
Privacy Policy

Last updated: 2026-05-28

This document is published in English. A translated version is available on request to info+privacy@kuaray.tech. The English version is the legally authoritative text.

1. Who we are

"Kuaray Oka", "we", "us" refer to the operator of the Kuaray Oka service available at oka.kuaray.tech and related domains (the "Service"). For data protection purposes, Kuaray Oka acts as the controller for personal data we collect about our account holders (customers), and as processor / operator for personal data our customers collect from visitors to their landing pages through the Service.

For privacy questions, data subject requests, or to reach our privacy contact / DPO / Encarregado, write to info+privacy@kuaray.tech.

2. What we collect and why

Account data — name, email, profile picture URL, password hash (if you sign up with email + password), Google ID (if you sign in with Google), workspace slug, timezone, language preference, country of residence, billing identifiers from Stripe. We also record which version of the Terms of Service and Privacy Policy you accepted at sign-up. Legal basis: contract performance (GDPR Art. 6(1)(b); LGPD Art. 7 V). Country of residence is additionally processed on the basis of legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7 IX) to determine which legal regime applies and which billing entity should invoice you.

Business and billing profile — when you complete our onboarding wizard, we collect customer type (individual / business), legal business name, tax identifier (CNPJ, EU VAT number, EIN, or equivalent), full billing address, your role or job title, business industry, team size, the primary use you make of the Service, an optional website URL, an optional phone number, and an optional "how did you hear about us" note. Legal bases vary by field: contract performance and legal obligation (GDPR Art. 6(1)(b)+(c); LGPD Art. 7 V+II — tax and accounting law) for legal name, tax identifier, and billing address; legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7 IX) for industry, team size, use case, website, job title, and referral source, so we can tailor templates and customer support to your context. You may object at any time (see Section 6). Phone number is only stored if you provide it; we use it only for sales follow-up on the same basis of legitimate interest.

Marketing consent — if you opt in to product updates and tips at sign-up (an unticked checkbox), we record the opt-in and its timestamp. Legal basis: consent (GDPR Art. 6(1)(a); LGPD Art. 7 I). You can withdraw at any time from the account settings page; the consent receipt is preserved as evidence (CDC, 5-year window).

Content you create — landing pages, sections, booking configurations, contact lists, page settings. Legal basis: contract performance.

End-user / visitor data on your published pages — when you publish a landing page that captures leads, bookings, or WhatsApp click-throughs, the visitor's name, email, phone, any custom form fields, conversation transcripts (for the WhatsApp AI agent), and attribution parameters (UTMs, referrer, click IDs) are stored on your behalf. For this data, you (the workspace owner) are the controller; we are the processor. See our Data Processing Agreement for the legal terms of that relationship.

Inbound WhatsApp messages → CRM records — when a visitor messages a WhatsApp number connected to one of your pages, we automatically create a Contact and a Lead in your CRM (using the visitor's phone number plus a short summary of their request). The visitor's legitimate-interest basis for being in touch (they initiated the conversation) carries our processing; any further use you make of the record — including marketing sends — is your decision as the controller and requires its own lawful basis.

Marketing attribution cookies — only set after you grant marketing-cookie consent on a Kuaray Oka–hosted page. Legal basis: consent (GDPR Art. 6(1)(a); LGPD Art. 7 I). You can withdraw consent at any time.

Technical logs — IP address and request metadata are processed transiently for rate-limiting and abuse prevention. IPs are held in memory only (10 minutes maximum) and not persisted to the database. Legal basis: legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7 IX).

3. Who we share data with

We use a small number of vetted sub-processors to operate the Service. The current list — including each provider, purpose, and processing location — is maintained at /legal/subprocessors. We notify customers of changes to that list before they take effect.

We do not sell personal data. We do not share personal data with advertisers. We do not use customer or visitor content to train machine-learning models.

4. International transfers

Our infrastructure runs on Amazon Web Services in the United States (region us-east-1). If you or your end-users are in the European Economic Area, the United Kingdom, Switzerland, or Brazil, your personal data is transferred to the United States. We rely on the EU Commission's Standard Contractual Clauses (2021/914) for EU/UK/CH transfers, and on contractual safeguards with our sub-processors for LGPD transfers (Art. 33 II). Our sub-processors are certified under the EU–US Data Privacy Framework where applicable.

5. How long we keep data

Account data — for the lifetime of your account plus 30 days, after which it is permanently deleted.

Workspace content (pages, leads, contacts, bookings) — for the lifetime of your workspace. When you delete your account, your workspace and all associated visitor data are cascade-deleted from our primary database within 24 hours, and purged from encrypted backups within 30 days.

WhatsApp conversation history — retained for 12 months by default. After that, transcripts (whatsapp_conversations) are hard-deleted by an automatic nightly job. The matching CRM Lead record survives the longer 24-month lead retention window, but its free-text fields (the customer's first message + the agent's captured inquiry summary) are scrubbed at the 12-month mark so the highest-sensitivity content doesn't outlive the transcript. You can shorten the window per workspace from the dashboard settings (coming soon).

Billing records — retained for the period required by applicable tax and accounting law (typically 5–10 years).

Application logs — retained for 90 days in CloudWatch, then automatically purged.

6. Your rights

You have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • delete your data (right to erasure / direito de eliminação);
  • receive your data in a portable, machine-readable format;
  • object to or restrict processing based on legitimate interest;
  • withdraw consent for processing based on consent;
  • lodge a complaint with your supervisory authority. In Brazil that is the ANPD (anpd.gov.br). In the EU it is the authority of the member state where you live.

To exercise any of these rights, email info+privacy@kuaray.tech. We respond within 15 days for LGPD requests and within 30 days (extendable by 60 days for complex requests) for GDPR requests. Account holders can also self-delete their account via the in-product flow; this triggers the same cascade described in Section 5.

7. Security

Data in transit is encrypted with TLS 1.2+. Data at rest in our primary database, backups, and object storage is encrypted with AES-256. Passwords are hashed with bcrypt. Secrets are held in AWS Secrets Manager and accessed via narrowly scoped IAM roles. Database network access is restricted to our application containers. We will notify affected customers without undue delay (and within 72 hours where required by GDPR Art. 33) in the event of a personal-data breach affecting their data.

8. Cookies and similar technologies

We use strictly-necessary cookies to keep you signed in (Auth.js session token), remember your region (region), and forward your sign-up choices to the backend during the sign-in round-trip (kuaray-tz, kuaray-locale, kuaray-terms-ack, kuaray-privacy-ack, kuaray-country, kuaray-marketing — each 5–10 minute lifetime). We also use a short-lived banner-dismissal cookie (kuaray-profile-banner-dismissed, 7 days) to remember when you have dismissed the "complete your profile" prompt on the dashboard. These are not subject to consent.

We use one optional cookie, oka_first_touch (30-day lifetime), to record the marketing source of a visitor's first visit to a Kuaray Oka–hosted page. This is set only after you grant marketing-cookie consent. You can revoke consent at any time via the cookie banner; this will delete the cookie.

9. Children

Kuaray Oka is a B2B product for business operators. We do not knowingly create accounts for users under 18. If you believe a minor has created an account, write to info+privacy@kuaray.tech and we will delete it.

10. Changes to this policy

We may update this policy. Material changes are announced in-app and by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
