Privacy Policy
1. Scope and Controller
This Policy applies to all interactions with Web Chat, the Maritaca API, on-premise distributions of Sabiá models, and the management and documentation platform. The controller is Maritaca Inteligência Artificial Ltda., CNPJ 48.565.396/0001-40.
2. Data Collection Channels
We only collect information necessary for the service, originating from registration (name, email, company, password hash), user content (prompts, texts, files), technical logs (IP, timestamp, token count, approximate geolocation), cookies, support records, and payment processors (e.g., Stripe). We do not use public databases or process sensitive data or data of minors.
3. Retention
Registration data is kept while the account is active, plus five years. User content is retained for thirty days. Technical logs last eighteen months; financial records, ten years per tax law.
4. Legal Bases
We execute the contract to provide the service; protect legitimate interests to prevent fraud and improve experience; comply with legal obligations; and obtain consent when required (marketing or analytical cookies).
5. Purposes of Use
Operate, maintain and improve the services; measure token consumption and bill; provide support and administrative communications; develop new features without using user content for re-training models (unless explicitly agreed); and meet legal or judicial obligations.
6. Sharing
Data is only shared with service providers under confidentiality, legal authorities, corporate successors with equivalent protection levels, or third parties indicated by the user with consent. External links have their own policies.
7. Cookies
We use strictly necessary cookies for authentication and load-balancing; optional analytical cookies for metrics (up to twelve months); and functional cookies for language (up to six months). The user can manage preferences via the banner or browser, knowing that refusing essential cookies may affect service.
8. Security
We apply TLS 1.2+ encryption in transit and AES-256 at rest, RBAC, environment separation, ongoing audits and annual penetration tests, following ISO 27001 guidelines.
9. Disposal
Once retention periods end, data is anonymized or destroyed via data shredding techniques, except for legal obligations.
10. Data Subject Rights
Confirm processing, access, correct, port, anonymize, block or delete data; contest processing based on legitimate interest; revoke consent; and request review of automated decisions. We may request identity validation and decline requests covered by legal obligations or trade-secret protection, always with justification.
11. International Transfers
When using cloud infrastructure outside Brazil, we ensure equivalent protection via standard contractual clauses or adequacy verification.
12. Children and Adolescents
Services are intended for users 18+; data of minors is removed once identified.
13. Changes
Material changes will be communicated 30 days in advance, and previous versions will remain available for consultation.
14. Contact
15. Version History
- July 15, 2025 (current version)