DavitAI Privacy Policy
1. Introduction and Scope
This Privacy Policy describes how DavitAI collects, uses, shares, stores, and protects the personal data of users, site visitors, paying customers, partner agencies, and job applicants. It applies to all official DavitAI surfaces: davitai.com, app.davitai.com, admin.davitai.com, public APIs, email communications, and any other integration identified with the DavitAI brand.
DavitAI is a Brazilian AI agent platform for content creators. We operate in compliance with the Brazilian General Data Protection Law (Law 13,709/2018 — LGPD), the European General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), and, where applicable to California residents, the California Consumer Privacy Act (CCPA/CPRA).
Last updated: 8 June 2026. We recommend reading this together with the Terms of Use and the LGPD Rights guide.
2. Data We Collect
We collect only what is strictly necessary (minimisation principle). Categories include:
- Registration data: full name, email, password (stored as a bcrypt hash with salt — never in plain text), language, time zone.
- Authentication data: sessions, refresh tokens, OAuth connections for external channels (Twitter/X, Instagram, YouTube, WordPress). All OAuth tokens are encrypted with AES-256-GCM before being written to the database.
- Platform usage data: agents executed, prompts submitted, credits consumed, jobs created, content generated, execution history, and performance metrics.
- Payment data: processed directly by Stripe, Inc. under their own privacy policy. DavitAI stores only transaction metadata (status, amount, card brand) — never full card number, CVV, or expiry.
- Communications data: messages sent through the contact form, support emails, survey replies, and internal tickets.
- Automatic technical data: IP address, user-agent, device type, screen resolution, operating system, referrer, and Web Vitals metrics.
- Cookie data: essential cookies always; analytics and marketing only with consent.
We do not deliberately collect sensitive data (Art. 5, II of the LGPD). If you share sensitive information in agent prompts (racial origin, political opinion, health, biometric data), it will be processed only for immediate job execution and discarded according to our retention policy.
3. How We Use Your Data (Purposes)
Your data is processed strictly for:
- Service operation: authentication, authorisation, agent execution, credit management, user support.
- Billing and invoicing: processing recurring payments, issuing invoices, managing refunds.
- Transactional communications: email verification, payment failure alerts, long-job completion notices, security alerts.
- Marketing communications: newsletter, product updates, tips — only with explicit, revocable consent.
- Analytics and product improvement: only with consent, aggregated and anonymised whenever possible.
- Security and anti-fraud: abuse detection, credit-mining prevention, protection against automated attacks.
- Legal compliance: tax obligations, court orders, communications with the ANPD when applicable.
4. Legal Basis for Processing
DavitAI grounds each processing activity on one of the bases in Art. 7 of the LGPD (and the equivalent Art. 6 of the GDPR):
- Performance of a contract (LGPD Art. 7, V / GDPR Art. 6(1)(b)) — platform operation.
- Consent (LGPD Art. 7, I / GDPR Art. 6(1)(a)) — marketing, analytics, non-essential cookies.
- Legal obligation (LGPD Art. 7, II / GDPR Art. 6(1)(c)) — tax records, court orders.
- Legitimate interest (LGPD Art. 7, IX / GDPR Art. 6(1)(f)) — security, anti-fraud, quality improvement. Always preceded by a documented balancing test.
5. Sharing with Processors and Third Parties
DavitAI does not sell, rent, or trade personal data. We share exclusively with processors that perform services essential to the platform, under a data processing agreement (DPA) and protection clauses equivalent to the LGPD/GDPR:
- Stripe, Inc. — payment processing. Acts as independent controller for anti-fraud purposes.
- Google Cloud Platform (Vertex AI) — execution of Gemini models for text, audio, and image. DavitAI’s configuration disables the use of your prompts for training.
- Anthropic, PBC — Claude models for selected tasks. Input data is not used for training.
- Resend — transactional and marketing email delivery (with consent).
- Sentry — error monitoring (IP and user-agent anonymised in production).
- Hetzner Online GmbH (Germany) — hosting of the Postgres database, Redis cache, and workers, within the European Union.
