Privacy Policy
Effective Date: September 15, 2025
Vambe AI, Inc., a Delaware corporation with principal offices in Texas ("Vambe," "Company," "we," "us," or "our"), is committed to protecting the privacy and personal data of our users ("User," "you," or "your") in accordance with applicable privacy laws and industry standards, including DCF-120, SOC 2, and ISO 27001 compliance frameworks. This Privacy Policy governs our data practices across all jurisdictions where we provide services, including the United States, Chile, Mexico, Colombia, and Argentina. While Vambe operates under United States law as the primary data controller, we comply with applicable local privacy laws in jurisdictions where we provide services.
1. Legal Basis and Principles for Data Processing
We collect and process your personal data in accordance with the following legal bases, which may vary by jurisdiction:
Primary legal bases (US Operations):
- Consent: Where you have voluntarily provided personal data and explicitly consented to its processing
- Contractual Necessity: To fulfill our contractual obligations and service agreements with you
- Legal Obligation: Where required by applicable law or to comply with judicial authorities
- Legitimate Interest: For internal business operations, security, fraud prevention, and service improvement
Additional bases for Latin American operations:
We may rely on additional legal bases as required by local law, including vital interests, public interest, or other bases recognized under applicable regional legislation.
Processing principles:
We adhere to the principles of lawfulness, consent, transparency, data quality, purpose limitation, proportionality, accountability, and data minimization as required by applicable privacy legislation, including the principles of prior information, express consent, and finality as required under Latin American privacy laws.
2. Categories of Personal Data Collected
Information you provide directly:
- Account Information: Full name, email address, phone number and physical address
- Profile Information: Additional information you choose to include in your user profile
- Communication Data: Information provided through support requests, surveys, feedback, and correspondence with our team
- Payment Information: Billing addresses and transaction details (processed securely through Stripe)
- Collection of personal identifiers (full name, email address, and phone number) is mandatory for all users and is required for the provision of our Services.
Information collected automatically:
- Device Information: Device type, operating system, unique device identifiers, and hardware specifications
- Log Data: IP addresses, browser type, pages viewed, time spent on the Services, referral URLs, and access times
- Usage Data: Information about your interactions with our Services, feature utilization, session data, and behavioral patterns
- Location Data: General geographic location based on IP address
Sensitive personal data, as defined by applicable law, may be collected only with your explicit consent and for specific, legitimate purposes related to service provision. We utilize cookies, web beacons, and similar tracking technologies to enhance user experience, remember preferences, and analyze service usage.
3. Purposes and Uses of Personal Data
We process your personal data for the following legitimate business purposes:
- Service Provision: To provide, maintain, and improve our AI-powered platform and related services
- Account Management: To create and manage user accounts, authenticate users, and facilitate platform access
- Communication: To respond to inquiries, provide customer support, and send service-related notifications
- Product Development: To develop new features, enhance existing functionality, and optimize user experience
- Analytics and Insights: To analyze usage patterns, generate business intelligence, and improve service performance
- Legal Compliance: To comply with applicable laws, regulations, and legal obligations
- Security and Fraud Prevention: To protect against unauthorized access, detect fraudulent activities, and ensure platform security
4. Third-Party Integrations and Data Sharing
Third-party services and data sharing:
Google Services Integration: Our Services integrate with Google Sign-In (OAuth), Google Drive, Google Calendar, and Firebase Services. We access Google user data (email addresses, user names, profile pictures, calendar data, Google Drive content) solely with your explicit consent.
Stripe Payment Processing: All payment processing is handled through Stripe, Inc. using industry-standard SSL/TLS encryption. We do not store complete payment card information.
Authorized Data Transfers: Personal data may be transferred to subsidiaries, affiliates, business partners, service providers, legal authorities when required by law, and professional advisors
Subprocessors: AWS, Supabase, OpenAI, Anthropic, Gemini, Firebase, Stripe, Meta, Pipedrive, Facto (Koywe), Railway, ClickUp
All data transfers are governed by appropriate contractual safeguards and data processing agreements.
5. Data Security and Protection Measures
We implement comprehensive safeguards to protect personal data:
Technical safeguards:
- AES-256 encryption for data in transit and at rest
- Role-based access control systems with multi-factor authentication
- Secure network protocols, firewalls, and intrusion detection systems
- Tokenization of sensitive payment information
Administrative safeguards:
- Regular privacy and security training for all personnel
- Strict need-to-know access principles and regular access reviews
- Comprehensive incident response procedures for security breaches
- Vendor management and ongoing monitoring of third-party service providers
Physical safeguards:
- Access-controlled data centers with environmental monitoring
- Secure disposal of hardware containing personal data
- Regular data backups with secure storage and tested recovery procedures
Our security program aligns with DCF-120, SOC 2 Type II, and ISO 27001 standards, with regular third-party audits.
6. Data Retention and Deletion
We retain personal data only for as long as necessary to provide our services, comply with legal requirements, resolve disputes, and enforce agreements:
Customer Account Data: Retained for the duration of the active account. When closed, data enters an "expired" state and is retained only for legitimate business purposes or until deletion is requested.
Deletion Requests: Upon approved request, personal data will be permanently deleted within seven (7) days
Backups: Database backups are retained for thirty (30) days before automatic deletion
Marketing Data: Retained until consent is withdrawn or for a maximum of three (3) years
All data deletion activities are carried out securely using industry best practices. Full Data Retention Policy: vambe.link/drp.
