1. Introduction and scope
This Privacy Policy describes how autoasistente.com (hereinafter, "the Platform," "we," or "the Service"), operated by Gomez Smart Group LLC, collects, uses, stores, shares, and protects the personal information of users who access the website autoasistente.com, the admin panel, and any related service.
This policy applies to:
- Visitors of the autoasistente.com website.
- Customers who purchase a subscription plan (Starter, Business, or Premium) to use our AI-powered virtual assistants.
- End users who interact with virtual assistants deployed on messaging channels (WhatsApp, Facebook Messenger, Instagram Direct) of the customer businesses.
- Employees and collaborators who access the business admin panel.
By using the Platform, you agree to the practices described in this Privacy Policy. If you do not agree with any of these practices, we recommend that you do not use our services.
2. Data controller
The controller responsible for processing personal data is:
Gomez Smart Group LLC acts as the data controller with respect to the data of customers and site visitors. With respect to the data of end users who interact with virtual assistants on the messaging channels of customer businesses, Gomez Smart Group LLC acts as a data processor, with the customer business being the data controller of such data.
3. Data we collect
3.1 Registration and account data
When you create an account on autoasistente.com, we collect:
- Full name of the account holder.
- Email address.
- Phone number (optional, for notifications and WhatsApp).
- Business or company name.
- Password (stored only as a cryptographic hash using bcrypt; we never store passwords in plain text).
- Role within the platform (owner, administrator, member).
3.2 Usage and browsing data
We automatically collect technical information when you use the Platform:
- IP address.
- Browser type and version.
- Operating system and device.
- Pages visited, time spent, and navigation patterns.
- Date and time of access.
- Referrer URL.
- Session identifier and authentication tokens (JWT).
- Browser User-Agent (logged in active sessions for security purposes).
3.3 Managed conversation data
Virtual assistants deployed across the client business's messaging channels process end-user messages. This includes:
- Content of text messages sent and received through WhatsApp (including QR-based connection via WAHA and the official WhatsApp Cloud API connection from Meta), Facebook Messenger, Instagram Direct and the embeddable Web Widget.
- Conversation metadata (date, time, channel identifier, sender identifier, assigned inbox).
- Contact name and phone number (as provided by the messaging platform APIs).
- Canonical conversation state (open, pending, resolved, snoozed, spam) and assignment to a team member of the business.
- Labels, private internal team notes and customer satisfaction (CSAT) survey results recorded when the conversation is closed.
- Conversation history kept for service continuity and conversational memory of the assistant.
- Multimedia attachments (images, audio, documents) when sent by the end user or replied to by the assistant or an employee.
This data is stored in the Platform's database in a per-business segregated fashion (multi-tenant isolation), so each business can only access conversations from its own channels and inboxes.
3.3.bis Web Widget visitor data
When the client business activates the Web Widget (an AI chat that can be embedded on any external site via a script published by the Platform), we collect from the visitor:
- Persistent anonymous visitor identifier (visitor_pubid) stored in the browser to recognize the same visitor across sessions and allow continuity across multiple conversations.
- Visitor's public IP address and derived approximate geolocation (city and country) obtained from an IP-to-geo service, surfaced to the business in the panel for commercial context.
- Exact URL of the host site page where the conversation was started or resumed, updated as the visitor navigates.
- Browser User-Agent and minimal device data.
- Optional pre-chat form data configured by the business (name, email, phone or any other field the business chooses to request).
- Full content of messages exchanged with the assistant and, where applicable, with a human employee of the business.
The Web Widget uses its own tokens (public widget_website_token, per-session X-Widget-Session-Token) issued by the Platform. The client business can configure the proactive teaser message, bubble position, pre-chat form and avatar from the panel.
3.4 Payment data
For subscription payment processing, we use Stripe as our payment processor. With respect to payment data:
- We do not store credit or debit card numbers, expiration dates, or CVV codes on our servers.
- We store only the Stripe customer identifier (customer_id) and the subscription identifier (subscription_id) to manage the billing relationship.
- We log Stripe webhook events (event identifier, type, date) for idempotency and audit purposes.
