1. Data controller
The controller of your personal data is Keebai SpA, Chilean Tax ID 78310041-K, with registered office in Viña del Mar, Valparaíso Region, Chile (hereinafter 'Keebai', 'we', or 'the Company'). We operate the website keebai.com and the SaaS platform at app.keebai.com. For privacy inquiries and to exercise your rights: privacy@keebai.com.
2. Applicable legal framework
This policy is governed by Chilean Law No. 19.628 on the Protection of Privacy currently in force, and is aligned in advance with Law No. 21.719, which modernizes the Chilean personal data protection regime and enters into general force in December 2026. Where applicable, we also follow practices aligned with the European Union General Data Protection Regulation (GDPR) for users or customers in that jurisdiction.
3. Personal data we collect
Account data: name, email address, phone number, company, role, and access credentials. Service usage data: content of conversations processed through Keebai, channel identifiers (WhatsApp, Instagram, email, webchat), operational metadata (latency, timestamps, volume). Technical data: IP address, device identifier, user-agent, cookies, advertising identifiers. Commercial data: billing and payment information processed by our payment provider. Marketing and browsing data on keebai.com: pages visited, interaction events (CTA clicks, form submissions, WhatsApp clicks), traffic source (UTM, referrer). We do not collect sensitive data (racial origin, health, political affiliation, sexual life, or other categories under Art. 2(g) of Law 19.628 / special categories under Law 21.719) unless you provide them voluntarily while using the service.
4. Purposes of processing
We process your personal data for the following specific purposes: (a) providing and operating the contracted service, including message processing and training private AI models exclusive to your account; (b) performing the service contract and complying with tax, accounting and regulatory obligations; (c) providing technical and commercial support; (d) sending operational communications (service changes, security alerts, billing); (e) measuring advertising effectiveness and optimizing our campaigns on social networks and search engines; (f) analyzing website usage to improve it; (g) preventing fraud and protecting service security. We never use the content of your conversations to train public models, nor do we share it with third parties for advertising purposes.
5. Legal bases
Processing of your data is based, as applicable, on: (a) your express, free, informed and specific consent, given upon registration, cookie acceptance, or marketing subscription; (b) performance of the service contract you have entered into with us, or pre-contractual measures requested by you; (c) compliance with legal obligations (tax, accounting, regulatory); (d) the company's legitimate interest in operating, securing and improving the service, as well as measuring the effectiveness of our advertising, balanced against your fundamental rights. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
6. Cookies and tracking technologies
We use first- and third-party cookies to operate the site, remember preferences, and measure audience. Strictly necessary cookies: session management, language and security (no consent required). Analytics and marketing cookies: traffic measurement, conversion events, and personalized advertising (consent required). Meta cookies: '_fbp' and '_fbc', which identify browsers for advertising attribution, with an approximate duration of 90 days. You may manage and revoke consent at any time from your browser settings, as well as from Meta's privacy controls at https://www.facebook.com/adpreferences.
7. Meta Pixel and Conversions API
We use the Meta Pixel (ID 1583388733358824) and the Meta Conversions API (CAPI) operated by Meta Platforms Ireland Limited to measure the effectiveness of our advertising campaigns on Facebook and Instagram, optimize ad delivery, and build custom audiences. Through these technologies we share with Meta: IP address, user-agent, cookie identifiers (_fbp/_fbc), URL visited, interaction events (PageView, ViewContent, Lead, Schedule, Contact), and, when you provide them in forms, contact data (email, phone) hashed with SHA-256 prior to transmission. Meta acts as an independent controller with respect to data received via the Pixel, and as a data processor with respect to data sent via CAPI under the Business Tools Terms. More info: https://www.facebook.com/privacy/policy/. To opt out of this processing, you may reject marketing cookies on the site or configure your browser to block third-party cookies.
8. Google API Services and Google user data
Keebai allows users to optionally connect their Google account to enable specific product features. Authentication is performed via Google OAuth 2.0, and we request only the following minimum necessary scopes: (a) https://www.googleapis.com/auth/userinfo.email to identify the connected account; (b) https://www.googleapis.com/auth/calendar to create, read, update and delete events on the user's calendar in order to coordinate bookings and appointments handled by the AI assistant; (c) https://www.googleapis.com/auth/drive.readonly to read in read-only mode the files that the user explicitly selects, for the sole purpose of ingesting them into the user's private knowledge base used by their assistant. Keebai's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not use Google user data to serve advertising or to build advertising audiences; we do not use content obtained from Drive, Calendar or any other Google API to train generalized or third-party AI models; we do not sell the data; we do not transfer the data to third parties except (i) to provide or improve user-facing features of the service, (ii) to comply with a legal obligation, or (iii) as part of a merger, acquisition or sale of assets, with prior notice to the user; and we do not allow humans to read the data, unless the user has given explicit consent for specific support actions, it is necessary for security purposes (e.g., abuse investigation), it is required by law, or the data has been aggregated and irreversibly anonymized for operational maintenance. OAuth tokens are stored encrypted at rest on AWS infrastructure in the United States and are automatically revoked when the integration is disconnected. You may revoke Keebai's access to your Google account at any time from your Keebai dashboard or directly at https://myaccount.google.com/permissions.
