Important notice: The Portuguese version of this Policy, available at chatcheck.in/privacy, is the original and prevailing version. In case of any conflict or divergence between the Portuguese and the English versions, the Portuguese text shall prevail. This English version is provided for informational purposes only.
Mcmont Consultoria e Tecnologia Ltda., doing business as Chat Check-in ("Company," "we"), respects your privacy and is committed to protecting personal data, in compliance with Brazilian Law no. 13,709/2018 (General Personal Data Protection Law — LGPD), the Brazilian Civil Rights Framework for the Internet (Law no. 12,965/2014 — Marco Civil), and other applicable rules.
This Privacy Policy describes how we collect, use, store, share, and protect personal data related to the use of our SaaS platform for AI-powered automated WhatsApp customer service ("Platform" or "Service").
Processing observes the principles set forth in article 6 of the LGPD: purpose, adequacy, necessity, free access, quality of data, transparency, security, prevention, non-discrimination, and accountability. Where processing entails high risk to the rights and freedoms of data subjects (for example, intensive use of generative AI), we carry out a Data Protection Impact Assessment (DPIA / RIPD) in accordance with article 10 of the LGPD.
Mcmont Consultoria e Tecnologia Ltda. is a Brazilian limited liability company (sociedade empresária limitada), provider of the Chat Check-in service, an AI-powered WhatsApp automated customer service platform for inns, hotels, and businesses in the hospitality sector.
Depending on how the Service is used, we may collect and process the following categories of personal data:
We collect data (i) directly from the Client when they register and configure the Service; (ii) automatically through use of the Platform and similar technologies; (iii) through guests who send messages to the WhatsApp number configured by the Client, which will be processed by the Bot; and (iv) eventually from third parties, such as Meta/WhatsApp Business Platform, payment processors, and AI providers.
Personal data is used, where applicable, for the following purposes:
We process personal data on the following legal bases set forth in the LGPD (articles 7 and 11), as applicable to each purpose:
With respect to Client registration data and technical Platform data, Mcmont Consultoria e Tecnologia Ltda. acts as Controller.
With respect to data of guests/end users who interact with the Bot configured by a Client, Mcmont Consultoria e Tecnologia Ltda. acts as Processor (Operator), processing such data on behalf of and according to the instructions of the Client, who is the Controller. The Client is solely responsible for:
We strongly recommend that the Client present this Policy and their own privacy policy to guests before initiating automated interactions.
We do not sell personal data. Where applicable, we share data with the following processors and partners, identified by name with the country in which they process the data and the purpose:
Some of the processors listed in section 7 are headquartered or process data outside Brazil. We carry out international transfers based on article 33 of the LGPD, primarily under item V (necessity for performance of the contract with the Client) and, where applicable, items II (international cooperation) or IX (specific consent). We adopt standard contractual clauses and, when available, vendor compliance certifications.
United States. AWS, Stripe, Meta/WhatsApp, Resend, Sentry, and OpenAI process data on servers in the United States. We maintain Data Processing Agreements (DPAs) with these vendors and, where applicable, clauses that prohibit the use of data for model training.
People's Republic of China. Currently, part of message traffic may be processed by the AI provider DeepSeek, based in China, for the exclusive purpose of generating automated responses in the customer service flow. The transfer is based on LGPD art. 33, V (performance of contract), and Mcmont continuously evaluates applicable contractual clauses with this vendor. In a future version of the Platform, the Client will be able to choose among AI providers (including exclusively OpenAI/US); until then, Clients who prefer not to have data processed in China should request this configuration via [email protected].
Data is stored for the time necessary to fulfill the purposes for which it was collected, observing the principles of necessity and minimization (LGPD, art. 6, III). The following retention periods apply:
After the retention periods end, data will be deleted or anonymized, unless there is a legal duty of preservation.
We adopt reasonable technical and administrative measures to protect personal data against unauthorized access, loss, alteration, destruction, or any form of inadequate processing, including:
Non-discrimination principle. In compliance with LGPD art. 6, IX, we ensure that personal data will not be used for discriminatory, unlawful, or abusive purposes. We do not perform profiling that produces legal effects on or significantly affects the interests of data subjects.
Incident response. Despite our efforts, no system is completely impenetrable. In the event of a security incident that may pose risk or relevant harm to data subjects, we will adopt the following procedure, in compliance with article 48 of the LGPD and ANPD Resolution CD/ANPD nº 15/2024:
Pursuant to article 18 of the LGPD, the data subject has the right to obtain:
You also have the right to object to processing based on legitimate interests, pursuant to LGPD art. 18, §2 in conjunction with art. 7, IX, except where there is an overriding legal basis (compliance with legal obligation, performance of contract, or regular exercise of rights).
Requests must be sent to [email protected]. We may request additional information to confirm the requester's identity. When we act as Processor (data of guests), we will forward the request to the corresponding Client Controller.
Direct channel for Clients. Clients with an active account have access to the Dashboard › My data area to exercise all of these rights in a facilitated manner: export a structured copy of their own data, correct registration information, manage granular consents (marketing and telemetry), consult the consent history, and register requests for deletion of specific guest data received directly by the Client.
The Platform uses cookies, localStorage, sessionStorage, and third-party SDKs, organized into four categories: essential (authentication, session, and security — required and non-removable), functional (browsing preferences), analytical (error telemetry via Sentry, loaded only with consent), and marketing (currently not in use).
The details of each cookie/storage (name, provider, purpose, duration, and category) are described in the Cookie Policy. Consent is collected on first access through a banner with options to accept all, accept essential only, or customize by category, and can be revised at any time by clicking "Manage cookie preferences" in the website footer.
The Client area of the Platform (registration, dashboard, and panel) is not directed at individuals under 18. We do not intentionally collect data of Clients who are minors. If we identify such a scenario, the account will be terminated and the data deleted.
Underage end-user guests. As Processor, we may occasionally receive data of guests who are children or adolescents, depending on the type of establishment served by the Client. Pursuant to article 14 of the LGPD, the processing of data of children under 12 depends on specific and highlighted consent of at least one parent or legal guardian, and the processing of data of adolescents between 12 and 18 requires informed consent appropriate to the condition of adolescents. This obligation lies with the Client (Controller of guest data), who is responsible for verifying the age, obtaining parental consent where necessary, and providing clear information to the data subject and their guardians.
Parents, guardians, or the adolescent themselves may at any time request the deletion, correction, or clarification of data of a minor processed by the Platform by writing to [email protected]. We will forward the request to the corresponding Client Controller where applicable.
The Service uses generative AI models to process guest messages and generate automated responses. Message content is sent to the following providers, exclusively for this purpose:
Responses generated by the AI are probabilistic and may contain errors, inaccuracies, or inappropriate content. The Client is responsible for monitoring the operation of the Bot and for any decision made based on its responses.
We shall not be liable for any damages arising from (i) inadequate, irregular, or unlawful use of the Service by the Client; (ii) decisions made by the Client, their agents, or guests based on content generated by the AI; (iii) incidents caused by third parties (including Meta/WhatsApp, AI providers, payment processors, and cloud providers); or (iv) the Client's non-compliance with the data protection obligations incumbent upon them as Controller.
All limitation of liability clauses set forth in the Terms and Conditions of Use apply on a subsidiary basis.
This Policy may be modified at any time, at the Company's discretion, to reflect legal, regulatory, technological, or operational changes. Material changes will be communicated through the Platform dashboard or by email. Continued use of the Service after the new version becomes effective implies automatic and full acceptance.
For any questions, requests, or exercise of rights regarding this Policy and the processing of personal data, please contact our Data Protection Officer (DPO):