Important: ZappWay takes your privacy seriously and is committed to protecting your personal data in compliance with GDPR (EU) and LGPD (Brazil) regulations.

🔢 Table of Contents

  1. Introduction
  2. What Data We Collect
  3. How We Use Your Data
  4. Data We Share
  5. Data Retention
  6. Your Data Protection Rights
  7. Marketing Communications
  8. Cookies
  9. International Data Transfers
  10. Security Measures
  11. Children’s Privacy
  12. Changes to This Policy
  13. Contact Information

1. Introduction

ZappWay, registered at Avenida Brigadeiro Faria Lima, 1811, Esc 1120, Jardim Paulistano, São Paulo/SP, CEP 01452-001, Brazil, takes your privacy seriously and considers it important for your personal data (hereafter “your data”) to be treated with the necessary care and confidentiality at all times. This Privacy Policy explains how our organization collects, uses, processes, and protects your personal data, and why we do so. It applies to all users of our services and visitors to our website. If you have any questions after reading this Privacy Policy, please contact us at: [email protected]

Scope of This Policy

To avoid any misunderstandings, we clarify that this Privacy Policy applies to the processing of personal data from:
  • AI Employee Creators: Persons who create and manage AI Employees using ZappWay
  • End Users/Respondents: Persons who interact with AI Employees (through forms, chats, etc.)
  • Website Visitors: Persons who visit our marketing website and landing pages

Important Distinction: Data Controller vs Data Processor

ZappWay acts in different roles depending on the data:
ZappWay as Data Controller:
  • For your account registration information
  • For billing and payment data
  • For website visitor analytics
  • For marketing communications
ZappWay as Data Processor:
  • For data collected through AI Employees you create
  • For form responses submitted to your AI Employees
  • For documents uploaded to your datastores
  • For conversations with your AI Employees
You (the AI Employee Creator) are the Data Controller for:
  • All data collected through your AI Employees
  • Form responses from end users
  • Documents you upload to datastores
  • Conversations with end users
This means you are responsible for ensuring compliance with GDPR/LGPD for data you collect through ZappWay. We provide the tools and infrastructure, but you control the purposes and means of processing.

2. What Data We Collect

Data We Collect from AI Employee Creators

When you create an account and use ZappWay services, we collect:

A. Registration Information

  • Name: First and last name
  • Email address: Used for account access and communications
  • Username: Your chosen account identifier
  • Password: Encrypted and securely stored
  • Account preferences: Settings and configurations

B. Billing Information

If you subscribe to a paid ZappWay plan:
  • Billing name and address
  • Payment method details: Credit card information (processed and stored by our payment provider Stripe, not by ZappWay directly)
  • Transaction history: Invoices, payment dates, amounts
  • Tax information: VAT numbers, tax IDs where applicable

C. AI Employee Data

  • AI Employee configurations: Names, instructions, settings
  • Datastore content: Documents and files you upload
  • Form responses: Data submitted through your AI Employees
  • Conversation logs: Interactions between your AI Employees and end users
  • Usage data: API calls, features used, performance metrics

D. Technical Data

  • IP address: For security and fraud prevention
  • Device information: Browser type, operating system, device type
  • Location data: Approximate location based on IP address
  • Session data: Login times, session duration
  • Cookies: See our Cookie Policy for details

E. Usage and Analytics Data

  • Feature usage: Which features you use and how often
  • Performance data: Load times, error rates, system performance
  • Navigation data: Pages visited, click patterns, time on page
  • Referral source: How you found ZappWay (search, ads, direct, etc.)