9. Subprocessors and international transfers
To operate the service, we transfer personal data to the following subprocessors located outside Chile: Amazon Web Services Inc. (United States) for hosting and infrastructure; Meta Platforms Ireland Limited (Ireland) and its affiliates for advertising measurement; Google LLC (United States) when the user connects their Google account for Calendar or Drive; language model providers (OpenAI, Anthropic, Google) in the United States, under data processing agreements with zero retention; payment providers (Stripe, Fintoc) in the United States and Chile; and transactional email providers. These international transfers are carried out under contractual clauses that ensure a level of protection equivalent to that required by Chilean law, in accordance with Art. 27 et seq. of Law 21.719. The complete and updated list of subprocessors is available upon request at privacy@keebai.com.
10. Retention periods
We retain your data only for as long as strictly necessary to fulfill the stated purposes. Account data: while the account is active and up to 30 days after cancellation. Conversation content: for the period defined in your plan (12 months by default), deleted within 30 days of cancellation. Accounting and billing data: 6 years pursuant to Chilean tax obligations. Security and audit logs: 12 months. Marketing cookies: up to 90 days or until you revoke consent. Data sent to Meta via Pixel/CAPI: in accordance with Meta's retention policies, generally 2 years for event data. Data obtained from Google APIs (Calendar/Drive): calendar events and Drive file references are retained only while the integration is active; OAuth tokens are deleted within 7 days of disconnection or revocation; files imported from Drive into the knowledge base follow the retention period of the contracted plan. After these periods, data is deleted or irreversibly anonymized, unless a longer legal retention obligation applies.
11. Your rights as a data subject
Under Law 19.628 and Law 21.719, you hold the following rights over your personal data: (a) Access: to know what data we hold about you and request a copy; (b) Rectification: to correct inaccurate, outdated or incomplete data; (c) Erasure: to request deletion of your data where applicable; (d) Objection: to object to processing on legitimate grounds, including stopping processing for direct marketing; (e) Portability: to receive your data in a structured, commonly used format and transmit it to another controller; (f) Restriction: to suspend processing while a request is resolved; (g) Not to be subject to automated individual decisions, including profiling, that produce significant legal effects without your consent. These rights are personal, free of charge, and exercised directly by the data subject or a duly accredited legal representative.
12. How to exercise your rights
To exercise any of the above rights, send a request to privacy@keebai.com indicating: your full name and RUT or identity document number, a copy of your ID or equivalent document to verify your identity, a clear description of the right you are exercising and the data it refers to, and a postal or electronic address to receive our response. We will respond within a maximum of 30 calendar days. If your request is complex or you have submitted multiple requests, we may extend the deadline with justification and notify you. If a request is manifestly unfounded or excessive, we may refuse to act on it or charge a reasonable fee, providing a justified explanation.
13. Complaints to the authority
If you believe your request has not been properly handled or that we have violated your rights, you may file a complaint with the Chilean Council for Transparency (currently competent under Law 19.628) or with the Personal Data Protection Agency once it is established under Law 21.719. You may also pursue a habeas data action before the competent civil courts in Chile. Before resorting to the authority, we encourage you to contact us directly to resolve any concern.
14. Security and breach notification
We apply technical and organizational measures reasonable and proportionate to risk, including encryption in transit (TLS 1.2+) and at rest, role-based access control, multi-factor authentication, environment segregation, audit logs, periodic security assessments, and incident response plans. In the event of a security breach affecting personal data and posing a significant risk to data subjects' rights, we will notify the competent authority and affected subjects without undue delay, in accordance with the timelines and requirements of Law 21.719.
15. Minors
Our service is not directed to children under 14. We do not knowingly collect personal data from children. If you are between 14 and 18 years old, you require authorization from your parent or legal guardian to create an account. If we become aware that we have collected data from a minor without valid authorization, we will delete it without delay. If you are a parent or legal guardian and believe your child has provided us with data without your consent, please contact privacy@keebai.com.
16. Changes to this policy
We may update this policy periodically to reflect changes in our practices, applicable regulations, or services offered. We will publish the updated version at this same URL with the new update date. If changes are material, we will notify data subjects through reasonable means (email, prominent notice on the site or platform) with sufficient advance notice. Your continued use of the service after the changes take effect constitutes acceptance of the updated policy.
17. Contact
For any inquiry about this policy, the exercise of your rights, or complaints related to your personal data: privacy@keebai.com. To report security incidents: security@keebai.com. Postal address: Viña del Mar, Valparaíso Region, Chile. If we have appointed a Data Protection Officer (DPO) or representative, their details will be published in this same section as required under Law 21.719.