security, analytics, or email.
Cookie and storage classification
Current storefront classification: advertising cookies: zero; analytics cookies: zero; strictly necessary storage: only when needed for consent state, checkout handoff, access, fraud prevention, or security. Plausible analytics is cookieless and does not write browser cookies.
Retention under LGPD Art. 16
- Entitlement, buyer access, refund, and legal-claims records: 5 years after the purchase or last dispute activity.
- Receipts, invoice, tax, and accounting records: 7 years where needed for fiscal and accounting duties.
- Webhook event logs and provider event receipts: 90 days, unless a refund, fraud, abuse, chargeback, or legal hold requires longer retention.
- License activation telemetry: 12 months for warning-only abuse detection, support, and dispute defense.
- Deleted buyer records: 30-day soft-delete grace period before irreversible deletion or anonymization, unless retention is legally required.
- Lead nurture records: until unsubscribe, consent withdrawal, deletion request, or the end of the launch/nurture purpose, with minimal suppression records retained to honor opt-outs.
Your rights under LGPD Art. 18 and GDPR-style laws
You may request confirmation of processing, access, correction, deletion or anonymization, portability, information about sharing, review of automated decisions when applicable, consent withdrawal, and objection to processing based on legitimate interest. We also honor reasonable restriction and complaint workflows where local law grants those rights.
Send requests to [email protected]. We may need enough information to verify the request, such as the buyer token or order reference. If we cannot delete a record immediately because of tax, accounting, fraud-prevention, dispute, or legal-defense duties, we will explain the retained category and retention basis.
Security incidents and LGPD Art. 48
If a personal-data incident creates relevant risk or damage to data subjects, we will evaluate notification duties under LGPD Art. 48, GDPR-style breach rules where applicable, and provider incident commitments. Notices may go to ANPD, affected users, vendors, and payment providers depending on the incident.
Contact
jplgroup · [email protected]