Data We Collect from Website Visitors

If you visit our website without registering:
  • Technical data: IP address, browser, device, operating system
  • Navigation data: Pages visited, time spent, referral source
  • Cookies: Essential and analytics cookies (with consent)
  • Form submissions: If you contact us or sign up for newsletters

Data We Collect from End Users/Respondents

When someone interacts with an AI Employee you created:
  • Response data: Information submitted through forms or chat
  • Conversation data: Messages exchanged with AI Employee
  • Metadata: Timestamp, IP address, device information
  • Interaction data: Features used, session duration
Important: For this data, YOU (the AI Employee Creator) are the data controller. ZappWay only processes this data according to your instructions. Respondents should contact you directly for any data requests.

Data We Do NOT Collect

  • Sensitive personal data: We do not intentionally collect racial/ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data
  • Children’s data: We do not knowingly collect data from children under 18 (LGPD) or 16 (GDPR)
  • Unnecessary data: We practice data minimization and only collect what’s needed

3. How We Use Your Data

ZappWay is committed to transparency. We use your data only for legitimate purposes and with appropriate legal basis. We process your data based on:
  1. Consent: You explicitly agree to data processing (e.g., marketing emails)
  2. Contract: Necessary to provide our services to you
  3. Legitimate interests: For business operations, security, and improvements
  4. Legal obligation: To comply with laws and regulations

Purposes of Data Processing

A. Service Delivery and Operation

  • Account management: Create and maintain your account
  • Service provision: Enable AI Employee functionality
  • Feature access: Provide tools like datastores, forms, integrations
  • Technical support: Troubleshoot issues and provide assistance
  • Infrastructure: Host and operate our platform
Legal basis: Contract performance, legitimate interests

B. Service Improvement and Development

  • Product development: Build new features and improve existing ones
  • Performance optimization: Enhance speed, reliability, and user experience
  • Bug fixing: Identify and resolve technical issues
  • Quality assurance: Test and validate platform functionality
  • Analytics: Understand usage patterns and user needs
Legal basis: Legitimate interests

C. Security and Fraud Prevention

  • Account security: Protect against unauthorized access
  • Fraud detection: Identify and prevent fraudulent activity
  • Abuse prevention: Monitor for terms of service violations
  • System integrity: Maintain platform security and stability
  • Threat detection: Identify and respond to security threats
Legal basis: Legitimate interests, legal obligation

D. Communication with You

  • Essential notifications: Account-related updates, security alerts
  • Product updates: New features, improvements, changes
  • Support communications: Respond to your inquiries
  • Billing notifications: Payment confirmations, invoice reminders
  • Legal notices: Terms updates, policy changes
Legal basis: Contract performance, legal obligation
  • Promotional emails: New features, offers, company news
  • Product recommendations: Relevant features or upgrades
  • Educational content: Tutorials, tips, best practices
  • Event invitations: Webinars, workshops, conferences
Legal basis: Consent (you can opt out anytime)
  • Legal requests: Respond to court orders, subpoenas
  • Regulatory compliance: Meet GDPR, LGPD, and other legal requirements
  • Dispute resolution: Address legal claims or disputes
  • Law enforcement: Cooperate with authorities when required
Legal basis: Legal obligation

What We Do NOT Do with Your Data

  • Sell your data: We never sell personal data to third parties
  • Advertising: We don’t use your data for targeted advertising
  • Unrelated purposes: We don’t use data beyond stated purposes
  • Share without consent: We don’t share data except as described in Section 4
  • Profile without consent: We don’t create detailed profiles for marketing

4. Data We Share

We value your privacy and only share data when necessary to operate our service or as required by law.

Service Providers (Subprocessors)

We share data with trusted third-party service providers who help us operate ZappWay. All subprocessors:
  • Are contractually obligated to protect your data
  • Must comply with GDPR and LGPD requirements
  • Can only process data according to our instructions
  • Are regularly audited for security and compliance
Full list of subprocessors: See our GDPR/LGPD Compliance page for a complete, up-to-date list including:
  • Cloud hosting providers (Fly.io, Cloudflare)
  • Database services (DigitalOcean, Qdrant)
  • AI/LLM providers (OpenAI, Anthropic)
  • Payment processor (Stripe)
  • Analytics (Google Analytics)
  • Email services (Mailercloud)

