Last Updated: September 1st, 2025
Privacy policy
This English version constitutes the legal basis for any formal inquiries regarding this Privacy Policy.
1. INTRODUCTION
Vambe AI, Inc., a Delaware corporation with principal offices in Texas ("Vambe," "Company," "we," "us," or "our"), is committed to protecting the privacy and personal data of our users ("User," "you," or "your") in accordance with applicable privacy laws and industry standards, including DCF-120, SOC 2, and ISO 27001 compliance frameworks.
This Privacy Policy governs our data practices across all jurisdictions where we provide services, including the United States, Chile, Mexico, Colombia, and Argentina. While Vambe operates under United States law as the primary data controller, we comply with applicable local privacy laws in jurisdictions where we provide services, including Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), Chile's Law 19.628, Colombia's Law 1581 of 2012, and Argentina's Personal Data Protection Act (PDPA).
2. LEGAL BASIS AND PRINCIPLES FOR DATA PROCESSING
We collect and process your personal data in accordance with the following legal bases, which may vary by jurisdiction:
Primary Legal Bases (US Operations):
- Consent: Where you have voluntarily provided personal data and explicitly consented to its processing
- Contractual Necessity: To fulfill our contractual obligations and service agreements with you
- Legal Obligation: Where required by applicable law or to comply with judicial authorities
- Legitimate Interest: For internal business operations, security, fraud prevention, and service improvement
Additional Bases for Latin American Operations: We may rely on additional legal bases as required by local law, including vital interests, public interest, or other bases recognized under applicable regional legislation.
Processing Principles: We adhere to the principles of lawfulness, consent, transparency, data quality, purpose limitation, proportionality, accountability, and data minimization as required by applicable privacy legislation, including the principles of prior information, express consent, and finality as required under Latin American privacy laws.
3. CATEGORIES OF PERSONAL DATA COLLECTED
3.1 Information You Provide Directly
- Account Information: Full name, email address, phone number, physical address, password, and authentication credentials
- Profile Information: Additional information you choose to include in your user profile
- Communication Data: Information provided through support requests, surveys, feedback, and correspondence with our team
- Payment Information: Billing addresses and transaction details (processed securely through Stripe)
3.2 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, and hardware specifications
- Log Data: IP addresses, browser type, pages viewed, time spent on the Services, referral URLs, and access times
- Usage Data: Information about your interactions with our Services, feature utilization, session data, and behavioral patterns
- Location Data: General geographic location based on IP address
3.3 Sensitive Personal Data
Sensitive personal data, as defined by applicable law, may be collected only with your explicit consent and for specific, legitimate purposes related to service provision.
3.4 Cookies and Tracking Technologies
We utilize cookies, web beacons, and similar tracking technologies to enhance user experience, remember preferences, and analyze service usage. For detailed information regarding our cookie practices, please refer to our Cookie Usage Policy.
4. PURPOSES AND USES OF PERSONAL DATA
We process your personal data for the following legitimate business purposes:
- Service Provision: To provide, maintain, and improve our AI-powered platform and related services
- Account Management: To create and manage user accounts, authenticate users, and facilitate platform access
- Communication: To respond to inquiries, provide customer support, and send service-related notifications
- Product Development: To develop new features, enhance existing functionality, and optimize user experience
- Analytics and Insights: To analyze usage patterns, generate business intelligence, and improve service performance
- Legal Compliance: To comply with applicable laws, regulations, and legal obligations
- Security and Fraud Prevention: To protect against unauthorized access, detect fraudulent activities, and ensure platform security
5. THIRD-PARTY INTEGRATIONS AND DATA SHARING
5.1 Google Services Integration
Our Services integrate with various Google services and Firebase to enhance functionality:
Google Services Utilized:
- Google Sign-In (OAuth): For user authentication and account access
- Google Drive: To enable document storage and retrieval within our platform
- Google Calendar: For scheduling integration and calendar synchronization
- Firebase Services: Including analytics, crash reporting, performance monitoring, and backend infrastructure
Google Data Accessed:
- Email addresses for authentication and service communications
- User names and profile pictures for personalized user experience
- Calendar data for scheduling integration
- Google Drive content for document management functionality
We access Google user data solely with your explicit consent and use it exclusively for the stated purposes. We do not share this data with unauthorized third parties.
