Privacy Policy

1. Introduction and Data Controller Identification

ChatSense ("we," "our," or "Platform") is an omnichannel customer service and conversational CRM platform that integrates channels such as WhatsApp, Instagram, Messenger, Telegram, TikTok, and Email, with artificial intelligence capabilities, automations, and relationship management features.

This Privacy Policy describes how we collect, use, store, share, and protect personal data processed on our platform, in compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 — LGPD), the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable legislation.

Data Controller

Omega Capital Holding Gestao e Participacoes Empresariais Ltda
CNPJ: 58.557.020/0001-48
Address: Sao Paulo, SP, Brazil

With respect to the data of administrative users (team members, managers), Omega Capital Holding acts as the Controller under the LGPD and Data Controller under the GDPR.

With respect to the data of end customers (contacts, consumers) that are entered, received, or processed by our clients through the Platform, Omega Capital Holding acts as the Operator (LGPD) / Data Processor (GDPR), with the Platform client being the Controller of such data.

Data Protection Officer (DPO)

Email: privacidade@chatsense.app

2. Definitions

For the purposes of this Policy, the following definitions apply, in accordance with Article 5 of the LGPD and Articles 4 and 9 of the GDPR:

• Personal Data — any information relating to an identified or identifiable natural person (LGPD Article 5(I) / GDPR Article 4(1)).
• Sensitive Personal Data — personal data concerning racial or ethnic origin, religious conviction, political opinion, trade union membership, health data, sex life, genetic or biometric data, when linked to a natural person (LGPD Article 5(II) / GDPR Article 9).
• Data Subject — a natural person to whom the personal data being processed relates (LGPD Article 5(V) / GDPR: "Data Subject").
• Controller — a natural or legal person responsible for decisions regarding the processing of personal data (LGPD Article 5(VI) / GDPR: "Data Controller").
• Processor — a natural or legal person that processes personal data on behalf of the Controller (LGPD Article 5(VII) / GDPR: "Data Processor").
• Processing — any operation performed with personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction (LGPD Article 5(X) / GDPR: "Processing").
• Consent — a free, informed, and unambiguous expression by which the data subject agrees to the processing of their personal data for a specific purpose (LGPD Article 5(XII) / GDPR Article 4(11)).
• ANPD — the Brazilian National Data Protection Authority, the public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD (LGPD Article 5(XIX)).
• Sub-processor — a third party contracted by the Processor to carry out specific personal data processing activities on behalf of the Controller (GDPR: "Sub-processor").

3. Data Collected

3.1 Registration Data (Administrative Users)

• Full name, email address, and phone number
• Password (stored as an Argon2id hash — never in plaintext)
• Avatar/profile picture
• Role and permissions within the organization
• Preference settings (language, theme, notifications)

3.2 Contact / End Customer Data

• Name, phone number, and email address
• Message content exchanged through integrated channels
• Media sent or received (images, audio, videos, documents)
• Location data (when voluntarily shared by the contact)
• CRM fields: company, job title, document (CPF/CNPJ), date of birth
• Tags, notes, and custom fields assigned by the operator

3.3 Conversation Data

• Text and media content of messages
• Originating platform (WhatsApp, Instagram, Messenger, Telegram, TikTok, Email, Widget)
• Timestamps (date and time of sending, delivery, and reading)
• Assigned agent and bot status (active, paused, handoff)
• CSAT ratings and satisfaction survey data
• Sentiment classification and automatic tags (generated by AI)

3.4 Media Data

• Images, audio, videos, and documents sent/received in conversations
• Storage in S3-compatible object storage (self-hosted MinIO)
• Media metadata (MIME type, size, dimensions)

3.5 CRM Data

• Companies: name, document (CNPJ/CPF), address, phone, website
• Deals: title, amount, stage, closing date
• Deal activities: notes, calls, meetings, emails, tasks

3.6 Campaign Data

• Recipient list and segmentation
• Delivery status (sent, delivered, read, failed)
• Opt-out and unsubscribe records

3.7 Browsing Data (Widget Visitors)

• IP address (anonymized after processing)
• Browser user-agent
• Referrer URL
• Widget session identifier

3.8 Marketplace Data

• Installed applications and their configurations
• Integration data with third-party applications

3.9 Payment Data

• Processed entirely by our payment providers Asaas (Brazil) and Stripe (international)
• We do not store credit card numbers, CVVs, or complete payment data
• We retain only: subscription identifier, subscribed plan, payment status, and invoice history

4. Legal Bases for Processing

Each category of personal data is processed under one or more legal bases provided for in Article 7 of the LGPD and Article 6(1) of the GDPR:

