Your Rights Under the LGPD at DavitAI
1. Introduction
This guide explains, in plain language, how DavitAI fully complies with the Brazilian General Data Protection Law (Law 13,709 of 14 August 2018 — Lei Geral de Proteção de Dados, or LGPD). It covers what personal data we process, why, for how long, and how you can exercise each of the nine rights guaranteed by Article 18 of the LGPD. This document complements the Privacy Policy and the Terms of Use. In case of conflict between these documents, the rule most favourable to the data subject prevails.
Last updated: 8 June 2026.
2. Who We Are as Data Controller
DavitAI is the data controller for personal data collected through the platform at davitai.com, the web apps app.davitai.com and admin.davitai.com, the automation workers, and the official support channels. Under the LGPD, the controller is the entity who makes the decisions on how personal data is processed.
- Brand: DavitAI (
davitai.com). - General contact: davitai@davitai.com.
- Data Protection Officer (DPO): davitai@davitai.com (subject line: DPO — LGPD).
- Brazilian Data Protection Authority (ANPD): www.gov.br/anpd — you can petition the ANPD directly if you believe your rights have not been addressed.
3. Legal Bases We Adopt (Article 7 of the LGPD)
DavitAI processes your personal data under the following legal grounds, always picking the most protective and specific basis for each purpose:
- Performance of a contract (Art. 7, V): running the platform, processing agent jobs, managing credits, billing, authentication and support. Without this basis we cannot deliver the contracted service.
- Consent (Art. 7, I): email marketing, web push, product analytics, non-essential cookies, and participation in optional surveys. You can revoke at any time.
- Compliance with a legal or regulatory obligation (Art. 7, II): retention of tax and accounting records, response to court orders, mandatory disclosures via Stripe to the Brazilian Central Bank, and reports to the ANPD when applicable.
- Legitimate interest (Art. 7, IX): fraud prevention, information security, credit-abuse mitigation, defence in legal claims, and improving agent quality — always preceded by a documented Legitimate Interest Assessment (LIA) that balances impacts on you.
- Credit protection (Art. 7, X): anti-fraud analysis on recurring payments.
4. Categories of Personal Data We Process
We restrict collection to the strict minimum required (necessity principle, Art. 6, III). The categories are:
- Identification and account data: name, email, password (stored as a bcrypt hash with salt — never in plain text), preferred language, and time zone.
- Authentication data: sessions, refresh tokens, OAuth grants when you connect external channels (Twitter/X, Instagram, WordPress, YouTube). OAuth tokens are encrypted with AES-256-GCM before being persisted.
- Usage and telemetry: agents used, prompts submitted, credits consumed, jobs created, results generated, access times, and anonymous performance metrics.
- Payment data: processed directly by Stripe, Inc., which is an independent controller of this data. DavitAI does not store full credit-card numbers on its servers.
- User-generated content: scripts, narrations, posts, thumbnails, and files submitted to agents — these belong to you (see Terms of Use §6).
- Technical data: IP address, user-agent, device type, screen resolution, Sentry error logs, and Web Vitals metrics.
- Communications data: messages sent through the contact form, support emails, and in-product chat.
5. Specific Purposes
Each data category is processed only for purposes compatible with the reason for collection (purpose principle, Art. 6, I):
- Authenticate, authorise, and personalise your experience on the platform.
- Execute the AI agents you have contracted and deliver their outputs.
- Process recurring charges, issue invoices, and manage refunds.
- Send essential transactional communications (email verification, payment failure, long-job completion).
- Detect fraud, abuse, and violations of the Terms of Use.
- Improve agent quality through anonymous and aggregated evaluation.
- Comply with applicable Brazilian and international legal obligations.
6. Sharing with Processors and Third Parties
DavitAI never sells, rents, or transfers your personal data for third-party marketing. We share only with processors that perform activities essential to the service, under written contracts and protection clauses equivalent to the LGPD:
- Stripe, Inc. — payment processing (US + EU, applicable Standard Contractual Clauses).
- Google Cloud Platform (Vertex AI) — execution of Gemini models for text, audio, and image generation. Processed in US/EU regions. DavitAI keeps the opt-out from prompt training flag enabled by default.
- Anthropic — Claude models for selected tasks. Equivalent policy: prompts are not used for training.
