Important: This page does not serve as legal advice. Please determine together with your legal advisor how GDPR and LGPD apply to your business.
🔢 Table of Contents
- Overview
- What is GDPR?
- What is LGPD?
- Is ZappWay Compliant?
- Data Processing & Responsibilities
- Your Data Rights
- Subprocessors
- Data Processing Agreement
1. Overview
ZappWay takes data protection seriously and complies with both the European Union’s General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados (LGPD). This page outlines our compliance measures and your rights as a data subject.
Key Compliance Points
- Full transparency about data collection and processing
- User control over all collected data
- Data minimization - we only collect what’s necessary
- Security measures to protect your information
- Right to deletion and data portability
- International data transfer safeguards
2. What is GDPR?
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that gives EU citizens and residents control over their personal data.
Key Principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Does GDPR Affect You?
Yes, if:
- Your business is based in the European Union (EU)
- You process personal data of individuals in the EU
- You offer goods or services to people in the EU
- You monitor the behavior of people in the EU
Personal data under GDPR includes:
- Names and email addresses
- IP addresses and location data
- Identification numbers
- Online identifiers (cookies, device IDs)
- Any information relating to an identified or identifiable person
3. What is LGPD?
Lei Geral de Proteção de Dados (LGPD)
The Brazilian General Data Protection Law (LGPD) is Brazil’s data protection regulation, similar to GDPR, that governs how personal data is collected, processed, and stored.
Key Principles:
- Purpose and necessity
- Free access to data
- Data quality and transparency
- Security and prevention
- Non-discrimination
- Accountability and responsibility
Does LGPD Affect You?
Yes, if:
- Your business operates in Brazil
- You process personal data of individuals in Brazil
- You collect data within Brazilian territory
- You offer goods or services to people in Brazil
Personal data under LGPD includes:
- Personal information (name, CPF, RG, address)
- Sensitive data (racial origin, health data, biometrics)
- Data about children and adolescents
- Any information that can identify a person
GDPR vs LGPD: Key Similarities
Both regulations share core principles:
- Consent-based processing: Users must consent to data collection
- Right to access: Users can request their data
- Right to deletion: Users can request data removal
- Data portability: Users can transfer their data
- Breach notification: Companies must report data breaches
- Privacy by design: Data protection built into systems
- Significant penalties: Heavy fines for non-compliance
Key Differences
| Aspect | GDPR | LGPD |
|---|---|---|
| Territory | European Union | Brazil |
| Enforcement | Started May 2018 | Started September 2020 |
| Authority | National DPAs | ANPD (Autoridade Nacional) |
| Max Fine | €20M or 4% revenue | R$50M or 2% revenue |
| Age of Consent | 16 years (can be lowered to 13) | 18 years (parental consent required) |
4. Is ZappWay Compliant?
Yes, ZappWay Complies with Both GDPR and LGPD
ZappWay is based in Brazil and complies with both the GDPR framework (for EU users) and LGPD (for Brazilian users).
The Measures We Took
1. Transparent Privacy Policy
Our privacy policy provides complete information about:
- What data we collect
- How we use your data
- Data retention periods
- International data transfers
- Your data protection rights
- How to exercise your rights
2. User Control Over Data
- View all data: Access your complete data at any time
- Export data: Download all your information
- Delete data: Permanently remove data from our systems
- Modify data: Update or correct your information
- Control sharing: Decide who has access to your data
3. Security Measures
- Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
- Access controls: Role-based permissions and authentication
- Regular audits: Security assessments and penetration testing
- Monitoring: 24/7 security monitoring and threat detection
- Backups: Regular encrypted backups with 90-day retention
- Incident response: Documented breach notification procedures
4. Data Minimization
- No unnecessary personal information
- Limited data retention periods
- Regular data cleanup and archival
- Purpose-specific data collection
5. Privacy by Design
- Default privacy-friendly settings
- Clear consent mechanisms
- Granular privacy controls
- Anonymous data processing where possible
6. Data Subject Rights
- Right to access (Art. 15 GDPR / Art. 18 LGPD)
- Right to rectification (Art. 16 GDPR / Art. 18 LGPD)
- Right to erasure (Art. 17 GDPR / Art. 18 LGPD)
- Right to data portability (Art. 20 GDPR / Art. 18 LGPD)
- Right to object (Art. 21 GDPR / Art. 18 LGPD)
- Right to withdraw consent (Art. 7 GDPR / Art. 8 LGPD)
5. Data Processing & Responsibilities
Understanding Data Roles
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: The entity that processes data on behalf of the controller.