7. Your Privacy Rights
Universal Rights (All Jurisdictions):
Access: You may request access to your personal data and details regarding its processing
Rectification: You may request correction of inaccurate or incomplete personal data
Cancellation/Deletion: You may request deletion of your personal data when no longer necessary
Opposition: You may object to processing of your personal data for specific purposes
Additional Rights by Jurisdiction:
For Users in Mexico: You have ARCO rights (Acceso, Rectificación, Cancelación, Oposición) as established under the LFPDPPP, including the right to limit use and disclosure of your personal data
For Users in Chile: You have rights of information, access, rectification, cancellation, and opposition as provided under Law 19.628
For Users in Colombia: You have rights to know, update, rectify, and delete your personal data as established under Law 1581 of 2012
For Users in Argentina: You have rights of access, rectification, updating, and deletion as provided under the PDPA
Exercise of Privacy Rights:
To exercise your privacy rights, submit a written request to privacy@vambe.ai with the subject line "Privacy Rights Request - [Your Country]".
Response Timeframes:
Standard Response: 15 business days (to comply with the most restrictive regional requirements)
Complex Requests: Up to 30 calendar days with notification of extension
Emergency Requests: 48 hours for security-related matters
8. International Data Transfers
Primary Processing Location: All personal data is transferred to and processed in the United States, where Vambe maintains its primary infrastructure and operations.
Regional Transfer Frameworks:
Mexico: Transfers conducted under binding corporate rules and adequate security measures as required by LFPDPPP
Chile: International transfers with adequate protection levels and user consent where required
Colombia: Transfers with authorization and adequate security measures under Law 1581
Argentina: Transfers to countries with adequate protection levels or with specific safeguards under PDPA
Safeguards for All Transfers:
Standard contractual clauses adapted for Latin American requirements
Ongoing adequacy assessments of US data protection standards
Binding data processing agreements with all service providers
Regular compliance audits and security assessments
9. Regional Compliance Specifications
Mexico-Specific Provisions:
INAI Compliance: We maintain compliance with Instituto Nacional de Transparencia requirements
Sensitive Data: Additional protections for sensitive personal data as defined under LFPDPPP
Notice Requirements: Spanish-language privacy notices available upon request
Chile-Specific Provisions:
Registration: Compliance with database registration requirements where applicable
Cross-Border Transfers: Adequate protection measures for international data transfers
Consent Standards: Express consent for sensitive data processing
Colombia-Specific Provisions:
SIC Compliance: Adherence to Superintendencia de Industria y Comercio requirements
Authorization: Express and prior authorization for personal data processing
Data Retention: Compliance with Colombian data retention standards
Argentina-Specific Provisions:
AAIP Compliance: Alignment with Agencia de Acceso a la Información Pública standards
Adequate Countries: Transfers conducted under adequate protection framework
Consent Mechanisms: Clear and unambiguous consent procedures
10. Breach Notification
In the event of a personal data breach that may result in a risk to your rights and freedoms, Vambe will take immediate steps to assess, contain, and remediate the incident.
Regulatory Authorities: We will notify the appropriate supervisory authority without undue delay and, where required by law (such as under the GDPR), within seventy-two (72) hours of becoming aware of the breach.
Affected Users: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, typically within seventy-two (72) hours after confirmation of the breach.
High-Risk Breaches: In cases where the breach poses an immediate and severe risk, notification may be made sooner, generally within twenty-four (24) hours.
Regional Requirements: We comply with specific breach notification requirements in each jurisdiction, including notifying relevant local authorities or agencies where required by law.
All notifications will include information on the nature of the breach, its potential impact, measures taken or proposed to mitigate risks, and guidance on how you can protect yourself.
11. Children's Privacy
Services are not intended for children under 13 (United States). Additional protections apply for minors under 18 in Mexico, Chile, Colombia, and Argentina, with parental consent required for users under the legal age of majority.
12. Governing Law and Dispute Resolution
Primary Jurisdiction: This Privacy Policy is governed by the laws of the State of Delaware and the United States, where Vambe AI, Inc. is incorporated and maintains its principal operations.
Regional Compliance: While US law governs our operations, we comply with mandatory local privacy law requirements in each jurisdiction where we provide services. In case of conflict between US law and local mandatory provisions, local law shall prevail to the extent required. Vambe operates under Latin American data protection laws. European Union data protection laws (e.g., GDPR) do not apply.
Dispute resolution:
- Direct contact with our privacy team at privacy@vambe.ai
- Local privacy authority complaints where applicable
- Alternative dispute resolution mechanisms as provided by applicable law
13. Contact Information
Primary contact (All Jurisdictions):
- Vambe AI, Inc. - Tech Team, Growth Team (Comms & Public Affairs)
- Email: privacy@vambe.ai
- Subject Line Format: "Privacy Inquiry - [Your Country]"
Regional contact points:
For region-specific inquiries, please use the following subject line formats:
- Mexico: "México Privacy Request"
- Chile: "Chile Privacy Request"
- Colombia: "Colombia Privacy Request"
- Argentina: "Argentina Privacy Request"
Response commitment:
We respond to all privacy inquiries within 48 hours and resolve requests within applicable legal timeframes, using the most restrictive regional requirement as our global standard.