Privacy Policy

Last Updated: June 23, 2025

1. Who We Are

Oracia (operated by E-VNTS Co., referred to as “Oracia,” “we,” “us,” or “our”) is a software-as-a-service provider offering an AI-driven WhatsApp messaging solution for real estate professionals. Our platform enables real estate agents (our “Clients”) to automate and enhance their WhatsApp conversations with their customers through an AI “autopilot” agent and smart reply suggestions. This Privacy Policy explains how we collect, use, share, and protect personal data in the course of providing our services. It is designed to comply with WhatsApp’s Business terms and policies whatsapp.com, as well as applicable privacy laws in the regions we operate (including the United States of America and Brazil). We are committed to using WhatsApp Business data solely for the benefit of our Clients and in line with WhatsApp’s requirements whatsapp.com.

2. Data We Process

We process personal data on behalf of our Clients to provide the WhatsApp integration and AI services. The types of data and purposes are outlined below:

WhatsApp Message Data – Message text content, media IDs, timestamps, and related metadata
  • Source: Webhook events from Meta (WhatsApp Cloud API)
  • Purpose:
    • To display messages to the Client in our dashboard
    • To enable the AI autopilot to continue or initiate chats on the Client’s behalf (with Client’s authorization)
    • To generate AI reply suggestions for the Client
    • To maintain a short-term chat history and sync with the Client’s CRM (if applicable)
  • Retention: ≤ 30 days by default

Client Account Data – Business/agent name, WhatsApp Business Account ID (WABA ID), phone number IDs and associated account configuration details.
  • Source: Collected during WhatsApp Business onboarding (Embedded Sign-Up) and via Meta Graph API
  • Purpose:
    • To set up and administer the Client’s WhatsApp Business account integration with our platform
    • To manage sending/receiving of messages through the WhatsApp Cloud API on the Client’s behalf
  • Retention: Duration of contract (while the Client uses our service)

Usage Metrics – Interaction logs and feature usage data (e.g. number of messages sent, AI Autopilot toggle on/off events, clicks on suggested replies).
  • Source: In-app telemetry and analytics instrumentation on our platform
  • Purpose:
    • To monitor service usage and performance
    • To gather aggregate insights for service improvement
  • Retention: 90 days in identifiable form, then aggregated or anonymized. (Raw logs are rotated or deleted after ~90 days.)

User Credentials – Login information for Clients such as work email address and authentication ID (e.g. provided by our auth service, Clerk.dev).
  • Source: Provided directly by the user (Client) during sign-up
  • Purpose:
    • To authenticate and secure access to the Client’s account on Oracia
    • To authorize requests to the WhatsApp API on the Client’s behalf
  • Retention: Life of account (until the Client account is deleted)

Payment Data – Billing information such as subscription plan details, masked credit card numbers, billing ID, and transaction records.
  • Source: Provided by the Client via our payment processor (Stripe)
  • Purpose:
    • To process subscription payments and manage billing for our service
  • Retention: Not stored by Oracia

Extended storage of WhatsApp Message Data: Oracia will retain message data for longer than 30 days only if (a) the Client has obtained explicit consent from the end-user to retain their conversation data for a longer period, or (b) retention is required due to a legal obligation. In such cases, we will abide by the scope and duration of the consent or legal requirement, and we will log proof of the end-user’s consent where applicable. If the Client does not have such consent or obligation, message contents older than 30 days are purged from our systems to respect user privacy and WhatsApp’s data minimization expectations.

