
Legal

Legal Definitions

Read our policies carefully to understand how we protect your data and define the use of our services.

Privacy Policy

Last Updated: February 23, 2026

CHAUFFEUR (“Chauffeur,” “we,” “us,” or “our”) operates the Chauffeur platform — an AI-powered WhatsApp automation agent for beauty businesses — accessible at chauffeurapp.io (the “Service”).

This Privacy Policy (“Policy”) describes how we collect, use, store, share, and protect the personal data of individuals who access our website and/or use the Service (“you” or “User”). It applies to all direct and indirect users of the Service, regardless of geographic location.

By accessing our website and/or using the Service, you declare that you have read, understood, and agreed to all the terms of this Policy. If you do not agree with any provision herein, you must discontinue use of the Service immediately.

This Policy was drafted in accordance with the following regulatory frameworks:

  • LGPD — Lei Geral de Proteção de Dados (Brazil, Law 13.709/2018)
  • GDPR — General Data Protection Regulation (EU 2016/679)
  • ISO/IEC 27001 — Information Security Management Systems
  • NIST SP 800-53 — Security and Privacy Controls for Information Systems
  • CIS Controls v8 — Center for Internet Security Best Practices

Should you require any additional clarification regarding this Policy, please contact us at: support@chauffeurapp.io

1. Definitions

For the purposes of this Policy, the following terms shall have the meanings set forth below, regardless of whether used in the singular or plural:

“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to name, email address, IP address, phone number, and payment information.

“Processing” means any operation or set of operations performed on personal data, including collection, recording, storage, use, sharing, transmission, and deletion.

“Data Controller” means the entity that determines the purposes and means of processing personal data. In the context of this Policy, Chauffeur acts as the Data Controller.

“Data Processor” means a third party that processes personal data on behalf of the Data Controller, pursuant to its instructions (e.g., Stripe, Vercel).

“Data Subject” means you — the natural person whose personal data is processed.

“ANPD” means the Autoridade Nacional de Proteção de Dados, Brazil's national data protection authority.

“Supervisory Authority” means the relevant data protection authority in the EU/EEA member state where you reside.

2. What Personal Data We Collect and How It Is Collected

The use of the Service and the creation of an account depend on the collection and storage of certain personal data that you share with Chauffeur, which may be collected in the following ways: (i) via the Stripe Checkout subscription process; (ii) automatically during website navigation; and (iii) through the WhatsApp integration when end-customers interact with the AI agent. Below is an exhaustive list of the data we collect:

2.1. Account & Billing Data

Collected when you subscribe to the Service via Stripe Checkout:

| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account identification, billing receipts, service communications | Contract performance (GDPR Art. 6(1)(b); LGPD Art. 7, V) |
| Full name | Account personalization, invoice generation | Contract performance |
| Payment card information | Payment processing — handled exclusively by Stripe (PCI-DSS Level 1). We never store card numbers. | Contract performance |
| Billing address | Tax calculation and invoice generation | Legal obligation (GDPR Art. 6(1)(c); LGPD Art. 7, II) |

2.2. Technical Data

Collected automatically when you access our website:

| Data | Purpose | Legal Basis |
|---|---|---|
| IP address | Geographic region detection for local currency display (BRL, EUR, USD) | Legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7, IX) |
| Accept-Language header | Fallback for regional pricing when IP geolocation is unavailable | Legitimate interest |

2.3. WhatsApp Interaction Data (Product Usage)

Processed when your end-customers interact with your Chauffeur AI agent:

| Data | Purpose | Legal Basis |
|---|---|---|
| Phone number | WhatsApp message delivery and customer identification | Contract performance; Consent |
| Message content | AI-powered conversation handling and appointment booking | Contract performance; Consent |
| Appointment details | Scheduling and calendar management | Contract performance |

Chauffeur does not collect sensitive personal data (such as racial or ethnic origin, health data, religious beliefs, or biometric data) as defined by LGPD Art. 5, II or GDPR Art. 9.

3. Purposes of Processing

We process your personal data exclusively for the following purposes:

Service Delivery: Providing, operating, and maintaining the Chauffeur platform and its AI-powered WhatsApp automation features.

Billing & Payments: Processing subscriptions, issuing invoices, and managing your account through Stripe.

Regional Pricing: Detecting your geographic region via IP address to display prices in your local currency.

Service Communications: Sending transactional emails (payment confirmations, service updates, security alerts).

Legal Compliance: Meeting tax, regulatory, and legal obligations applicable to our operations.

Security & Fraud Prevention: Protecting the Service and our users from unauthorized access, fraud, and abuse.

We do not sell, rent, or trade your personal data. We do not use your data for advertising, profiling, or marketing purposes beyond transactional communications essential to the Service.

4. Third-Party Data Processors & Data Sharing

We share personal data only with trusted third-party processors that are contractually bound to process data solely under our instructions and in compliance with applicable data protection laws. The Chauffeur website may contain links to third-party websites over which we have no control; we recommend reviewing their respective privacy policies.

| Processor | Purpose | Data Shared | Compliance |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, name, payment card, billing address | PCI-DSS Level 1, SOC 1 & 2, GDPR-compliant |
| Vercel, Inc. | Website hosting & CDN | IP address (via server headers) | SOC 2 Type II, GDPR-compliant |
| ip-api.com | IP geolocation lookup | IP address (only country code returned) | Minimal data transfer; no personal data stored |

5. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure adequate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46(2)(c)).

