Privacy Policy — SBM Laser Help
1. About this policy
This Privacy Policy explains how S&A Servicos Digitais e Consultoria LTDA (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you use the SBM Laser Help mobile application, the SBM Laser Help Telegram bot, and the related subscription portal at https://sbmlaser.com/subscribe/ (collectively, the “Service”).
This policy is specific to the Service. For general browsing of the public sbmlaser.com website (homepage, blog, product pages), our general Privacy Policy at https://sbmlaser.com/privacy-policy/ continues to apply.
In case of conflict, this policy controls for matters relating to the Service.
2. Who is the data controller
The data controller responsible for personal data processed through the Service is:
- Legal entity: S&A Servicos Digitais e Consultoria LTDA
- CNPJ: 52.430.234/0001-72
- Registered address: Rua Heloisa Rojo Machado, 111, Apt 2102, Morro das Pedras, Florianópolis – SC, CEP 88066-066, Brazil
- Privacy contact: [email protected]
Under the Lei Geral de Proteção de Dados (LGPD), our Encarregado pelo Tratamento de Dados Pessoais can be reached at the same email address.
3. What personal data we collect
3.1 Information you provide
- Telegram identifier (numeric user ID and, if public, username) — required for login and to link your subscription across the app and bot
- Email address — optional, for account recovery and transactional notifications
- Subscription tier and status — assigned automatically based on your active payment
3.2 Information collected automatically
- IP address — recorded by our backend for security, abuse prevention, rate limiting, and approximate geolocation (country level, for tax purposes via Paddle)
- Device language — to display the app and bot in your preferred language
- Application version, OS version, device model (mobile app only) — for compatibility and support
- Usage events — which features you use and when, in aggregate, for product improvement
3.3 Content you submit
- Cutting parameter queries — natural-language text describing what you are looking for
- Defect descriptions — text describing observed cutting defects
- Defect photos — images of cutting samples uploaded for AI diagnostic analysis
This content is sent to our AI sub-processor (Anthropic) for processing. See section 5.
3.4 Payment information
We do not collect, view, or store payment cards, bank account numbers, or any banking credentials. All payments are processed by Paddle.com Inc. (“Paddle”), our Merchant of Record. Paddle handles the payment relationship under its own Privacy Policy: https://www.paddle.com/legal/privacy.
We receive from Paddle only:
- Subscription status and tier
- Billing email (to send service notices)
- Country and currency of billing (for tax compliance)
- Anonymized transaction reference
We do not receive your card number, CVC, expiry date, or bank account details.
4. How we use personal data
We process personal data for the following purposes and on the following legal grounds:
| Purpose | GDPR legal basis | LGPD legal basis |
|---|---|---|
| Provide the subscription Service (login, premium feature access) | Performance of contract — Art. 6(1)(b) | Execução de contrato — Art. 7, V |
| Process AI queries (parameter search, defect diagnostics) | Performance of contract + your explicit consent at point of use | Execução de contrato + consentimento — Art. 7, I |
| Bill, collect payment, and manage subscription | Performance of contract (via Paddle) | Execução de contrato |
| Prevent fraud, abuse, and rate-limit usage | Legitimate interest — Art. 6(1)(f) | Legítimo interesse — Art. 7, IX |
| Respond to support inquiries | Legitimate interest | Legítimo interesse |
| Send transactional emails (receipts, expiration notices) | Performance of contract | Execução de contrato |
| Comply with tax, accounting, and other legal obligations | Legal obligation — Art. 6(1)(c) | Cumprimento de obrigação legal — Art. 7, II |
| Improve and develop new features (in aggregate, anonymized form) | Legitimate interest | Legítimo interesse |
We do not use your personal data for direct marketing without your separate, freely given consent.
