Privacy Policy
Updated on June 10, 2025
1. Who We Are
Oracia Inc. (“Oracia,” “we”) is a U.S. SaaS provider delivering AI-driven WhatsApp automation for real-estate companies. This Policy complies with the WhatsApp Business Data Processing Terms, Meta’s messaging policies, and U.S. privacy laws (CCPA/CPRA) as well as the GDPR and LGPD.
2. Data We Process
| Data Category | Source | Purpose | Retention |
|---|---|---|---|
| WhatsApp message text, media IDs, timestamps | Webhook events from Meta | Display to agents; AI reply suggestions; store history; update CRM | ≤ 30 dias¹ |
| Account data (business name, WABA ID, phone IDs) | Embedded Signup & Graph API | Provision and administer the Client account | Life of contract |
| Usage metrics (clicks, Autopilot toggles) | In-app instrumentation | Product analytics and model tuning without message text | Aggregated/anonymous after 90 days |
| User credentials (work email, Clerk.dev ID) | Sign-up form | Authentication and access control | Life of account |
| Payment data (masked card, billing ID) | Stripe | Subscription charging | Per Stripe’s PCI rules |
¹ Extended storage: only if the Client captures explicit end-user consent or has a legal obligation; consent artefacts are logged.
3. Legal Bases
Contract performance; legitimate interest (fraud prevention, security, product improvement); end-user consent for any retention beyond 30 days or for marketing templates.
4. Retention
- Cloud-API message payloads kept ≤ 30 days by default.
- Encrypted backups exclude message content beyond 30 days; configuration and billing logs roll after 90 days.
- Deletion requests executed within 30 days.
5. Data Sharing
We do not sell personal data.
Sub-processors: AWS (hosting), Together.ai (LLM), LangSmith (tracing), Stripe (billing), Clerk.dev (auth) – each bound by a DPA/SCC that forbids independent model training or analytics and enforces deletion within our retention window. The current list is published at https://oracia.ai/subprocessors; Clients will receive at least 30 days’ notice of any change.
6. Security
- TLS 1.2+ in transit, AES-256 at rest, AWS KMS key management.
- Token storage in Secrets Manager.
- SOC 2 Type II audit in progress.
7. Data Subject Rights
Access, correction, portability, deletion – requests routed via the Client and honoured within 30 days.
8. International Transfers
Data stored exclusively in AWS us-east-1 / us-west-2; EU transfers rely on SCCs.
9. Breach Notification
Any breach impacting personal data will be reported to the Client (and regulators where required) within 72 hours of discovery.
10. End-User Transparency & Opt-Out Language
Clients must disclose Oracia’s processing to their WhatsApp users.
Recommended notice snippet (may be adapted):
“We use Oracia, a U.S.-based service provider, to store and process our WhatsApp chats for up to 30 days (longer only if you consent) so that our team can serve you faster. Your messages are encrypted and are never used to train AI models outside our account. Reply STOP at any time to opt out of future messages.”
11. Policy Changes & Contact
Updates will be posted here with a new effective date; material changes require re-acceptance.
Contact: privacy@e-vnts.com | E-VNTS CO – EIN 61-2104769 Chapman Rd, Suite 208, Newark DE 19702, USA.