XamarPT

Privacy Policy

Version 1.0 · Effective 2026-05-06

1. Who we are

This Policy describes how Xamar processes personal data. The service is operated by RASU TECNOLOGIA LTDA, registered under Brazilian Corporate Tax ID (CNPJ) 62.121.803/0001-51, headquartered at Av. Paulista, nº 1471, conj. 1110, Bela Vista, São Paulo/SP, Brasil ("RASU", "we").

Xamar is a multi-tenant SaaS that connects Brazilian companies to the official WhatsApp Business API operated by Meta Platforms, Inc. ("Meta") via Meta Cloud API.

For purposes of this Policy, we are Controllers of personal data of our direct customers (Xamar account administrators) and Processors of data handled on behalf of those customers (including data of their end-users who receive or send WhatsApp messages).

2. Data Protection Officer (DPO)

In accordance with Article 41 of the Brazilian General Data Protection Law (LGPD), our official DPO channel is dpo@xamar.com.br.

3. Data we collect

3.1. Customer registration

  • Full name of legal representative and admin users
  • Business e-mail address
  • Phone number
  • Company tax ID (CNPJ) and corporate name
  • Billing address
  • Password (stored using bcrypt hashing)

3.2. Technical usage data

  • IP address and approximate geolocation
  • Browser type, operating system and device
  • Access, action and error logs
  • Session and security cookies (no third-party tracking cookies)

3.3. WhatsApp Business data

When the customer connects its WABA (WhatsApp Business Account) to Xamar via Meta's Embedded Signup, the following data flows through our infrastructure:

  • WABA identifiers, phone number ID and approved templates
  • Messages sent and received by the customer and its contacts
  • Attached media (image, audio, video, documents)
  • Conversation metadata (timestamps, delivery/read status)
  • Phone numbers of the customer's contacts

Important: Meta is the primary controller of message data exchanged via WhatsApp. We act as processors of such data on behalf of the customer.

3.4. Payment data

Payments are processed by Stripe, Inc. We do not store full credit-card numbers — only tokens and the last 4 digits for visual identification.

4. Legal bases (LGPD Art. 7 / GDPR Art. 6)

  • Performance of contract — to deliver the contracted service (signup, message processing, billing).
  • Legal obligation — issuance of invoices, log retention as required by regulation.
  • Legitimate interest — platform security, fraud prevention, aggregated anonymous analytics.
  • Consent — marketing communications, when applicable.

5. Sharing and subprocessors

We share personal data only with subprocessors essential to operating the service, under contracts containing data-protection clauses:

Subprocessor                Purpose                         Region
Meta Platforms, Inc.        WhatsApp Cloud API              USA
Hetzner Online GmbH         Hosting (servers)               Germany
Cloudflare, Inc.            CDN, DNS, Tunnel, WAF           USA
Stripe, Inc.                Payment processing              USA
Sendinblue SAS (Brevo)      Transactional e-mails           France (EU)
GitHub, Inc.                Code repository and CI          USA

6. International data transfers

Some subprocessors are located outside Brazil (USA, EU). Such transfers are carried out under Article 33 of the LGPD and observe adequate safeguards (standard contractual clauses, countries deemed adequate by the European Commission, or specific data subject consent when applicable).

7. Retention period

  • Registration data: during the contract term + 5 years after termination (tax obligations).
  • Technical logs: 6 months for troubleshooting; 12 months for security and access logs (Brazilian Civil Rights Framework for the Internet).
  • WhatsApp messages: while the customer account is active. After cancellation, data is deleted within 30 days, except where legal retention applies.
  • Financial data: 5 years (Brazilian accounting and tax law).

8. Data subject rights (LGPD Art. 18 / GDPR Arts. 15-22)

You have the right, upon request, to:

  • Confirm the existence of processing
  • Access your data
  • Correct incomplete, inaccurate or outdated data
  • Anonymize, block or delete unnecessary or non-compliant data
  • Port data to another provider
  • Delete data processed on the basis of consent
  • Obtain information about the entities with which your data has been shared
  • Withdraw consent
  • File a complaint with the Brazilian DPA (ANPD) or your local DPA

To exercise any right, write to privacy@xamar.com.br. We will respond within 15 days.

9. Security

We adopt technical and administrative measures including:

  • Encryption in transit (TLS 1.3) on all communications
  • Passwords stored with bcrypt hashing (cost ≥ 12)
  • Signed JWT tokens and rotatable secrets
  • Admin panel protected by Cloudflare Access (2FA)
  • Firewall (UFW) limiting exposed ports; database has no direct internet access
  • Encrypted backups in redundant storage
  • Least-privilege principle for internal access

In the event of a security incident that may pose risk to data subjects, we will notify the ANPD and the affected individuals as required by Article 48 of the LGPD.

10. Cookies

We use only strictly necessary cookies (session, CSRF protection, language preferences). We do not use advertising cookies or third-party trackers on this site.

11. Children and adolescents

Xamar is intended exclusively for legal entities and their authorized representatives over 18 years of age. We do not knowingly collect data from minors.

12. Changes to this Policy

We may update this Policy. Material changes will be communicated via e-mail or via notice in the platform dashboard at least 15 days in advance. The current version is always available at https://xamar.com.br/en/privacy.

13. Contact

Questions, requests or complaints regarding personal data processing:
privacy@xamar.com.br (general) · dpo@xamar.com.br (DPO)