Adequacy decisions issued by competent authorities, where available.

LGPD Art. 33 safeguards for transfers originating from Brazil, including contractual clauses and assessment of the recipient country's data protection level.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of active subscription + 30 days | Service provision and account recovery |
| Billing records | 5 years after last transaction | Tax and legal compliance obligations |
| WhatsApp interaction data | Duration of active subscription + 30 days | Service provision; deleted upon account termination |
| Technical data (IP, headers) | Not stored; processed in real-time only | Used solely for region detection at request time |

6.1. Upon termination of your account, we will retain your data for 30 (thirty) days to allow for data export requests. After this period, all personal data will be permanently and irreversibly deleted, except where retention is required by applicable law.

7. Your Rights as a Data Subject

In accordance with applicable data protection legislation, you have the following rights regarding your personal data:

7.1. Rights Under GDPR (EU/EEA Residents)

Right of Access (Art. 15): Request a copy of the personal data we hold about you.

Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).

Right to Restriction (Art. 18): Request limitation of processing of your data.

Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.

Right to Object (Art. 21): Object to processing based on legitimate interest.

Right to Lodge a Complaint: File a complaint with the competent Supervisory Authority in your member state.

7.2. Rights Under LGPD (Brazilian Residents)

Confirmation & Access (Art. 18, I-II): Confirm whether we process your data and access it.

Correction (Art. 18, III): Request correction of incomplete, inaccurate, or outdated data.

Anonymization, Blocking, or Deletion (Art. 18, IV): Request anonymization or deletion of unnecessary or excessive data.

Data Portability (Art. 18, V): Transfer your data to another service provider.

Deletion of Consent-Based Data (Art. 18, VI): Request deletion of data processed based on your consent.

Information on Sharing (Art. 18, VII): Know which third parties have access to your data.

Consent Revocation (Art. 18, IX): Withdraw your consent at any time.

Complaint to ANPD: File a complaint with the Autoridade Nacional de Proteção de Dados.

7.3. To exercise any of the rights listed above, please contact us at support@chauffeurapp.io. We will respond within 15 (fifteen) business days for requests under LGPD, or 30 (thirty) calendar days for requests under GDPR, from the date of receipt.

8. Data Security

We implement technical and organizational security measures aligned with ISO/IEC 27001, NIST SP 800-53, and CIS Controls, including but not limited to:

Encryption in Transit: All data is transmitted over TLS 1.2+ (HTTPS).

Encryption at Rest: Sensitive data is encrypted using AES-256.

Access Control: Role-based access control (RBAC) with the principle of least privilege.

Payment Security: All payment processing is handled exclusively by Stripe, which is PCI-DSS Level 1 certified. We never access, process, or store credit card numbers.

Infrastructure Security: Hosted on SOC 2 Type II certified infrastructure with continuous monitoring.

Incident Response: We maintain a formal incident response plan and will notify affected users within 72 (seventy-two) hours of a confirmed data breach, as required by GDPR Art. 33 and LGPD Art. 48.

While we implement the highest commercially reasonable standards of data security, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

9. Cookies & Tracking Technologies

As of the date of this Policy, Chauffeur does not use cookies, tracking pixels, web beacons, or any third-party analytics scripts on our website (chauffeurapp.io). Your browsing activity on our site is not tracked or profiled in any way.

9.1. Should we introduce cookies or similar technologies in the future, we will: (a) update this Policy accordingly; (b) implement a compliant consent mechanism (cookie banner) before any tracking occurs; and (c) notify registered users of the change in advance.

10. Minors

The Service is restricted to individuals aged 18 (eighteen) years or older, in accordance with our Terms of Service. We do not knowingly collect personal data from minors. If we become aware that personal data from a minor has been collected, we will take immediate steps to permanently delete such data. If you are a parent or legal guardian and believe your child has provided personal data to us, please contact us at support@chauffeurapp.io.

11. Changes to This Policy

Chauffeur reserves the right to modify this Privacy Policy at any time. Whenever changes are made, you will be notified when accessing the Service or via the email registered with Chauffeur.

11.1. The “Last Updated” date at the top of this page will be updated accordingly.

11.2. For material changes, registered users will be notified via email at least 30 (thirty) days before the changes take effect.

11.3. Continued use of the Service after the updated Policy takes effect constitutes your acceptance of the changes. If you do not agree, you must discontinue use of the Service and request account deletion.

12. Contact & Data Protection Officer

If you have questions, concerns, or requests related to this Policy or to the processing of your personal data, please contact us through the following channels:

Chauffeur

General inquiries: support@chauffeurapp.io

Privacy, data requests & DPO: support@chauffeurapp.io

We are committed to resolving any privacy-related issues promptly. If you are unsatisfied with our response, you have the right to lodge a complaint with the competent data protection authority — the ANPD in Brazil or the relevant Supervisory Authority in the EU/EEA.