ZappWay’s Role
When You Use ZappWay Services
You are the Data Controller for:
- Form responses you collect
- Documents uploaded to datastores
- Customer data processed by AI Employees
- Any personal information collected through your AI Employees
ZappWay is the Data Processor for:
- Storing form responses on your behalf
- Processing queries through AI Employees
- Indexing documents in datastores
- Executing automations you configure
For Your ZappWay Account
ZappWay is the Data Controller for:
- Your account registration information
- Billing and payment details
- Usage analytics and logs
- Support communications
Your Responsibilities as Data Controller
1. Legal Basis for Processing
Ensure you have a legal basis under GDPR/LGPD:
- Consent: User explicitly agrees to data collection
- Contract: Processing necessary to fulfill a contract
- Legal obligation: Required by law
- Legitimate interests: Necessary for your business interests
- Vital interests: Necessary to protect someone’s life
- Public task: Necessary for public interest tasks
2. Privacy Notice
Inform the individuals whose data you collect about:
- What data you collect
- Why you collect it
- How long you store it
- Who you share it with
- Their rights under GDPR/LGPD
3. Data Subject Rights
Enable individuals to:
- Access their data
- Correct inaccurate data
- Delete their data
- Export their data
- Object to processing
- Withdraw consent
4. Handling Data Subject Requests
- Log in to your ZappWay dashboard
- Navigate to the relevant datastore or form
- Search for the individual’s data
- Export, modify, or delete as requested
- Respond to the individual within legal timeframes:
  - GDPR: 1 month (extendable to 3 months)
  - LGPD: 15 days (extendable with justification)
5. Data Retention
- Define retention periods for different data types
- Regularly review and delete old data
- Document your retention policy
- Honor deletion requests
6. Breach Response
If a data breach occurs:
- Assess the breach: Determine scope and impact
- Notify ZappWay: Contact [email protected] immediately
- Notify authorities:
  - GDPR: Within 72 hours to supervisory authority
  - LGPD: In reasonable timeframe to ANPD
- Notify affected individuals: If high risk to their rights
- Document the breach: Keep records of the incident
What Happens with Form Data?
ZappWay provides form services and tools but is not the owner of collected responses.
Key Points:
- You (the AI Employee creator) are the data controller for form responses
- ZappWay is the data processor storing information on your behalf
- You have full control over the data you collect
- You determine retention periods while your account is active
- You can export or delete form responses at any time
- Deletions you make are permanent and immediate in production
- Deleted data is removed from backups within 90 days
- We cannot recover data once you delete it
6. Your Data Rights
Under GDPR and LGPD, You Have the Right To:
1. Right to Access (Transparency)
Request a copy of all personal data we hold about you.
How to exercise:
- Email [email protected] with subject “Data Access Request”
- Include your account email and any specific data categories
- We will respond within 30 days (GDPR) or 15 days (LGPD)
You will receive:
- Copy of your personal data
- Categories of data processed
- Purposes of processing
- Recipients of your data
- Retention periods
2. Right to Rectification (Correction)
Correct inaccurate or incomplete personal data.
How to exercise:
- Update your account information directly in dashboard settings
- Email [email protected] for data you cannot modify yourself
- We will update your information within 30 days
3. Right to Erasure (Right to be Forgotten)
Request deletion of your personal data.
How to exercise:
- Go to Account Settings → Delete Account
- Or email [email protected] with subject “Data Deletion Request”
- We will delete your data within 30 days
- Data removed from backups within 90 days
Exceptions (data we may need to retain):
- Legal obligations
- Legitimate interests (e.g., fraud prevention)
- Public interest or scientific research
- Defense of legal claims
4. Right to Data Portability
Receive your data in a structured, machine-readable format.
How to exercise:
- Go to Account Settings → Export Data
- Or email [email protected] with subject “Data Portability Request”
- We will provide data in JSON or CSV format
- You can transfer data to another service
5. Right to Object
Object to processing of your personal data.
How to exercise:
- Email [email protected] with subject “Objection to Processing”
- Specify which processing activities you object to
- We will assess and respond within 30 days
6. Right to Restrict Processing
Request limitation of how we process your data.
When applicable:
- You contest the accuracy of data
- Processing is unlawful but you don’t want deletion
- We no longer need the data but you need it for legal claims
- You’ve objected to processing pending verification
7. Right to Withdraw Consent
Withdraw consent for data processing at any time.
How to exercise:
- Update consent preferences in Account Settings
- Unsubscribe from marketing emails
- Email [email protected] to withdraw specific consents
8. Right to Lodge a Complaint
File a complaint with supervisory authorities.
EU/GDPR:
- Contact your national Data Protection Authority (DPA)
- List of DPAs: https://edpb.europa.eu/about-edpb/board/members_en
Brazil/LGPD:
- Contact ANPD (Autoridade Nacional de Proteção de Dados)
- Website: https://www.gov.br/anpd/
- Email: [email protected]
7. Subprocessors
How Do We Use Your Personal Data?
ZappWay acts as a data controller for your account information (registration, billing, etc.) and as a data processor for data you collect through AI Employees.
What we DO:
- Use data to provide and improve our services
- Share data with subprocessors (see table below)
- Process data according to your instructions
What we DON’T do:
- Sell personal data to third parties
- Use data for unrelated marketing purposes
- Serve advertisements based on your data
- Share data beyond what’s necessary for operations
Our Subprocessors
We only share your information with service providers who help us operate our business. All subprocessors are required to comply with GDPR and LGPD frameworks.

