Legal

Privacy Policy

Full transparency on your data, AI usage, and third-party integrations.

1. Data Controller Identification

The data controller for personal data processed on the AbstractOS platform is Abstract Prisma Technologies, a private legal entity headquartered in Brazil. Contact: contato@abprisma.com | abprisma.com. For LGPD/GDPR-related requests, see Section 14 of this Policy.

2. Data Collected

We collect the following data throughout your experience on the platform:

  • Account & registration data: full name, email address, profile type (developer, designer, entrepreneur, company), and primary objective stated during onboarding.
  • Financial data: Stripe customer ID, active plan, renewal date, and transaction history. We do not store sensitive card data — these are handled exclusively by Stripe.
  • Usage & tool data: credits consumed, tools used (Genesis, Builder, App Studio, QR Code, CV Optimizer, etc.), projects created, and AI generation history.
  • Content sent to AI: prompts, code, texts, and briefs provided for processing by generation tools. These are transmitted to AI providers (see Section 5) and are not retained for model training.
  • Business Studio OAuth data: when connecting Gmail or Outlook via Business Studio, we store encrypted access tokens used exclusively for operations authorized by the user.
  • QR Code analytics: when using dynamic QR codes, we collect scan data including IP address (anonymized after 90 days), country, device type, browser, and referrer URL.
  • Navigation & session data: essential authentication cookies (Supabase Auth), and localStorage data for cart (@abstract:cart), UI preferences, SEO history, and Academy progress. Data stays on your device.

3. Legal Bases for Processing (LGPD)

The processing of your personal data is conducted on the following legal bases set forth in Art. 7 of the LGPD:

  • Consent (Art. 7, I): for analytical and marketing cookies, non-essential email communications, and optional third-party integrations.
  • Performance of contract (Art. 7, V): to enable contracted features — authentication, credit management, AI content generation, and billing via Stripe.
  • Legitimate interest (Art. 7, IX): for aggregated usage analytics, fraud prevention, platform security, and continuous service improvement.
  • Legal obligation (Art. 7, II): to retain tax records and comply with judicial or administrative orders.

4. Purpose of Processing

We use your data exclusively for: (i) creating and managing your account and access sessions; (ii) delivering Studio and tool functionality; (iii) processing payments and managing your subscription; (iv) sending mandatory transactional communications (purchase confirmation, renewal, payment failure); (v) sending marketing communications when you provide consent; (vi) analyzing aggregated platform usage to improve services; (vii) complying with legal and regulatory obligations.

5. Artificial Intelligence & Sub-processors

To deliver AI content generation features, your context data is sent via API to the following sub-processors:

  • Google / Vertex AI (USA) — Gemini models for site, app, and content generation. DPA available at cloud.google.com/terms/data-processing-addendum.
  • OpenAI (USA) — GPT models for AI-assisted generation on paid plans. DPA available at openai.com/policies/data-processing-addendum.
  • DeepSeek (China) — models available on Pro plans. Data sent exclusively for request processing; not used for model training.
  • Resend (USA) — transactional and marketing email platform.
  • Google Analytics 4 (USA) — platform usage and behavior tracking with IP anonymization.
  • Google Ads / Conversions (USA) — conversion tracking for advertising campaigns, active only on purchase and success pages.

5.B Third-Party Integrations Authorized by the User

Beyond the sub-processors above, AbstractOS lets you voluntarily connect third-party services via OAuth or Personal Access Token. When you authorize a connection, we store the token encrypted at rest and use it solely to perform actions you request — like publishing an app, opening a Pull Request, or creating a payment product. You can revoke access at any time via Settings > Integrations or directly in the third-party service's dashboard. Supported integrations:

