Privacy Policy

Last updated: October 2025

1. Controller Identity and Contacts

  • Controller: SUPER MAKERS TECHNOLOGIES LTDA (CNPJ 60.544.817/0001-52)
  • Address: Rua Doutor Graciano Geribello, 308, Sala 4 – Bairro Alto, Itu/SP, 13.311-010, Brazil
  • DPO: privacidade@rafaela.ai
  • General: contato@rafaela.ai
  • WhatsApp: +55 11 98421-8920

2. Scope and Roles

  • Website and marketing capture: Rafaela.ai acts as a Controller for browsing and contact data.
  • B2B service delivery (virtual assistant): Rafaela.ai generally acts as a Processor on behalf of the client (clinic/professional), the Controller, under contract and their instructions.
  • Integrations with Meta channels (WhatsApp Business, Instagram Direct, Messenger) follow Meta policies and the Controller’s configuration.

3. Personal Data We Process

  • Identification and contact (name, phone, email)
  • Scheduling preferences and availability
  • Message content exchanged with the assistant
  • Appointment and confirmation data
  • Automatically collected: IP address, device/browser identifiers, usage analytics, cookies
  • From integrations: Meta account identifiers and message metadata; client’s scheduling systems

Sensitive data (health): clients should limit sensitive data to what is strictly necessary for scheduling. When unavoidable, processing is restricted to the specific purpose of booking, confirmation and related communication, with reinforced security.

4. Purposes

  • Provide scheduling and communication services
  • Operational communications: confirmations, reminders, rescheduling
  • Security, fraud prevention, monitoring and audit
  • Service improvement (telemetry and performance metrics)
  • Compliance with legal/regulatory requests
  • Marketing based on consent (e.g., newsletters, pixels)

Rafaela.ai does not use personal data to train public AI models without appropriate legal basis and/or explicit consent. Third-party AI providers are bound by contractual safeguards.

5. Legal Bases

  • Contract performance or preliminary steps
  • Legitimate interests for security, telemetry and service improvement
  • Legal obligation
  • Consent for cookies/marketing and optional processing
  • For sensitive data: consent and/or protection of life/health-care contexts, depending on Controller–Processor roles

6. Sharing and Processors

We share data with infrastructure providers (cloud/CDN), communication platforms (official WhatsApp Business, Instagram/Messenger APIs), monitoring/logging tools, client systems (agenda/EMR/CRM) and public authorities when required. All processors sign adequate data protection and confidentiality clauses.

7. International Transfers

Transfers may occur when vendors are located abroad. We adopt contractual safeguards, assess adequate protection, comply with ANPD guidance and apply encryption in transit and at rest where applicable.

8. Security

  • TLS in transit and encryption at rest where applicable
  • Least-privilege access control and strong authentication
  • Logging, monitoring and incident response
  • Environment segregation and backups
  • Periodic reviews and staff training

9. Retention

  • Operational data: retained for service provision and legal duties
  • Messages and metadata: per client configuration and law
  • Marketing: until consent is withdrawn
  • Logs/audit: per security policies and legal requirements

10. Cookies

We use essential cookies for functionality, and analytics and marketing cookies (e.g., Meta Pixel) based on consent. Manage your preferences via the cookie banner (when displayed) or your browser settings.

11. Data Subject Rights

You may exercise access, correction, portability, deletion, anonymization, information about sharing, objection to legitimate-interest processing and review of automated decisions. Contact privacidade@rafaela.ai. We may request identity verification to protect your account and data.

12. Children

Services are not directed to minors. Where applicable, processing occurs only with specific consent and is limited to what is strictly necessary for scheduling.

13. AI and Automated Decisions

We use automation for routing and scheduling. You may request human support from the clinic. No decisions with significant impact will be made solely by automated means without proper legal basis and transparency.

14. Data Deletion – Meta

If you interacted via Meta channels, see instructions at /data-deletion or contact us: privacidade@rafaela.ai | WhatsApp +55 11 98421-8920.

15. Changes

This policy may be updated due to legal, technical or operational changes. We will give notice of material changes on the website and/or by email when required.

16. Contacts

  • DPO: privacidade@rafaela.ai
  • General: contato@rafaela.ai
  • WhatsApp: +55 11 98421-8920