- Stripe processes and stores payment data in accordance with its own privacy policy and PCI-DSS compliance.
3.5 Third-party integration data
If the customer business activates integrations with Google services, we collect and manage:
- Google Calendar: Email address of the configured calendar, and appointment and booking events created by the virtual assistant.
- Google Drive: Identifiers of folders and files created for the business, and assistant configuration documents.
- Google Sheets: Identifiers of spreadsheets used for product and service catalogs.
Access to these Google services is performed through a service account with domain-wide delegation. We do not access users' personal Google accounts.
3.6 Social-media comment data
When the customer business activates social media management, the Platform may process:
- Public user comments on Facebook and Instagram posts of the customer business.
- Public user identifiers from the social platforms (username, public profile ID).
- Comment metadata (date, time, associated post, comment identifier).
- Automated replies generated by the virtual assistant in response to those comments.
This data is processed solely for the purpose of engagement management and customer support on the business's social channels. The processing is performed on behalf of the customer business, which acts as the data controller with respect to its followers.
3.7 Payment reminder data
If the customer business uses the payment reminder or collections functionality, the Platform may store:
- Name of the debtor or customer of the business.
- Amount owed and description of the debt.
- Internal notes from the customer business related to collection.
- History of reminders sent (date, channel, delivery status).
This data is provided by the customer business and is processed under its responsibility. Auto Asistente acts as a data processor in this context.
3.8 Analytics and statistics data
The Platform generates and stores operational metrics for customer businesses, including:
- Message statistics (conversation volume, inbound and outbound messages per channel).
- Response times of the virtual assistant and the human team.
- Query resolution rates, bot-to-human handovers, and unanswered conversations.
- AI agent performance metrics (interactions per day, most active channels).
These statistics may contain data derived from conversations with end users, but they are presented in aggregate form. They are not used to make individualized decisions about end users.
3.9 WhatsApp Marketing campaign data
When the customer business uses the WhatsApp Marketing tool (see Section 14), the Platform stores:
- Recipient list for each campaign (phone numbers provided by the customer business).
- Content of the messages sent.
- Delivery status of each message (sent, delivered, failed).
- Campaign parameters: scheduling date, delay settings, attached media files.
The customer business is solely responsible for obtaining recipient consent. Auto Asistente acts exclusively as the technical processor for sending.
3.10 Contact data (automatic management)
The Platform automatically collects and consolidates contact data from managed conversations:
- Contact name (obtained from the WhatsApp, Facebook, or Instagram profile).
- Phone number (in WhatsApp conversations).
- User identifier on the corresponding messaging platform.
- First-interaction channel and contact date.
This data is stored on a per-business basis and is used to provide continuity in conversations and for contact management by the customer business.
3.11 Cookies and similar technologies
We use cookies and similar technologies for the operation of the Platform. Full details are provided in Section 13 of this policy.
4. Purpose of processing
We process personal data for the following purposes:
- Service delivery: Creating and managing user accounts, configuring and deploying AI-powered virtual assistants, processing conversations on messaging channels, and managing subscriptions.
- Payment processing: Managing subscription charges, issuing invoices, and administering the billing lifecycle through Stripe.
- Automated provisioning: Configuring Google resources (Drive, Sheets, Calendar), automation workflows, and AI agents for each customer business.
- Security and authentication: Verifying user identity, managing sessions, detecting suspicious activity, and protecting the integrity of the Platform.
- Communications: Sending service-related notifications, security alerts, operational reports, and product updates.
- Service improvement: Analyzing usage patterns to improve the functionality, performance, and user experience of the Platform.
- Technical support: Handling support requests, managing tickets, and resolving technical incidents.
- Legal compliance: Complying with applicable legal, regulatory, and tax obligations.
- Internal audit: Logging audit events for traceability, security, and dispute resolution.
- Payment reminder and collections management: Facilitating the sending of payment reminders to the business's customers through messaging channels, under the instruction and responsibility of the customer business.
- Social-media comment and engagement management: Monitoring, classifying, and responding to comments on Facebook and Instagram posts of customer businesses through the virtual assistant.
