BLIND

Security

Data Protection

Last updated: May 4, 2026

BLIND treats personal data as a responsibility, not an asset. This page describes the technical and organizational controls we apply to protect customer information end-to-end.

Security Pillars

Encryption in transit

All traffic between your device and our servers is encrypted with HTTPS using TLS 1.3. HTTP requests are automatically redirected to HTTPS.

No payment data stored

Card numbers, CVV, and banking credentials never touch our servers. Stripe (PCI-DSS Level 1) handles all payment processing.

Restricted access

Personal data is accessible only to authorized personnel on a need-to-know basis. All access is logged and reviewed.

Secrets isolation

API keys and credentials live in server-side environment variables. The client bundle contains no secrets.

Security headers

We enforce HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy on every response.

Audit and review

Regular dependency audits, code reviews, and incident-response drills.

1. Security Practices

Our infrastructure follows industry best practices:

  • HTTPS-only with HSTS preload eligibility.
  • Strict Content Security Policy on sensitive routes.
  • Server-side validation of every payment intent.
  • Automatic dependency vulnerability scanning.
  • Principle of least privilege across all systems.

2. Encryption

In transit: TLS 1.3 with strong cipher suites. Certificates are managed automatically and renewed before expiration.

At rest: Order records and customer data are stored in encrypted databases with AES-256 disk encryption provided by our cloud infrastructure.

3. Access Control

  • Administrative panels require authentication and are not exposed on public navigation.
  • Role-based access: only fulfillment staff can view shipping addresses; only finance can access invoice records.
  • All admin actions are logged with timestamp and user identifier.
  • Production secrets are rotated periodically and never committed to source control.

4. Data Retention

We retain personal data only as long as needed to operate the service and meet legal obligations:

  • Order records: 5 years (Brazilian tax law).
  • Support correspondence: 2 years.
  • Inactive accounts: anonymized after 24 months.
  • Access logs: 6 months.

Customers may request earlier deletion of personal data by writing to support@blindglasses.com.br, subject to legal retention requirements.

5. Third-Party Sharing

Personal data is shared with the minimum third parties required to fulfill orders:

  • Logistics carriers (e.g., Correios, regional carriers): receive name, address, and phone for delivery.
  • Stripe: receives transaction amount, currency, and a tokenized payment instrument. We do not transmit raw card data.
  • Marketplace integrations(TikTok Shop, Mercado Livre, Shopee): exchange order data for purchases made via those channels, in accordance with each platform's data security requirements.

We do not share data with advertisers, brokers, or any party for marketing purposes.

6. Incident Response

In the event of a confirmed data breach affecting personal data, we will notify affected users and the Brazilian National Data Protection Authority (ANPD) without undue delay, in accordance with LGPD Article 48.

7. Reporting a Vulnerability

If you believe you have discovered a security vulnerability, please report it responsibly to support@blindglasses.com.br. We will acknowledge your report within 72 hours.

Your data is protected and encrypted.

HTTPS · TLS 1.3 · No payment data stored · LGPD compliant