Privacy Policy

Platform: SigmaAI is a multi-tenant WhatsApp AI automation platform for business communications.

Tenant: A customer (business, clinic, or organization) that uses SigmaAI to manage WhatsApp conversations.

End User: A customer of the Tenant who communicates with the Tenant's WhatsApp bot powered by SigmaAI.

Data Controller: The party that determines the purposes and means of data processing (typically the Tenant).

Data Processor: The party that processes data on behalf of the Controller (SigmaAI).

SigmaAI collects the following on behalf of Tenants:

• Conversation Text: Messages exchanged between End Users and the bot
• Metadata: Timestamps, sender/recipient IDs, conversation state, language
• Images & Media: Photos uploaded by End Users (for image triage in healthcare)
• Contact Information: Phone numbers, names, business contact details (from MCP integrations)
• Billing Data: Transaction history, subscription tier, API usage metrics

Tenant Control: Tenants determine what data is collected and retain full ownership. SigmaAI does not sell or use this data for purposes other than providing the service.

Tenant as Controller, SigmaAI as Processor: Tenants are the Data Controller. SigmaAI acts as a Data Processor and processes data only as instructed by the Tenant through the Platform.

Data Ownership: All data belongs to the Tenant. SigmaAI does not claim ownership of Tenant data and does not use it for commercial purposes beyond service delivery.

Processing Activities: Data is processed to:

• Deliver WhatsApp messages and AI responses
• Analyze conversation context and generate AI-powered replies
• Generate conversation summaries and reports
• Analyze images for triage (in healthcare use cases)
• Integrate with third-party tools (MCP servers, CRM, scheduling systems)
• Generate billing and usage analytics

Legal Basis for Processing (Art. 6):

• Consent — Art. 6(1)(a): For tracking cookies (Meta Pixel) and optional marketing communications
• Contract Performance — Art. 6(1)(b): For delivering the SigmaAI service to Tenants and processing End User messages
• Legitimate Interest — Art. 6(1)(f): For security monitoring, fraud prevention, and service improvement
• Legal Obligation — Art. 6(1)(c): For tax records, billing compliance, and regulatory requirements

Data Subject Rights: If you are located in the EU, EEA, or UK, you have the following rights under GDPR:

• Right of Access (Art. 15): Request a copy of your personal data
• Right to Rectification (Art. 16): Correct inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data
• Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interest, including profiling
• Rights Related to Automated Decision-Making (Art. 22): See "AI Processing & Automated Decisions" below

To exercise your rights, contact dpo@sigmaintel.io. We will respond within 30 days (extendable by 60 days for complex requests).

Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority in your EU/EEA member state of residence, place of work, or where the alleged infringement occurred.

Data Protection Officer: For GDPR-related inquiries, contact our DPO at dpo@sigmaintel.io.

Data Processing Location: Platform data is stored on servers located in Germany (EU). Conversation data may be transferred to the United States for AI processing (OpenAI, Anthropic, Google).

International Data Transfers: Transfers to the United States are governed by EU Standard Contractual Clauses (SCCs) and supplementary technical measures (TLS 1.2+ in transit, AES-256 at rest). We rely on the EU-US Data Privacy Framework where applicable.

Data Breach Notification: In the event of a personal data breach, SigmaAI will notify the relevant supervisory authority within 72 hours of becoming aware (Art. 33) and affected data subjects without undue delay when the breach poses a high risk to their rights (Art. 34).

Legal Basis: Data processing is lawful when:

• Consent (Art. 7, I): For tracking cookies and marketing communications
• Performance of contracts (Art. 7, V): For delivering the SigmaAI service to Tenants
• Legitimate interest (Art. 7, IX): For Tenant-to-customer communication and service improvement
• Legal obligation (Art. 7, II): For tax, billing, and regulatory compliance

Tenant as Data Controller: Tenants (the business) are the Data Controller (Controlador) under LGPD. SigmaAI is the Data Operator (Operador) and processes data only as instructed by the Tenant.

Data Subject Rights: End Users may exercise their rights under Law 13.709/2018 by contacting the Tenant or SigmaAI directly:

• Right to confirmation of data processing (Art. 18, I)
• Right to access their personal data (Art. 18, II)
• Right to correct inaccurate data (Art. 18, III)
• Right to anonymization, blocking, or deletion of unnecessary data (Art. 18, IV)
• Right to data portability (Art. 18, V)
• Right to deletion of data processed with consent (Art. 18, VI)
• Right to information about shared data and third parties (Art. 18, VII)
• Right to revoke consent (Art. 18, IX)

International Data Transfers: Conversation data may be processed by AI providers (OpenAI, Anthropic, Google) headquartered in the United States. These transfers are conducted under contractual clauses that ensure an adequate level of data protection as required by LGPD Art. 33.