- Bulk messaging via WhatsApp (WhatsApp Marketing): Processing bulk messaging campaigns configured by customer businesses, including recipient list management, scheduling, and delivery tracking.
- Generation of analytics and usage statistics: Producing reports and performance indicators on the use of messaging channels, virtual assistant activity, and operational business metrics, to support informed decision-making by the customer business.
5. Legal basis for processing
The processing of personal data is based on the following legal grounds:
- Performance of a contract (Art. 6(1)(b) GDPR): Processing is necessary for the provision of the contracted service, including account creation, subscription management, virtual assistant configuration, and conversation processing.
- Consent (Art. 6(1)(a) GDPR): For the use of non-essential cookies, marketing communications, and the activation of optional integrations with third-party services.
- Legitimate interest (Art. 6(1)(f) GDPR): For continuous service improvement, Platform security, fraud prevention, and aggregated usage analysis.
- Legal obligation (Art. 6(1)(c) GDPR): For compliance with applicable tax, accounting, and regulatory obligations.
Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
6. Sharing data with third parties
We share personal data only with third parties necessary for the provision of the service. We do not sell, rent, or transfer personal data to third parties for marketing purposes.
6.1 Stripe (payment processing)
- Data shared: Name, email, and payment card data (processed directly by Stripe).
- Purpose: Subscription payment processing, invoice management, and customer portal.
- Compliance: Stripe is PCI-DSS Level 1 compliant and operates under its own Privacy Policy.
6.2 Meta / Facebook / Instagram (messaging APIs)
- Data shared: Messages sent and received, platform user identifiers, and conversation metadata.
- Purpose: Operation of virtual assistants on Facebook Messenger and Instagram Direct.
- Compliance: The integration operates under Meta's policies and the Meta Business API terms of use.
6.3 WhatsApp
The Platform supports two WhatsApp connection modes that are mutually exclusive per business line:
- 6.3.a QR connection (WAHA): Sessions authenticated by scanning a QR code, managed via WAHA (WhatsApp HTTP API). This does NOT use Meta's official WhatsApp Business API. Data shared: text and multimedia messages, phone numbers, conversation metadata. The session is routed through a static residential proxy (see section 6.8) to preserve the stability of the business number.
- 6.3.b Official WhatsApp Cloud API (BYO-WABA): Official connection to Meta's WhatsApp Business Platform via Embedded Signup, in which the client business connects its own WhatsApp Business account (BYO-WABA = Bring Your Own WhatsApp Business Account). Data shared with Meta: messages, pre-approved templates, phone numbers, delivery metadata and number quality metrics. The operation is governed by Meta's WhatsApp Business Policy.
The client business chooses a single mode per line. The Platform may periodically monitor the quality status of Cloud API numbers and the validity of access tokens to alert the business.
6.4 Google (Calendar, Drive, Sheets)
- Data shared: Calendar events (appointments, bookings), configuration documents, and product catalogs in spreadsheets.
- Purpose: Appointment synchronization, business resource storage, and catalog management.
- Compliance: Access via service account with domain-wide delegation, in accordance with the Google Privacy Policy.
6.5 Artificial intelligence providers (language processing)
- Data shared: Conversation content processed to generate the virtual assistant's replies. Data is sent in a contextualized fashion and personally identifiable information is minimized.
- Purpose: Generation of intelligent replies by the virtual assistant, either on the messaging channels managed by the Platform or on the embedded Web Widget.
- Default providers: We use language models accessible via API such as OpenRouter (which routes to OpenAI, Anthropic, Google and others) as well as direct provider APIs when applicable.
- "Bring your own key" (BYOK) for the Web Widget: In the embedded Web Widget, the client business may choose to configure its own API key from a compatible provider (OpenAI, Anthropic, Google AI or OpenRouter). In that case, Widget messages are sent to the selected provider under the client business's own account and provider usage policy, and the Platform acts solely as the technical sender.
- Data handling: Data is processed in real time and, according to current provider policies, is not used to train models without consent. The client business may consult each provider's policy before enabling BYOK.
