Privacy Policy

Last updated: 15 May 2026

This policy explains how personal data is collected and processed on sergioaguirre.com. It applies the Brazilian Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) and the EU General Data Protection Regulation (GDPR, Regulation 2016/679). If you do not agree with any part of this policy, please do not use the experiment dashboard or registration features.

1. Controller and Data Protection Contact

The data controller is Sergio Luiz Aguirre, the operator of this site. For all privacy matters, including the role of Data Protection Officer (Encarregado pelo Tratamento de Dados Pessoais, LGPD Art. 41), the contact is:

Email: contact@sergioaguirre.com

2. Minimum Age

This site is intended for adults. You must be at least 18 years old to register and participate. We do not knowingly collect data from minors (LGPD Art. 14, GDPR Art. 8). Birthdate is verified at signup and accounts created with a birthdate indicating an age below 18 are rejected.

3. Data We Collect

The site only collects personal data when you create an account to participate in listening experiments. The following categories are collected:

  • Account data: email address, hashed password.
  • Demographic data: birthdate, gender (optional, default "Prefer not to say").
  • Sensitive health data: self-declared hearing impairment status. This is a special category under GDPR Art. 9 and LGPD Art. 11.
  • Equipment data: headphone model, headphone type, soundcard (optional).
  • Experiment responses: trial answers, reaction times, ratings, optional free-text comments.
  • Consent records: timestamp and version of the consent you provided.

If you only browse the public portfolio pages without registering, no account data is collected. Analytics cookies are only set after your explicit acceptance (see Section 8).

4. Purposes and Legal Basis

| Purpose | Legal basis (GDPR / LGPD) |
| --- | --- |
| Account creation, authentication, access control. | GDPR Art. 6(1)(b) contract / LGPD Art. 7º V execution of contract. |
| Academic research on spatial audio and audio quality (storage and analysis of experiment responses). | GDPR Art. 6(1)(a) consent and Art. 9(2)(a) explicit consent for health data / LGPD Art. 7º I and Art. 11 II "a" specific consent. |
| Audience analytics via Google Analytics. | GDPR Art. 6(1)(a) consent / LGPD Art. 7º I consent. |
| Security, fraud prevention, abuse detection. | GDPR Art. 6(1)(f) legitimate interest / LGPD Art. 7º IX legitimate interest. |

5. Retention and Account Deletion

Account and experiment data are kept while your account is active. When you click "Delete My Account" on the dashboard, the identifying fields on your account (email, password hash, audit IP) are erased and the row is permanently locked. You can no longer log in.

Your experiment responses (trial answers, reaction times, ratings) and the demographic context you provided for research (birthdate, gender, hearing impairment status, equipment) remain in the pseudonymized open-science dataset under a hashed participant identifier. This data cannot be linked back to you. Anonymized data falls outside the scope of personal data under LGPD Art. 12 and GDPR Recital 26.

If you would prefer full physical deletion of your responses as well, contact contact@sergioaguirre.com before clicking the dashboard button.

6. Your Rights

Under LGPD and GDPR you have the following rights:

  • Access: obtain confirmation of processing and a copy of your data.
  • Rectification: correct incomplete or inaccurate data.
  • Erasure / Anonymization: erase the identifiers on your account from the dashboard. Responses remain in the open-science dataset as anonymized records (see Section 5). For full physical deletion of responses, contact the controller directly.
  • Portability: receive your data in a structured, machine-readable format.
  • Anonymization, blocking or removal of unnecessary or excessive data (LGPD specific).
  • Withdrawal of consent at any time, without affecting processing already carried out under valid consent.
  • Object to processing based on legitimate interest.
  • Lodge a complaint with the Brazilian ANPD (gov.br/anpd) or the supervisory authority of your EU country.

To exercise any right that is not available directly in the dashboard, contact contact@sergioaguirre.com. Requests are answered within 15 days under LGPD and 30 days under GDPR.

7. Sharing and International Transfers

Personal data is not sold or shared with third parties for marketing. Pseudonymized research data (hashed participant identifier, age buckets, no email) is made available to any logged-in user as a CSV download to foster open science and reproducibility (LGPD Art. 12: anonymized data is not personal data; GDPR Recital 26). The site uses the following processors:

  • Hostinger International Limited: server hosting and MySQL database, located in São Paulo, Brazil.
  • Google Analytics (Google LLC, United States): only after your explicit consent. IP addresses are anonymized. See Google Privacy Policy.

For Brazilian subjects, primary storage is domestic (no international transfer). For EU subjects, storage in Brazil is a transfer outside the EEA covered by Hostinger's Standard Contractual Clauses (GDPR Art. 46) and the explicit consent you provide on registration. Transfers to Google (USA) rely on the EU-US Data Privacy Framework adequacy decision and on LGPD Art. 33 V (specific consent of the data subject).

8. Cookies

This site uses:

  • Strictly necessary cookies: PHP session cookie used to keep you logged in. No consent required.
  • Analytics cookies: Google Analytics (_ga, _ga_*). Loaded only after you click "Accept" in the cookie banner. You can revoke at any time via "Cookie Settings" in the footer.

9. Security

Passwords are stored using bcrypt hashing and never in plaintext. All requests are served over HTTPS. Cross-site request forgery (CSRF) tokens protect all state-changing endpoints. Sessions are regenerated on login to prevent fixation.

Consent audit IP addresses are truncated before storage (last octet for IPv4, last 80 bits for IPv6), matching the Google Analytics convention. This is sufficient to prove the network of origin without retaining per-host identifiers (LGPD Art. 6 II, GDPR Art. 25).

10. Data Breach Procedure

In the event of a security incident affecting personal data, the controller will notify the Brazilian ANPD and affected data subjects within a reasonable period (LGPD Art. 48), and the relevant EU supervisory authority within 72 hours where required (GDPR Art. 33), if the incident is likely to result in risk to your rights and freedoms.

11. Changes

This policy may be updated. The "Last updated" date at the top reflects the most recent version. Material changes to research processing will require a new consent.