When We Share Your Data

A. Service Delivery
  • With cloud hosting providers to store your data
  • With AI providers to process queries and generate responses
  • With payment processors to handle billing
B. Legal Requirements
  • To comply with legal obligations, court orders, or subpoenas
  • To enforce our Terms of Service
  • To protect our rights, property, or safety
  • To investigate fraud or security issues
C. Business Transfers
  • In the event of a merger, acquisition, or sale of assets
  • Your data may be transferred to the new entity
  • You will be notified of any such change
D. With Your Consent
  • When you explicitly authorize data sharing
  • For specific integrations you enable (Zapier, Slack, etc.)

Data Shared Between AI Employee Creators and End Users

Important: When you create an AI Employee, you control what data is collected from end users. We recommend:
  • Adding a privacy notice to forms explaining data collection
  • Informing users about data processing in AI Employee responses
  • Providing contact information for data requests
  • Being transparent about data usage and retention

5. Data Retention

How Long We Keep Your Data

We retain your data only as long as necessary for the purposes outlined in this policy or as required by law.

A. Account Data (AI Employee Creators)

While your account is active:
  • All account data is retained to provide services
  • You have full control to delete data at any time
  • AI Employee data, forms, and responses remain accessible
After account deletion:
  • Account data is immediately deleted from production systems
  • Data is permanently removed from backups within 90 days
  • Some data may be retained longer if required by law (e.g., tax records for 7 years)

B. AI Employee Data (Forms, Responses, Conversations)

You control retention:
  • As the data controller, you decide how long to keep this data
  • You can delete individual responses, forms, or entire datastores
  • Deleted data is immediately removed from production
  • Permanent deletion from backups within 90 days
We recommend:
  • Defining a data retention policy for your use case
  • Regularly reviewing and deleting old data
  • Documenting your retention periods for compliance

C. Billing Data

Retention period:
  • Transaction records: 7 years (required by tax laws)
  • Payment method details: Stored by Stripe according to their retention policy
  • Invoices: Retained for accounting and tax purposes

D. Analytics and Logs

Retention period:
  • System logs: 90 days
  • Analytics data: 24 months (aggregated and anonymized)
  • Security logs: 1 year (for audit and investigation)

E. Marketing Data

Retention period:
  • Active subscribers: Until you unsubscribe
  • After unsubscribe: 30 days (to honor unsubscribe requests)
  • You can request immediate deletion by contacting us

Data Recovery

Important: Once you delete data from ZappWay:
  • It cannot be recovered from production systems
  • After 90 days, it’s permanently deleted from all backups
  • We cannot restore deleted data
  • Make sure to export any data you need before deletion

6. Your Data Protection Rights

Under GDPR (EU) and LGPD (Brazil), you have comprehensive rights regarding your personal data.

Rights for AI Employee Creators

As a registered ZappWay user, you have the following rights:

1. Right of Access

What it means: You can request a copy of all personal data we hold about you.
How to exercise:
  • Contact us at [email protected]
  • We’ll provide your data within 30 days (GDPR) or 15 days (LGPD)
  • Data will be provided in a structured, readable format

2. Right to Rectification

What it means: You can correct inaccurate or incomplete data.
How to exercise:
  • Update account details directly in Account Settings
  • For other corrections, contact [email protected]
  • We’ll update your data within 30 days

3. Right to Erasure (Right to be Forgotten)

What it means: You can request deletion of your personal data.
How to exercise:
  • Go to Account Settings → Delete Account
  • Or contact [email protected]
  • Data deleted immediately from production, removed from backups within 90 days
Limitations: We may retain data if required by:
  • Legal obligations (e.g., tax records)
  • Legitimate interests (e.g., fraud prevention)
  • Defense of legal claims

