Privacy Policy
KHAL Platform — Public Privacy Policy
Namastex Labs Serviços em Tecnologia Ltda. (“Namastex”) is the controller of this Policy and the processor of personal data handled on behalf of its corporate customers (“Licensees”) through the KHAL platform. This Policy describes how we collect, use, store, share, and protect personal data. We commit to active transparency: what is published here is what we actually do — and what we do is auditable. This page is the canonical public source of the policy; internal copies under DPO control are versioned snapshots of this page.
1. Commitment, scope, and definitions
1.1. This Policy applies to Users, Licensees, and End Users who interact with the KHAL platform and to visitors to Namastex’s institutional website.
1.2. Namastex is committed to compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13.709/2018) and other applicable data protection regulations. Where a reasonable interpretive doubt arises, we resolve it in favor of the most data-subject-protective alternative.
1.3. For purposes of this Policy, “personal data,” “sensitive personal data,” “data subject,” “controller,” “processor,” “processing,” and “DPO/Encarregado” have the meaning assigned to them by the LGPD.
2. Roles and processing agents
2.1. Under the LGPD, our role varies with the data flow:
- When we process End User data on behalf of a Licensee (the people served by Khal agents), Namastex is the processor; the Licensee is the controller.
- When we process registration data of Licensee staff using the admin console, Namastex may act as controller for its own purposes (authentication, security, billing) or jointly with the Licensee, as set forth in the contract.
- When we process data of leads, prospects, job applicants, our own staff, and visitors to this website, Namastex acts as controller.
3. Data we collect
3.1. The categories below reflect what we actually process. Categories not listed are not collected by the platform.
- Registration data: name, business email, role, phone, and authentication data (including second factor).
- Usage data: access logs, features used, time and frequency of use, IP address, session identifiers.
- Content data: agent configurations, knowledge bases, and inference parameters provided by the Licensee.
- End User data: data processed via the Licensee’s omnichannel — conversation transcripts, identifiers, and interaction history — under the Licensee’s instruction as controller.
- Website navigation data: pages visited, traffic origin, essential cookie identifiers, and analytics cookies (when enabled).
4. Purposes of processing
4.1. We process personal data for legitimate, specific purposes:
- Delivery of contracted services and continuous operation of the KHAL platform.
- Authentication, access control, and fraud prevention.
- Technical support, operational communication, and request handling.
- Continuous improvement of the platform, always based on aggregated metrics and anonymized data.
- Compliance with legal, regulatory, and contractual obligations.
- Generation of aggregated, anonymized reports and analytics, with no re-identification.
5. Legal bases
5.1. Personal data processing is grounded on the following LGPD legal bases (Articles 7 and 11):
- Performance of a contract (Art. 7, V) — for delivery of the platform and contracted services.
- Compliance with a legal or regulatory obligation (Art. 7, II) — for retention of mandatory logs and records and response to authority requests.
- Legitimate interest (Art. 7, IX) — for information security, fraud prevention, and service improvement, with a balancing test documented in a LIA filed by the DPO.
- Consent (Art. 7, I) — when applicable, for marketing communications, non-essential cookies, or processing of sensitive personal data formalized contractually.
- Health protection (Art. 11, II, ‘f’) or other Article 11 hypotheses — only if the Licensee contractually formalizes a sensitive-data scope, subject to a prior Data Protection Impact Assessment (DPIA/RIPD).
6. No use of personal data for AI training
6.1. Personal data of Licensees and End Users is not used to train AI models — neither Namastex’s nor any third party’s. This prohibition is contractual (a standard clause of our Data Processing Agreements — DPAs) and technically reinforced by training opt-out flags enabled with all language model (LLM) sub-processors we use.
6.2. Anonymized or aggregated data, which cannot directly or indirectly re-identify the data subject, may be used for product evolution, in compliance with LGPD Article 12.
7. Cookies and tracking technologies
7.1. We use cookies strictly necessary for authentication and platform operation. Analytics cookies, when enabled, rely on consent and may be disabled at any time via browser settings or the consent banner (when applicable).
