Privacy Policy
KHAL Platform — Namastex Tecnologia Ltda.
Effective Date: April 2026
Namastex Tecnologia Ltda. (“Namastex”) values the privacy and protection of the personal data of its users and clients. This Privacy Policy describes how we collect, use, store, and protect personal data in the context of the KHAL Platform.
1. INTRODUCTION AND COMMITMENT
1.1. This Privacy Policy applies to all Users, Licensees, and End Users who interact with the KHAL Platform.
1.2. Namastex is committed to compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) and other applicable data protection legislation.
1.3. By using the Platform, the data subject consents to the practices described in this Policy, where applicable as a legal basis.
2. DATA PROCESSING AGENTS
2.1. For LGPD purposes:
- Namastex acts as a Data Processor when processing personal data on behalf of the Licensee.
- The Licensee acts as a Data Controller with respect to the personal data of its customers and End Users.
2.2. For registration and Platform usage data of the Licensee's Users, Namastex acts as a Data Controller.
3. DATA COLLECTED
3.1. The Platform may collect and process the following categories of data:
- Registration Data: name, corporate email, job title, phone number, authentication data.
- Usage Data: access logs, features used, times and frequency of use, IP address.
- Content Data: information entered by the Licensee on the Platform, including agent configurations and knowledge bases.
- End User Data: data processed through omnichannel channels, such as conversation transcripts, identification data, and interaction history.
4. PURPOSES OF DATA PROCESSING
4.1. Data is processed for the following purposes:
- Provision of contracted services and Platform operation;
- Authentication and access control;
- Technical support and communication with Users;
- Continuous improvement of the Platform and development of new features;
- Compliance with legal and regulatory obligations;
- Generation of aggregated and anonymized reports and analytics.
5. LEGAL BASIS
5.1. The processing of personal data by Namastex is based on the following LGPD legal grounds:
- Contract performance (Art. 7, V): for data necessary for service provision;
- Legitimate interest (Art. 7, IX): for Platform improvement and security;
- Legal obligation compliance (Art. 7, II): for retention of mandatory logs and records;
- Consent (Art. 7, I): where applicable, for marketing communications or use of non-essential cookies.
6. USE OF ANONYMIZED DATA
6.1. Namastex may use anonymized and aggregated data to improve its AI models and services.
6.2. Anonymized data does not allow the identification of the data subject, directly or indirectly, and is not subject to the LGPD.
6.3. The anonymization process follows recognized technical standards and is irreversible.
7. COOKIES AND TRACKING TECHNOLOGIES
7.1. The Platform may use cookies and similar technologies for:
- Essential cookies: necessary for Platform operation (authentication, session management);
- Analytics cookies: for understanding usage patterns and improving the experience.
7.2. The User may manage cookie preferences through browser settings. Disabling essential cookies may impair Platform functionality.
8. SHARING WITH THIRD PARTIES
8.1. Namastex may share personal data with:
- Cloud infrastructure providers (processing and storage);
- AI model providers (for natural language processing and response generation);
- Analytics and monitoring tools;
- Competent authorities, when required by law or court order.
8.2. All third parties are subject to data protection agreements that ensure an adequate level of security.
8.3. For international data transfers, Namastex adopts safeguards such as standard contractual clauses or verifies the adequacy of the destination country.
9. STORAGE AND SECURITY
9.1. Data is stored on cloud infrastructure with recognized security certifications.
9.2. Technical and organizational measures adopted include:
- Encryption in transit (TLS) and at rest;
- Role-based access control (RBAC);
- Continuous monitoring and anomaly detection;
- Regular backups with recovery testing;
- Immutable audit logs;
- Periodic security testing (penetration testing).
9.3. Despite the measures adopted, no system is completely immune to risks. Namastex is committed to acting with diligence and transparency in the event of incidents.
10. SENSITIVE PERSONAL DATA
10.1. The Platform does not intentionally collect sensitive personal data (racial origin, religious conviction, health data, etc.).
10.2. If the Licensee processes sensitive data through the Platform, it is entirely responsible for ensuring an adequate legal basis and informing the data subjects.
11. DATA RETENTION
11.1. Personal data will be retained for the time necessary to fulfill the purposes for which it was collected.
11.2. After termination of the contractual relationship, data will be retained for up to 5 (five) years for compliance with legal obligations, or for a longer period when required by specific legislation.
11.3. Audit log data is retained for a minimum of 6 (six) months, in accordance with the Brazilian Internet Civil Framework (Marco Civil da Internet).
12. DATA SUBJECT RIGHTS
12.1. Under the LGPD, personal data subjects have the right to:
- Confirmation of the existence of data processing;
- Access to personal data;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion of unnecessary or excessive data;
- Data portability to another provider;
- Deletion of data processed with consent;
- Information about sharing with third parties;
- Revocation of consent.
12.2. To exercise their rights, data subjects may contact us through the channel indicated in Section 14 (Data Protection Officer).
12.3. Requests will be responded to within 15 (fifteen) business days, as provided by the LGPD.
13. SECURITY INCIDENTS
13.1. In the event of a security incident involving personal data, Namastex undertakes to:
13.2. Notify the affected Licensee within 72 (seventy-two) hours of confirming the incident.
13.3. Report to the Brazilian National Data Protection Authority (ANPD) and affected data subjects, where applicable, in accordance with Art. 48 of the LGPD.
14. DATA PROTECTION OFFICER (DPO)
14.1. The Data Protection Officer (DPO) of Namastex is: Name: Cezar Vasconcelos | Email: dpo@khal.ai
14.2. The DPO is responsible for receiving communications from data subjects and the ANPD, and for advising the organization on data protection practices.
15. PROVISIONS REGARDING END USERS (OMNICHANNEL)
15.1. End User data processed through omnichannel channels is the responsibility of the Licensee (Controller).
15.2. The Licensee must ensure that:
- It has an adequate legal basis for processing its End Users' data;
- It provides a transparent privacy notice to End Users;
- It obtains consent when necessary, especially for voice call recording;
- It implements data retention and disposal practices for End User data.
15.3. Namastex processes such data exclusively in accordance with the Licensee's instructions and within the limits of the Licensing Agreement.
16. CHANGES TO THIS POLICY
16.1. Namastex may amend this Privacy Policy at any time, with 15 (fifteen) business days' prior notice.
16.2. Substantial changes will be communicated through the Platform and/or by email.
16.3. The updated version will always be available on the Platform and on the Namastex institutional website.