5.2 Stripe Payment Processing
All payment processing is handled through Stripe, Inc. Payment card information, billing addresses, and transaction amounts are transmitted directly to Stripe using industry-standard SSL/TLS encryption. We do not store complete payment card information on our servers. Stripe processes payment data in accordance with their Privacy Policy and Terms of Service.
5.3 Authorized Data Transfers
Personal data may be transferred to the following categories of recipients:
- Related Third Parties: Subsidiaries, affiliates, and business partners for service enhancement and value proposition expansion
- Service Providers: Technical infrastructure providers, cloud storage services, and platform maintenance vendors
- Legal Authorities: Judicial authorities, regulatory bodies, and law enforcement agencies when required by applicable law
- Professional Advisors: Legal counsel, auditors, and compliance consultants as necessary for business operations
All data transfers are governed by appropriate contractual safeguards, including data processing agreements that ensure recipient compliance with applicable privacy laws and security standards.
6. DATA SECURITY AND PROTECTION MEASURES
We implement comprehensive technical, administrative, and physical safeguards to protect personal data:
Technical Safeguards:
- Encryption: AES-256 encryption for data in transit and at rest
- Access Controls: Role-based access control systems with multi-factor authentication
- Network Security: Secure network protocols, firewalls, and intrusion detection systems
- Data Tokenization: Tokenization of sensitive payment information
Administrative Safeguards:
- Employee Training: Regular privacy and security training for all personnel with data access
- Access Management: Strict need-to-know access principles and regular access reviews
- Incident Response: Comprehensive incident response procedures for security breaches
- Vendor Management: Due diligence and ongoing monitoring of third-party service providers
Physical Safeguards:
- Secure Facilities: Access-controlled data centers with environmental monitoring
- Equipment Security: Secure disposal of hardware containing personal data
- Backup and Recovery: Regular data backups with secure storage and tested recovery procedures
Compliance Standards: Our security program aligns with DCF-120, SOC 2 Type II, and ISO 27001 standards, with regular third-party audits and assessments to ensure ongoing compliance.
7. DATA RETENTION AND DELETION
We retain personal data only for as long as necessary to provide our services, comply with legal and regulatory requirements, resolve disputes, and enforce our agreements.
- Customer Account Data: Retained for the duration of the active account. When an account is closed, data enters an “expired” state and is retained only as long as necessary for legitimate business purposes (e.g., historical analysis, metrics, legal compliance) or until deletion is requested by the customer.
- Deletion Requests: Upon an approved customer request, personal data will be permanently deleted within seven (7) days.
- Backups: Database backups containing customer data are retained for thirty (30) days before automatic deletion.
- Marketing and Commercial Data: Retained until consent is withdrawn or for a maximum of three (3) years, whichever comes first.
All data deletion activities are carried out securely, using industry best practices to ensure that data cannot be reconstructed. Deletion events are logged and documented for audit purposes.
You can view the full Data Retention Policy at vambe.link/drp.
8. YOUR PRIVACY RIGHTS
8.1 Universal Rights (All Jurisdictions)
As the owner of personal data provided to Vambe, you have the following rights:
- Access: You may request access to your personal data and details regarding its processing
- Rectification: You may request correction of inaccurate or incomplete personal data
- Cancellation/Deletion: You may request deletion of your personal data when no longer necessary
- Opposition: You may object to processing of your personal data for specific purposes
8.2 Additional Rights by Jurisdiction
For Users in Mexico: You have ARCO rights (Acceso, Rectificación, Cancelación, Oposición) as established under the LFPDPPP, including the right to limit use and disclosure of your personal data.
For Users in Chile: You have rights of information, access, rectification, cancellation, and opposition as provided under Law 19.628.
For Users in Colombia: You have rights to know, update, rectify, and delete your personal data as established under Law 1581 of 2012.
For Users in Argentina: You have rights of access, rectification, updating, and deletion as provided under the PDPA.
8.3 Exercise of Privacy Rights
To exercise your privacy rights, submit a written request to privacy@vambe.ai with the subject line "Privacy Rights Request - [Your Country]".
Response Timeframes:
- Standard Response: 15 business days (to comply with the most restrictive regional requirements)
- Complex Requests: Up to 30 calendar days with notification of extension
- Emergency Requests: 48 hours for security-related matters
10. INTERNATIONAL DATA TRANSFERS
Primary Processing Location: All personal data is transferred to and processed in the United States, where Vambe maintains its primary infrastructure and operations.
