1. Who we are
Agendoaki ("Platform", "we", "us") is operated by Leonardo Vieira Carvalho (trade name: Agendo Aki Tecnologia LTDA), a Brazilian company registered under CNPJ 58.145.512/0001-26, digitally operated from Brazil.
For data protection inquiries, contact our Data Protection Officer (DPO) at: dpo@agendoaki.com.
2. Data we collect
We collect these categories of personal data:
• Account data: name, email, phone number, user type (client or Establishment), optional profile photo.
• Booking data: selected service, date, time, Establishment, staff member (if applicable), price, and appointment status.
• WhatsApp communication data: when an Establishment uses the official WhatsApp integration (Meta Cloud API) or the unofficial integration (Baileys), we process phone numbers, message content, timestamps, delivery status, and sending errors. These messages include confirmations, reminders, rescheduling, and cancellations.
• Payment data: processed exclusively by certified partners (Stripe, etc.); we do not store full credit card data.
• Usage data: pages visited, interactions, device/browser technical data (IP address, browser type, OS).
3. Purposes and legal bases
We process data on these legal bases:
• Contract performance: account creation, bookings, transactional communications (confirmation, reminders, changes, cancellations).
• Legitimate interests: platform security, fraud prevention, service improvement, aggregated analytics.
• Consent: marketing communications and newsletters. You may manage or withdraw consent in account settings.
• Legal obligation: tax, accounting, and regulatory compliance, responding to authorities.
When an Establishment uses WhatsApp, we act as a data processor on behalf of the Establishment (controller). The Establishment is responsible for the lawful basis for processing its clients' data.
4. Sharing and disclosure
We share personal data with:
• Partner Establishments: when you book, the Establishment receives your name, phone, email, and booking details to provide the service and contact you operationally (confirmations, delays, changes).
• Meta Platforms, Inc. (WhatsApp Cloud API): when the official integration is active, client messages are processed through Meta's Cloud API infrastructure. Meta acts as a sub-processor. Data may be processed in the United States and other jurisdictions. Meta is certified under the EU-US Data Privacy Framework. See Meta's Data Policy: https://www.facebook.com/policy.php.
• Technology vendors: hosting (Hostinger, Render, Vercel), transactional email (Brevo, formerly Sendinblue), payments (Stripe), analytics, error monitoring. All vendors are contractually bound to confidentiality and security.
• Competent authorities: when required by law or to protect rights, safety, and property.
We do not sell personal data to third parties.
Your data may be processed on servers outside your country of residence. We adopt contractual safeguards and select providers with recognized privacy certifications.
5. WhatsApp — Specific information
Agendoaki offers two WhatsApp integration modes, depending on the Establishment's choice:
• WhatsApp Official (Meta Cloud API): the Establishment connects their WhatsApp Business Account via Facebook/Meta OAuth. Messages are sent through the official Meta API and processed according to Meta's Data Policy and WhatsApp Business Platform Terms of Service.
• Unofficial WhatsApp (Baileys): the Establishment authenticates via a WhatsApp Web QR code. The session is stored encrypted in our database, and messages are sent through our real-time communication server. This mode is subject to WhatsApp's Terms of Service.
In both modes, the Establishment decides when and to whom to send messages, and is responsible for the applicable legal basis. Agendoaki acts as a data processor in this communication flow.
6. Retention and security
We retain data only as long as necessary: account data — while the account exists; booking data — up to 5 years; WhatsApp messages — up to 2 years or until a deletion request; access/error logs — up to 12 months.
Security measures: encryption in transit (TLS 1.2+) and at rest (AES-256), permission-based access control, two-factor authentication for admin access, continuous security monitoring, regular backups.
No system is risk-free. In case of a data breach posing relevant risk, we will notify authorities and data subjects as required by applicable law.
7. Your rights
Depending on your jurisdiction, you may have rights to: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. To exercise your rights, email dpo@agendoaki.com. Response time: up to 30 days or as required by law. You may lodge a complaint with your local data protection authority.
9. Third-party links
The Platform links to third-party services. This policy does not cover their data practices. See their privacy policies: Meta/WhatsApp: https://www.facebook.com/policy.php, Brevo: https://www.brevo.com/legal/privacypolicy/, Stripe: https://stripe.com/privacy, Hostinger: https://www.hostinger.com/privacy-policy, Vercel: https://vercel.com/legal/privacy-policy, Render: https://render.com/privacy.
10. Children's privacy
The Platform is not intended for children under 13. We do not knowingly collect data from children under 13 without verifiable parental consent.
11. Changes
We may update this policy. Material changes will be notified by email (where applicable) and/or a Platform notice before taking effect. Please check this page regularly.