4.1 Performance of Contract (LGPD Article 7(V) / GDPR Article 6(1)(b))

• Registration and account data — necessary for account creation and maintenance
• Conversation and message data — necessary for the provision of the customer service
• CRM data — necessary for customer relationship management
• Channel data — necessary for the integration and operation of communication channels

4.2 Consent (LGPD Article 7(I) / GDPR Article 6(1)(a))

• Sending marketing communications and campaigns
• Use of non-essential cookies (when applicable)
• Processing of end customer data in outbound campaigns

4.3 Legitimate Interest (LGPD Article 7(IX) / GDPR Article 6(1)(f))

• Aggregated and anonymous analytics for service improvement
• Fraud and abuse detection and prevention
• Platform security and threat protection
• Operational performance reporting

4.4 Legal Obligation (LGPD Article 7(II) / GDPR Article 6(1)(c))

• Tax and billing records — mandatory retention of 5 years
• Audit logs — compliance with the Brazilian Internet Civil Framework
• Compliance with judicial requests and competent authorities

5. Purpose of Data Use

We use the personal data collected exclusively for the following purposes:

• Service provision — operating the customer service platform, including sending and receiving messages, conversation management, and routing to agents
• AI processing — generating automated responses, classifying messages, analyzing sentiment, and providing response suggestions (detailed in Section 6)
• Analytics and reports — producing performance metrics, service reports, and satisfaction analyses in an aggregated and anonymous manner
• Security — user authentication, identity verification, protection against unauthorized access, and anomaly detection
• Fraud prevention — monitoring suspicious activities, rate limiting, and abuse control
• Legal compliance — fulfilling regulatory, tax, and audit obligations
• Customer support — addressing requests, resolving technical issues, and operational communication
• Continuous improvement — enhancing features based on aggregated and anonymous data

We do not sell, rent, or commercialize personal data for any purpose.

6. Processing by Artificial Intelligence

ChatSense uses artificial intelligence models to enhance customer service. This section transparently describes how data is processed by AI systems.

6.1 Data Sent to LLM Providers

To generate automated responses and assist human agents, the following data may be sent to language model providers (Google Gemini, OpenAI):

• Message history of the ongoing conversation
• Relevant knowledge base content (RAG chunks)
• System prompts configured by the administrator (AI agent instructions)

6.2 Exclusive Use for Inference

Data sent to AI providers is used exclusively for inference (response generation) and is NOT used for training the language models. Our contracts with Google and OpenAI guarantee that data sent via API is not used to improve or train their models.

6.3 Embeddings and Vector Search

Embeddings (numerical vectors) generated from knowledge base documents are stored locally in our PostgreSQL database using the pgvector extension. Embeddings are not shared with third parties after their generation.

6.4 Automated Decisions

ChatSense may make the following automated decisions:

• Sentiment analysis — classification of message tone (positive, neutral, negative)
• Auto-tagging — automatic assignment of tags based on conversation content
• Priority classification — determination of service urgency
• Intelligent routing — directing the conversation to the most suitable agent or team

In compliance with Article 20 of the LGPD and Article 22 of the GDPR, the data subject has the right to request human review of decisions made solely on the basis of automated processing that affect their interests, including decisions intended to define their personal, professional, consumer, or credit profile.

6.5 RAG Context (Retrieval-Augmented Generation)

When the AI agent responds to a message, relevant excerpts from the knowledge base are retrieved via vector search and injected into the prompt sent to the model. Only the relevant excerpts are shared — not the complete knowledge base.

6.6 Audio Transcription (STT)

Audio files received in conversations may be sent to Google or OpenAI transcription services for conversion to text. Audio is processed exclusively for transcription purposes and is not retained by the providers after processing.

6.7 Image Analysis

Images received in conversations may be sent to the Google Vision API exclusively for generating a textual description of the content, enabling the AI agent to understand the visual context. Images are not retained by the provider after processing.

7. Data Sharing

We share personal data only with the sub-processors strictly necessary for the operation of the service, as detailed below:

7.1 Sub-processors

• Google Cloud (Gemini API) — AI inference, response generation, audio transcription, and image analysis
• OpenAI — embedding generation for vector search in the knowledge base
• Meta Platforms — message delivery via WhatsApp Business API, Instagram Direct, and Facebook Messenger
• Telegram — message delivery via Telegram Bot API
• TikTok — message delivery via TikTok Business API
• Stripe — international payment processing (credit card)
• Asaas — payment processing in Brazil (PIX, bank slip, credit card)
• MinIO / S3 — object storage (media) on self-hosted infrastructure
• Client SMTP servers — email delivery when the email channel is configured by the client
• Client webhook endpoints — data delivery to URLs configured by the client in automation actions

7.2 Non-Commercialization Commitment

We do not sell, rent, exchange, or commercialize personal data with third parties for any purpose, including marketing, advertising, or behavioral profiling.