- Cloudflare, Inc. — CDN, WAF, and DDoS protection.
The complete, up-to-date list of subprocessors is available on request from the DPO.
6. Your Rights as a Data Subject
Under the LGPD, GDPR, and CCPA, you have broad rights over your personal data — all of which can be exercised free of charge:
- Access and confirmation of processing.
- Correction of incomplete, inaccurate, or outdated data.
- Deletion of data processed on the basis of consent.
- Anonymisation or blocking of unnecessary or non-compliant data.
- Portability in structured JSON format.
- Information about sharing with third parties.
- Revocation of consent at any time.
- Objection to processing based on legitimate interest (GDPR Art. 21).
- Non-discrimination for exercising rights (CCPA §1798.125).
- Opt-out of “sale” of personal data (CCPA — not applicable to DavitAI, as we do not sell).
To exercise any right, email davitai@davitai.com or consult the detailed guide at /en/legal/lgpd. Response within 15 business days.
7. Data Retention
We follow specific periods per category, always justified by the purpose:
- Registration data: kept while the account is active.
- Closed account: anonymisation within 30 days; full deletion within 90 days.
- Account inactive for 24 months: prior notification + automatic deletion.
- Tax and accounting records: 5 years (Brazilian Tax Code — Art. 174).
- Agent execution logs: 90 days.
- Security and anti-fraud logs: 6 months.
- System access logs (Brazilian Internet Bill of Rights — Art. 15): 6 months.
- Full backups: 30-day automatic rotation.
8. Security Measures
We implement technical and organisational controls aligned with the state of the art:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- OAuth tokens encrypted with AES-256-GCM before any persistence.
- Role-based access control (RBAC), least-privilege principle.
- Complete segregation between production, staging, and development.
- Continuous incident monitoring via Sentry, real-time alerts.
- Quarterly internal audits; annual penetration tests by qualified third parties.
- Strong password policy and planned support for multi-factor authentication (MFA).
In the event of a personal-data incident, we will notify the ANPD and affected subjects within the LGPD time limits (Art. 48) and the GDPR (Art. 33 — 72 hours).
9. International Data Transfers
Running DavitAI involves necessary and protected international transfers:
- Vertex AI (GCP): US and EU — Standard Contractual Clauses (SCC).
- Stripe: US — partial adequacy decision + SCC.
- Hetzner: Germany — covered by the GDPR, recognised as adequate by the ANPD.
- Cloudflare: multiple regions — SCC and Data Processing Addendum.
All transfers follow Chapter V of the LGPD and Chapter V of the GDPR.
10. Cookies, Analytics, and Consent Mode
We use essential cookies (session, authentication, CSRF) without requiring consent. Analytics cookies (Google Analytics 4 configured with Consent Mode v2) and marketing cookies require explicit consent via the banner. You can review and revoke your choices at any time by clicking the Cookies link in the page footer.
Full detail of cookies, purpose, duration, and provider is available within the banner interface.
11. Children’s Privacy
DavitAI is not directed at children under 13. In compliance with the US COPPA (Children’s Online Privacy Protection Act) and Art. 14 of the LGPD, we do not deliberately collect data from minors. For users aged 13 to 18 we require consent from a legal guardian. If we identify a minor’s account without authorisation, the account is removed and the data deleted.
12. Changes to This Policy
This Policy may be updated periodically. Material changes (change of purpose, new significant subprocessor, change of retention) will be communicated by email with at least 15 business days’ notice. The date of the last update appears at the top of this page, and previous versions are archived on request from the DPO.
13. Data Protection Officer (DPO) Contact
For all matters relating to privacy, data protection, or exercising rights:
- DPO: davitai@davitai.com (subject: DPO — LGPD/GDPR).
- Contact page: /en/contact.
- Brazilian Data Protection Authority (ANPD): www.gov.br/anpd — for regulatory complaints.
- About DavitAI: /en/about.
Related links: LGPD Rights · Terms of Use · Contact · About DavitAI · Available agents.