| Software | Use | Location | GDPR/LGPD Compliance |
|---|---|---|---|
| Fly.io | Application hosting | 🇪🇺 EU | GDPR Compliance |
| Cloudflare R2 | File upload storage | 🇪🇺 EU | DPA |
| DigitalOcean PostgreSQL | Primary database | 🇪🇺 EU | GDPR Compliance |
| Qdrant | Vector database (AI search) | 🇪🇺 EU | Privacy Policy |
| OpenAI | LLM provider (AI responses) | 🇺🇸 US | Terms of Use |
| Anthropic | LLM provider (AI responses) | 🇺🇸 US | Privacy Policy |
| Stripe | Payment processing | 🇺🇸 US | GDPR Guide |
| Google Analytics | Analytics (not used to track AI Employees) | 🇺🇸 US | GDPR Compliance |
| Mailercloud | Marketing emails | 🇺🇸 US | Privacy Policy |
International Data Transfers
Some subprocessors are located outside the EU/EEA and Brazil. We ensure adequate protection through:
For GDPR (EU transfers):
- Standard Contractual Clauses (SCCs): EU-approved contracts
- Adequacy decisions: Countries deemed adequate by EU Commission
- Supplementary measures: Additional technical safeguards
For LGPD (Brazil transfers):
- International transfer agreements: Compliant with ANPD requirements
- Standard contractual clauses: Based on LGPD requirements
- Adequate level of protection: Verification of destination country laws
For subprocessors located outside the EU/EEA and Brazil:
- We use Standard Contractual Clauses
- Data is encrypted in transit and at rest
- Access is limited to necessary operations only
- We regularly review their security practices
Subprocessor Changes
We maintain the right to add or change subprocessors. We will:
- Notify you of changes via email
- Provide 30 days notice before onboarding new subprocessors
- Allow you to object to new subprocessors
- Offer alternatives if you object
8. Data Processing Agreement
What is a DPA?
A Data Processing Agreement (DPA) is a legal contract between a data controller and data processor that defines:
- Responsibilities for data protection
- Security measures
- Data breach procedures
- Subprocessor arrangements
- Audit rights
ZappWay’s DPA
We have a standardized Data Processing Agreement available for all customers. To request our DPA:
- Email: [email protected]
- Subject: “Data Processing Agreement Request”
- Include: Your company name and account email
Our DPA covers:
- Processing instructions and scope
- Data subject rights procedures
- Security measures and obligations
- Subprocessor list and terms
- Breach notification procedures
- Audit and compliance terms
- International data transfer provisions
- Termination and data return procedures
Important: ❗ We cannot modify or sign custom DPAs. Instead, we’ve put significant effort into creating a standardized DPA that aligns with GDPR and LGPD regulations and protects all parties involved. Our standard DPA meets the requirements of both GDPR Article 28 and LGPD Article 41.
Why we use a standard DPA:
- Consistency: Same protections for all customers
- Compliance: Reviewed by legal experts for GDPR/LGPD compliance
- Efficiency: Fast turnaround without lengthy negotiations
- Updates: Easy to update for regulatory changes
- Scalability: Allows us to serve customers effectively
Alternative Options
If our standard DPA doesn’t meet your needs:
- Enterprise plans: May have more flexibility (contact [email protected])
- Self-hosting: Consider our self-hosted option for full control
- Hybrid approach: Use ZappWay for non-sensitive data only
📞 Support & Resources
Questions About Compliance?
Data Protection Contact:
- Email: [email protected]
- Subject: “GDPR/LGPD Question”
- Response time: 2-3 business days
General Support:
- Email: [email protected]
- Live chat: Available in dashboard
- Documentation: Help Center
Additional Resources
- GDPR Resources
- LGPD Resources
- ZappWay Resources
Report a Data Breach
If you discover a potential data breach involving ZappWay:
Immediate action:
- Email: [email protected] with subject “SECURITY BREACH”
- Include: Description, affected data, estimated impact
- We will respond within 24 hours
Our response process:
- Acknowledge and investigate (within 24 hours)
- Contain and remediate the breach
- Assess risk to data subjects
- Notify authorities if required (within 72 hours for GDPR)
- Notify affected users if high risk
- Provide detailed incident report
✅ Quick Compliance Checklist
For AI Employee Creators (Data Controllers)
- Add privacy notice to forms collecting personal data
- Define data retention periods
- Document legal basis for data processing
- Have process for handling data subject requests
- Review and update privacy policies regularly
- Train team on GDPR/LGPD requirements
- Implement data breach response plan
- Request ZappWay’s DPA if needed
- Keep records of processing activities
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
For ZappWay Users (Data Subjects)
- Review ZappWay’s privacy policy
- Understand what data is collected
- Know your rights (access, deletion, portability, etc.)
- Update privacy preferences in account settings
- Know how to export your data
- Know how to delete your account
- Contact [email protected] for data requests
- Report concerns to supervisory authorities if needed
Last Updated: January 2025
Version: 1.0
Regulatory Compliance: GDPR (EU Regulation 2016/679) & LGPD (Lei 13.709/2018)

