1. About this document
This Privacy Policy describes how Oneck Creative LTDA (“Reverba”, “we”, “us”) collects, uses, shares, stores and protects personal data while providing its conversational CRM for WhatsApp and marketplaces. It applies to:
- Operators — natural persons who use the Reverba dashboard on behalf of the contracting company (“Customer”).
- End contacts — final customers whose data is imported, synchronized, or received by the Operator through WhatsApp, TikTok Shop, Mercado Livre, or Shopee.
- Visitors of the public website at reverba.com.br.
Reverba operates in two distinct roles depending on the data:
- As Data Controller for Operator data, billing data, and product telemetry.
- As Data Processor for End-Contact data ingested by the Customer — the Customer is the Controller for that data, and Reverba processes it strictly under the Customer's documented instructions.
2. Who is the Controller
Oneck Creative LTDA, a Brazilian limited liability company registered under Tax ID (CNPJ) 37.874.433/0001-86, headquartered at Rua Servidão Cam — Ch Aurora, 0, Lote Chácara do Ipê — Bairro da Graminha — Limeira/SP — ZIP 13480-970, Brazil.
Data Protection Officer (DPO)
In compliance with LGPD Article 41 and GDPR Article 37, the official DPO contact is:
- Email: privacidade@reverba.com.br
- Phone: +55 19 98143-4313
- Mailing address: Rua Servidão Cam — Ch Aurora, 0, Lote Chácara do Ipê — Bairro da Graminha — Limeira/SP — CEP 13480-970 — Brasil
The DPO is responsible for receiving communications from data subjects and the Brazilian Data Protection Authority (ANPD), advising employees on adequate practices, and other duties set by law.
3. Personal data we process
We process the following data categories, grouped by source:
Operator identification (Reverba customer)
- Full name
- Corporate email address
- Password (bcrypt hash; Reverba never has access to the original plaintext)
- Account role (OWNER, ADMIN, SELLER)
- IP address at login and access dates (operational logs)
Contact identification (the Operator's end customer)
- Name (when provided by the Operator)
- WhatsApp phone number (E.164)
- Email (optional)
- Address (optional, CSV import)
- Linked purchase history
- Free-form Operator notes
- Tags and derived segmentation
Marketplace data (TikTok Shop, Mercado Livre, Shopee)
- External store and order IDs
- Content of messages received by the Operator (text, media)
- Order status and fulfillment data
- OAuth tokens encrypted at rest (AES-256-GCM)
Financial data
- Subscribed plan (Starter, Pro, Business)
- Invoice amounts and payment status
- Payment method data (handled exclusively by Mercado Pago; Reverba does not store card data)
Operational telemetry
- Product usage logs (endpoint, status code, request duration)
- Audit events for destructive actions
- Anonymous aggregated metrics (Google Analytics via GTM with anonymized IP)
We do not process sensitive data (race, religion, sexual orientation, health, genetic or biometric data, political opinion or union membership) as part of normal platform operation. If a Customer imports such data into free-form fields (e.g., notes), we reserve the right to remove or anonymize it during audit and notify the Customer.
4. Purposes and legal bases
Each data category is processed under a specific legal basis as per LGPD (Article 7) and GDPR (Article 6):
| Legal basis | LGPD | GDPR | Applies to |
|---|---|---|---|
| Contract performance | Art. 7º, V | Art. 6(1)(b) | Operator data (signup, login, billing) and data the Operator enters in order to use the platform |
| Legitimate interest | Art. 7º, IX | Art. 6(1)(f) | Operational telemetry, fraud prevention, and platform security |
| Compliance with a legal obligation | Art. 7º, II | Art. 6(1)(c) | Retention of invoices, accounting records, and audit logs for the periods set by law |
| Consent | Art. 7º, I | Art. 6(1)(a) | Reverba's direct marketing communications to the Operator (explicit opt-in) and non-essential cookies |
Specific purposes
- Service delivery: account creation, authentication, contact organization, message dispatch, subscription billing.