4. Right to Restrict Processing

What it means: You can request that we limit how we process your data.
How to exercise:
  • Contact [email protected]
  • We’ll store your data but not actively process it
  • Processing restrictions remain until your issue is resolved

5. Right to Data Portability

What it means: You can receive your data in a machine-readable format and transfer it to another service.
How to exercise:
  • Export AI Employee data in CSV format from your dashboard
  • Request full account data export at [email protected]
  • Data provided in JSON or CSV format

6. Right to Object

What it means: You can object to processing of your data for certain purposes.
How to exercise:
  • Contact [email protected] with your objection
  • We’ll assess and respond within 30 days
  • You can always opt out of marketing communications

7. Right to Withdraw Consent

What it means: You can withdraw consent for data processing at any time.
How to exercise:
  • Update preferences in Account Settings
  • Unsubscribe from marketing emails via unsubscribe link
  • Contact [email protected]
Note: Withdrawal doesn’t affect processing done before withdrawal.

8. Right to Lodge a Complaint

What it means: You can file a complaint with data protection authorities. Where to complain:

Rights for End Users/Respondents

If you’ve submitted data through a ZappWay AI Employee:
Important: The AI Employee Creator is responsible for your data, not ZappWay. We only process this data on their behalf.
To exercise your rights:
  1. First contact: The person or organization that created the AI Employee
  2. If unavailable: Contact us at [email protected] and we’ll help connect you with the creator
  3. We’ll assist: If the creator is unresponsive, we’ll help facilitate your request
Your rights include:
  • Access to your submitted data
  • Correction of inaccurate data
  • Deletion of your data
  • Objection to processing
  • Data portability

7. Marketing Communications

What We Send

If you register for ZappWay, we may send you:
  • Product updates: New features, improvements, releases
  • Company news: Blog posts, announcements, company updates
  • Educational content: Tutorials, best practices, tips
  • Promotional offers: Discounts, special offers, upgrades
  • Event invitations: Webinars, workshops, conferences

Your Control

You always have the right to opt out:
  • Unsubscribe link: Every marketing email includes an unsubscribe option
  • Account settings: Manage email preferences in your account
  • Contact us: Email [email protected] to opt out
Transactional emails: Even if you opt out of marketing, you’ll still receive:
  • Account security notifications
  • Billing and payment confirmations
  • Service updates affecting your account
  • Responses to your support requests
These are necessary for service operation and cannot be disabled.
We send marketing communications based on:
  • Consent: You opted in during registration or via email preferences
  • Legitimate interest: Soft opt-in (existing customer relationship)
You can withdraw consent at any time without affecting your service access.

8. Cookies

What Are Cookies?

Cookies are small text files placed on your device by websites you visit. They help websites remember your preferences and improve your experience.

How ZappWay Uses Cookies

We use cookies to:
  • Remember your login: Stay signed in across sessions
  • Maintain preferences: Language, theme, settings
  • Analytics: Understand how users interact with our platform
  • Security: Detect and prevent fraud
  • Performance: Optimize loading times and functionality

Types of Cookies We Use

A. Essential Cookies (Required)

  • Session cookies: Maintain your login session
  • Security cookies: Protect against CSRF attacks
  • Authentication: Verify your identity
  • Cannot be disabled: Required for platform functionality

B. Analytics Cookies (Optional)

  • Google Analytics: Track page views, user flows
  • Performance metrics: Load times, error rates
  • Aggregated data: Anonymized usage statistics
  • Can be disabled: Via cookie banner or browser settings

C. Preference Cookies (Optional)

  • UI preferences: Dark mode, language selection
  • Feature settings: Dashboard layout, notification preferences
  • Can be disabled: Via cookie settings
On your first visit:
  • We show a cookie banner explaining our use of cookies
  • You can accept all, reject optional, or customize settings
  • Essential cookies are always active (required for functionality)
Manage cookies:
  • Update preferences via the cookie banner
  • Change settings in your browser
  • Full details in our Cookie Policy

Third-Party Cookies

Some cookies are set by third-party services we use:
  • Google Analytics: Analytics and reporting
  • Stripe: Payment processing
  • OpenAI/Anthropic: AI functionality
These third parties have their own privacy policies governing cookie use.

