Privacy Policy — Kobana Team

Last updated: April 24, 2026.

This Privacy Policy describes how Kobana Tecnologia Ltda. ("Kobana", "Owner" or "we") collects, uses, shares, stores and protects personal data processed in Kobana Team, our team of artificial intelligence agents for Brazilian finance.

This Policy supplements Kobana's Privacy Policy and the Kobana Team Terms of Use. In case of specific conflict regarding Kobana Team, this Policy prevails.

---

1. Owner and Data Controller

Kobana Tecnologia Ltda.

• CNPJ: 05.813.794/0001-26
• Address: Calçada das Margaridas, 163, Sala 02, Centro Comercial Alphaville — Barueri, SP, ZIP 06453-038
• Data Protection Officer (DPO) / LGPD contact: lgpd@kobana.com.br
• General contact: contato@kobana.com.br

2. Roles: Controller and Processor

When the User uses Kobana Team to process data of their customers, suppliers, employees and other third parties (for example, to issue charges, reconcile payments, respond to a debtor, run payroll):

• The User is Controller of such personal data;
• Kobana is Processor, handling it in accordance with the Controller's documented instructions and the purposes of this Policy and the Terms.

When Kobana processes data of the User and their registered collaborators (e.g., registration, billing, support, platform security):

• Kobana is Controller of such data.

Both parties will comply with Law No. 13.709/2018 (LGPD) and, where applicable, the GDPR and other equivalent regulations.

3. Categories of data collected

3.1 Data provided directly by the User

Full name, corporate email, phone, job title, CPF/CNPJ, corporate name, address, billing data, social media profiles when provided.

3.2 Data uploaded to the agents (Inputs)

Messages, documents, spreadsheets, PDFs, audio, images, emails, code and any other content that the User (or systems connected on their behalf) submits to the agents. May contain personal data of third parties (customers, suppliers, employees) under the User's responsibility as Controller.

3.3 Agent Outputs and Actions

Responses generated by the agents, reports, email drafts, entries, queries executed against APIs, and logs of Actions performed in connected systems on behalf of the User.

3.4 Agent memory

When enabled, memory stores summaries, preferences, facts and decisions of the User to personalize future interactions. The User may view, edit and delete memory at any time.

3.5 Usage metadata

Authentication logs, session identifier, LLM model used for each response, token count, tool called, latency, error codes, IP address, device identifier, operating system, browser and approximate geographic location.

3.6 Technical and analytical data

Collected via cookies, web beacons and pixels, including pages visited, session time, traffic source and visitor UUID.

3.7 Third-party data

Publicly available information or information sent by business partners, used for data enrichment, fraud prevention and commercial qualification, observing applicable legal bases.

3.8 Integrations connected by the User

Credentials (OAuth tokens, API keys) and data accessed in third-party accounts (banks, ERPs, CRMs, email, spreadsheets) explicitly connected by the User. Credentials are stored in encrypted form.

4. Purposes of processing

We process personal data to:

• Provide the service: execute the User's requests, generate responses, execute agentic Actions, maintain memory, operate integrations;
• Comply with legal, regulatory and contractual obligations;
• Invoice and bill the contracted plan;
• Support and serve the User;
• Security: prevent and detect fraud, abuse, incidents and violations of these terms and the acceptable use policy;
• Quality and internal improvement of Kobana Team (proprietary models, guardrails, quality evaluations), in an aggregated, anonymized or pseudonymized form whenever possible;
• Communication about news, updates, critical notices and marketing (with opt-out, where applicable);
• Statistics and analytics of use;
• Defense of rights in judicial or administrative proceedings.

5. Legal bases

Processing is based, as applicable, on:

• Performance of contract (art. 7, V, LGPD);
• Compliance with legal or regulatory obligation (art. 7, II);
• Legitimate interest of the Controller or of third parties (art. 7, IX), for security, fraud prevention, product improvement and related commercial communication;
• Consent of the data subject (art. 7, I), where required (e.g., direct marketing, certain specific purposes and sensitive data);
• Credit protection, health protection, regular exercise of rights or other hypotheses of art. 7 and art. 11 of the LGPD, as applicable.

For users subject to the GDPR, the equivalent bases under Art. 6 of the Regulation apply.

6. Processing by AI agents

6.1 LLM providers

To generate Outputs, Kobana sends Inputs and relevant context to third-party large language model providers, which may include, among others: Anthropic, OpenAI, Google, AWS Bedrock, Azure OpenAI and Vercel AI Gateway. The up-to-date list is available upon request to the DPO email.

These providers act as sub-processors and are contractually required to:

• Process the data only to provide the service to Kobana;
• Not use Inputs and Outputs to train base models (zero data retention or no-training configuration, when available);
• Apply compatible security measures;
• Retain logs for the minimum periods necessary (as a rule, between 0 and 30 days for abuse/security purposes of the provider).

6.2 We do not train third-party models with User data

Kobana does not permit LLM providers to use User Inputs, Outputs, memory or Action logs to train base models. This setting is enabled by default whenever the provider makes it available.

6.3 Use for Kobana's internal improvement

We may use Materials (Inputs, Outputs, logs and evaluations) for internal improvement of Kobana Team — for example, system prompt tuning, evals, bug fixes, improving guardrails and internal tools —, prioritizing aggregation, anonymization or pseudonymization and restricting access to strictly necessary teams.

The User may, in the account's privacy settings, opt out of use for internal improvement beyond what is strictly necessary for operation and security.

6.4 Flagged content

Content flagged by our security mechanisms (serious violations of the usage policy, jailbreak attempts, abuse, suspected fraud) may be retained and reviewed regardless of the internal improvement preference, for the period necessary for investigation.