- Operator support: answering questions via chat, email, or WhatsApp.
- Platform security: fraud prevention, detection of misuse (cold prospecting), audit of destructive actions, attack mitigation.
- Product improvement: aggregated usage analysis, telemetry with anonymized IP, A/B testing.
- Institutional communication: notice of changes to terms, scheduled maintenance, product updates. Operators may opt out of marketing communication in account settings.
- Legal compliance: invoice issuance, audit log retention as required by law, response to lawful requests from competent authorities.
6. Connected marketplaces
When a Customer connects a TikTok Shop, Mercado Livre, or Shopee store to Reverba via the official OAuth flow, they authorize the platform — on their behalf — to access only the scopes requested on the consent screen. For each marketplace:
TikTok Shop
- Requested scopes: `customer_service` (buyer-seller conversations), `order` (order sync), `webhook` (real-time event delivery).
- Data accessed: shop and order identifiers, conversation identifiers, content of buyer-seller messages (when initiated by the Operator), and order data needed to link conversations to purchase history.
- OAuth tokens: stored encrypted at rest with AES-256-GCM. Reverba operates as a Service Provider App (not a Seller App) on behalf of the authorizing seller.
- Revocation: the seller may revoke access at any time through the TikTok Shop Partner Center or the Reverba dashboard; Reverba erases tokens and stops any calls.
- End of relationship: at contract termination with Reverba, or upon request, all TikTok Shop messaging and order data is deleted within 30 days, except where retention is required by applicable law.
Mercado Livre
Scopes: read, write (post-sale chat tied to pack_id), and VIS Leads (Vehicles, Real Estate, Services). Tokens encrypted at rest. Other rules equivalent to TikTok Shop.
Shopee
Scopes: sellerchat (pre- and post-sale chat) and order. Reverba operates inside the Shopee Open Platform as a whitelisted application. Tokens encrypted at rest.
WhatsApp Web
WhatsApp integration runs through a Chrome extension installed in the Operator's browser. Reverba does not call the WhatsApp Cloud API; messages travel directly between the Operator's browser and Meta's servers. Reverba syncs only metadata (phone, name, last message preview) into the multi-tenant dashboard to enable context-aware replies.
7. International data transfer
Reverba processes data primarily within Brazilian territory (dedicated VPS in São Paulo, Brazil). Specific operations involve cross-border transfer, always under the legal bases allowed:
- AI inference (Groq) — United States. No prompt retention beyond aggregated provider operational logs.
- Push notifications (Firebase Cloud Messaging, Google) — global.
- Website CDN (Vercel) — global. Public content only (institutional + assets); no personal data on the CDN.
- TikTok Shop and Shopee marketplaces — Singapore/US hosts as defined by the source platform.
For transfers to countries without an adequate level of protection, we sign Standard Contractual Clauses (SCCs under GDPR / specific clauses under LGPD Article 33) with each sub-processor.
8. Retention and disposal
Retention periods vary per category and purpose. See the detailed Data Retention document.
| Category | Retention period | After expiration |
|---|---|---|
| Operator data (account) | While the account is active | Deleted within 30 days after cancellation |
| End-Contact data imported by Customer | While the Customer account is active | Deleted within 30 days after cancellation |
| Messages (WhatsApp, marketplaces) | While the account is active | Deleted within 30 days after cancellation |
| Marketplace OAuth tokens | Until revoked or expired | Deleted immediately when revoked |
| Invoices and tax data | 5 years | Kept by legal obligation (Brazilian Law 5.474/68 and tax regulations) |
| Audit logs | 2 years | Automatically deleted |
| Operational backups | Rolling 30-day window | Automatically overwritten |
9. Information security
We adopt technical and organizational measures proportional to the processing risk, as required by LGPD Article 46 and GDPR Article 32. Summary of current controls — full detail in our Information Security Policy:
- Encryption in transit: TLS 1.2+ on every public endpoint, HSTS, security headers via `helmet`.
