Privacy Policy

Last updated: May 5, 2026

Valhalla Barber ("we", "our", or the "Platform") is committed to protecting your personal data, in compliance with the Brazilian General Data Protection Law (LGPD — Law 13.709/2018) and applicable international standards.

1. Data We Collect

1.1 Data you provide

  • Full name, email, and phone when you create your account
  • Business data (barbershop name, address, business hours)
  • Information about clients you register on the Platform
  • Messages sent through the support chat
  • Uploaded images (services, profile photos, etc.)

1.2 Data collected automatically

  • IP address and approximate location
  • Browser type and operating system
  • Pages visited and time spent on the Platform
  • Cookies and similar tracking technologies

1.3 Payment data

Payment data (card number, CVV, expiry) is processed directly by Mercado Pago, our payment processor, and is never stored on our servers. We only receive a transaction identifier and the payment status.

2. Data Obtained from Meta (Facebook / WhatsApp Business)

When you connect your WhatsApp Business account through our integration, we receive the following data from Meta Platforms via the Graph API. This is described transparently below so you can give informed consent.

2.1 Permissions requested and what they grant

  • business_management— used to identify your Business Manager and the WhatsApp Business Account (WABA) that you grant to our app via GET /debug_token. We do not manage other Meta business assets (Pages, Ads Accounts, Catalogs) and do not read or modify any data outside the WABA you select.
  • whatsapp_business_management— used to: (a) list the phone numbers of your WABA via GET /{waba-id}/phone_numbers, (b) subscribe our app to your WABA webhooks via POST /{waba-id}/subscribed_apps, (c) synchronize message templates you create in the Platform back to Meta for approval.
  • whatsapp_business_messaging— used to send appointment confirmations, reminders, and AI-agent replies on your behalf via POST /{phone-number-id}/messages.

2.2 Data we store from Meta

  • Long-lived business access token (encrypted at rest)
  • WhatsApp Business Account ID (WABA ID)
  • Phone Number ID and display phone
  • Message templates you create or sync
  • Metadata of messages sent/received (timestamps, status, message ID)

We do not sell, rent, or share Meta-derived data with third parties. We do not use Meta data for advertising. The token is never sent to the browser or any third-party service.

2.3 How to revoke and delete Meta data

You can disconnect at any time inside the Platform (Dashboard → Settings → Integrations → WhatsApp → Disconnect), which immediately deletes the token, WABA ID and Phone Number ID and unsubscribes our app from your WABA webhooks. See the dedicated Data Deletion page for the full procedure.

3. Purposes of Processing

  • Service delivery: operate the Platform, manage your account, process appointments and payments
  • Communication: send notifications about your account, news and service updates
  • Customer messaging: deliver appointment confirmations, reminders, and replies through WhatsApp on behalf of the barbershop
  • Support: respond to your requests and provide technical assistance
  • Service improvement: analyze usage patterns to improve user experience
  • Legal obligations: comply with applicable legal and regulatory requirements

4. Legal Bases (LGPD)

  • Contract execution (Art. 7, V): for the provision of the contracted services
  • Consent (Art. 7, I): for marketing communications and non-essential cookies
  • Legitimate interest (Art. 7, IX): for Platform improvement and fraud prevention
  • Legal obligation (Art. 7, II): for tax and regulatory compliance

5. Data Sharing

  • Mercado Pago: payment processing (Mercado Pago Privacy Policy)
  • Meta Platforms: WhatsApp message delivery (WhatsApp Business Policy)
  • OpenAI: AI agent processing of anonymized conversation context (OpenAI Privacy Policy). We disable training on customer data.
  • Infrastructure providers: hosting (Railway, Vercel) and storage providers under data processing agreements
  • Authorities: when required by law or court order

We never sell, rent, or share your personal data with third parties for marketing purposes without your express consent.

6. Your Rights (LGPD)

  • Confirmation and access: know whether we process your data and obtain a copy
  • Correction: request correction of incomplete, inaccurate or outdated data
  • Anonymization or deletion: request anonymization or deletion of unnecessary data — see Data Deletion page
  • Portability: request transfer of your data to another service provider
  • Withdraw consent: revoke consent at any time
  • Object: object to processing in certain circumstances

7. Data Security

  • Encryption of data in transit (HTTPS/TLS)
  • Secure storage with access control
  • JWT authentication and bcrypt-hashed passwords
  • Meta business tokens encrypted at rest
  • Continuous security monitoring
  • Periodic backups

8. Data Retention

  • Active account: while your subscription is active
  • After deletion request: all personal data erased within 30 days
  • Tax records: 5 years per Brazilian tax law (anonymized invoice metadata only)

9. International Data Transfer

Some of our service providers may be located outside Brazil. In those cases, we ensure international data transfers comply with LGPD safeguards, including standard contractual clauses and certified data processing agreements.

10. Changes to this Policy

We may update this Privacy Policy periodically. Significant changes will be communicated by email or through Platform notice at least 15 days in advance. The date of the last update is always shown at the top of this page.

11. Contact & Data Protection Officer

You also have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD) if you believe your rights have not been adequately addressed.