3. Legal Basis for Processing

Oracia processes personal data on the following legal bases (under relevant laws such as LGPD where applicable, and analogous principles in U.S. law):

  • Performance of Contract: Most data processing is necessary to provide our services to our Clients – for example, transmitting and displaying WhatsApp messages as part of the service the Client has signed up for, or using message content to generate the AI reply suggestions requested by the Client. We consider this contractual necessity when serving our Clients.
  • Legitimate Interests: We may process certain data for our legitimate interests, such as ensuring the security of the service, preventing fraud or misuse, and improving our platform’s features.
  • Consent (for specific purposes): If we ever process personal data in a way that requires consent – for example, if a Client wishes to retain end-user chat data beyond the default retention or use WhatsApp template messages for marketing purposes to users – the Client is responsible for obtaining end-user consent in compliance with WhatsApp’s policies and applicable law. Oracia will rely on the Client’s representation that proper consent has been obtained. We do not engage in any direct marketing to end-users, but if a scenario arises that isn’t covered by the above bases, we would obtain consent as required (or have our Client obtain it).

4. Data Retention

We are committed to data minimization, meaning we keep personal data only for as long as necessary to fulfill the purposes outlined above or as required by law. Below are our retention practices for each category of data:

  • WhatsApp Message Data: Stored for no more than 30 days by default, after which it is deleted or anonymized from our databases, unless an extension is justified by consent or legal necessity. This short retention window ensures that Oracia only maintains conversation history as needed for service functionality (e.g., so the AI can have context for recent chats, or to sync recent messages to a CRM) and for quality assurance, in line with WhatsApp’s expectation that data is used only to support the messaging interaction whatsapp.com.
  • Account and Configuration Data: Maintained for the duration of the Client’s contract with us. If a Client stops using Oracia (e.g., terminates their subscription), we will delete or anonymize their account data and configuration after a grace period, unless required to retain it longer for legal compliance or legitimate business records.
  • Usage Logs and Metrics: Detailed logs are kept for up to 90 days for troubleshooting and analytics. After ~90 days, we either delete these logs or aggregate/anonymize the data. For example, the number of messages sent or feature usage statistics may be retained in aggregate form (without personal identifiers) for longer to help us understand service usage over time, but individual event logs beyond 90 days are removed.
  • User Credentials: Persist for as long as the user’s account is active. If an account is deleted or inactive, we remove or anonymize login credentials. (Note: Passwords are not stored in plaintext and our authentication is handled by a secure third-party service, so we have limited personal info in this category).
  • Payment Information: We do not store full payment card details on our servers. Payment processing is handled by Stripe, which retains billing information in accordance with its legal obligations (e.g., for financial record-keeping, fraud prevention, and PCI compliance). We keep records of transactions (e.g. invoices, payment history) as long as required for accounting and compliance (typically 7 years in the U.S. for financial records), but this data generally contains minimal personal information (often just business contact info and partial card references).

When data is deleted from our systems, we ensure it is removed from production databases and request deletion from any sub-processor who was holding it on our behalf. Backups and archives are also configured not to retain deleted data beyond the retention period (for instance, any older message content in encrypted backups is rendered irretrievable after 30 days). In the event a Client leaves our service, we will ensure their WhatsApp Business Account data and any associated chat content is deleted from our systems within 30 days of contract termination (unless otherwise instructed or required) whatsapp.com.

5. Data Sharing and Disclosure

We value your privacy and do not sell personal data to third parties. We will only share personal data in the following circumstances:

  • With the Client (Data Controller): If you are an end-customer communicating with one of our Client’s real estate agents via WhatsApp, the Client (real estate agent or their agency) is the primary party that controls your data. Oracia acts as a data processor on their behalf. We provide the Client with access to their WhatsApp conversation records and related analytics in our platform. The Client’s use of that data is governed by their own agreement with you and by WhatsApp’s policies. We contractually require Clients to obtain any necessary consent for using our service with your data whatsapp.com, and to abide by privacy laws and WhatsApp rules in their use of the data.
  • Authorized Sub-processors: We use a select few trusted third-party service providers to help us deliver our service. These sub-processors only process data under our instructions and for the purposes outlined in this policy, in accordance with WhatsApp’s requirement that data may only be shared with third parties acting as service providers and bound by appropriate safeguards whatsapp.com. Our sub-processors include:
    • Amazon Web Services (AWS) – Hosting infrastructure (cloud servers and databases) located in the United States where we store and process data.
    • Together.ai and OpenAI – Providers of natural language processing models which power our AI reply suggestions and autopilot. These AI services are used in a privacy-protective way: message data is sent to these models only as needed to generate a reply, and we have agreements and technical measures to prevent these providers from using WhatsApp message data for their own purposes whatsapp.com.
    • Clerk.dev – Authentication platform for managing user sign-up and login securely.
    • Stripe – Payment processor for subscription billing; handles payment info securely and sends us billing confirmations.
    • (Additional sub-processors, if any, would be added to this policy.)