- Resend — transactional and marketing email delivery (only with consent).
- Sentry — error monitoring (IP and user-agent anonymised in production).
- Hetzner Cloud (Germany) — hosting of the Postgres database and Redis cache, within the European Union.
- Cloudflare — CDN, WAF, and DDoS protection.
The complete, up-to-date list of subprocessors is available on request from the DPO.
7. Your Rights as a Data Subject (Art. 18)
The LGPD grants you nine specific rights. At DavitAI all of them can be exercised free of charge:
- Confirmation that processing exists: know whether DavitAI processes data about you.
- Access: receive a legible copy of your personal data.
- Correction: update incomplete, inaccurate, or outdated data.
- Anonymisation, blocking, or deletion of unnecessary, excessive, or non-compliant data.
- Portability of data to another service provider (structured JSON format).
- Deletion of personal data processed on the basis of consent.
- Information about sharing with public and private entities.
- Information about the option not to consent and the consequences thereof.
- Revocation of consent at any time, simply and free of charge.
How to exercise
For any of the above rights, send a request to davitai@davitai.com with the subject LGPD Right — [name of the right]. We respond within 15 business days, as required by the LGPD. We may request identity verification to protect your data.
You can also use dashboard shortcuts: Settings → Privacy → Export data (access + portability) and Settings → Delete account (cascading deletion).
8. Data Retention — Specific Periods
We follow the rule: keep for the shortest period necessary to fulfil the purpose.
- Active account: account data is kept while the account is active.
- Account closed by the subject: anonymisation within 30 days; full deletion within 90 days.
- Account inactive for 24 months: prior notification + automatic deletion.
- Tax and accounting records (invoices, fiscal documents): 5 years from issuance (Brazilian Tax Code — Art. 174).
- Agent execution logs: 90 days (required for support and audit).
- Security and anti-fraud logs: 6 months.
- System access logs (Brazilian Internet Bill of Rights — Art. 15): 6 months.
- Full database backups: 30-day automatic rotation.
9. Information Security
We adopt technical and administrative measures aligned with the state of the art:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- OAuth tokens encrypted with AES-256-GCM before being written.
- Environment segregation (production, staging, development).
- Role-based access control (RBAC) and least-privilege principle.
- Continuous incident monitoring via Sentry and UptimeRobot.
- Quarterly internal audits and annual third-party penetration tests.
In the event of a personal-data incident, we will notify the ANPD and affected subjects in accordance with Art. 48 of the LGPD.
10. International Data Transfers
Running DavitAI involves international transfers for the purposes described:
- Vertex AI (GCP): processed in US and EU regions. Standard Contractual Clauses (SCC) apply.
- Stripe: US, with partial adequacy decision and SCC.
- Hetzner: Germany (GDPR/LGPD adequacy decision — equivalence recognised).
We ensure every transfer observes Chapter V of the LGPD.
11. Cookies and Similar Technologies
We use essential cookies (session, authentication, CSRF) without the need for consent, as permitted by Art. 7 of the LGPD. Analytics cookies (Google Analytics 4 configured with Consent Mode v2) and marketing cookies are activated only after your explicit authorisation in the cookie banner. You can review and revoke your choices at any time via the Cookies link in the footer.
12. Children and Adolescents
DavitAI is not directed at children under 13. For users aged 13 to 18 we require consent from at least one parent or legal guardian, as required by Art. 14 of the LGPD. We do not deliberately process minors’ data. If you are responsible for a minor who created an account, contact the DPO for immediate deletion.
13. Changes to This Policy
This policy may be updated to reflect legal, technical, or product changes. Material changes will be communicated by email with 15 business days’ notice. The date of the last update appears at the top of the page, and previous versions are archived on request from the DPO.
14. DPO Contact and Official Channels
To exercise rights, ask questions, or report incidents involving personal data, use one of the official channels:
- DPO — Email: davitai@davitai.com (subject: DPO — LGPD).
- General support: davitai@davitai.com.
- Contact page: /en/contact.
- About DavitAI: /en/about.
15. Effective Date
This version takes effect on 8 June 2026 and replaces all previous versions. Continued use of the platform after this date constitutes acceptance of this page, without prejudice to the consent-revocation rights described in section 7.
Related links: Privacy Policy · Terms of Use · Contact · About DavitAI · Agents.