Regional Transfer Frameworks:
- Mexico: Transfers conducted under binding corporate rules and adequate security measures as required by LFPDPPP
- Chile: International transfers with adequate protection levels and user consent where required
- Colombia: Transfers with authorization and adequate security measures under Law 1581
- Argentina: Transfers to countries with adequate protection levels or with specific safeguards under PDPA
Safeguards for All Transfers:
- Standard contractual clauses adapted for Latin American requirements
- Ongoing adequacy assessments of US data protection standards
- Binding data processing agreements with all service providers
- Regular compliance audits and security assessments
11. REGIONAL COMPLIANCE SPECIFICATIONS
11.1 Mexico-Specific Provisions
- INAI Compliance: We maintain compliance with Instituto Nacional de Transparencia requirements
- Sensitive Data: Additional protections for sensitive personal data as defined under LFPDPPP
- Notice Requirements: Spanish-language privacy notices available upon request
11.2 Chile-Specific Provisions
- Registration: Compliance with database registration requirements where applicable
- Cross-Border Transfers: Adequate protection measures for international data transfers
- Consent Standards: Express consent for sensitive data processing
11.3 Colombia-Specific Provisions
- SIC Compliance: Adherence to Superintendencia de Industria y Comercio requirements
- Authorization: Express and prior authorization for personal data processing
- Data Retention: Compliance with Colombian data retention standards
11.4 Argentina-Specific Provisions
- AAIP Compliance: Alignment with Agencia de Acceso a la Información Pública standards
- Adequate Countries: Transfers conducted under adequate protection framework
- Consent Mechanisms: Clear and unambiguous consent procedures
12. BREACH NOTIFICATION
In the event of a personal data breach that may result in a risk to your rights and freedoms, Vambe will take immediate steps to assess, contain, and remediate the incident.
- Regulatory Authorities: We will notify the appropriate supervisory authority without undue delay and, where required by law (such as under the GDPR), within seventy-two (72) hours of becoming aware of the breach.
- Affected Users: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, typically within seventy-two (72) hours after confirmation of the breach.
- High-Risk Breaches: In cases where the breach poses an immediate and severe risk, notification may be made sooner, generally within twenty-four (24) hours.
- Regional Requirements: We comply with specific breach notification requirements in each jurisdiction, including notifying relevant local authorities or agencies where required by law.
All notifications will include information on the nature of the breach, its potential impact, measures taken or proposed to mitigate risks, and guidance on how you can protect yourself.
13. CHILDREN'S PRIVACY
Age Requirements by Jurisdiction:
- United States: Services not intended for children under 13
- Mexico, Chile, Colombia, Argentina: Additional protections for minors under 18, with parental consent required for users under legal age of majority
14. GOVERNING LAW AND DISPUTE RESOLUTION
Primary Jurisdiction: This Privacy Policy is governed by the laws of the State of Delaware and the United States, where Vambe AI, Inc. is incorporated and maintains its principal operations.
Regional Compliance: While US law governs our operations, we comply with mandatory local privacy law requirements in each jurisdiction where we provide services. In case of conflict between US law and local mandatory provisions, local law shall prevail to the extent required.
Dispute Resolution: Disputes related to privacy matters may be resolved through:
- Direct contact with our privacy team at privacy@vambe.ai
- Local privacy authority complaints where applicable
- Alternative dispute resolution mechanisms as provided by applicable law
15. CONTACT INFORMATION
Primary Contact (All Jurisdictions):
Vambe AI, Inc.
Tech Team - Marketing Team (Comms & Public Affairs)
privacy@vambe.ai
Subject Line: "Privacy Inquiry - [Your Country]"
Regional Contact Points:
- Mexico: privacy@vambe.ai (Subject: "México Privacy Request")
- Chile: privacy@vambe.ai (Subject: "Chile Privacy Request")
- Colombia: privacy@vambe.ai (Subject: "Colombia Privacy Request")
- Argentina: privacy@vambe.ai (Subject: "Argentina Privacy Request")
Response Commitment: We respond to all privacy inquiries within 48 hours and resolve requests within applicable legal timeframes, using the most restrictive regional requirement as our global standard.
🇲🇽 MX • Av. Chapultepec 360, P.3, Cuauhtémoc, CDMX