Privacy Policy
This English version is the legally binding and authoritative version of this Privacy Policy. Any translations provided are for convenience only. In the event of any conflict, discrepancy, or inconsistency, this English version shall strictly control in all instances.
CeroVueltas Privacy Policy
Website: CeroVueltas.com
Service Provider: SUITE IMPERIAL LLC, owner and operator of the CeroVueltas brand and platform.
1. Overview
This Privacy Policy explains how SUITE IMPERIAL LLC, doing business as CeroVueltas (“CeroVueltas,” “we,” “us,” or “our”), collects, uses, discloses, retains, and protects information in connection with CeroVueltas.com, the CeroVueltas dashboard, WhatsApp Business Platform integrations, Facebook Login, inbound automation, AI-assisted routing, RAG-based response generation, support, billing, security, and related services (collectively, the “Services”).
CeroVueltas is a strictly Business-to-Business (B2B) enterprise SaaS platform. This Privacy Policy is subordinate to our Terms of Service and, where applicable, our Data Processing Addendum ("DPA"), in accordance with the Order of Precedence established in Section 1 of the Terms of Service.
2. Roles and Responsibilities
CeroVueltas handles personal information in two distinct legal capacities:
| Capacity | Whose data | What this means |
|---|---|---|
| Controller / Business | Customers: the businesses and organizations that register for and use the Services (including their authorized personnel). | We determine how and why this data is processed. This Privacy Policy applies in full. |
| Processor / Service Provider | End Users: individuals who communicate with our Customers via WhatsApp or website widgets connected to the Services. | We process this data solely on behalf of, and under the instructions of, the Customer, who is the Controller. See Section 4 and Section 11.2. |
If you are an End User (you chatted with a business via WhatsApp or a website widget powered by CeroVueltas): the business you communicated with (not CeroVueltas) is the Controller responsible for your personal data. Please direct any privacy or data deletion requests to that business directly.
3. Information We Collect as a Controller (Customers)
CeroVueltas collects only information reasonably necessary to provide, secure, and support the Services.
- Account Data: Business email address (stored encrypted), company name, account identifiers, and the authentication providers you use (Google, Facebook, or email). Authentication is managed through Google Firebase, and we never store raw passwords on our servers.
- Billing Data: Payments are processed entirely by Stripe, Inc. We store only your Stripe customer identifier, transaction identifiers (to credit your account balances), and your plan level. We never collect, store, or have access to full payment card numbers.
- WhatsApp / Meta Connection Data: Your WhatsApp Business Account (WABA) ID, Phone Number ID, public WhatsApp business number, Meta User ID, and the Meta access token required to route messages. Access tokens are stored encrypted using AES-256-GCM.
- Knowledge Base Data: Text extracted from documents (e.g., PDF, TXT) and business rules you upload to provision the RAG (Retrieval-Augmented Generation) system. This content is vectorized and stored encrypted at rest.
- Website and Visitor Data: Limited technical data described in Section 16 (Cookies & Tracking).
4. Privacy by Design: How We Minimize Data
We have engineered the Services to collect and retain as little personal information as technically feasible:
- IP addresses are never stored in plain text. Visitor and Customer IPs are processed through a keyed HMAC SHA-256 hash with a daily rotating salt, rendering them mathematically anonymous at the end of each day.
- Automatic log redaction. Before any error or event is written to our security audit logs, automated systems detect and replace email addresses, phone numbers, and authentication tokens with redaction markers (e.g., [EMAIL], [PHONE], [REDACTED]).
- Blind indexing. End User phone numbers are stored encrypted and are looked up at the database level only through a keyed HMAC SHA-256 blind index, never in plain text.
- No media storage. We do not download or store images, audio, video, or document attachments sent by End Users via WhatsApp. Only plain text is processed.
- Message truncation. Message content is strictly truncated to 4,096 characters to prevent abuse and is stored with AES-256-GCM encryption.
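The following sketch illustrates three of the measures listed above (daily-keyed IP hashing, blind indexing, and log redaction). It is an added example, not CeroVueltas code; the key handling, function names, phone normalization, and regular expressions are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: one random key per UTC day, held in memory only and discarded at
# rollover. Once the key is gone, that day's tokens cannot be recomputed.
_daily_keys = {}

def daily_key(day):
    return _daily_keys.setdefault(day, secrets.token_bytes(32))

def ip_token(ip, day):
    """Keyed HMAC-SHA-256 of an IP: stable within a day, unlinkable across days.
    The key matters: the IPv4 space is small enough to enumerate against an
    unkeyed hash."""
    return hmac.new(daily_key(day), ip.encode(), hashlib.sha256).hexdigest()

def expire_day(day):
    """Drop the day's key so its tokens can no longer be matched to an IP."""
    _daily_keys.pop(day, None)

def normalize_phone(raw):
    # Assumption: numbers are reduced to digits before indexing, so that
    # "+1 (505) 555-0100" and "15055550100" hit the same index entry.
    return re.sub(r"\D", "", raw)

def blind_index(phone, index_key):
    """Deterministic lookup token stored beside the encrypted phone number."""
    msg = normalize_phone(phone).encode()
    return hmac.new(index_key, msg, hashlib.sha256).hexdigest()

# Constructed patterns; order matters: tokens first, then emails, then phones.
_REDACTIONS = [
    (re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+"), "[REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\+?\d[\d\s().-]{7,}\d"), "[PHONE]"),
]

def redact(line):
    """Replace sensitive substrings before the line reaches an audit log."""
    for pattern, marker in _REDACTIONS:
        line = pattern.sub(marker, line)
    return line

if __name__ == "__main__":
    # Constructed sample log line.
    print(redact("login failed user=ana@example.com from +1 505 555 0100 "
                 "auth=Bearer abc.def.ghi"))
```

The blind-index key is long-lived and must be kept separate from the database, since anyone holding it can test candidate phone numbers against the index.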
5. Information We Process as a Processor (End Users)
When End Users communicate with a Customer through the Services, we process the following data strictly on the Customer's behalf, governed by the DPA:
| Data | Treatment |
|---|---|
| WhatsApp phone number | Encrypted at rest; pseudonymized via blind indexing (Section 4). |
| WhatsApp public profile name | Captured only if intentionally transmitted by Meta. |
| Message content (text only) | Truncated to 4,096 characters; encrypted at rest (AES-256-GCM). |
| Media attachments (images, audio, video, documents) | Not downloaded, not stored, not processed. |
The Customer determines the purposes of this processing. CeroVueltas uses End User data solely to provide the Services (message routing, AI-driven response generation, and dashboard display to the Customer) and never for its own purposes.
6. How We Use Information
We use Customer personal information to:
- Create, authenticate, and administer accounts;
- Provide, operate, secure, and troubleshoot the Services, including AI-driven response automation;
- Process payments, credit balances, and manage subscriptions;
- Send essential transactional communications;
- Detect, prevent, and respond to fraud, abuse, and security incidents;
- Comply with legal, tax, and accounting obligations; and
- Generate irreversibly anonymized, aggregated operational metrics for capacity planning and platform optimization. This statistical data contains no Customer Data, Knowledge Base content, or End User message content.
Where GDPR or similar laws apply, our legal bases are: performance of a contract (items 1 to 4), legitimate interests (items 5 and 7), and compliance with legal obligations (item 6).
7. AI Subprocessors, RAG, and No Public-Model Training
The Services use Retrieval-Augmented Generation (RAG) and third-party Large Language Models accessed through AI API gateways with dynamic routing, as described in our Subprocessor List.
- We do not use your data to train AI models. Consistent with Section 10.2 of the Terms of Service, CeroVueltas never uses Customer Data, Knowledge Base content, or End User messages to train any AI or machine learning model.
- We select only AI providers whose published policies prohibit using API data to train their general-purpose foundation models.
- Certain AI providers may temporarily retain API logs strictly for security, abuse-monitoring, and trust-and-safety purposes, in accordance with their respective privacy policies.
8. How We Disclose Information
We do not sell personal information. We do not rent or monetize personal data. We disclose personal information only in the following circumstances:
- To subprocessors: Entities providing infrastructure, payments, authentication, messaging, and AI inference, strictly as necessary to provide the Services. The current list is maintained in our Subprocessor List.
- To Advertising Partners: Subject to your consent via our cookie banner, we may "share" limited website browsing data with advertising platforms (e.g., Meta, TikTok, Google) to measure ad conversions. We never share End User WhatsApp data or Customer Knowledge Base content for advertising.
- To Meta Platforms, Inc. (WhatsApp Routing): As inherently required to route WhatsApp messages. Meta processes this data under its own terms and privacy policies.
- For legal reasons: When required by law, subpoena, or valid governmental request, or to protect the rights, safety, and security of CeroVueltas, our Customers, or the public.
- In a business transfer: In connection with a merger, acquisition, or sale of assets, subject to this Privacy Policy's commitments.
9. Data Retention and Deletion
| Data | Retention |
|---|---|
| Customer account data | Life of the account, plus deletion within 30 days of termination or verified request. |
| End User messages and identifiers | Life of the Customer relationship, subject to Customer deletion instructions, automated Meta callbacks, or standard compliance windows. |
| Financial, billing, and balance-credit records | Up to 7 years (U.S. tax and audit compliance). |
| Infrastructure backups | Overwritten or purged within 90 days. |
| Hashed IP data | Mathematically anonymized daily (rotating salt used strictly for rate-limiting). |
Manual Deletion Requests: Customers may request complete deletion of their workspace, Knowledge Base, and associated End User data by submitting a written request to privacidad@cerovueltas.com. We will process and execute these deletions within thirty (30) days of verifying the identity of the requester.
Automated Meta Callbacks (Data Deletion): If Meta sends an automated data deletion request via webhooks (e.g., because a user asked Meta to delete their data directly from Facebook/WhatsApp), our systems will process and complete this request within a maximum of thirty (30) days, aligning strictly with Meta's maximum allowed compliance timelines. To preserve irreversible statistical analytics and system ledger consistency, the specific Meta-provided identifiers and associated message content will be cryptographically destroyed and overwritten with the specific database tracking marker [PURGEDBYPRIVACY_REQUEST].
Fraud Prevention and Affiliate Integrity Tokens: To preserve the integrity of our referral and welcome bonus infrastructure, prevent industrial-scale financial abuse, and mitigate Sybil attacks, certain unique identifiers provided by Meta (such as WhatsApp Business Account IDs and Phone Number IDs) are processed through an irreversible, one-way cryptographic hash (SHA-256) upon onboarding. These cryptographically generated fraud-detection tokens contain zero raw end-user PII (Personally Identifiable Information) and cannot be reverse-engineered to identify a natural person. To maintain accurate deduplication defenses, these static cryptographic fingerprints are retained indefinitely in an append-only state within our internal security structures and are strictly excluded from standard or manual deletion workflows under the legal framework of Legitimate Interest (Prevention of Fraud and Security Integrity).
10. Separation of Meta Disconnection from Account Deletion
Disconnecting the CeroVueltas app from your Meta Business Manager or revoking WhatsApp permissions only removes our access to your Meta tokens (WABA ID, Phone ID). It does not automatically delete your Customer account, proprietary Knowledge Base, billing records, or historical dashboards. Complete account and Knowledge Base deletion must be explicitly requested via privacidad@cerovueltas.com.
11. Your Privacy Rights
11.1 Customers
You may request access to, a portable copy of, correction of, or deletion of your account data at any time by writing to privacidad@cerovueltas.com. We will verify your identity and respond within the timeframes required by applicable law.
11.2 End Users (WhatsApp / Widget Users)
CeroVueltas acts solely as a Data Processor regarding End User data. If you are an End User and wish to access or delete your data, you must contact the business you communicated with, which is the Controller responsible for your information. Upon a verified instruction from that business, we will execute deletion through the purge process described in Section 9.
11.3 International Visitors
The Services are operated from the United States and are not actively targeted at jurisdictions outside the United States. We have not appointed an EU or UK representative or a Data Protection Officer. If you access the Services from outside the United States, you acknowledge that your data will be processed in the United States and in the jurisdictions listed in our Subprocessor List, and that your use of the Services is governed strictly by United States law as set forth in our Terms of Service.
12. Communications
We send only essential transactional emails (e.g., password recovery via Firebase, payment receipts via Stripe, security alerts). We do not send marketing newsletters or mass email campaigns from the platform. Because we send no direct marketing communications, no marketing opt-out is required for platform emails.
13. California Privacy Notice
This section applies to California residents where the California Consumer Privacy Act (CCPA), as amended by the CPRA, applies.
13.1 Categories of Personal Information Collected: We collect identifiers, commercial information, internet or electronic network activity, and sensitive personal information (such as account credentials and message content where processed through the Services). We use sensitive personal information solely for the purposes permitted under CCPA regulations (e.g., providing the Services, security, and integrity), and therefore do not offer a separate "Limit the Use" option.
13.2 Sources and Purposes: We collect information from Customers, End Users, Meta, browsers, payment processors, and service providers for the purposes described in Section 5 and Section 6.
13.3 No Sale / Limited Sharing: We do not sell personal information. We may "share" limited browsing data (via tracking pixels) with advertising platforms for cross-context behavioral advertising, subject to your control via our cookie consent banner. We never sell or share End-User WhatsApp data.
13.4 California Rights: You may have the right to know, access, correct, delete, and opt-out of the "sharing" of personal information. You can exercise your right to opt-out via our cookie banner or by broadcasting an opt-out preference signal, such as the Global Privacy Control (GPC). We honor Global Privacy Control (GPC) signals as a valid opt-out of sharing. Submit other requests to privacidad@cerovueltas.com.
14. Security
CeroVueltas uses commercially reasonable administrative, technical, and organizational measures designed to protect information, including AES-256-GCM encryption at rest, TLS encryption in transit, runtime-only secrets injection, and strict Content Security Policy (CSP) protections. A summary of our security measures is set out in Annex II of the DPA.
15. Children’s Privacy
The Services are intended for B2B use and are not directed to children. Customers must not use the Services to knowingly collect personal information from individuals under 18 years of age. If we learn that personal information of a minor has been processed, we will take appropriate steps to delete it (if it is Customer account data) or instruct the relevant Customer to take appropriate action (if it is End User data).
16. Cookies, Analytics, and Similar Technologies
We utilize both strictly necessary cookies and, subject to your consent, performance and marketing tracking technologies.
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| __Host-cv_sess / cv_secure_sess | Strictly necessary | Session | Encrypted session management (HttpOnly, Strict) |
| nr_identity | Strictly necessary | 30 days | Account persistence token |
| cv_lang | Functional | Persistent | Language preference |
| cv_ref | Functional | 30 days | Referral/affiliate attribution (stores a random UUID only) |
16.1 Analytics & Consent Management: We use privacy-first, cookieless web analytics (Cloudflare Insights) to monitor platform health and performance. We use CookieYes as our Consent Management Platform. Subject to your explicit consent through the CookieYes banner, we may deploy marketing pixels (e.g., Meta Pixel, TikTok Ads, Google Ads) to measure website advertising effectiveness. If you decline marketing cookies, these trackers are strictly disabled.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' prior notice consistent with Section 21.6 of the Terms of Service. The effective date of this Privacy Policy is indicated at the top of this page.
18. Contact
- Privacy & Deletion Requests: privacidad@cerovueltas.com
- Legal Notices: legal@cerovueltas.com
- Postal: SUITE IMPERIAL LLC, 8206 LOUISIANA BLVD NE, STE A #696, Albuquerque, New Mexico, 87113, USA. (Note: Strictly for legal and administrative letter mail. For security and compliance processing, this corporate address does not accept packages, parcels, or physical goods of any kind; such items will be automatically refused).
SUITE IMPERIAL LLC New Mexico, USA.