8. International Data Transfers

Due to the use of international sub-processors, personal data may be transferred to countries outside Brazil and the European Economic Area (EEA), notably to the United States (Google, OpenAI, Meta, Stripe).

These transfers are carried out with the following safeguards:

• Standard Contractual Clauses (SCCs) — as approved by the European Commission and recognized by the ANPD, ensuring an adequate level of protection
• Adequacy decisions — when the destination country has an adequacy decision recognized by the competent authority
• Specific contractual terms — contracts with sub-processors include data protection obligations equivalent to those provided for under the LGPD and the GDPR
• Data Processing Agreements (DPAs) — data processing agreements entered into with all relevant sub-processors

International transfers comply with the provisions of Article 33 of the LGPD and Chapter V (Articles 44 to 49) of the GDPR.

9. Storage and Security

We adopt robust technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or destruction:

9.1 Encryption

• At rest — channel tokens, credentials, and secrets encrypted with AES-256-GCM
• Passwords — Argon2id hash with a unique salt per user (never stored in plaintext)
• In transit — mandatory TLS 1.2/1.3 for all communications, with HTTP/3 (QUIC) support

9.2 Multi-tenant Isolation

• Row-Level Security (RLS) — database-level isolation in PostgreSQL, ensuring that each organization accesses exclusively its own data
• Every database query is contextualized with the organization identifier

9.3 Authentication and Access Control

• Authentication via JWT with short-lived tokens + refresh tokens
• Two-factor authentication support (MFA/TOTP)
• Role-based access control (RBAC) with granular permissions
• Single Sign-On (SSO) via OIDC for enterprise organizations

9.4 Infrastructure Protection

• SSRF protection — blocking requests to private IP ranges (RFC 1918, loopback, ULA) in webhooks and automations
• Rate limiting — request rate control per IP and per account
• Complete audit logs — all actions recorded with IP, user-agent, and timestamp
• DragonflyDB for cache and sessions — no persistent personal data
• Kubernetes infrastructure with Envoy Gateway, HSTS, and CSP headers
• HMAC-SHA256 verification on inbound webhooks to ensure authenticity

10. Data Retention

Personal data is retained for the period strictly necessary for the purposes described in this Policy, subject to the following retention periods:

• Messages and conversations — maintained during the account's active period, plus 30 days after account deletion to allow recovery
• Media (images, audio, videos, documents) — configurable retention period per organization (media_retention_days parameter); default: indefinite retention during the account's active period
• Audit logs — 12 months, in compliance with the Brazilian Internet Civil Framework
• Billing and tax data — 5 years, pursuant to tax law obligations
• Account data — 30 days after account deletion request
• Meta-originated data — up to 90 days after channel disconnection, as required by the Meta Platform
• Backups — automatic rotation every 30 days

After the retention periods expire, data is securely and irreversibly deleted, including backups containing such data within the rotation cycle.

11. Data Subject Rights

We respect the rights of personal data subjects as provided for under applicable legislation. Below we detail the rights by jurisdiction:

11.1 LGPD (Law No. 13,709/2018 — Article 18)

• Confirmation — confirm the existence of processing of your data
• Access — obtain a copy of the personal data we process
• Correction — request the correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion — of unnecessary, excessive, or non-compliant data
• Portability — receive your data in a structured and interoperable format
• Deletion — request the deletion of data processed on the basis of consent
• Information about sharing — know with which entities your data is shared
• Information about non-consent — be informed about the consequences of not providing consent
• Revocation of consent — withdraw consent at any time, without affecting the lawfulness of processing carried out previously

11.2 GDPR (Regulation EU 2016/679 — Articles 15 to 22)

• Right of access (Article 15) — obtain confirmation and a copy of the personal data processed
• Right to rectification (Article 16) — correction of inaccurate data
• Right to erasure (Article 17) — deletion of data ("right to be forgotten")
• Right to restriction (Article 18) — restriction of processing in certain circumstances
• Right to data portability (Article 20) — receive data in a machine-readable format
• Right to object (Article 21) — object to processing based on legitimate interest
• Rights related to automated decision-making (Article 22) — not be subject to exclusively automated decisions with significant effects, and request human review

11.3 CCPA/CPRA (California, USA)

• Right to know — know what personal data is collected, used, and shared
• Right to delete — request the deletion of personal data
• Right to opt-out of sale — we do NOT sell personal data; this right is automatically satisfied
• Right to non-discrimination — not be discriminated against for exercising privacy rights
• Right to limit use of sensitive data — limit the use and disclosure of sensitive personal data

11.4 How to Exercise Your Rights

• Email — send your request to privacidade@chatsense.app
• Platform settings — use the privacy options available in your account settings
• API — dedicated endpoints for export (/contacts/:id/gdpr-export) and deletion (/contacts/:id/gdpr-erase) of contact data