7.2. Disabling essential cookies may impair platform functionality, such as keeping the authenticated session alive.
8. Sub-processors and third-party sharing
8.1. To deliver the platform we engage rigorously assessed sub-processors, formalized via a Data Processing Agreement (DPA). The canonical list below is kept up to date on this page; material changes are communicated to Licensees with 30 (thirty) days’ advance notice.
8.2. International transfers occur only to the sub-processors listed in the table in this section, with contractual safeguards (DPAs including standard transfer clauses) and technical safeguards (masking of personal identifiers before sending to LLM providers).
8.3. Ad-hoc disclosures to competent authorities occur only upon a valid legal request, in proportional scope, and with auditable record.
| Sub-processor | Purpose | Hosting country | Safeguard |
|---|---|---|---|
| Oracle Cloud Infrastructure | Hosting (compute, Kubernetes, database, storage) | Brazil (sa-saopaulo-1) | DPA + ISO 27001 + SOC 2 Type II |
| Anthropic | Language model (Claude) | United States | DPA + SOC 2 Type II + training opt-out |
| OpenAI | Language model (GPT) and moderation | United States | DPA + SOC 2 Type II + ISO 27001 + training opt-out |
| | Language model (Gemini) | United States | DPA + SOC 2 + ISO 27001 + training opt-out |
| WorkOS | SSO, MFA, and identity management | United States | DPA + SOC 2 Type II |
| Cloudflare | DNS, CDN, WAF, and edge protection | Global anycast network | DPA + ISO 27001 + SOC 2 Type II |
| Sentry | Error and performance monitoring | United States | DPA + SOC 2 |
| Bitwarden (self-hosted) | Operational secrets vault | Brazil (self-hosted) | Operated by Namastex; SOC 2 Type II of upstream product |
9. Storage, encryption, and security measures
9.1. Operational data is stored on Oracle Cloud Infrastructure, São Paulo region (sa-saopaulo-1), within Brazilian territory. Operational personal data is not replicated outside Brazil. International transfers occur only on calls to LLM providers, with personal identifiers masked before sending.
9.2. We apply encryption at rest (AES-256) and in transit (TLS 1.2+, with TLS 1.3 preferred).
9.3. Before any data is sent to a language model provider, direct personal identifiers (national ID, email, phone, unique identifiers) are replaced with pseudonymized tokens consistent within the session. The reversal key does not persist outside the Namastex/OCI environment.
9.4. Additional technical and organizational measures include:
- Role-based access control (RBAC) with 4 levels and the least-privilege principle.
- Mandatory multi-factor authentication (MFA) for Namastex staff.
- Per-customer isolation: dedicated Kubernetes namespace and dedicated PostgreSQL database per Licensee.
- Continuous monitoring (Sentry, Uptime Kuma) and credential leak detection (GitGuardian).
- Regular backups with routine restore testing and retention per the internal Backup Policy.
- Centralized audit logs retained for at least 180 days.
- Vulnerability management on servers and applications (Dependabot, periodic scans) and a roadmap toward formal external penetration testing.
10. Sensitive personal data and minors
10.1. The KHAL platform does not intentionally collect sensitive personal data (racial origin, religious belief, health data, biometrics, political opinion, etc.). If a Licensee formalizes a use case involving sensitive data, Namastex requires a prior Data Protection Impact Assessment (DPIA/RIPD) and a specific contractual addendum before any processing begins.
10.2. Processing of children’s and adolescents’ data is the sole responsibility of the Licensee (controller), with appropriate legal basis and consent of at least one parent or legal guardian when required by LGPD Article 14, §1. We do not perform commercial profiling of minor data subjects.
11. Data retention
11.1. Personal data is retained for as long as needed for the purposes for which it was collected, observing the operational parameters below:
- Operational data (transcripts, session content): 30 days by default, unless a specific contractual configuration applies.
