1. Who We Are and How to Contact Us
This Privacy Policy describes how Chattie collects, processes, stores, and shares personal data, in compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) and other applicable regulations.
2. Who This Policy Applies To
This Policy applies to:
- Platform Users: founders, consultants, SDRs, and commercial teams that subscribe to and use Chattie;
- Prospects/Leads: individuals whose data is imported by Users for prospecting campaigns.
Note for Leads
If you received a message sent via Chattie and wish to exercise your privacy rights (such as requesting removal of your data), please contact the company that sent the message. Chattie acts as a data processor in this relationship — the User (contracting company) is the responsible data controller. You may also contact us at privacy@trychattie.com for guidance.
3. Data We Collect
3.1 Chattie collects only the data strictly necessary to provide the service, in observance of the necessity principle set forth in Art. 6, III of the LGPD.
3.2 User data (Chattie customers)
| Category | Data |
|---|---|
| Account & registration | Full name, email, company, job title, password (cryptographic hash — never stored in plain text) |
| Billing | Name, tax ID, address — processed by an approved payment provider |
| Usage & configuration | Campaigns, agents, offers, prompts, preferences, usage history |
| | Session token of the connected account (we do not store your LinkedIn password) |
| Technical | IP address, browser, operating system, pages visited, activity logs |
3.3 Lead/Prospect data (imported by Users)
When the User imports leads for campaigns, Chattie processes the following data:
- Full name;
- LinkedIn profile URL;
- Current job title and company;
- Professional headline;
- Location;
- Profile picture (URL reference — the image is not stored directly);
- Message history exchanged during the campaign;
- Conversation status and AI qualification result.
This data is processed by Chattie as a data processor, under the instruction of the User (controller). The User is responsible for the legal basis that justifies processing.
3.4 Data we do NOT collect
- LinkedIn passwords or passwords for any third-party service;
- Full financial data (card numbers, bank details) — managed exclusively by the contracted payment processor;
- Sensitive data as defined by applicable data protection law (racial origin, health, biometrics, etc.).
4. How and Why We Use Your Data
For processing based on legitimate interest, Chattie has conducted a Legitimate Interest Assessment (LIA) confirming that the legitimate interest prevails over the rights and freedoms of the data subjects. The document is available upon request from the DPO at thiago@trychattie.com.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Service delivery | Account data, campaigns, leads | Contract performance |
| Payment processing | Billing data | Contract performance |
| Authentication & security | Email, password, IP, logs | Legitimate interest |
| AI message generation | Prompts, offer data, lead profile | Contract performance |
| Customer support | Account data, support history | Contract performance / Legitimate interest |
| Transactional communications | | Contract performance |
| Marketing communications | Email (with explicit consent at registration) | Consent |
| Product improvement (analytics) | Anonymized usage data | Legitimate interest |
| Legal obligations | Required data under applicable law | Legal obligation |
Marketing communications: consent is collected via a specific, optional checkbox at registration, separate from acceptance of the Terms of Use. Users may withdraw consent at any time by clicking the unsubscribe link in marketing emails, or by contacting hello@trychattie.com. Withdrawal does not affect prior processing.
5. Data Sharing with Third Parties
To operate, Chattie relies on infrastructure and specialized service providers. These partners access personal data only to the extent necessary for their functions and are contractually obligated to protect data in accordance with applicable law.
We do not sell, rent, or trade personal data with third parties for marketing purposes.
| Provider Category | Purpose | Data Involved |
|---|---|---|
| AI processing provider | Message generation and lead qualification | Product prompts, campaign context, lead data |
| LinkedIn integration provider | Message sending, connection requests, lead import | LinkedIn session token, campaign data |
| Payment processor | Subscription billing and receipt issuance | Billing data (name, tax ID, address) |
| Infrastructure & database provider | Platform hosting, storage, and processing | All platform data |
| Transactional email provider | Sending notifications and account confirmations | Name and email address |
| Customer support platform | In-platform support chat | Name, email, support conversation history |
6. International Data Transfers
Some of our providers operate fully or partially outside Brazil. These international transfers are conducted based on:
- Standard contractual clauses in accordance with applicable data protection regulations, established with each provider;
- Necessity for the performance of the contract with the User;
- Equivalent level of protection to the LGPD, verified for providers based in jurisdictions with compatible regulations.
All contracted providers hold certifications and policies compatible with international data protection standards.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data | For the duration of the active subscription |
| Data after cancellation | 30 days (for possible reactivation), then deleted |
| Lead data in active campaigns | For the duration of the active subscription |
| Lead data inactive for 18+ months | Anonymized or deleted, unless User expressly re-confirms |
| Lead and conversation data after account closure | 30 days after account termination |
| Billing data and tax documents | 5 years — fiscal obligation |
| Security and access logs | 12 months |
| Database backups | Up to 90 days after permanent deletion |
After the above periods, data is deleted or irreversibly anonymized.