9. International Data Transfers

Data Storage Locations

ZappWay operates globally with infrastructure in:
  • European Union (EU): Primary data hosting
  • Brazil: Local data processing for Brazilian users
  • United States: Some service providers (OpenAI, Stripe, etc.)

EU Data Transfers (GDPR)

When we transfer data from the EU to countries outside the EU/EEA:
Safeguards we use:
  • Standard Contractual Clauses (SCCs): EU-approved contracts with data processors
  • Adequacy decisions: Transfers to countries deemed adequate by EU Commission
  • Supplementary measures: Additional encryption and access controls
  • Data Processing Agreements: Legal contracts with all processors
US Service Providers: For transfers to the United States (OpenAI, Anthropic, Stripe):
  • We use Standard Contractual Clauses
  • Data is encrypted in transit and at rest
  • Access limited to necessary operations only
  • Regular security audits and compliance reviews

Brazilian Data Transfers (LGPD)

When we transfer data from Brazil to other countries:
Safeguards we use:
  • International transfer agreements: Compliant with ANPD requirements
  • Standard contractual clauses: Based on LGPD Article 33
  • Adequate level of protection: Assessment of destination country laws
  • User consent: When required by LGPD

Your Rights

You have the right to:
  • Be informed about international transfers
  • Object to transfers to specific countries
  • Request information about safeguards in place
Contact [email protected] for details about specific transfers.

10. Security Measures

How We Protect Your Data

ZappWay implements comprehensive security measures to protect your data from unauthorized access, loss, or misuse.

A. Technical Security

Encryption:
  • In transit: TLS 1.3 encryption for all data transmission
  • At rest: AES-256 encryption for stored data
  • Backups: Encrypted backup storage
Access controls:
  • Authentication: Secure password hashing (bcrypt)
  • Authorization: Role-based access control (RBAC)
  • Multi-factor authentication: Available for all accounts
  • API keys: Secure token-based API access
Infrastructure security:
  • Firewall protection: Network-level security
  • DDoS protection: Via Cloudflare
  • Intrusion detection: Real-time monitoring
  • Regular patching: Automated security updates

B. Organizational Security

Employee access:
  • Principle of least privilege: Staff access limited to job requirements
  • Background checks: Screening for sensitive positions
  • Confidentiality agreements: All staff sign NDAs
  • Security training: Regular awareness programs
Policies and procedures:
  • Incident response plan: Documented breach procedures
  • Data classification: Clear data handling guidelines
  • Change management: Controlled deployment processes
  • Vendor management: Third-party security assessments

C. Monitoring and Auditing

Continuous monitoring:
  • 24/7 monitoring: Automated threat detection
  • Log analysis: Security event correlation
  • Vulnerability scanning: Regular security assessments
  • Penetration testing: Annual third-party audits
Audit trails:
  • Access logs: Who accessed what and when
  • Change logs: Data modification tracking
  • Compliance audits: Regular GDPR/LGPD reviews

D. Data Breach Response

In the unlikely event of a data breach:
Our process:
  1. Detection and containment (within hours)
  2. Impact assessment (within 24 hours)
  3. Notification to authorities (within 72 hours for GDPR, reasonable timeframe for LGPD)
  4. User notification (if high risk to rights)
  5. Remediation and lessons learned
Your responsibilities:
  • Report suspected breaches immediately to [email protected]
  • Cooperate with investigation
  • Notify your users if you’re the data controller

Security Best Practices for Users

We recommend:
  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Keep software and browsers updated
  • Don’t share account credentials
  • Review account activity regularly
  • Log out from shared devices
  • Report suspicious activity immediately