6.6 ElevenLabs (AI voice generation)
- Data shared: Text to be converted into audio, generated by the virtual assistant in response to conversations. No directly identifiable personal data is shared other than the content of the text message.
- Purpose: Generation of synthesized voice responses for channels that support audio.
- Compliance: ElevenLabs operates under its own Privacy Policy. Processed text data is not used to train voice models without consent.
6.7 Hosting provider (OVH)
- Data shared: All data stored on the Platform resides on servers managed by OVH.
- Purpose: Hosting of server infrastructure, databases, and Platform services.
- Location: Servers located in OVH data centers.
- Compliance: OVH operates under its own Data Protection Policy.
6.8 Residential proxy provider (Webshare)
- Data shared: Traffic from WhatsApp sessions connected by QR (WAHA) is routed through static residential IP addresses to preserve the stability and reputation of the client business's number. Proxies transport encrypted traffic and do not access message content.
- Purpose: Operational stability of QR-based WhatsApp sessions.
- Provider: Webshare. The Platform reserves the right to change provider at any time while maintaining equivalent security and data protection standards.
6.9 IP geolocation service (Web Widget)
- Data shared: Web Widget visitor's IP address, queried against an IP-to-geo service to obtain approximate city and country.
- Purpose: Commercial context for the client business (showing where the visitor is connecting from).
- Handling: Queries are performed in real time and are not used for marketing.
7. International data transfers
Because autoasistente.com operates globally and uses service providers located in different jurisdictions, your personal data may be transferred to and processed outside your country of residence, including:
- United States: Stripe (payment processing), AI providers (language processing).
- Canada: Application servers (OVH).
- European Union / International: Google (Workspace services).
For transfers to countries that do not provide an adequate level of protection under applicable law, we implement the following safeguards:
- Standard contractual clauses approved by the competent authorities.
- Assessment of the destination country's data protection laws.
- Supplementary technical measures (encryption in transit and at rest).
You may request additional information about the safeguards applied to international transfers by writing to us at [email protected].
8. Data security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
Technical measures
- Encryption in transit: All communications between the user's browser and our servers are conducted over HTTPS/TLS.
- Password hashing: Passwords are stored using the bcrypt algorithm with salt, making it computationally infeasible to recover the original password from the hash.
- Token-based authentication: We use JSON Web Tokens (JWT) with short expiration (15 minutes) for access tokens and automatic rotation of refresh tokens (30 days).
- Two-factor authentication (2FA): Users can enable two-factor authentication through TOTP apps (Google Authenticator, Authy, etc.) for an additional layer of security.
- Multi-tenant isolation: Each business's data is isolated at the application and database levels, ensuring that no business can access another's data.
- Role-based access control (RBAC): The system implements granular permissions by role (owner, administrator, member) and by panel section.
- Session logging: Each active session records the IP address and User-Agent of the device, allowing the user to revoke suspicious sessions.
- Event auditing: Critical actions are recorded in an audit log with full traceability.
- Idempotent webhooks: Stripe events are processed idempotently to prevent duplicate operations.
Organizational measures
- Restricted access to production servers limited to authorized personnel.
- Periodic review of security and access policies.
- Incident response procedure for security breaches.
- Periodic database backups.
While we implement robust security measures, no system is entirely impervious. In the event of a security breach affecting your personal data, we will notify you and the competent authorities as soon as reasonably possible, in accordance with applicable law.
9. Data retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a legal obligation requires a longer retention period.
| Data type | Retention period |
| --- | --- |
| Account data (registration) | While the account is active + 12 months after deletion |
| Conversation data | While the subscription is active + 90 days after cancellation |
| Billing data | 5 years from the last transaction (tax obligation) |
| Access and audit logs | 12 months from generation |
| Refresh tokens | 30 days from issuance or until revocation |
| Support tickets | 24 months from closure |
| Cookie data | According to the duration of each cookie (see Section 13) |
| WhatsApp Marketing campaigns | While the subscription is active + 90 days after cancellation |
| Social-media comments | While the subscription is active + 90 days after cancellation |
| Web Widget conversations (including visitor_pubid, IP and approximate geo, page URL, messages) | While the subscription is active + 90 days after cancellation |
| WhatsApp Cloud API templates and metadata | While the subscription is active + 90 days after cancellation |
| Labels, internal notes and CSAT results | While the subscription is active + 90 days after cancellation |
At the end of the retention period, data is securely deleted or irreversibly anonymized for statistical purposes.
