Privacy Policy
This Privacy Policy describes how ChameleAI ("ChameleAI", "we", "us", "our") collects, uses, discloses, retains, and protects personal data in connection with the ChameleAI service (the "Service").
This document also serves as the Aviso de Privacidad Integral under the Federal Law on Protection of Personal Data Held by Private Parties of Mexico (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, "LFPDPPP"), its Regulations, and the Guidelines issued by the National Institute of Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, "INAI").
By using the Service, you acknowledge that you have read this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described herein, except where consent is not required by law.
01. Identity of the data controller
The data controller responsible for the treatment of your personal data is ChameleAI.
For all matters relating to this Privacy Policy or the treatment of your personal data, you may contact our Privacy Officer (Encargado de Datos Personales) at privacy@chameleai.com.
02. Personal data collected
The personal data we collect depends on how you interact with the Service. Categories of data collected include:
2.1 Identification and contact data
- Full name
- Email address
- Username and authentication credentials
- Optional profile information (display name, time zone, language preference)
- Country of residence
2.2 Account and billing data
- Subscription tier and history
- Billing address (street, city, state, postal code, country)
- Payment instrument metadata (card brand, last four digits, expiration date) — full payment instrument details are processed and stored by our payment provider, Stripe, Inc., and are not stored by ChameleAI
- Tax identifiers, where required by jurisdiction
- Invoice and transaction history
2.3 Service usage data
- Persona configurations you author
- Conversations conducted in the testing sandbox
- Conversations conducted with your Deployed Personas (subject to retention policy in section 12)
- Generated images and other media outputs
- Feature usage analytics (which features you use, how often, in what sequence)
- Telegram bot tokens and deployment metadata for personas you deploy
2.4 Technical data
- IP address
- Browser type, version, and language
- Device type and operating system
- Session timestamps
- Referrer URL
- Geolocation derived from IP (city-level)
- Diagnostic and error reporting data
2.5 Communications data
- Records of correspondence with our support, billing, security, abuse, and privacy channels
- Survey responses and feedback you voluntarily submit
03. Sensitive personal data
ChameleAI does not require, request, or knowingly collect sensitive personal data (datos personales sensibles) under LFPDPPP, which includes data on racial or ethnic origin, present or future health status, genetic information, religious or philosophical beliefs, political opinions, sexual orientation, or sexual life.
If you voluntarily submit sensitive personal data through the Service — for example by including such data in a Persona configuration or in correspondence with us — we will treat it with the heightened protection required by law. We will not use sensitive personal data for secondary purposes without your express written consent.
04. Purposes of treatment
We treat your personal data for the following primary purposes (purposes that are essential to providing the Service):
- Creating and managing your Account
- Authenticating you and protecting your Account
- Providing the persona designer, testing sandbox, deployment pipeline, image generation, and related Service features
- Processing your subscription payments and credit purchases
- Sending you transactional communications, including service announcements, billing notifications, security alerts, and policy updates
- Detecting, preventing, and responding to fraud, abuse, and security incidents
- Complying with legal obligations under Mexican law and the laws of jurisdictions where the Service is offered
- Enforcing our Terms of Service and Acceptable Use Policy
- Responding to your inquiries, complaints, and requests
We also treat your personal data for the following secondary purposes (purposes that are not essential, and to which you may object):
- Sending non-transactional communications such as product announcements, newsletters, and event invitations
- Conducting user research, surveys, and usability studies
- Improving the Service through aggregated, de-identified analysis of usage patterns
- Marketing and promotional offers from ChameleAI
To object to the use of your personal data for any of the secondary purposes above, send a written request to privacy@chameleai.com. Your objection will not affect access to the Service.
05. Legal basis for processing
Our legal basis for processing personal data includes:
- Performance of a contract — to provide the Service to you under the Terms of Service
- Consent — for non-essential processing such as marketing and product research
- Compliance with legal obligation — to satisfy obligations under Mexican law, including LFPDPPP, the Federal Consumer Protection Law, the Federal Tax Code, and applicable anti-money-laundering law
- Legitimate interest — for fraud prevention, security, abuse detection, and the operation of essential analytics, balanced against your rights and interests
06. Sharing and transfer of data
We share your personal data with the following categories of recipients, in each case subject to the protections required by law:
6.1 Service providers (Encargados)
Third parties who process personal data on our behalf and under our instructions, including:
- Payment processing — Stripe, Inc.
