ORACIA Privacy Policy

ORACIA (operated by E-VNTS Co., referred to as "ORACIA," "we," "us," or "our") is a software-as-a-service provider offering an AI-driven WhatsApp messaging solution for real estate professionals. Our platform enables real estate agents (our "Clients") to automate and enhance their WhatsApp conversations with their customers through an AI "autopilot" agent and smart reply suggestions.

This Privacy Policy explains how we collect, use, share, and protect personal data in the course of providing our services. It is designed to comply with WhatsApp's Business Terms and Policies, as well as applicable privacy laws in the regions we operate (including the United States of America and Brazil). We are committed to using WhatsApp Business data solely for the benefit of our Clients and in line with WhatsApp's requirements.

We process personal data on behalf of our Clients to provide the WhatsApp integration and AI services. The types of data and purposes are outlined below:

ORACIA processes personal data on the following legal bases (as applicable under relevant laws such as the LGPD in Brazil and applicable US regulations):

• Performance of Contract: Most data processing is necessary to provide our services to our Clients—for example, transmitting and displaying WhatsApp messages as part of the service the Client has signed up for, or using message content to generate the AI reply suggestions requested by the Client. We consider this a contractual necessity.
• Legitimate Interests: We may process certain data for our legitimate interests, such as ensuring the security of the service, preventing fraud or misuse, and improving our platform's features.
• Consent (for specific purposes): If we ever process personal data in a way that requires consent—for example, if a Client wishes to retain end-user chat data beyond the default retention or use WhatsApp template messages for marketing purposes—the Client is responsible for obtaining end-user consent in compliance with WhatsApp's policies and applicable law. ORACIA relies on the Client's representation that proper consent has been obtained.

We are committed to data minimization, meaning we keep personal data only for as long as necessary to fulfill the purposes outlined above or as required by law.

• WhatsApp Message Data: Stored for no more than 30 days by default, after which it is deleted or anonymized, unless an extension is justified by consent or legal necessity. This ensures ORACIA only maintains conversation history as needed for service functionality (e.g., context for AI) and quality assurance.
• Account and Configuration Data: Maintained for the duration of the Client's contract. If a Client terminates their subscription, we will delete or anonymize their account data after a grace period, unless required to retain it for legal compliance.
• Usage Logs and Metrics: Detailed logs are kept for up to 90 days for troubleshooting. After ~90 days, we either delete these logs or aggregate/anonymize them (e.g., retaining only non-identifiable statistics).
• User Credentials: Persist as long as the account is active.
• Payment Information: We do not store full payment card details. Transaction records (e.g., invoices) are kept as long as required for accounting compliance (typically 7 years for US financial records).

Deletion Protocol: When data is deleted, we ensure it is removed from production databases and request deletion from any sub-processor holding it. Backups are configured to overwrite deleted data within a reasonable cycle (e.g., 30 days). If a Client leaves our service, we ensure their WhatsApp Business Account data is removed within 30 days of termination.

We value your privacy and do not sell personal data to third parties. We will only share personal data in the following circumstances:

• With the Client (Data Controller): If you are an end-customer communicating with a real estate agent via WhatsApp, that agent (our Client) is the controller of your data. ORACIA acts as a processor. We provide the Client access to their conversation records. The Client's use of that data is governed by their own privacy policy and WhatsApp's rules.
• Authorized Sub-processors: We use a select few trusted third-party service providers to help us deliver our service. These sub-processors only process data under our instructions and are bound by Data Processing Addendums (DPAs) and confidentiality obligations. Our core sub-processors include:
  • Amazon Web Services (AWS): Hosting infrastructure (US-based).
  • Together.ai and OpenAI: Providers of LLMs for AI suggestions. Note: Data is sent to these models only to generate replies; we have agreements preventing them from using your data to train their general models.
  • Clerk.dev: Secure authentication management.
  • Stripe: Payment processing.
• Legal Compliance: We may disclose data if required by law, subpoena, or court order, or to protect our legal rights, investigate fraud, or protect user safety.
• No Independent Third-Party Sharing: ORACIA does not share personal information with advertisers or unrelated services. We do not use WhatsApp data to enrich marketing databases or for profiling outside the scope of our service.

