Privacy Policy

Platform: SigmaAI is a multi-tenant WhatsApp AI automation platform for business communications.

Tenant: A customer (business, clinic, or organization) that uses SigmaAI to manage WhatsApp conversations.

End User: A customer of the Tenant who communicates with the Tenant's WhatsApp bot powered by SigmaAI.

Data Controller: The party that determines the purposes and means of data processing (typically the Tenant).

Data Processor: The party that processes data on behalf of the Controller (SigmaAI).

SigmaAI collects the following on behalf of Tenants:

• Conversation Text: Messages exchanged between End Users and the bot
• Metadata: Timestamps, sender/recipient IDs, conversation state, language
• Images & Media: Photos uploaded by End Users (for image triage in healthcare)
• Contact Information: Phone numbers, names, business contact details (from MCP integrations)
• Billing Data: Transaction history, subscription tier, API usage metrics

Tenant Control: Tenants determine what data is collected and retain full ownership. SigmaAI does not sell or use this data for purposes other than providing the service.

Tenant as Controller, SigmaAI as Processor: Tenants are the Data Controller. SigmaAI acts as a Data Processor and processes data only as instructed by the Tenant through the Platform.

Data Ownership: All data belongs to the Tenant. SigmaAI does not claim ownership of Tenant data and does not use it for commercial purposes beyond service delivery.

Processing Activities: Data is processed to:

• Deliver WhatsApp messages and AI responses
• Analyze conversation context and generate AI-powered replies
• Generate conversation summaries and reports
• Analyze images for triage (in healthcare use cases)
• Integrate with third-party tools (MCP servers, CRM, scheduling systems)
• Generate billing and usage analytics

Legal Basis: Data processing is necessary for the performance of the contract between the Tenant and SigmaAI.

Data Subject Rights: Tenants must provide End Users with the ability to exercise their GDPR rights:

• Right of Access: Tenants can export all data via the Portal
• Right to Erasure: Tenants can delete conversations and personal data
• Right to Rectification: Tenants can update or correct data
• Right to Data Portability: Tenants can export data in machine-readable format
• Right to Object: Tenants can disable AI processing and opt for manual mode

Data Protection Addendum: SigmaAI and Tenant agree to the EU Standard Contractual Clauses (SCCs) for lawful data transfers.

Data Transfers: Data may be transferred to non-EU countries only where SigmaAI has established adequate safeguards (SCCs, adequacy decisions).

Legal Basis: Data processing is lawful when:

• Performance of contracts (Art. 7, II)
• Legitimate interest of the Tenant (Art. 7, IX) — communication with customers
• Legal obligation (Art. 7, IV)

Tenant as Data Controller: Tenants (the business/clinic) are the Data Controller under LGPD. SigmaAI is the Data Operator.

Data Subject Rights: Tenants facilitate End Users' rights under Law 13.709:

• Right to access their personal data
• Right to correct inaccurate data
• Right to deletion (within 30 days)
• Right to transfer data to another service
• Right to know which data is processed and why

LGPD Officer Contact: For LGPD-related inquiries, Tenants should contact their local data protection officer or SigmaAI support.

SigmaAI retains data according to the following schedule:

Deletion on Termination: Upon account termination, all Tenant data is exported within 30 days and permanently deleted.

Encryption in Transit: All data transmitted to/from SigmaAI is encrypted using TLS 1.2+.

Encryption at Rest: Database records are encrypted using industry-standard AES-256 encryption.

Access Controls:

• Role-based access control (RBAC) for admin dashboard
• JWT authentication for Tenant portal access
• IP whitelisting and rate limiting for API endpoints
• Audit logging of all administrative actions

Security Audits: SigmaAI conducts regular security assessments and penetration testing. Results available upon request.

SigmaAI uses the following third-party services to deliver the Platform:

Data Processor Agreements: SigmaAI has data processing agreements with all third-party providers.

AI Context: To generate AI responses, SigmaAI sends conversation context (recent messages, customer profile, business knowledge) to AI providers.

No Model Training: SigmaAI does not use Tenant conversation data to train or fine-tune AI models. Data is used only to generate responses in real-time.

Tenant Control: Tenants can:

• Choose which AI provider powers their bot (OpenAI, Anthropic, Google, Groq, Mistral)
• Disable AI processing and switch to manual mode
• Configure which data is sent to AI models
• Request data not to be sent to specific providers

AI Limitations: AI models may generate inaccurate, incomplete, or harmful responses. Tenants are responsible for reviewing AI output before delivery to End Users.

Portal Cookies: SigmaAI uses session cookies (JWT) to authenticate Tenant Portal access. These are essential for service operation and contain no tracking data.

Third-Party Analytics: The landing page does not use third-party analytics or tracking scripts. We do not track user behavior on appai.sigmaintel.io.

Server Logs: Web server access logs are retained for 90 days for security and debugging purposes only.

Support Contact: For privacy questions, data subject rights requests, or security concerns, contact: support@sigmaintel.io

Policy Changes: SigmaAI may update this Privacy Policy at any time. Significant changes will be notified to Tenants. Continued use of the Platform indicates acceptance of changes.

Effective Date: This policy is effective March 10, 2026.