- Cloud infrastructure and hosting providers
- Email delivery providers (transactional and notification email)
- Analytics and product telemetry providers
- Customer support and ticketing tools
- Security and fraud-detection providers
Each service provider is contractually bound to treat personal data only for the purposes for which it is shared, to maintain confidentiality, and to apply appropriate security measures.
6.2 Affiliates and successors
We may share data with current or future affiliates of ChameleAI, and with successors in the context of a merger, acquisition, reorganization, or sale of all or substantially all assets, in each case under continued application of this Privacy Policy or an equivalent successor policy.
6.3 Legal disclosures
We may disclose personal data when required by law, by valid court order, or by a competent authority, including the Mexican Attorney General (Fiscalía General de la República), the Mexican federal courts, INAI, PROFECO, or analogous foreign authorities through valid mutual legal assistance procedures.
6.4 Safety disclosures
We may disclose personal data when necessary to protect the rights, property, or safety of ChameleAI, our users, or the public, including in connection with reports of suspected criminal activity, fraud, or violations of our Acceptable Use Policy. Reports of suspected child sexual abuse material are made to NCMEC and the relevant Mexican federal authorities.
07. International transfers
ChameleAI operates globally and uses service providers located outside Mexico. Where personal data is transferred internationally — including to the United States and the European Union — we ensure that the receiving party is bound by contractual obligations consistent with the protections required by LFPDPPP.
By using the Service, you consent to the transfer of your personal data to jurisdictions outside Mexico for the purposes described in section 04, subject to the safeguards described above. You may object to specific international transfers by contacting privacy@chameleai.com; certain transfers are essential to the operation of the Service and objection may limit your access to features.
08. ARCO rights
Under LFPDPPP, you have the following rights with respect to your personal data:
- Acceso (Access) — to know what personal data we hold about you, how we use it, and the conditions of its treatment
- Rectificación (Rectification) — to correct personal data that is inaccurate, incomplete, or out of date
- Cancelación (Cancellation) — to request deletion of personal data when it is no longer necessary for the purposes for which it was collected, subject to legal retention obligations
- Oposición (Opposition) — to oppose the processing of personal data for specific purposes
These are collectively referred to as ARCO rights.
How to exercise ARCO rights
To exercise any ARCO right, send a written request to privacy@chameleai.com with the following information:
- Your full name and the email address associated with your Account
- A copy of an official identification document (e.g., INE, passport, or equivalent), to verify your identity
- A clear and precise description of the personal data to which the request relates
- The right being exercised (Access, Rectification, Cancellation, or Opposition) and any specific instructions
- If you are acting through a representative, documentation evidencing the representative's authority
- Your preferred method for receiving our response (email, postal mail)
We will respond to your request within twenty (20) business days of receipt of a complete and verified request, indicating whether the request is admissible. If admissible, we will give effect to the request within fifteen (15) additional business days. These periods may be extended once for an equal duration when justified, with written notice of the extension and the reasons.
Exercising your ARCO rights is free of charge, except for shipping costs or the cost of reproducing copies on materials other than the original, which may be charged in accordance with the Federal Law on Fees.
09. Consent and revocation
For purposes that require consent, we obtain that consent at the moment you create your Account, by your continued use of the Service, or by other means as appropriate to the purpose.
You may revoke consent for purposes that require consent at any time, by sending a written request to privacy@chameleai.com. Revocation takes effect upon our verification of identity and processing of the request, in accordance with the timelines in section 08. Revocation of consent for purposes essential to the Service may result in the termination of your access to the Service.
10. Limit use or disclosure
You may at any time request that we limit the use or disclosure of your personal data, by sending a written request to privacy@chameleai.com. We will process such requests in accordance with the timelines and procedures established in section 08.
