Privacy Policy

Who We Are — Data Controller

This Privacy Policy applies to the use of ThairaAI (thaira.ai), an AI-powered assistant that connects to your WhatsApp, Telegram, Gmail, and Google Calendar to help you read and reply to messages, send emails, and manage your schedule. The service is operated by THAIRAHUB TECNOLOGIA DA INFORMAÇÃO LTDA, registered under CNPJ 64.477.587/0001-07, headquartered at Rua Rio Grande do Norte, 1436, Sala 813, Savassi, Belo Horizonte/MG, CEP 30130-138, Brasil ("ThairaAI", "we", "Controller").

For purposes of Brazil's General Data Protection Law (LGPD), THAIRAHUB TECNOLOGIA DA INFORMAÇÃO LTDA acts as the Controller of personal data collected and processed through the platform.

1. Policy Availability

This Privacy Policy is made available on a dedicated page in HTML format, is accessible from the homepage and from prominent locations within the application, and will be updated whenever there are relevant changes to data processing practices.

2. What Personal Data We Collect

2.1. Registration data — When you create an account we collect your full name, email address, and profile photo, whether you sign in with Google or with an email and password (authentication is handled by Firebase Authentication, a Google service).

2.2. Usage and metering data — We automatically collect your IP address, browser type, operating system, device identifiers, date and time of access, and activity logs. To operate and bill the service we also record AI usage metering: the number of requests, token counts, the model used, and the associated cost.

2.3. Communication content — When you connect a channel (WhatsApp or Telegram) or a Google account (Gmail and Google Calendar), we process the messages and calendar events necessary to generate the replies and assistance you request, and we send the emails you compose and confirm in the app — we do not read your Gmail inbox. Message and AI requests are routed through our managed gateway solely to produce the responses you ask for. This content is not used to train AI models.

2.4. Connected-account credentials — To keep your connections active, we store the OAuth access and refresh tokens for your Google account (Gmail and Calendar) and the session credentials for your messaging channels. These credentials are stored encrypted and are used only to maintain the integration you authorized.

2.5. Billing data — When you subscribe to a paid plan, Stripe processes your payment. We store order metadata (amount, plan, and date) but never your full card details.

3. Legal Bases and Purposes of Processing

We process your data based on:

• Contract execution (Art. 7, V, LGPD) — to create your account, connect your channels and accounts, generate replies and assistance, process payments, and provide support;
• Legitimate interest (Art. 7, IX, LGPD) — platform security, fraud prevention, service improvement, and metering and capping of usage;
• Legal obligation — tax record retention as required by Brazilian law;
• Consent — to connect your Google and messaging accounts, and for optional communications such as product updates and tips.

4. How We Store Personal Data

We use Google Cloud Platform (Cloud Run and Cloud SQL) hosted in the United States and Firebase (Google) for authentication. International data transfers comply with Article 33 of the LGPD. Data is protected with TLS/SSL encryption in transit and at rest.

5. Who We Share Data With

We do not sell your personal data. We may share data with:

• Google Cloud Platform — infrastructure and storage;
• Firebase (Google) — authentication;
• Stripe — payment processing;
• Messaging providers — Meta (WhatsApp) and Telegram, as the channels you choose to connect;
• AI providers — accessed through our managed gateway solely to generate the responses you request; no data is used to train AI models.

All third parties act as data processors under contractual obligations compliant with the LGPD.

WhatsApp connectivity. WhatsApp integration is provided through an unofficial, open-source WhatsApp API (based on the code-chat-br/whatsapp-api project and the Baileys library), not the official WhatsApp Business API. Your WhatsApp messages are therefore processed through a self-hosted gateway that we operate, rather than through Meta's official Business API. This software is not affiliated with or endorsed by WhatsApp LLC or Meta Platforms, Inc.

6. Automated Processing

We use your messages, the emails you compose, calendar events, and preferences to generate AI-powered replies and suggestions on your behalf. No fully automated decisions with legal effects are made about you. You remain responsible for reviewing and for any message sent through the service.

7. Data Retention and Deletion

Personal data is processed while your account is active. After account closure, data may be retained for up to 3 years per Brazilian Civil Code prescriptive periods, or longer when required by law (e.g., billing records). Disconnecting a channel or Google account revokes the related stored credentials.

You may request deletion of your data at any time by emailing agent@thairahub.com.

8. Security

Security measures include TLS/SSL encryption in transit, encrypted access tokens, restricted access controls, and continuous security monitoring.

9. Your Rights (LGPD, Art. 18)

You may request at any time via agent@thairahub.com:

• Confirmation that we process your data;
• Access to your personal data;
• Correction of incomplete or inaccurate data;
• Anonymization, blocking, or deletion of unnecessary data;
• Data portability;
• Information about third parties with whom we share data;
• Revocation of consent;
• Review of automated decisions.

We will respond within 5 business days.

10. Cookies and Analytics

We may use Google Analytics to collect anonymized information about usage trends. No names, emails, or phone numbers are collected by Google Analytics. You can opt out via your browser settings.

11. Children's Privacy

ThairaAI is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us at agent@thairahub.com.

12. Changes to This Policy

We will notify users of significant changes via the platform or email. Continued use after changes constitutes acceptance of the updated Policy.

13. Google API Services — Limited Use

ThairaAI's access to and use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect your Google account, ThairaAI requests only the scopes needed for the features you use:

• Send email on your behalf (gmail.send) — to send replies and messages you compose and confirm in the app. This permission does not allow ThairaAI to read your inbox.
• Manage your calendar (calendar) — to check availability, create the appointments you confirm, and let you select or create a dedicated booking calendar.
• Basic profile (openid, email, and profile) — to sign you in and show which account is connected.

We use Google user data only to provide and improve these user-facing features. We do not transfer or sell this data to third parties except as needed to provide the service, comply with applicable law, or as part of a merger or acquisition with prior notice. We do not use Google user data for advertising, and we do not allow humans to read your Google data unless you give affirmative consent for specific messages, it is necessary for security purposes (such as investigating abuse), or to comply with applicable law. You can disconnect your Google account at any time, which revokes the stored credentials. ThairaAI does not use Google user data to train generalized or non-personalized AI/ML models.

14. Data Protection Officer (DPO)

To exercise your rights under the LGPD, contact our Data Protection Officer: