1. Overview & Scope
Who we are
AZ Technology Soluções Digitais LTDA, CNPJ 27607249000116, operator of ZildaChat ("we", "our", "us"), is an AI-powered chat platform. This Privacy Policy applies to all users of our website, mobile applications, and services globally.
This Privacy Policy governs the collection, processing, storage, and transfer of personal data by ZildaChat. By using our services, you acknowledge that you have read and understood this policy.
This policy applies to:
- All visitors to our website (zildachat.ai)
- Registered users of the ZildaChat platform
- Users of our API and developer tools
- Business customers and their end users
2. Data We Collect
Account Data
- Full name
- Email address
- Password (hashed, never stored in plain text)
- Profile picture (optional)
- Account creation date
Conversation Data
- Chat messages and AI responses
- Conversation history and metadata
- Files and attachments you share
- Feedback and ratings you provide
Technical Data
- IP address (anonymized after 90 days)
- Browser type and version
- Operating system
- Device identifiers
- Session tokens (encrypted)
Usage Data
- Features accessed and frequency
- Error logs (anonymized)
- Performance metrics
- Referral source (anonymized)
⚠️ Sensitive Data
We do NOT intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or financial information.
3. Legal Basis for Processing (LGPD / GDPR)
Under the Brazilian General Data Protection Law (LGPD) and the EU General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
Consent (Art. 7, I LGPD / Art. 6(1)(a) GDPR)
For marketing communications, optional analytics, and non-essential cookies. You may withdraw consent at any time.
Contract Performance (Art. 7, V LGPD / Art. 6(1)(b) GDPR)
To provide the ZildaChat service, process your account, and deliver AI responses.
Legal Obligation (Art. 7, II LGPD / Art. 6(1)(c) GDPR)
To comply with applicable laws, court orders, and regulatory requirements.
Legitimate Interests (Art. 7, IX LGPD / Art. 6(1)(f) GDPR)
For fraud prevention, security monitoring, and service improvement.
Vital Interests (Art. 7, VI LGPD / Art. 6(1)(d) GDPR)
In emergency situations to protect life or physical safety.
4. How We Use Your Data
We use your personal data strictly for the following purposes, applying the principle of data minimization:
🚫 We NEVER:
- Sell your personal data to third parties
- Use your conversations to train AI models without explicit opt-in consent
- Share your data with advertisers or data brokers
- Use your data for automated decision-making that produces legal effects without human review
5. Data Sharing & Third Parties
We share your data only in limited, controlled circumstances. All third-party processors are bound by Data Processing Agreements (DPAs):
| Recipient | Purpose | Safeguard |
| --- | --- | --- |
| AI Infrastructure Providers | Processing AI requests | DPA + encryption in transit and at rest |
| Cloud Hosting (Supabase/AWS) | Data storage and infrastructure | SOC 2 Type II certified, data encrypted at rest (AES-256) |
| Analytics (anonymized only) | Service improvement metrics | No PII transmitted, IP anonymization enabled |
| Legal Authorities | Compliance with court orders | Only when legally required; we notify users when permitted by law |
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. When transferring data internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where the destination country provides equivalent protection
- Binding Corporate Rules (BCRs) for intra-group transfers
- ANPD-approved mechanisms for transfers from Brazil under LGPD Art. 33
7. Data Retention
8. Your Rights
Under LGPD, GDPR, and other applicable laws, you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you
Right to Rectification
Correct inaccurate or incomplete personal data
Right to Erasure
Request deletion of your personal data ("right to be forgotten")
Right to Restriction
Restrict processing of your data in certain circumstances
Right to Portability
Receive your data in a structured, machine-readable format
Right to Object
Object to processing based on legitimate interests or for direct marketing
Right vs. Automation
Not be subject to solely automated decisions with significant effects
Right to Withdraw Consent
Withdraw consent at any time without affecting prior processing
How to exercise your rights
Submit a request to privacy@zildachat.ai or through your account Settings → Privacy. We will respond within 15 days (LGPD) or 30 days (GDPR). Identity verification may be required.
9. Security Measures
We implement industry-leading security measures to protect your data:
Encryption
AES-256 at rest, TLS 1.3 in transit. All passwords hashed with bcrypt.
Access Control
Zero-trust architecture. Role-based access control (RBAC). MFA required for all staff.
Monitoring
24/7 intrusion detection, anomaly detection, and automated threat response.
Secure Development
OWASP Top 10 compliance, regular penetration testing, code security reviews.
Data Isolation
Strict tenant isolation. Your data is never mixed with other users' data.
Breach Response
Notification within 72h (GDPR) / 2 business days (LGPD) of confirmed breach.
10. Children's Privacy
Age Restriction
ZildaChat is not directed to children under the age of 13 (or 16 in the EU/EEA under GDPR). We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us at privacy@zildachat.ai.
11. California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have additional rights:
- Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
- Right to Delete: Request deletion of personal information we have collected
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do not sell data)
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit: Limit use of sensitive personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, contact us at privacy@zildachat.ai. We will verify your identity before processing requests.
12. Brazilian Residents (LGPD)
Under the Lei Geral de Proteção de Dados (LGPD), data subjects in Brazil have the following rights (Art. 18):
13. Policy Changes
We may update this Privacy Policy periodically. When we make material changes, we will:
- Notify you via email (if you have an account)
- Display a prominent notice on our website
- Update the "Last updated" date at the top of this policy
- For significant changes, request renewed consent where required by law
Continued use of our services after the effective date constitutes acceptance of the updated policy.
14. Contact & Data Protection Officer
Privacy Team
privacy@zildachat.ai
AZ Technology Soluções Digitais LTDA · CNPJ 27607249000116
Response within 15–30 days
Data Protection Officer (DPO)
dpo@zildachat.ai
LGPD Encarregado de Dados
GDPR Data Protection Officer
You also have the right to lodge a complaint with your local supervisory authority: ANPD (Brazil), ICO (UK), CNIL (France), or your national data protection authority.