- Encryption at rest: passwords with bcrypt (cost 10), marketplace OAuth tokens with AES-256-GCM, database disk encrypted by the VPS provider.
- Multi-tenant isolation: each account operates in an isolated logical namespace via `AsyncLocalStorage` + Prisma middleware; automated tests validate isolation on every deploy.
- Access control: short-lived JWT (15 min), rotating refresh tokens, OWNER/ADMIN/SELLER roles, least privilege at the endpoint level.
- Input validation: global pipe with `whitelist` + `forbidNonWhitelisted` rejects any field not declared in DTOs.
- Rate limiting: throttler on sensitive endpoints (login, password recovery, signup).
- Authenticated webhooks: HMAC-SHA256 validation on every inbound webhook (TikTok Shop, Shopee, Mercado Livre, Meta); optional IP allowlist for additional defense.
- Auditing: every destructive or permission-changing action is recorded in `AuditLog` with actor, timestamp, source IP, and sanitized payload.
- Structured logs: Pino with `request-id` on every call, which facilitates incident correlation.
- Monitoring: `health/ready` and `health/live` probed by the load balancer; alerts on outages.
- Vulnerability management: dependencies kept current via recurring `npm audit`; critical security patches applied within 7 business days.
We acknowledge limits: Reverba does not yet hold formal ISO 27001 or SOC 2 Type 2 certification. Customers requiring such certifications (healthcare, finance) are advised to use the official WhatsApp Business API instead.
10. Data subject rights
LGPD (Article 18) and GDPR (Articles 15-22) grant data subjects a set of rights. Reverba honors them free of charge, upon verified identity request, within 15 calendar days.
- Confirmation and access — know whether we process your data and obtain a copy.
- Rectification — update incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or erasure — for unnecessary, excessive, or unlawfully processed data.
- Portability — export your data in a structured, machine-readable format (JSON or CSV).
- Erasure of data processed under consent, except for mandatory retention.
- Information about sharing — which public and private entities have access to the data.
- Withdrawal of consent at any time.
- Objection to processing carried out on the legal basis of legitimate interest.
To exercise any of these rights, contact the DPO at privacidade@reverba.com.br.
If you are an End-Contact (final customer of an Operator) and wish to delete your data: your request will be forwarded to the Operator (Reverba Customer), who is the Controller of your data. Reverba executes the operation as soon as it receives a documented instruction from the Controller.
12. Children and minors
The Reverba platform is not intended for users under 18. We do not knowingly collect data from children or adolescents. Should we become aware of such processing without specific consent from the legal guardian (Brazilian ECA Article 14 §1; LGPD Article 14), we will erase the records immediately.
13. Changes to this policy
This policy may be revised to reflect regulatory changes, new sub-processors, or product changes. For material revisions (affecting subject rights or legal bases), we will notify Operators by email at least 14 days in advance. The current version is always shown at the top of this document. Prior versions can be requested from the DPO.
14. How to contact us
For any questions, exercise of subject rights, or report of a security incident, contact the DPO:
- Email: privacidade@reverba.com.br
- General support: contato@reverba.com.br / WhatsApp +55 19 98143-4313
- Postal address: Rua Servidão Cam — Ch Aurora, 0, Lote Chácara do Ipê — Bairro da Graminha — Limeira/SP — CEP 13480-970 — Brasil
- Legal entity: Oneck Creative LTDA — Tax ID 37.874.433/0001-86
You are also entitled to file a complaint with the Brazilian Data Protection Authority (ANPD) at gov.br/anpd if you believe the processing of your data does not comply with the LGPD.
Related documents: Terms of Service, Information Security Policy, Data Retention, Incident Response.
Canonical URLs: https://reverba.com.br/privacy (EN), https://reverba.com.br/privacidade (PT-BR).