11.5 Response Timeframes

• LGPD — up to 15 business days from confirmation of the data subject's identity
• GDPR — up to 30 calendar days, extendable by an additional 60 days in complex cases
• CCPA/CPRA — up to 45 calendar days, extendable by an additional 45 days upon notification

12. Cookies and Tracking Technologies

We use exclusively strictly necessary cookies for the operation of the platform:

• JWT session cookie — user authentication on the platform (expiration as per session configuration)
• Theme preference — local storage of light/dark theme choice
• Widget session — visitor identification in embeddable chat widget sessions (first-party cookie)

We do not use tracking, analytics, advertising, or third-party cookies. We do not participate in behavioral advertising networks and do not perform cross-site tracking.

For detailed information about specific cookies, please refer to our Cookie Policy available on the platform.

13. Minors

ChatSense is a B2B platform intended for businesses and professionals. Our services are not directed at individuals under 18 years of age.

We do not intentionally collect personal data from children or adolescents. In compliance with Article 14 of the LGPD, if we identify that data from minors has been collected without the specific consent of a parent or legal guardian, we shall proceed with the immediate deletion of such data.

With respect to COPPA (Children's Online Privacy Protection Act — USA), we do not intentionally collect personal information from children under 13 years of age. If you believe that data from a minor has been provided to our platform, please contact us immediately at privacidade@chatsense.app.

14. Changes to This Policy

This Privacy Policy may be updated periodically to reflect changes in our practices, services, or legal requirements.

In the event of material changes, we commit to:

• Providing 15 days' prior notice before the changes take effect
• Sending a notification by email to administrators of all active organizations
• Displaying an informational banner within the platform during the transition period
• Maintaining the version history of this Policy accessible to data subjects

Continued use of the platform after the notification period constitutes acceptance of the changes. If you disagree with the modifications, you may request the deletion of your account and data before the new version takes effect.

15. Contact and Data Protection Officer (DPO)

For questions, requests to exercise your rights, or complaints related to the processing of personal data, please contact:

Omega Capital Holding Gestao e Participacoes Empresariais Ltda
CNPJ: 58.557.020/0001-48
Address: Sao Paulo, SP, Brazil

Data Protection Officer (DPO)
Email: privacidade@chatsense.app

If you believe that the processing of your personal data violates applicable legislation, you have the right to file a complaint with the competent data protection authority:

• Brazil — National Data Protection Authority (ANPD): www.gov.br/anpd
• European Union — supervisory authority of the Member State where the data subject resides
• California (USA) — California Privacy Protection Agency (CPPA)

16. Jurisdictional Addendum

The following supplements apply depending on the data subject's jurisdiction:

16.1 CCPA/CPRA — California Consumer Privacy Act

For residents of the State of California (USA), we additionally inform:

• Categories of personal information collected: identifiers (name, email, phone), commercial data (transaction history), internet activity (access logs, platform interactions), professional data (job title, company)
• Purposes of collection: service provision, security, legal compliance, service improvement (as detailed in Section 5)
• Sale or sharing: We do NOT sell or share personal information for cross-context behavioral advertising
• Consumer rights: right to know, delete, correct, opt-out of sale (not applicable — we do not sell data), and non-discrimination
• Submission methods: email to privacidade@chatsense.app or via platform settings

16.2 GDPR — General Data Protection Regulation

For data subjects in the European Economic Area (EEA), United Kingdom, and Switzerland:

• Legal bases by processing activity: as detailed in the mapping provided in Section 4 of this Policy
• Transfers to third countries: data may be transferred to the USA (Google, OpenAI, Meta, Stripe) based on Standard Contractual Clauses (SCCs) and appropriate supplementary measures
• DPO designation: the Data Protection Officer can be contacted at privacidade@chatsense.app
• Supervisory authority: data subjects have the right to file a complaint with the data protection authority of the Member State where they reside, work, or where the alleged infringement occurred
• Data Protection Impact Assessment (DPIA): we conduct DPIAs for high-risk processing activities, including AI processing and automated decisions

16.3 APPI — Act on the Protection of Personal Information (Japan)

For data subjects in Japan:

• Business operator handling personal information: Omega Capital Holding Gestao e Participacoes Empresariais Ltda acts as a Handling Business Operator under the APPI
• Notification of purpose of use: the purposes of use of personal data are described in Section 5 of this Policy, and data subjects will be notified of any changes
• Cross-border transfers: personal data may be transferred to countries outside Japan (Brazil, USA). These transfers are carried out based on contractual agreements ensuring an equivalent level of protection, as required by the APPI and the PPC (Personal Information Protection Commission) guidelines
• Data subject rights: the right to request disclosure, correction, suspension of use, and deletion of retained data, as provided for under the APPI