ORACIA has implemented robust administrative and technical safeguards to protect personal data against unauthorized access, alteration, or destruction.

• Encryption: All communications (including WhatsApp messages) are encrypted in transit using TLS 1.2+. Data stored in our databases is encrypted at rest using strong standards (AES-256). We manage keys via AWS Key Management Service (KMS).
• Access Controls: Access to production systems is restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication (MFA).
• Secure Development: We utilize HTTPS, signed API calls, and verified webhooks when interacting with Meta's WhatsApp Cloud API. Our code is regularly reviewed for vulnerabilities.
• Infrastructure Security: Our servers are hosted in AWS data centers with industry-leading physical security (ISO 27001, SOC 2). We use Virtual Private Clouds (VPCs) to isolate databases.

Because our services involve a chain of relationships (ORACIA as processor, the Real Estate Agent as controller, and the End-User as consumer), we facilitate rights as follows:

• Access and Correction: End-users should primarily direct requests to the real estate business (our Client) they interacted with. However, you may also contact us at legal@oracia.co, and we will assist or forward your request to the appropriate Client.
• Deletion: You have the right to request deletion of your data. End-users or Clients may email legal@oracia.co. We will verify the request and delete relevant personal data (including WhatsApp message content) from our systems within 30 days, or sooner if required by law.
• Opt-Out of Communications: If an end-user replies "STOP" or blocks the business on WhatsApp, ORACIA's platform detects this and prevents further automated messaging to that user. We strictly enforce WhatsApp's opt-out policies.

ORACIA is based in the United States, and our primary data hosting is in US data centers (AWS us-east-1 / us-west-2). If you access our service from outside the US (e.g., Brazil), your data will be transferred to the United States.

For Individuals in Brazil (LGPD Compliance):

We ensure appropriate safeguards are in place for cross-border data transfers to countries that may not have the same level of data protection laws as Brazil. These safeguards include:

1. Standard Contractual Clauses (SCCs): We incorporate standard data protection clauses in our agreements with Clients and sub-processors to ensure the security and confidentiality of data during transfer.
2. Data Transfer Agreements: We utilize intra-group or third-party agreements that mandate compliance with LGPD principles regarding data subject rights and security measures.
3. Transparency and Consent: By using our services, you acknowledge and consent to the transfer of data to the US for the specific purposes outlined in this policy.

We continually monitor legal developments (such as adequacy decisions by the ANPD) and will adjust our transfer mechanisms as required to maintain full compliance.

In the event of a data breach, ORACIA will:

1. Promptly Assess the scope and impact of the incident.
2. Notify Clients without undue delay (within 72 hours of confirmation) if their data is compromised.
3. Notify Regulators/Individuals if required by applicable law, providing details on the nature of the breach and steps taken to mitigate it.

Note: We have had no data breaches to date and work continuously to minimize this risk.

Disclosure to End-Users: ORACIA acts as a service provider. We require our Clients to be transparent with their customers. Clients should inform end-users that a third party (ORACIA) processes their WhatsApp messages.

Compliance: Clients are contractually obligated to comply with WhatsApp's Business Messaging Policy and applicable privacy laws. Misuse of the platform (e.g., spam, harassment) will result in service suspension.

We may update this Privacy Policy to reflect changes in practices or legal requirements. Material changes will be notified to Clients via email or in-app alerts. The "Last Updated" date at the top indicates the latest revision.

If you have questions regarding this Privacy Policy, please contact us:

• Email: legal@oracia.co
• Postal Address: E-VNTS Co. (d/b/a ORACIA) – 254 Chapman Rd, Suite 208, Newark, DE 19702, USA.