8. Your Rights as a Data Subject
You have the right to:
| Right | How to Exercise |
|---|---|
| Confirmation and Access — know if we process your data and obtain a copy | privacy@trychattie.com |
| Correction — fix incomplete, inaccurate, or outdated data | Settings panel or privacy@trychattie.com |
| Anonymization, blocking, or deletion of unnecessary data | privacy@trychattie.com |
| Portability — receive your data in a structured format | privacy@trychattie.com |
| Deletion of consent-based data | privacy@trychattie.com |
| Withdrawal of consent | privacy@trychattie.com |
| Objection — to processing based on legitimate interest | privacy@trychattie.com |
| Review of automated decisions — request human review | privacy@trychattie.com — see Section 8-A |
| Information about data sharing | Covered in this Policy — Section 5 |
Response time: we respond to all requests within 15 (fifteen) business days. We may request identity verification before processing a request.
8-A. Automated Decisions
Chattie uses language models (AI) to make the following automated decisions about leads' personal data:
| Automated Decision | General Logic | Consequence for the Data Subject |
|---|---|---|
| Lead qualification (ICP Scoring) | The AI evaluates the lead's profile (job title, company, industry, size) against the ideal customer criteria defined by the User and assigns a qualification status (qualified / not qualified / uncertain) | The lead may be included or excluded from prospecting campaigns based on this classification |
| Message generation and sequencing | The AI drafts outreach message content based on the lead's profile, the User's offer, and the conversation history, also determining the timing and order of sending | The lead receives AI-generated personalized messages and may or may not receive certain approaches depending on conversation status |
A data subject affected by these automated decisions may request human review at any time at privacy@trychattie.com. Chattie will respond within 15 (fifteen) business days, identifying the User responsible for the campaign so the data subject may also exercise their rights directly with the data controller.
Important limitation: lead qualification and message generation are carried out under the User's (controller's) instructions. Chattie, as a processor, may direct the data subject to exercise their rights directly with the User responsible for the campaign.
9. Cookies and Tracking Technologies
| Type | Purpose | Required? | Legal Basis |
|---|---|---|---|
| Session cookies | Keep the user authenticated during platform use | Yes | Contract performance |
| Preference cookies | Save interface settings | Yes | Contract performance |
| Analytics cookies | Understand how the platform is used (aggregated, anonymized data) | No — opt-in via banner | Consent |
| Support cookies | Enable the customer support chat | No — opt-in via banner | Consent |
When accessing the Chattie website, the User will be presented with a cookie banner allowing them to accept only essential cookies or manage categories individually. The preference is stored and can be revisited at any time via the link in the site footer. Essential cookies cannot be disabled as they are necessary for platform functionality.
10. Data Security
Chattie adopts technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption in transit (TLS 1.2+) and at rest;
- Passwords stored with robust cryptographic hashing (never in plain text);
- Role-based access control (RBAC) within workspaces;
- Tenant data isolation — each account is an independent workspace;
- Infrastructure hosted on SOC 2-certified providers;
- Regular backups with controlled retention;
- Continuous monitoring of access and activity logs.
In the event of a security incident resulting in significant risk or harm to data subjects, Chattie will notify the competent data protection authority within 3 (three) business days of confirming the incident. Affected data subjects will be notified in a timeframe proportional to the severity and scope of the incident.
Chattie maintains an up-to-date Data Protection Impact Assessment (DPIA) and Incident Response Plan. No security measure is 100% foolproof.
11. Children
Chattie is a platform intended exclusively for adults for commercial purposes. We do not intentionally collect data from individuals under 18 years of age — whether Users or leads imported by Users. If we identify that data from a minor was inadvertently collected, we will delete it immediately and notify the responsible User.
12. External Links and Integrations
Chattie may contain links to external services. This Policy does not apply to those services. We recommend reading the privacy policies of each externally accessed platform, especially LinkedIn, whose policy governs the profile data processed through the platform.
13. Changes to This Policy
This Policy may be updated periodically. Material changes will be communicated by email and/or platform notification at least 15 (fifteen) days in advance. The effective date at the top of the document indicates the version in force. The complete version history is available at trychattie.com/legal/changelog and previous versions may be requested at privacy@trychattie.com.
14. Data Protection Authority
If you believe your rights have been violated and have not obtained adequate resolution through our channels, you may contact the relevant data protection authority in your jurisdiction. In Brazil: Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.