Each sub-processor is bound by a Data Processing Addendum (DPA) or equivalent contract with Oracia. These agreements include Standard Contractual Clauses where needed for international data transfers, and they forbid the sub-processor from accessing or using personal data for any purpose other than providing the service to Oracia whatsapp.com. They also require the sub-processor to implement robust security measures and to assist with data deletion requests promptly, aligning with our obligations.

  • Within Oracia (Corporate affiliates): If our company has any affiliates, parent, or subsidiary companies in the future that are involved in providing the service, we may share data with them. Any such entity will uphold the same privacy commitments as described here. (At present, Oracia/E-VNTS Co. is a single entity with no separate affiliates processing data.)
  • Legal Compliance and Protection: We may disclose data if required by law or a valid legal process (e.g., in response to a subpoena or court order), or to the extent we believe in good faith that disclosure is necessary to exercise or defend our legal rights, investigate fraud, or protect our users. We will endeavor to notify the affected Client or user unless legally prohibited.

No Independent Third-Party Sharing: Aside from the above, Oracia does not share personal information with any third-party advertisers or unrelated services. We do not use WhatsApp data to enrich marketing databases or for any kind of profiling outside the scope of our service whatsapp.com. All usage of WhatsApp Business Solution data is confined to supporting the messaging interactions between the Client and their end-users whatsapp.com. Clients will be notified in advance (e.g., 30 days’ notice) if we intend to add or change any sub-processor that handles personal data, giving them the opportunity to object or opt out if they choose.

6. Security Measures

Oracia takes data security very seriously and has implemented administrative and technical safeguards to protect personal data against unauthorized access, alteration, or destruction whatsapp.com. Our security measures include:

  • Encryption: All communications with our platform (including WhatsApp messages received from Meta’s Cloud API and delivered to our Clients’ dashboards) are encrypted in transit using TLS 1.2+ protocols. Data stored in our databases (including message content, where applicable) is encrypted at rest using strong encryption standards (AES-256). We manage encryption keys securely, leveraging AWS Key Management Service (KMS) for server-side encryption keys.
  • Access Controls: Access to production systems and data is restricted to authorized personnel on a need-to-know basis. We employ authentication, role-based access control, and rigorous permission management. Client accounts are protected by secure authentication (via Clerk.dev), and we support features like two-factor authentication where possible to prevent unauthorized account access.
  • Secure Development Practices: Our engineering follows secure coding guidelines, and we regularly review our code for security vulnerabilities. We utilize HTTPS and signed API calls when interacting with Meta’s WhatsApp Cloud API endpoints. Webhook endpoints are secured and verified (e.g., we validate that incoming messages genuinely originate from WhatsApp).
  • Infrastructure Security: Our servers are hosted in AWS data centers which have robust physical security and environmental controls. Within our cloud environment, we isolate databases and use VPC (Virtual Private Cloud) configurations to limit network access. We also keep audit logs of system access and have monitoring in place to detect suspicious activities.
  • Third-Party Security: Each sub-processor we use is vetted for strong security practices. For instance, Stripe is a PCI-DSS Level 1 certified payment processor, Clerk.dev focuses on secure identity management, and AWS has multiple security certifications (ISO 27001, SOC 2, etc.). We also sign DPAs with these providers (as mentioned) to ensure they protect the data to the high standards we require.
  • Compliance and Audits: We regularly review our compliance with LGPD, CCPA, and other applicable regulations. Employees are trained on data privacy and security, and we have internal policies to prevent any misuse of data.