  • GitHub (USA) — OAuth with repo, workflow, and write:packages scopes. We create repositories and push commits on your behalf when you generate or refine apps in Prisma Studio. GitHub terms: docs.github.com/site-policy.
  • Vercel (USA) — OAuth with Projects, Deployments, Domains, and Environment Variables scopes. We publish generated apps, configure environment variables (like SUPABASE_URL and SUPABASE_ANON_KEY), and manage custom domains under your explicit command. Vercel DPA: vercel.com/legal/dpa.
  • Stripe Connect (Ireland + USA) — OAuth with read_write scope. For generated apps that accept payments, we create products, prices, and checkout sessions on behalf of your Stripe account. AbstractOS never has custody of transacted funds. Stripe DPA: stripe.com/legal/dpa.
  • Google Workspace — Gmail and Calendar (USA) — OAuth with Mail.Send, Mail.Read, and Calendar scopes. Used in Business Studio Inbox to read/reply to emails and sync the calendar. Terms: workspace.google.com/terms.
  • Microsoft 365 — Outlook (USA + EU) — OAuth with Mail.Read, Mail.Send, and Calendars.ReadWrite scopes. Same use as Google Workspace. Terms: microsoft.com/licensing.
  • Figma (USA) — Personal Access Token supplied by the user. Used solely to import design tokens (colors, typography, spacing) into Prisma Studio. Terms: figma.com/legal.
  • Meta — Facebook and Instagram Business (USA + Ireland) — OAuth with pages_manage_posts, instagram_content_publish, and related scopes. Used in Marketing Studio to schedule and publish content. Meta policy: facebook.com/legal.
  • LinkedIn (USA + Ireland) — OAuth with w_member_social and w_organization_social scopes. Used in Marketing Studio for posting on personal profiles and Company Pages. LinkedIn policy: linkedin.com/legal.

6. Infrastructure & Storage

Your data is stored on the following infrastructure: Supabase (PostgreSQL + Auth + Storage) — relational database, authentication, and generated file storage, servers in the USA; Vercel — web application hosting and serverless functions with global CDN; Vercel KV / Upstash Redis — temporary AI response cache to reduce costs and latency, data expires automatically; Google Cloud Run — App Studio execution sandbox for app generation and preview, isolated environments with a 30-minute TTL.

7. International Data Transfers

Due to the nature of the listed sub-processors, your data may be transferred and processed in the United States and, in the case of DeepSeek, in China. All international transfers are conducted with the appropriate safeguards required by the LGPD (Art. 33), including standard contractual clauses and GDPR compliance by US-based partners.

8. Data Retention

We retain your data for the following periods:

  • Account and profile data: for as long as the account is active and for 5 years after termination, to meet tax and legal obligations.
  • Financial transaction data: 5 years as required by Brazilian tax legislation.
  • AI usage logs: 12 months for support and dispute resolution purposes.
  • QR Code analytics: individual IPs are anonymized after 90 days; aggregated data is retained indefinitely.
  • After account termination and the applicable retention period, data is irreversibly deleted.

9. Cookies & Similar Technologies

We use the following tracking technologies:

  • Essential session cookies (Supabase Auth): required for authentication and security. Cannot be disabled.
  • Browser localStorage: we store UI preferences, shopping cart (@abstract:cart), SEO analysis history, temporary content, and Academy progress. Data stays only on your device.
  • Google Analytics 4 (cookies _ga, _ga_*): usage and behavior tracking with anonymized IP. Can be managed at myaccount.google.com/data-and-privacy.
  • Google Ads (cookie _gcl_*): conversion tracking for advertising campaigns, active only on purchase and success pages.

10. Your Rights (LGPD Art. 18)

As a data subject, you have the following rights guaranteed by the LGPD:

  • Confirmation of processing and access: confirm whether your data is being processed and access the full list.
  • Correction: request the update of incomplete, inaccurate, or outdated data.
  • Anonymization, blocking, or deletion: of data that is unnecessary, excessive, or processed in noncompliance.
  • Portability: receive your data in a structured format for transfer to another provider.
  • Deletion: request the deletion of data processed based on consent.
  • Information on sharing: know which partners your data is shared with.
  • Withdrawal of consent: withdraw consent at any time, without prejudice to processing carried out previously.
  • Petition to ANPD: file a petition with Brazil's National Data Protection Authority in case of non-compliance.

11. Data Security

We adopt appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or improper disclosure, including: TLS/HTTPS encryption in transit, Row-Level Security (RLS) in the Supabase database, encrypted Business Studio OAuth tokens, role-based access control, and continuous security monitoring. In the event of a security incident affecting your data, Abstract will notify data subjects and the ANPD within legal timeframes.

12. Children & Minors

The AbstractOS platform is intended exclusively for individuals aged 18 and over. We do not intentionally collect personal data from children or minors. If we identify that data from minors was collected without the consent of legal guardians, we will proceed with immediate deletion.

13. Policy Changes

This Privacy Policy may be updated periodically to reflect changes in services, legislation, or privacy practices. Material changes will be communicated by email at least 15 days in advance. The most recent version will always be available at abprisma.com/legal/privacy.

14. Contact & Privacy Channel

To exercise your LGPD rights, request information about data processing, or file a complaint, contact us:

  • Email: contato@abprisma.com
  • Support form: available in the platform's Dashboard (abprisma.com → Dashboard → Support)
  • National Data Protection Authority (ANPD): gov.br/anpd for formal petitions