How we process your personal data

Data Controller (for Vectorspace's own data): Vectorspace Ltda., CNPJ 19.198.267/0001-63, with registered office at Rua Fernando Silva, 190, 9th floor, Suite 912, Jardim Astro, Sorocaba/SP, CEP 18.017-158, Brazil.

Data Processor (for data processed on behalf of customers): Vectorspace acts as a processor when handling end-user data for customers who contract the platform, following documented instructions from the customer-controller.

Data Protection Officer (DPO): hello@vectorspace.digital

(a) Customer data (legal entity and representatives): name, corporate email, phone, title, CNPJ, payment data, and information required to perform the contract.

(b) End-user data from widget interactions: message content sent to the chatbot, IP address, anonymous session identifier, date and time of interactions, device/browser information (user agent), and referrer.

(c) Website visitor data: browsing data collected via first-party analytics cookies; contact forms optionally filled.

(d) Customer-collaborator data (Dashboard/Desk access): name, email, authentication credentials, access logs, and administrative activity records.

Contract performance (LGPD art. 7, V / GDPR art. 6(1)(b)): enabling the platform contracted by the customer.

Legal obligation (LGPD art. 7, II / GDPR art. 6(1)(c)): tax invoicing, bookkeeping, regulatory retention.

Legitimate interest (LGPD art. 7, IX / GDPR art. 6(1)(f)): fraud monitoring, information security, abuse prevention, aggregate analytics.

Consent (LGPD art. 7, I / GDPR art. 6(1)(a)): where applicable, for non-essential cookies and marketing communications.

(i) Provide the contracted Services to the customer;

(ii) Index and make the customer's knowledge base available for consultation via the chatbot;

(iii) Generate responses via third-party language models;

(iv) Produce aggregate usage analytics for the customer and for Vectorspace;

(v) Process payments and issue fiscal documents;

(vi) Communicate with the customer about changes, incidents, or operational aspects of the Services;

(vii) Ensure platform security and prevent fraud, abuse, and usage contrary to the Terms.

Vectorspace shares data with subprocessors essential to platform operation, all contractually bound to protection standards equivalent to those practiced by Vectorspace. Current subprocessor categories:

Language model (LLM) provider — response generation — United States.

Application hosting provider — API execution — United States.

Managed database provider — storage, authentication, and data persistence — United States.

Transactional email provider — operational email delivery — United States.

Messaging provider (for customers with the WhatsApp add-on) — message sending and receiving — United States.

Website hosting provider — site and dashboard delivery — United States.

The detailed subprocessor list, including legal name, service provided, and processing region, is available at any time upon formal request to the DPO (hello@vectorspace.digital), as required by applicable data-protection law.

Data is not sold, rented, or transferred to third parties for such third parties' marketing purposes.

Data may be transferred outside Brazil due to the use of the subprocessors listed above, all headquartered or operating in the United States. Such transfers observe LGPD art. 33 and, where applicable, GDPR safeguards (standard contractual clauses or equivalent mechanisms).

Vectorspace makes efforts to select providers with mature privacy and security programs.

Widget interaction data: retained by default while the contract is in effect, unless the customer configures shorter retention.

Accounting and tax data: retained for mandatory legal periods (typically 5 years in Brazil).

Customer data after contract termination: retained for 30 (thirty) days to allow export, after which it is irreversibly deleted, barring legal obligations to the contrary.

Security logs: retained for up to 180 (one hundred and eighty) days.

Vectorspace adopts technical and organizational measures to protect data, including: encryption in transit (TLS 1.2+), multi-tenant isolation of knowledge bases (independent vaults per project), role-based access control, federated authentication, administrative access logs, periodic backups, and documented incident-response procedures.

No system is absolutely immune to risk. In the event of a security incident with impact to personal data, we will notify data subjects and the ANPD as required by LGPD art. 48 (or the competent authority under GDPR).

Under LGPD (art. 18) and GDPR, data subjects have the right to:

(a) confirm the existence of processing;

(b) access their data;

(c) correct incomplete, inaccurate, or outdated data;

(d) request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data;

(e) request portability to another provider, where applicable;

(f) withdraw consent where consent is the legal basis used;

(g) file a complaint with ANPD (Brazil) or the competent supervisory authority (EU).

When Vectorspace acts as processor (end-user data of customers), data-subject requests will be forwarded to the customer-controller, who is responsible for deciding how to respond. Our DPO assists with technical processing of such requests.

To exercise rights: hello@vectorspace.digital. We respond within 15 (fifteen) days.

The vectorspace.digital website uses a minimum set of essential cookies (session, language preference) and, occasionally, first-party analytics cookies to understand aggregate usage patterns. No third-party advertising tracking cookies are used on the website.

The widget embedded on customer websites uses only session storage to maintain conversation context within the current tab — no cookies are set by the widget.

The Vectorspace platform is not intended for individuals under 18. Vectorspace does not knowingly collect minors' data. If we become aware otherwise, we will delete the data and notify the responsible customer.

Customers operating chatbots targeting potentially-minor audiences must independently ensure parental consent and the applicable legal safeguards.

This Policy may be updated periodically. Material changes will be communicated by email (customers) or by banner on the site (visitors) at least 30 (thirty) days in advance.

The last-updated date appears at the top of this document.

For questions about this Policy or to exercise data-subject rights:

Data Protection Officer (DPO): hello@vectorspace.digital

General contact: hello@vectorspace.digital