Privacy Policy
NM Digital Solutions is committed to protecting your personal data. This policy applies to all our products (MyChatAI, InstaMetrics, CommentAI and NotifyAI) and complies with both the LGPD (Brazil) and the GDPR (European Union), depending on the user's country of residence.
1. Who we are (Data controller)
NM Digital Solutions is a technology company that builds AI-powered SaaS tools for the Brazilian and European markets.
| Field | Information |
|---|---|
| Company | NM Digital Solutions |
| Website | nm-ds.com |
| Email | [email protected] |
| Markets | Brazil, Portugal, Germany, Austria, Switzerland |
2. Data we collect
We collect only the data strictly necessary to provide the contracted service:
- Account data: name, email address, password (stored as a bcrypt hash)
- Instagram profile data (InstaMetrics, CommentAI): username, public profile metrics, comments received on the customer's posts
- WhatsApp data (MyChatAI, NotifyAI): messages received and sent through the customer's WhatsApp number, conversation history
- Payment data: processed exclusively by Stripe — we do not store credit card details
- Usage data: access logs, platform usage metrics for support and service improvement purposes
- Technical data: IP address, browser type, operating system (collected automatically in server logs)
We do not collect special category data (health, ethnic origin, biometric data, etc.).
3. Purpose and legal basis
Each processing activity rests on a specific legal basis, as required by both LGPD and GDPR:
| Purpose | LGPD legal basis | GDPR legal basis |
|---|---|---|
| Provision of the contracted service | Performance of contract (art. 7, V) | Performance of contract (art. 6(1)(b)) |
| Payment processing | Performance of contract (art. 7, V) | Performance of contract (art. 6(1)(b)) |
| Transactional emails | Legitimate interest (art. 7, IX) | Legitimate interest (art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (art. 7, IX) | Legitimate interest (art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (art. 7, II) | Legal obligation (art. 6(1)(c)) |
| Marketing communications (optional) | Consent (art. 7, I) | Consent (art. 6(1)(a)) |
🇧🇷 LGPD
Processing of personal data complies with Brazil's General Data Protection Law (Lei nº 13.709/2018) and respects its principles of purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination and accountability.
🇪🇺 GDPR
Processing of data of EU residents complies with the General Data Protection Regulation (EU) 2016/679 and respects the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
4. Use of Meta API
Our products use Meta APIs solely to deliver the contracted service:
| Product | Meta API used | Data accessed |
|---|---|---|
| MyChatAI | WhatsApp Business API | Messages received/sent by the customer |
| NotifyAI | WhatsApp Business API | Scheduled notification delivery |
| InstaMetrics | Instagram Graph API | Profile and post metrics |
| CommentAI | Instagram Graph API | Comments received and replies posted |
We fully comply with the Meta Platform Terms for Developers. Data obtained from the Meta API is used exclusively to provide the service to the authorising customer — never for advertising or sharing with third parties.
5. Data sharing
We do not sell, rent or share personal data with third parties for their own purposes. The only sub-processors we engage, each acting solely on our instructions, are:
| Sub-processor | Purpose | Country | Safeguards |
|---|---|---|---|
| Supabase | Database and authentication | USA / EU | EU Standard Contractual Clauses |
| Railway | Hosting and deployment | USA | EU Standard Contractual Clauses |
| Stripe | Payment processing | USA / EU | PCI DSS certification + SCCs |
| Resend | Transactional email | USA | EU Standard Contractual Clauses |
| Anthropic | AI processing (Claude API) | USA | EU Standard Contractual Clauses |
Each sub-processor is contractually bound to process data only on our instructions and to maintain a level of protection equivalent to that required by GDPR and LGPD.
6. International data transfers
🇪🇺 GDPR — Transfers outside the EU/EEA
Some of our sub-processors are based in the United States. Transfers of personal data of EU/EEA residents to the USA are carried out under the Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914), as required by art. 46 GDPR.
🇧🇷 LGPD — International transfers
International transfers of data of Brazilian data subjects are carried out under adequate contractual safeguards or to countries offering a level of personal data protection equivalent to the LGPD (art. 33), with periodic compliance verification of sub-processors.
7. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or destruction:
- Passwords stored as bcrypt hashes (cost factor 12)
- All communications encrypted via HTTPS/TLS 1.2+ across all products
- Meta API access tokens never exposed to the frontend — stored encrypted on the server
- All webhooks verified with HMAC-SHA256 signatures
- Database access restricted by Row Level Security (Supabase)
- Session authentication with short-lived JWTs
- Rate limiting on critical routes to prevent abuse
🇪🇺 GDPR — Data breach notification
In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority within 72 hours of becoming aware (art. 33 GDPR). Affected data subjects will be notified without undue delay where the breach is likely to result in a high risk (art. 34 GDPR).
🇧🇷 LGPD — Security incidents
In the event of a security incident involving personal data, we will notify the National Data Protection Authority (ANPD) and affected data subjects within a reasonable period, in accordance with art. 48 of the LGPD.
8. Data retention
| Data type | Retention period | Justification |
|---|---|---|
| Account data | Account lifetime + 30 days | Service provision |
| WhatsApp conversation history | 12 months | Support and service continuity |
| Instagram metrics | 24 months | Historical trend analysis |
| Billing logs | 10 years | Tax and legal obligation |
| Access logs (security) | 90 days | Abuse detection and security |
After account cancellation, all data is deleted within the periods indicated above, unless a longer retention is required by law.
9. Your rights
Both LGPD and GDPR grant you extensive rights over your personal data:
Access
Obtain confirmation and access to the data we hold about you.
Rectification
Correct incomplete, inaccurate or outdated data.
Erasure
Request the deletion of your personal data ("right to be forgotten").
Restriction
Restrict processing of your data in certain circumstances.
Portability
Receive your data in a structured, machine-readable format.
Objection
Object to processing based on legitimate interest.
Withdraw consent
Withdraw consent at any time without affecting the lawfulness of prior processing.
Automated decisions
Not be subject to decisions based solely on automated processing with significant effects.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (LGPD) / 1 month (GDPR), extendable by a further 2 months in complex cases.
🇪🇺 GDPR — Right to lodge a complaint
If you believe that processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in your Member State. In Portugal: CNPD (cnpd.pt). In Germany: the data protection authority of the federal state (Land) in which you reside (the BfDI publishes a directory of them at bfdi.bund.de). In Austria: DSB (dsb.gv.at).
🇧🇷 LGPD — Right to petition
You have the right to petition the National Data Protection Authority (ANPD) against the controller in the event of non-compliance with the LGPD (art. 18, §1). More information at gov.br/anpd.
10. Cookies and similar technologies
We use only strictly necessary cookies required for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Authentication and session maintenance | 30 days |
| next-auth.csrf-token | Protection against CSRF attacks | Session |
| next-auth.callback-url | Redirect after login | Session |
We do not use tracking, advertising or third-party analytics cookies. There is no cookie banner because we only use strictly necessary cookies, which are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive (2002/58/EC); their processing rests on the legal bases set out in section 3.
11. Minors
Our services are intended for users who are at least 18 years old (or the legal age of majority in their country). We do not knowingly collect personal data from minors. If we become aware that data from a minor has been collected without parental consent, we will delete it immediately.
12. Changes to this policy
We may update this policy periodically. Material changes will be communicated by email with at least 15 days' notice. The "last updated" date at the top of this document always reflects the version currently in force.
Continued use of the service after changes take effect constitutes acceptance of the updated policy.
13. Contact & Data Protection Officer
🇪🇺 GDPR — Data Protection Officer (DPO)
For questions related to the processing of personal data of EU residents, you can contact our privacy officer at [email protected].
🇧🇷 LGPD — Data Protection Officer (Encarregado)
The officer responsible for personal data processing can be contacted at [email protected], in accordance with art. 41 of the LGPD.
| Contact type | Address |
|---|---|
| Privacy / DPO | [email protected] |
| General support | [email protected] |
We respond to all requests within a maximum of 30 days from receipt.