10. User rights
In accordance with applicable data protection law, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you, including information on how it is processed.
- Right to rectification: Request correction of inaccurate or incomplete personal data. You can update most of your data directly from the admin panel.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data when it is no longer necessary for the purpose for which it was collected, when you withdraw consent, or when you object to the processing.
- Right to data portability: Receive your personal data in a structured, commonly used, and machine-readable format (for example, JSON or CSV), and transmit it to another controller.
- Right to object: Object to the processing of your personal data based on legitimate interest, including profiling.
- Right to restriction of processing: Request the temporary restriction of the processing of your data in certain circumstances.
- Right not to be subject to automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
- Right to withdraw consent: If the processing is based on your consent, you may withdraw it at any time.
To exercise any of these rights, you can:
We will respond to your request within a maximum period of 30 calendar days. For complex or multiple requests, the period may be extended by up to 60 additional days, with prior notice.
If you believe that the processing of your data does not comply with current regulations, you have the right to file a complaint with the competent data protection authority in your jurisdiction.
11. Minors' data
The autoasistente.com Platform is not directed at minors under 18 years of age. We do not knowingly collect personal data from minors.
If you are a parent or legal guardian and become aware that a minor under your responsibility has provided personal data through the Platform, please contact us at [email protected] so that we can take the necessary steps to delete such data.
With respect to end users who interact with virtual assistants deployed on messaging channels, customer businesses are responsible for complying with applicable regulations regarding minors' data protection in their respective jurisdictions.
12. Changes to this policy
We reserve the right to update or modify this Privacy Policy at any time. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will post a visible notice on the Platform or in the admin panel.
- For changes that significantly affect data processing, we will send a notification by email to the address associated with your account.
We recommend reviewing this policy periodically. Your continued use of the Platform after the publication of changes constitutes your acceptance of them.
Previous versions of this policy will be available upon request.
13. Cookies and similar technologies
We use cookies and similar technologies to ensure the correct operation of the Platform and to improve the user experience.
13.1 Types of cookies we use
| Type | Purpose | Duration |
| --- | --- | --- |
| Essential / Technical | Necessary for the operation of the Platform: authentication (JWT), session management, language preference, CSRF protection. | Session / up to 30 days |
| Functional | Remember user preferences such as selected language (ES/EN/PT), panel settings, and the state of interface elements. | Up to 12 months |
| Analytics | Collect anonymous information about the use of the Platform to improve functionality and performance. | Up to 24 months |
13.2 Local storage (localStorage)
In addition to cookies, we use the browser's local storage (localStorage) to:
- Store authentication tokens (access token and refresh token).
- Save language preferences and interface settings.
- Maintain the user's session state.
13.3 How to manage cookies
You can control and manage cookies through:
- Browser settings: Most browsers allow you to block or delete cookies from their settings. Consult your browser's help for specific instructions.
- Selective disabling: You can disable non-essential cookies without affecting the basic operation of the Platform.
Important: If you disable essential cookies or delete local storage data, you may be unable to use certain features of the Platform, such as automatic sign-in.
13.4 Third-party cookies
Some third-party services integrated into the Platform may set their own cookies:
- Stripe: Security and fraud-prevention cookies during payment processing.
- Google Fonts: Functional cookies for optimized font loading.
- Font Awesome (cdnjs): Content-delivery cookies for icons.
- Google Tag Manager / Google Analytics 4: Anonymous analytics cookies measuring traffic, page views, acquisition sources and performance of the public autoasistente.com site.
- Meta Pixel: Meta tracking pixel and cookies measuring ad conversions on Facebook and Instagram. Activated only when the visitor accepts analytics cookies.