6.5 Automated decisions

Some agent Outputs and Actions constitute automated decisions within the meaning of art. 20 of the LGPD. The data subject has the right to request review by a human, and to receive clear and adequate information about the criteria used, subject to commercial and industrial secrets. We recommend that high-impact decisions remain under the human review of the User Controller.

7. Data sharing

We share personal data, as necessary, with:

• Infrastructure sub-processors: Vercel (hosting and compute), AWS / GCP / Azure (hosting and storage), managed database providers (e.g., Neon, Upstash), CDN and observability.
• LLM and AI providers: as per Section 6.1.
• Operational providers: transactional email, SMS/WhatsApp, anti-fraud, authentication, payments, analytics, support (e.g., Intercom), Google Workspace, Google Analytics, Google Ads, Meta (Facebook Pixel).
• Integrations enabled by the User: banks, Pix, boleto, CNAB, ERPs, CRMs, spreadsheets, the User's own email — only at the User's instruction.
• Customers and their integrations: when the User uses Kobana Team to operate on their own customers' data.
• Public authorities: upon legitimate legal request, judicial or regulatory determination.
• Corporate transactions: in case of merger, acquisition, spin-off or sale of assets, observing continuity of data subject protection.

We do not sell personal data.

8. International data transfer

Part of the processing takes place on servers located outside Brazil, including the United States and the European Union, especially at LLM and cloud infrastructure providers. Such transfers comply with the legal hypotheses of art. 33 of the LGPD and, where applicable, the safeguards of the GDPR (e.g., standard contractual clauses).

9. Information security

We apply reasonable technical and organizational measures, including:

• Encryption in transit (TLS) and at rest for data and credentials;
• Role-based access controls, least-privilege principle and multi-factor authentication for administrators;
• Segregation of environments, firewalls, intrusion detection systems and continuous monitoring;
• Periodic security reviews, tests, code review and a responsible vulnerability disclosure program;
• Guardrails and filters in the agents to mitigate prompt injection, exfiltration and abuse.

No system is 100% secure. In the event of a material security incident, Kobana will notify affected data subjects and the ANPD as required by law.

10. Data retention

• Registration and contractual data: kept while the contract is in force and for up to 5 (five) years after termination, or for the longer legal/fiscal period applicable.
• Conversations, Inputs, Outputs and Action logs: retained for the period configured in the User's plan (default: 180 days) or for a longer period when required by legal, accounting, fiscal, regulatory obligation or for defense in proceedings.
• Agent memory: kept until deleted by the User.
• Audit and security logs: retained for up to 5 years.
• Cookie and analytics data: according to the Cookie Policy.

Upon termination of the contract, data will be deleted or returned, subject to legal retention periods and any security obligations.

11. Data subject rights

Data subjects, whether Users or third parties whose data is processed by Kobana Team, may exercise, under the LGPD:

• Confirmation of the existence of processing;
• Access to the data;
• Correction of incomplete, inaccurate or outdated data;
• Anonymization, blocking or deletion of unnecessary, excessive or non-compliant data;
• Portability to another service or product provider;
• Deletion of personal data processed on the basis of consent, subject to legal hypotheses of conservation;
• Information about entities with whom we share data;
• Information about the possibility of not providing consent and the consequences;
• Revocation of consent;
• Opposition to non-compliant processing;
• Review of automated decisions (art. 20);
• Complaint to the ANPD.

For users under the GDPR, the rights to restriction of processing and to complaint to the local data protection authority are added.

When the data subject is a customer, supplier or employee of a User, the request should be addressed directly to the User Controller. Kobana assists the User in handling such requests as per Section 2.

How to exercise

Send a request to lgpd@kobana.com.br, indicating the right being exercised and a means of identity verification. Requests are free and answered within the shortest reasonable period, as a rule 15 (fifteen) days.

12. Cookies and similar technologies

Kobana Team uses its own and third-party cookies for authentication, preferences, use analysis and marketing. Details, categories and deactivation instructions are in the Cookie Policy. The User may manage preferences at any time in the browser settings or in the consent banner.

13. Children and adolescents

Kobana Team is not intended for minors under 18 and does not intentionally collect data from children and adolescents. If you identify improper processing, contact lgpd@kobana.com.br for deletion.

14. Marketing communications

Based on legitimate interest or consent, we may send communications about news, use cases and related content. Every marketing email contains a one-click unsubscribe link, honored immediately. Transactional and security communications are not opt-outable.

15. Changes to this Policy

We may update this Policy at any time. Material changes will be communicated by notice on the platform or by email to the User, with reasonable advance notice. Continued use of Kobana Team after the effective date of the changes implies acknowledgment.

16. Definitions

• Agent: Kobana Team AI assistant (Kevin, Klaus, Kelly, Karin, Kadu, among others).
• Actions: operations performed by agents in connected systems under User authorization.
• ANPD: Brazilian National Data Protection Authority.
• Controller / Processor / Data Subject: as defined in the LGPD.
• Personal data: information related to an identified or identifiable natural person.
• Inputs / Outputs / Materials / Memory: as defined in the Kobana Team Terms of Use.
• LLM: Large Language Model.
• Sub-processor: third party contracted by Kobana to assist in the processing of data on behalf of the User Controller.

17. Governing law and jurisdiction

This Policy is governed by the laws of Brazil. The courts of the District of Barueri, State of São Paulo, are elected to settle any questions regarding this Policy, without prejudice to the competence of the ANPD or foreign authorities where applicable.

---

Questions, data subject requests or complaints: lgpd@kobana.com.br.