Privacy Policy

You're trusting Verboo with data. Maybe your customers' names, their WhatsApp messages, or just your own login email. This document exists so you know what we do with that, no legalese in the way.

In 30 seconds:

• We collect the minimum needed for the platform to work.
• We do not sell data to anyone. Ever.
• Verboo does not use your conversations to train its own AI models.
• The LLMs that process messages (Anthropic, OpenAI, Google) operate in no-training mode under contract.
• You can ask for everything back, or delete everything, anytime.
• To exercise any right or ask anything: privacy@verboo.ai.

Verboo is operated by Verbeux Serviços Ltda., Brazilian CNPJ 46.214.362/0001‑86, headquartered at Rua Doutor Gilberto Studart, 55, Suite 1317, Tower 2, Cocó, Fortaleza‑CE, ZIP 60192‑105, Brazil.

In this text, "Verboo", "we" or "us" means that company. "You" is whoever uses the platform — through the dashboard, API, MCP, SDK or any channel we make available.

Three groups of data, no fancy wording:

What you give us. Name, email, phone, role, message content, uploaded files, account settings. You put it in, we read it.

What we collect automatically. IP, browser type, device IDs, access logs, chat logs, usage metrics. Standard telemetry — without it, we can't tell when something breaks.

What comes from integrations. When you connect a CRM, a spreadsheet, or WhatsApp Business, we get the data that system agrees to share with Verboo. You authorize, they send, we process.

Brazilian LGPD (Law 13.709/2018) lists legal bases — valid reasons to process personal data. The ones we use:

To fulfill the contract with you. Most of it. No data, no platform. You can't have an Assistant if we don't know your email to log in and process messages you send.

To comply with the law. Tax records, accounting, court orders. When regulation says to keep, we keep.

For legitimate interest. To detect fraud, prevent abuse, keep the platform stable and secure. Always trying to use the minimum needed.

By consent. For optional things — newsletter, analytics. You toggle it on and off.

This part trips people up, so here's a diagram:

You are the controller of your end customers' data. The clinic, the solar energy company, the e-commerce store — whoever runs the Assistant owns that conversation and decides what to collect, how long to keep, what for.

Verboo is the processor of that data. We run the infra and let the Assistant talk, but we only do what you instruct via platform configuration.

For your Verboo account's own admin data (login email, payment, settings), we are the controller — because Verboo decides how to handle that platform-usage info.

How we deal with AI is something peer companies often blur. Straight up:

Verboo does not train its own models with your data. Your conversations, your instructions, your files — none of that becomes our training material. Period.

The LLMs that power your Assistant operate in no-training mode. When a message needs inference, it goes to a provider (Anthropic, OpenAI, Google or an open model on dedicated infra). Our contracts with those providers lock training-on-content off. When we change or add a model, we keep the same standard.

What stays at the LLMs? Providers may retain logs short-term (typically 30 days) for abuse detection. After that, deletion. Per-provider details are in their own docs.

Verboo doesn't do everything in-house. We delegate technical pieces to trusted partners — they're sub-processors. They only touch data as far as needed for their service to work.

Categories and examples:

• Hosting and infra. Google Cloud Platform (Brazil/US) and server hosting providers.
• Payments. Stripe (US).
• WhatsApp Business API. Meta (US), via WhatsApp Cloud API or approved partners.
• AI Models (LLMs). Anthropic (US), OpenAI (US), Google (US) and open-source providers when applicable.
• Transactional email. Resend and similar.
• Telemetry and support. Sentry, Openreplay, Google Analytics.

When data leaves Brazil, the transfer follows standard contractual clauses and legal bases under art. 33 of LGPD (contract performance or consent, depending on the case). For the full and current list, write to privacy@verboo.ai.

Aligned with art. 46 of LGPD and ANPD best practices:

• Encryption in transit (TLS) and at rest.
• Role-based access control (RBAC) and multi-factor authentication for internal users.
• Periodic third-party penetration testing.
• Incident response plan with notification to ANPD and affected data subjects within 48 hours when the incident poses material risk.

Found a vulnerability? Send it to privacy@verboo.ai. Thanks in advance (we don't sue people for reporting in good faith).

Depends on the type of data and why it exists:

• Account and configuration data stay while your account is active.
• Conversation messages and logs stay available in the Lab for your platform's retention period and can be exported or deleted any time.
• Technical and audit logs are kept for up to 12 months to enable incident investigation.
• Tax and financial data follow the applicable legal period (usually 5 years).
• After account cancellation, you have 90 days to export. After that, we delete or anonymize, except where the law requires retention.

LGPD (art. 18) gives you a set of rights over your personal data. You can request, at any time:

• Confirmation that we process your data.
• Access to the data we hold.
• Correction of incomplete, inaccurate or outdated data.
• Anonymization, blocking or deletion of unnecessary or non-compliant data.
• Portability to another provider.
• Information about who we shared with.
• Consent withdrawal when processing is based on consent.

To exercise any of those, email privacy@verboo.ai. We respond within 15 business days.

We use strictly necessary cookies (to keep your session), performance cookies (to spot what's slow) and functional cookies (to remember preferences). You can manage them all in your browser. Blocking some cookies may break parts of the site.

The platform isn't for users under 13. If we notice we collected a child's data without proper authorization, we delete it quickly.

This Policy changes when laws change or services evolve. We notify by email or banner with 15 days' notice. The current version is always at verboo.ai/en/privacy-policy.

Data Protection Officer (DPO):

Name: Matheus Mafra
Email: privacy@verboo.ai
Address: Rua Doutor Gilberto Studart, 55, Suite 1317, Tower 2, Cocó, Fortaleza‑CE, ZIP 60192‑105, Brazil.