We strive to apply industry best practices and continually improve our safeguards. If you have any questions about our security measures, feel free to contact us (see Contact section below).

7. Data Subject Rights

Because our services involve a chain of relationships (Oracia as a service provider, the real estate company/agent as the business client, and the end-user as the consumer), we aim to facilitate data subject rights in coordination with our Clients:

  • Access and Correction: If you are an end-user of one of our Clients (for example, a customer who has been chatting with a real estate agent via WhatsApp), you have the right to request access to the personal data we process about you and to request correction of any inaccuracies. In most cases, you should direct your request to the real estate business (our Client) that you interacted with, as they are in the best position to verify your identity and provide the information (and they can then work with us to obtain or correct the data). However, you may also contact Oracia directly at legal@oracia.co with such requests, and we will assist or forward your request to the appropriate Client when applicable. We will respond to access requests within a reasonable time frame and in accordance with applicable law.
  • Deletion: You have the right to request deletion of your personal data. As a processor, Oracia will delete WhatsApp conversation data for a given end-user either upon request by our Client or upon a direct verified request by the end-user. To request deletion of your data from our systems, you or your agent may email us at legal@oracia.co. We will verify the request as needed (for security, we may need to confirm with the Client or verify your identity) and then delete the relevant personal data within 30 days, or sooner if required by law. This deletion includes removing your WhatsApp message content from our databases and instructing our sub-processors to do the same. Keep in mind that the Client (real estate agent) may still have copies of the conversation outside of our system (e.g., on their phone or CRM) which you would need to request from them separately. Oracia’s deletion will cover data on our platform and backups.
  • Opt-Out of Communications: WhatsApp’s policies give users control – if you no longer wish to receive messages from a business via WhatsApp, simply reply “STOP” or use WhatsApp’s built-in block feature. Our Clients are obligated to respect such opt-outs whatsapp.com. Oracia’s platform will assist Clients in honoring opt-outs by, for example, not allowing the AI autopilot or any agent to message a number that has indicated they want to opt out. If you have any issues with unsubscribing, you can contact us and we will help ensure your number is no longer contacted through our service.
  • Non-Discrimination: Oracia will never discriminate or retaliate against an individual for exercising their privacy rights.

Please note that for end-users of our Clients, we may refer your request to the relevant Client when appropriate, since they are the primary controller of your data. If you contact us directly, please provide the name of the real estate agent or company you interacted with and the timeframe of your interaction, so we can identify data in our system.

For Clients (real estate agents/companies): if you have an account with Oracia, you can access and update certain information directly via our platform (e.g., your profile info, notification preferences). You can also request deletion of your account data by contacting us. Deleting your account will remove your personal data and configuration from Oracia, though we may retain minimal information as required for legal or financial record-keeping post-termination.

8. International Data Transfers

Oracia is based in the United States, and our primary data hosting is in the U.S. (AWS us-east-1 and us-west-2 data centers). If you are accessing our service from outside the U.S. (for example, our Clients in Brazil or any end-users in other countries), this means your personal data will be transferred to and stored on servers in the United States. The U.S. may not have the same level of data protection laws as your home country, but we take measures to protect your information as described in this policy.

For individuals in Brazil (under LGPD), we ensure that appropriate safeguards are in place for cross-border data transfers. These may include:

  • For Brazil, we handle data in accordance with the LGPD’s requirements for international transfer, which similarly may involve contractual protections and adherence to enforcement of data subject rights. (Brazil’s data authority has not yet issued official standard clauses at the time of this policy, but we contractually commit to LGPD principles and obtain consent for the transfer when required.)
  • We continually monitor legal developments around international data flows and will adjust our practices if needed (for example, if new frameworks or regulations come into effect).

By using our service or by engaging with our Clients (e.g., sending messages to a real estate agent who uses Oracia), you acknowledge that your personal data will be transferred to our U.S. systems for processing. We will handle that data lawfully and securely regardless of where it is processed.