Encarregado de Protecao de Dados (DPO): For LGPD-related inquiries, data subject rights requests, or complaints, contact our Data Protection Officer at: dpo@sigmaintel.io

CCPA / CPRA (California): If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

• Right to Know (Civil Code 1798.100): Request disclosure of the categories and specific pieces of personal information we collect, the sources, the business purpose, and third parties we share it with
• Right to Delete (1798.105): Request deletion of your personal information
• Right to Correct (1798.106): Request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing (1798.120): See "Sale and Sharing" disclosure below
• Right to Limit Use of Sensitive PI (1798.121): Request that we limit use of sensitive personal information to what is necessary for the service
• Right to Non-Discrimination (1798.125): We will not discriminate against you for exercising your privacy rights

Response Timeframe: We will acknowledge your request within 10 business days and respond within 45 calendar days (extendable by an additional 45 days with notice).

Sale and Sharing of Personal Information: SigmaAI does not sell personal information for monetary consideration. When cookie consent is granted, the Meta (Facebook) Pixel on our landing page may constitute "sharing" of personal information for cross-context behavioral advertising as defined by CPRA. You may opt out of this sharing by rejecting cookies via our consent banner or by clicking the "Do Not Sell or Share My Personal Information" link.

Categories of PI Collected (past 12 months):

Other US State Laws: SigmaAI respects the data privacy rights granted by state privacy laws including the Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MCDPA, and similar legislation. Residents of these states may exercise equivalent data rights by contacting support@sigmaintel.io.

Children's Privacy: SigmaAI is not directed at individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

SigmaAI retains data according to the following schedule:

Deletion on Termination: Upon account termination, all Tenant data is exported within 30 days and permanently deleted.

Encryption in Transit: All data transmitted to/from SigmaAI is encrypted using TLS 1.2+.

Encryption at Rest: Database records are encrypted using industry-standard AES-256 encryption.

Access Controls:

• Role-based access control (RBAC) for admin dashboard
• JWT authentication for Tenant portal access
• IP whitelisting and rate limiting for API endpoints
• Audit logging of all administrative actions

Security Audits: SigmaAI conducts regular security assessments and penetration testing. Results available upon request.

SigmaAI uses the following third-party services to deliver the Platform:

Data Processor Agreements: SigmaAI has data processing agreements with all third-party providers.

AI Context: To generate AI responses, SigmaAI sends conversation context (recent messages, customer profile, business knowledge) to AI providers.

No Model Training: SigmaAI does not use Tenant conversation data to train or fine-tune AI models. Data is used only to generate responses in real-time.

Automated Decision-Making (GDPR Art. 22): SigmaAI uses AI to automatically generate responses to End User messages. This constitutes automated processing. Important safeguards:

• AI responses are generated based on the Tenant's knowledge base and configuration — not independent profiling of End Users
• No decisions with legal or similarly significant effects (credit, employment, insurance) are made by the AI
• Tenants can configure human review for all AI responses before delivery
• End Users can request human intervention by asking to speak with a person at any time, which triggers handoff to the Tenant

Tenant Control: Tenants can:

• Choose which AI provider powers their bot (OpenAI, Anthropic, Google, Groq, Mistral)
• Disable AI processing and switch to manual mode
• Configure which data is sent to AI models
• Request data not to be sent to specific providers

AI Limitations: AI models may generate inaccurate, incomplete, or harmful responses. Tenants are responsible for reviewing AI output before delivery to End Users.

Portal Cookies: SigmaAI uses session cookies (JWT) to authenticate Tenant Portal access. These are essential for service operation and contain no tracking data.

Cookie Consent: Non-essential tracking cookies are loaded only after you provide explicit consent via the cookie banner on our website, in compliance with LGPD Art. 7, I and GDPR Art. 6(1)(a).

Third-Party Analytics: When consent is given, the landing page uses the following tracking tools:

You can withdraw consent at any time by clearing your browser cookies or local storage and revisiting the site.

Server Logs: Web server access logs are retained for 90 days for security and debugging purposes only.

Contact Information:

• General Support: support@sigmaintel.io
• Data Protection Officer (DPO): dpo@sigmaintel.io — for privacy rights requests, GDPR/LGPD inquiries, and data breach reports

Policy Changes: SigmaAI may update this Privacy Policy. For material changes that affect how your personal data is processed, we will notify Tenants via email at least 30 days before the changes take effect. Where required by applicable law (GDPR, LGPD), we will obtain your consent before implementing material changes. Minor clarifications or corrections may be made without prior notice.

Effective Date: This policy is effective March 17, 2026.