You may also at any time:
- Unsubscribe from non-transactional emails using the unsubscribe link in any such email
- Adjust in-product notification preferences in your Account settings
- Disable optional analytics cookies through the cookie banner or your browser controls
11. Cookies and tracking
We use cookies and similar tracking technologies on the Service for the following purposes:
- Strictly necessary — authentication, session management, fraud prevention, security
- Functional — remembering preferences such as language and display settings
- Analytics — understanding aggregate usage patterns to improve the Service
- Marketing — measuring the effectiveness of marketing campaigns (subject to your consent)
Strictly necessary cookies do not require consent and cannot be disabled without disrupting the Service. All other cookie categories are managed through the cookie banner presented at your first visit; you can change your preferences at any time through the cookie settings link in the footer.
12. Data retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected, and to comply with legal, accounting, and reporting obligations. Specifically:
- Account data — retained for the duration of your Account, plus a period of up to twenty-four (24) months after Account closure for fraud prevention, dispute resolution, and legal compliance
- Billing and transaction data — retained for the period required by Mexican tax law (currently five (5) years from the date of the transaction)
- Conversation logs in the testing sandbox — retained for ninety (90) days for debugging and abuse detection, then automatically deleted unless escalated for active investigation
- Conversation logs from Deployed Personas — retained according to the configuration set by the deploying Account holder; default retention is thirty (30) days
- Generated images — retained for ninety (90) days and then automatically deleted, unless saved to your library
- Persona configurations — retained for the duration of your Account; deleted personas are removed within thirty (30) days, except for backup archives that are purged within ninety (90) days
- Communications data — retained for thirty-six (36) months after the close of the relevant matter
- Security and abuse logs — retained for twelve (12) months
Aggregated and de-identified data may be retained indefinitely.
13. Security measures
We implement administrative, technical, and physical safeguards designed to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of personal data in transit using current TLS standards
- Encryption of personal data at rest using current encryption standards
- Role-based access control with the principle of least privilege
- Multi-factor authentication on internal administrative interfaces
- Audit logging of access to sensitive systems
- Periodic security reviews and vulnerability scanning
- Vendor security assessments for service providers handling personal data
- Employee training on data protection and confidentiality
- Documented incident-response procedures
No security measure is absolute. Despite our reasonable efforts, no transmission over the internet or electronic storage system can be guaranteed to be completely secure.
14. Breach notification
In the event of a security breach affecting your personal data that may significantly affect your patrimonial or moral rights, ChameleAI will notify you and the relevant authorities in accordance with LFPDPPP and applicable foreign law. Notification will include the nature of the breach, the data affected, the recommendations to mitigate impact, and the corrective measures taken.
15. Children's privacy
The Service is not directed at and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected, we will take steps to delete it as soon as possible.
If you are a parent or guardian and believe a minor has provided personal data to us, please contact privacy@chameleai.com.
16. Third-party services
The Service interoperates with third-party platforms, including Telegram, and may include links to third-party websites or services. The privacy practices of those third parties are governed by their own privacy policies, which we encourage you to review. ChameleAI is not responsible for the privacy practices of third parties.
17. Updates to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, in the Service, in applicable law, or in regulatory guidance. The current version is always published at chameleai.com/privacy.html, with the effective date at the top of the document.
Material changes that adversely affect your rights will be communicated to active Account holders via email or in-product notice, with at least fifteen (15) days' advance notice except where immediate effect is required by law. Continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the updated policy.
18. Mexican data protection authority
If you believe your right to data protection has been violated by ChameleAI, you may file a complaint with the National Institute of Transparency, Access to Information and Personal Data Protection (INAI):
- Website: home.inai.org.mx
- Address: Av. Insurgentes Sur 3211, Insurgentes Cuicuilco, Coyoacán, 04530 Ciudad de México, CDMX
- Telephone: 800 835 4324 (toll-free within Mexico)
Before filing a complaint with INAI, we encourage you to contact our Privacy Officer first so we have an opportunity to address your concern directly.
19. Contact and Privacy Officer
Privacy Officer (Encargado de Datos Personales): privacy@chameleai.com
For other matters: contact@chameleai.com · billing: billing@chameleai.com · security: security@chameleai.com · abuse: abuse@chameleai.com · legal: legal@chameleai.com