- Audit and security logs: at least 180 days, aligned with our internal Backup Policy and the Brazilian Internet Civil Framework (Law No. 12.965/2014, Art. 15).
- Licensee and User registration data: throughout the contractual relationship and for up to 5 (five) years after termination, to comply with legal and statute-of-limitations obligations, except where a longer specific legal term applies.
- Backups: rotating cycles with maximum 90-day retention for operational backups; legal retention applied per a versioned internal table.
12. Data subject rights and how to exercise them
12.1. Data subjects are entitled to (LGPD Art. 18):
- Confirmation of the existence of processing.
- Access to the personal data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
- Portability to another service or product provider.
- Deletion of data processed under consent, in the cases of Art. 16.
- Information on public and private entities with which the controller has shared data.
- Information on the possibility of withholding consent and its consequences.
- Withdrawal of consent.
12.2. To exercise any of these rights, contact the DPO via the channels in Section 14. We acknowledge receipt within 5 (five) business days and provide an effective response within 15 (fifteen) days, per Art. 19, §1. When Namastex acts as processor, we route the request to the competent controller, per LGPD Art. 39.
12.3. Namastex does not charge for handling data subject rights, except where expressly permitted by law.
13. Security incidents and notification
13.1. In the event of a security incident involving personal data, Namastex follows the internal Incident Response procedure:
13.2. Immediate assessment of scope and severity upon confirmation.
13.3. Notification to the affected Licensee within 24 hours as an operational target, observing the maximum legal and contractual deadline of 72 hours under LGPD Art. 48.
13.4. Notification to the Brazilian Data Protection Authority (ANPD) and to affected data subjects when applicable, per ANPD guidance in force.
13.5. Lessons learned and corrective measures are documented and reviewed by the DPO.
14. Data Protection Officer (DPO / Encarregado)
14.1. DPO: Cezar Vasconcelos.
14.2. Contact channels:
- Primary DPO email: dpo@namastex.ai (alias dpo@khal.ai active).
- Alternate privacy and incident channel: privacidade@namastex.ai.
14.3. The DPO is responsible for receiving communications from data subjects and from the ANPD, advising the organization on personal data protection practices, and performing the other duties under LGPD Art. 41, §2. The Appointment Record is available upon request.
15. Provisions on End Users (omnichannel)
15.1. End User data processed via Licensee omnichannels is the responsibility of the Licensee (controller). As processor, Namastex handles such data exclusively per the Licensee’s documented instructions and within the licensing agreement.
15.2. The Licensee is responsible for:
- Maintaining an appropriate legal basis to process their End Users’ data.
- Providing a transparent privacy notice to End Users.
- Obtaining consent where necessary, especially for voice call recording.
- Implementing retention and disposal policies appropriate to End Users.
- Handling End User data subject rights requests (Namastex provides operational support per contract).
16. Small-Scale Processor classification and governance
16.1. Namastex Labs is classified as a small-scale processing agent under ANPD Resolution CD/ANPD No. 2/2022 and adopts the simplified regime set forth in the ANPD Guide for Small-Scale Processing Agents (2024), without prejudice to the substantive obligations of the LGPD.
16.2. Privacy governance is exercised directly by the DPO, with formal escalation to the CEO for decisions with contractual or legal impact, and with periodic, documented review of the policy, procedures, and Record of Processing Activities (RoPA).
17. Changes to this policy
17.1. We may update this Policy from time to time. Material changes (those that affect the processing of personal data of Licensees) are communicated 30 (thirty) days in advance, per our standard DPA. Non-material editorial changes (corrections, style adjustments) may be published with 15 (fifteen) days’ notice.
17.2. Change notifications are provided through the platform and/or by email to the Licensees’ registered contacts; the version history is maintained under DPO control and is available upon request.
17.3. The version in force is always the one published on this page.
This Privacy Policy is the canonical public version. Internal copies kept by the DPO are versioned snapshots for audit purposes. In the event of any apparent divergence, this public version prevails.