9. Data Breach Notification

In the unfortunate event of a data breach, Oracia will promptly take steps to mitigate the damage and comply with notification obligations. This means:

  • Prompt Assessment: As soon as we become aware of a security incident, our team will activate our incident response plan to contain and investigate the breach. We will determine the scope of data affected.
  • Notification to Clients: If a breach involves or compromises data, we will notify the Client(s) without undue delay – within 72 hours of confirming the breach, whenever feasible.
  • Notification to Individuals and Regulators: Depending on the type of data and applicable laws, we or our Client will notify the individuals (end-users) and any required regulatory bodies.
  • Details in Notification: Our breach notifications will include information about the nature of the incident, the data involved (to the extent known), and the steps we have taken to address it. We will also provide contact information for further inquiries.

Please note, we have not had any data breaches to date. We continuously work to maintain strong security to minimize this risk.

10. Client Responsibilities and End-User Transparency

Disclosure to End-Users: Oracia acts as a service provider to businesses. We require our Clients (the real estate companies/agents using our platform) to be transparent with their customers about the use of our service in handling their WhatsApp communications. This means the Client should inform their end-users that a third-party (Oracia) may process their WhatsApp messages on the business’s behalf. For example, Clients can include a notice in their own privacy policy or user communications. We encourage our Clients to obtain any necessary opt-ins and to comply with WhatsApp’s opt-out and disclosure rules for automated messaging.

To assist our Clients, we provide recommended language they can use to explain Oracia’s involvement. For instance, a Client might disclose to their users:

“We use Oracia, a secure third-party service in our WhatsApp chats, so that I can respond to you faster and assist you in the best manner. Your messages remain end-to-end encrypted in transit via WhatsApp and are used only to service your requests. You can opt out of WhatsApp communications at any time by replying STOP, and we will honor that.”

The above is a sample for illustration; each Client is responsible for tailoring their notice. The key point is that end-users should not be surprised by the use of an AI assistant or the involvement of Oracia in the conversation. This transparency builds trust and also fulfills the “necessary notice” requirement of WhatsApp’s policies whatsapp.com.

Opt-Out Handling: As mentioned in the Data Subject Rights section, if an end-user opts out (e.g., says “STOP” or equivalent), Oracia’s platform will flag that contact and ensure no further automated messages are sent on behalf of the Client, and that the Client is aware of the opt-out. We log such opt-outs and the Client can remove or block the contact in their system. This helps ensure that our Clients comply with WhatsApp’s messaging rules on respecting user choices whatsapp.com.

Client Compliance with WhatsApp Terms: We also contractually obligate our Clients to comply with WhatsApp’s Business Solution Terms and Messaging Policy when using our service. Any misuse of our platform (such as sending unsolicited bulk messages, harassment, prohibited content, etc.) can and will result in suspension of service. This both protects user privacy and ensures we remain in good standing with WhatsApp’s terms of service.

Oracia itself is independently responsible for abiding by WhatsApp’s terms as a service provider. We strictly use WhatsApp Business APIs as intended, and all data we handle from WhatsApp is processed only for the purpose of delivering messages and related features to our Clients whatsapp.com. We do not use this data to profile WhatsApp users or for any separate analytics unrelated to messaging service whatsapp.com. Our internal policies and technical controls enforce this separation.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for any other operational reasons. If we make material changes (for example, if we start processing new categories of personal data or change how long we keep data), we will provide notice to our Clients and, where required, to end-users. Notification may occur by email, through an in-app alert, or via an update on our website. The “Last Updated” date at the top will always indicate when the latest changes were made.

If you are a Client and you object to any updates, you may cease using our service or discuss concerns with us. For end-users, material changes that require your consent will be communicated through the relevant Client (your relationship is primarily with the real estate company). We encourage anyone reading this policy to review it periodically to stay informed about how we protect your information.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please contact us:

Email: legal@oracia.co

Postal Address: E-VNTS Co. (d/b/a Oracia) – 254 Chapman Rd, Suite 208, Newark, DE 19702, USA.