11. Children’s Privacy

Age Restrictions

ZappWay services are not intended for children:
  • LGPD (Brazil): Under 18 years old
  • GDPR (EU): Under 16 years old (or lower age set by member state)
  • General: Under 13 years old (COPPA compliance)

We Do Not Knowingly Collect Children’s Data

If you’re a parent or guardian:
  • We do not knowingly collect data from children
  • If you believe a child has provided us data, contact us immediately
  • We will delete the data as soon as we verify the issue
To report:
  • Email: [email protected]
  • Subject: “Child Privacy Concern”
  • Include: Child’s information and verification of guardianship
We will:
  • Investigate within 48 hours
  • Delete all associated data
  • Block future account creation
  • Notify you of actions taken

AI Employee Creators’ Responsibilities

If you collect data through AI Employees:
  • You must ensure respondents meet minimum age requirements
  • Add age verification to forms if collecting from minors
  • Obtain parental consent where required
  • Comply with local laws regarding children’s data

12. Changes to This Policy

How We Update This Policy

We may update this Privacy Policy from time to time to reflect:
  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements
  • User feedback and best practices

Notification of Changes

For material changes:
  • We’ll notify all account holders via email
  • Notification sent at least 30 days before changes take effect
  • Material changes include: new data processing purposes, changes to data retention, new data sharing arrangements
For minor changes:
  • We’ll update this page with the new policy
  • “Last updated” date will be modified
  • We may announce changes via blog or dashboard notification

Your Acceptance

By continuing to use ZappWay after policy changes:
  • You accept the updated Privacy Policy
  • If you disagree, you can delete your account
  • Deletion must be done before the new policy takes effect

Policy Version History

Current version: 2.0
Last updated: January 2025
Previous versions: Available upon request at [email protected]

13. Contact Information

Privacy Inquiries

For questions, concerns, or requests regarding your privacy:
Email: [email protected]
Subject: “Privacy Inquiry”
Response time: Within 2-3 business days

Data Protection Officer (DPO)

For GDPR/LGPD-related inquiries:
Email: [email protected]
Subject: “Data Protection Request”
Response time: Within 2-3 business days

Security Concerns

For security issues or data breaches:
Email: [email protected]
Subject: “SECURITY ISSUE” or “DATA BREACH”
Response time: Within 24 hours

Mailing Address

ZappWay
Avenida Brigadeiro Faria Lima, 1811, Esc 1120
Jardim Paulistano
São Paulo/SP
Brasil 🇧🇷
CEP 01452-001

Office Hours

Support availability:
  • Email support: 24/7 (response within 24-48 hours)
  • Live chat: Monday-Friday, 9 AM - 6 PM BRT (Brazilian Time)
  • Emergency security issues: 24/7


Quick Reference

For AI Employee Creators

Your responsibilities:
  • You are the data controller for data collected through your AI Employees
  • Provide privacy notices to respondents
  • Handle data subject requests from respondents
  • Define data retention periods
  • Ensure GDPR/LGPD compliance for your use case
Your rights:
  • Access, rectify, delete, or export your account data
  • Object to processing or restrict processing
  • Withdraw consent for marketing
  • Lodge complaints with authorities

For End Users/Respondents

Your rights:
  • Contact the AI Employee creator for data requests
  • Contact ZappWay if creator is unavailable
  • Lodge complaints with data protection authorities
Privacy protection:
  • AI Employee creators control your data
  • ZappWay processes data on their behalf
  • Your data is protected by GDPR/LGPD

For Website Visitors

What we collect:
  • Technical data (IP, browser, device)
  • Navigation data (pages visited)
  • Cookies (with consent)
Your control:
  • Manage cookie preferences
  • Opt out of analytics
  • Contact us to delete visitor data

Last Updated: January 2025
Version: 2.0
Effective Date: January 1, 2025
Regulatory Compliance: GDPR (EU Regulation 2016/679) & LGPD (Lei 13.709/2018)