Privacy Policy
Last updated: December 1, 2025
GDPR/LGPD Compliance: This Privacy Policy complies with the General Data Protection Regulation (GDPR), Brazil's General Data Protection Law (LGPD - Law No. 13.709/2018), and other applicable legislation.
Zapini is committed to protecting your privacy and personal data. This policy clearly and transparently describes how we collect, use, store, and protect your information.
1. Data Controller
For purposes of this Privacy Policy and GDPR/LGPD:
Address: São Paulo, SP - Brazil
Email: contato@zapini.app
2. Data We Collect
2.1 Registration Data
Information provided directly by you:
- Full name
- Email address
- Password (stored encrypted with bcrypt)
- Phone number (for account recovery)
- Company data (company name, tax ID) - optional
- Language preference
2.2 Platform Usage Data
Information generated during service use:
- WhatsApp instance connection data (number, status)
- Sent and received message history
- Imported and managed contacts
- Campaign and scheduling settings
- Activity and audit logs
- Usage metrics (messages sent, delivery rates)
2.3 Technical Data
Information collected automatically:
- IP address
- Browser type and version
- Operating system
- Access date and time
- Pages visited
- Time spent
- Device identifiers
2.4 Payment Data
- Processed directly by Stripe and Mercado Pago
- We do not store complete credit card data
- We only keep transaction references for history
3. Processing Purposes
We use your data for the following purposes:
| Purpose | Legal Basis (GDPR/LGPD) |
|---|---|
| Create and manage your account | Contract performance (Art. 7, V) |
| Provide contracted services | Contract performance (Art. 7, V) |
| Process payments | Contract performance (Art. 7, V) |
| Send service communications | Contract performance (Art. 7, V) |
| Send marketing communications | Consent (Art. 7, I) |
| Improve our services | Legitimate interest (Art. 7, IX) |
| Ensure platform security | Legitimate interest (Art. 7, IX) |
| Comply with legal obligations | Legal compliance (Art. 7, II) |
| Exercise rights in proceedings | Exercise of rights (Art. 7, VI) |
4. Data Sharing
We do not sell your personal data. We share information only in the following situations:
4.1 Service Providers
- Hosting: Secure servers with encryption
- Payments: Stripe and Mercado Pago (PCI-DSS compliant)
- Email: Transactional email providers
- Analytics: Analytics tools (anonymized data)
All providers are contractually required to protect your data.
4.2 Legal Requirements
We may disclose data when required by:
- Court order
- Request from competent authority
- Compliance with legal obligation
4.3 Protection of Rights
To protect our rights, property, or security, as well as those of our users.
4.4 Business Transfer
In case of merger, acquisition, or sale of assets, with prior notice to users.
5. Data Security
We implement robust technical and organizational measures:
5.1 Technical Measures
- Encryption in transit: TLS 1.2/1.3 on all connections
- Encryption at rest: Sensitive data encrypted in database
- Password hashing: Bcrypt with unique salt
- Firewall: Network and application protection (WAF)
- Backups: Encrypted daily backups
- Monitoring: 24/7 intrusion detection
5.2 Organizational Measures
- Restricted access with least privilege principle
- Two-factor authentication (2FA) available
- Team security training
- Internal data protection policies
- Periodic security audits
Notice: No system is 100% secure. In case of a security incident affecting your data, we will notify you and the relevant authorities as required by law.
6. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | While account is active + 90 days |
| Message history | 12 months (or per plan) |
| Access logs | 6 months (legal requirement) |
| Payment data | 5 years (tax legislation) |
| Backups | 30 days after deletion |
After the indicated periods, data is deleted or irreversibly anonymized.
7. Your Rights (GDPR/LGPD)
According to data protection laws, you have the following rights:
Confirmation and Access
Confirm if we process your data and obtain a copy of it.
Correction
Correct incomplete, inaccurate, or outdated data.
Anonymization/Blocking
Request anonymization or blocking of unnecessary data.
Deletion
Request deletion of data processed with consent.
Portability
Receive your data in structured format.
Revocation
Revoke consent at any time.
Information
Know who we share your data with.
Opposition
Oppose processing in violation of the law.
To exercise your rights, contact us at contato@zapini.app. We will respond within 15 business days.
8. Cookies and Technologies
We use cookies and similar technologies for:
8.1 Essential Cookies
- Authentication and session
- Language preferences
- Security (CSRF protection)
8.2 Performance Cookies
- Usage analysis (Google Analytics - optional)
- Performance optimization
You can manage cookies through your browser settings. Disabling essential cookies may affect platform functionality.
9. International Transfer
Your data may be processed on servers located outside your country (United States and Europe). In these cases:
- We use providers that guarantee adequate level of protection
- We apply approved standard contractual clauses
- We ensure compliance with applicable data protection laws
10. Minors
Zapini is not intended for persons under 18 years old. We do not intentionally collect data from minors. If we identify improper collection of minor data, we will proceed with immediate deletion.
11. Changes to This Policy
We may update this Policy periodically. In case of significant changes:
- We will post a notice on the platform
- We will send an email to users
- We will update the "last updated" date
We recommend reviewing this page periodically.
12. Contact and DPO
Data Protection Officer (DPO)
In compliance with data protection laws, we have designated a Data Protection Officer:
- Name: Zapini Privacy Department
- Email: contato@zapini.app
The DPO is responsible for:
- Accepting complaints and communications from data subjects
- Receiving communications from data protection authorities
- Guiding employees on data protection practices
Other Channels
- General email: contato@zapini.app
- Form: Contact Page
Data Protection Authority
If you are not satisfied with our response, you can contact the relevant data protection authority:
- Website: www.gov.br/anpd
13. Google User Data
Zapini integrates with Google services to provide enhanced functionality for our users. This section describes how we access, use, and protect data obtained through Google APIs.
13.1 Google Data We Access
When you connect your Google account, we may access the following data based on the permissions you grant:
- Google Calendar: View and manage calendar events to enable scheduling features and appointment management through our AI assistants.
- Gmail: Read email metadata and content to enable email-based automations, and send emails on your behalf when you configure email notifications.
- Google Sheets: Read and write data to your spreadsheets for data synchronization, reporting, and automation workflows.
- Google Drive: Access files metadata to locate and interact with your Google Sheets documents.
13.2 How We Use Google Data
Google user data is used exclusively to provide the services you request:
- Calendar data is used to check availability, schedule appointments, and send meeting reminders through WhatsApp
- Gmail data is used to enable email notifications and email-based automation workflows you configure
- Google Sheets data is used for data storage, reporting, and synchronization as configured by you
- We do not use Google user data for advertising purposes or sell it to third parties
Changes to Google Data Usage
We will notify you by email and through in-app notifications before making any material changes to how your Google user data is accessed, used, or shared. You will have the opportunity to review the changes and revoke access if you do not agree with the new terms.
13.3 Revoking Google Access
You can revoke Zapini's access to your Google data at any time:
- Through your Google Account settings at myaccount.google.com/permissions
- Through the Zapini integrations settings page in your account
- By contacting our support team at contato@zapini.app
13.4 Google API Services Compliance
Zapini's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum permissions necessary to provide the services you configure, and we do not retain Google user data longer than necessary to fulfill the purposes for which it was collected.