13.5 First-party telemetry of the public site (tracker.js)
The public autoasistente.com site loads a first-party telemetry script (app.autoasistente.com/tracker.js) that records anonymous events such as page views, CTA clicks, scroll depth and time on page without third-party cookies, with the sole purpose of improving conversion and the site content. It is not used for individual visitor profiling and is not joined with personally identifiable data.
13.6 Web Widget embedded on third-party sites
When the client business embeds the Web Widget on its own site, the Widget bundle may use first-party storage (localStorage on the host domain) to store the visitor_pubid, the conversation state and chat UI preferences. The Widget iframe (hosted at app.autoasistente.com) may have storage partitioned by the browser due to anti-tracking policies; the Platform includes a recovery mechanism via visitor_pubid to preserve conversation continuity across sessions even when the iframe storage is partitioned.
14. WhatsApp Marketing tool
14.1 Nature of the service
Auto Asistente offers a marketing tool that allows users to send promotional messages through the WhatsApp platform. The WhatsApp Marketing feature does NOT use the official WhatsApp Business API. It is an independent marketing-automation tool that facilitates communication between businesses and their contacts, using the phone number provided by the user.
14.2 Usage requirements
- The user must have an active plan (Starter, Business, or Premium) to access this feature. Users on the Trial plan do not have access.
- The user must connect their own phone number to send messages. We strongly recommend using a disposable prepaid number exclusively for this purpose.
- The user is solely responsible for obtaining prior consent from recipients before sending messages.
- The user must comply with all applicable laws and regulations, including but not limited to: the CAN-SPAM Act, GDPR, TCPA, and local consumer protection laws.
14.3 Limitation of liability
Auto Asistente and Gomez Smart Group LLC are NOT responsible for:
- Restrictions, suspensions, or permanent bans of WhatsApp numbers resulting from the use of this tool.
- Loss of access to WhatsApp accounts, phone numbers, contacts, or associated data.
- Direct, indirect, incidental, special, or consequential damages arising from the use of this feature.
- The content of messages sent by users through this tool.
- Changes to WhatsApp's policies or terms of service that affect the operation of this tool.
14.4 Acceptable use
The user agrees to:
- Not send illegal, offensive, defamatory, threatening content or content that violates the rights of third parties.
- Not use the tool to send spam, phishing, malware, or any fraudulent content.
- Not use the primary phone number of their business for bulk sending.
- Respect reasonable sending rates and limits to prevent abuse.
- Maintain a contact list based on explicit consent (opt-in).
14.5 Costs and billing
Use of WhatsApp Marketing has a cost based on prepaid credits. Credits are consumed for each send performed. Current costs are displayed in the admin panel. Auto Asistente reserves the right to modify rates with prior notice. Unused credits are non-refundable except in cases of proven technical failure.
14.6 Service termination
Auto Asistente reserves the right to suspend or terminate access to the WhatsApp Marketing tool without prior notice if misuse, violation of these terms, or activity that places the service infrastructure at risk is detected.
15. Affiliate Program — Data and Privacy
By participating in the Auto Asistente Affiliate Program, the following data is collected and processed:
- Affiliate data: Unique affiliate code, selected payout method (PayPal, Dominican bank account, or ACH/Wire details), and commission and payment history.
- Tracking data: When you click on an affiliate link, a cookie (affiliate_ref) is stored with a duration of 90 days. Clicks are recorded with a SHA-256 hash of the IP address and the browser User-Agent (the IP address and User-Agent are not stored in plain text). This is used exclusively for fraud detection and commission attribution.
- Referral data: When a user registers through an affiliate link, their account is linked to the corresponding affiliate. The affiliate can view the name, contracted plan, and commission status of their referrals, but does not have access to sensitive data such as passwords, conversations, or the referral's financial information.
- Payment data: The banking information provided by the affiliate (PayPal email, account number, routing number, etc.) is stored securely and is used exclusively to process commission payments.
This data is retained while the affiliate maintains an active account. Upon request to delete the account, all affiliate program data will be deleted in accordance with the data deletion section of this policy.