5. Sub-processors and third parties
To operate the Service, we share strictly necessary personal data with the following sub-processors:
5.1 Paddle.com Inc. — payment processing (Merchant of Record)
- Data shared: payment details, billing address, country, transaction history, communication for receipts
- Location: United Kingdom, European Union, United States
- Purpose: Paddle acts as the legal seller of the subscription. It collects payment, calculates and remits taxes (VAT, sales tax, ICMS, ISS, PIS/COFINS as applicable), prevents payment fraud, and provides receipts
- Privacy policy: https://www.paddle.com/legal/privacy
5.2 Anthropic, PBC — AI processing (Claude API and Claude Vision)
- Data shared: text content of your AI queries, defect descriptions, and images you upload for diagnostic analysis
- Location: United States
- Purpose: to interpret natural-language queries, search the parameter knowledge base, and analyze defect photos using Claude language and vision models
- Retention: under our agreement with Anthropic, your data is not used to train models. Anthropic retains API data for up to 30 days for trust-and-safety review, after which it is deleted.
- Privacy policy: https://www.anthropic.com/privacy
5.3 Cloudflare, Inc. — CDN, security, and edge networking
- Data shared: IP address, request metadata, security telemetry
- Location: Global edge network including the United States and EU
- Purpose: content delivery, SSL/TLS termination, DDoS protection, bot mitigation, web application firewall
- Privacy policy: https://www.cloudflare.com/privacypolicy/
5.4 IONOS Cloud GmbH — server hosting
- Data shared: all backend data is stored on IONOS infrastructure (encrypted at rest and in transit)
- Location: Germany
- Purpose: to host our application servers, PostgreSQL database, and AI cache
- Privacy policy: https://www.ionos.com/terms-gtc/privacy-policy
5.5 Telegram Messenger LLP — bot delivery
- Data shared: when you use our Telegram bot, your messages, attachments, and metadata pass through Telegram’s infrastructure
- Location: Global
- Purpose: to deliver bot messages and accept your input
- Privacy policy: https://telegram.org/privacy
5.6 Other recipients
We may also share personal data:
- With professional advisers (lawyers, accountants, auditors), under confidentiality
- With government authorities, when legally required (court order, regulatory request)
- With a successor entity in case of merger, acquisition, or sale of assets — subject to equivalent protection
We do not sell personal data to third parties. We do not share personal data for cross-context behavioral advertising.
6. International transfers of personal data
Some sub-processors are located outside Brazil and the European Economic Area (EEA):
- United States — Anthropic, Paddle (some operations), Cloudflare
- Germany — IONOS
- Global — Cloudflare edge network, Telegram
For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR, supplemented by additional safeguards where required (encryption, access controls, contractual restrictions on government access).
For transfers from Brazil, we rely on the legal grounds in Art. 33 LGPD, including:
- Specific consent at the point of using AI features
- Contractual safeguards equivalent to Brazilian standards
- Necessity for the execution of the contract you have with us
You can request a copy of the relevant transfer mechanism by emailing [email protected].
7. Data retention
We retain personal data only as long as necessary for the purposes stated in section 4:
| Data type | Retention period |
|---|---|
| Telegram ID and subscription record | While account is active + 30 days after cancellation or last login |
| Email address (if provided) | While account is active + 30 days |
| AI query text (in our backend cache) | Up to 30 days |
| Defect photos (in our backend cache) | Up to 30 days |
| Backend security logs (IP, request metadata) | 30-90 days |
| Support correspondence | Up to 24 months |
| Payment and tax records (held by Paddle) | 7 years (per applicable Brazilian and EU tax law) |
After these periods, data is deleted or anonymized irreversibly.
8. Security
We protect personal data with technical and organizational measures:
- TLS 1.2+ encryption in transit (HTTPS for all endpoints)
- Encryption at rest on hosting infrastructure (IONOS)
- Access controls — only authorized engineers can access production systems, on a need-to-know basis
- Audit logging of access to personal data
- Regular software updates and security patching
- Secure secrets management — credentials are not embedded in source code
Despite our efforts, no method of transmission or storage is 100% secure. If we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authorities (ANPD in Brazil, supervisory DPAs in the EEA) within 72 hours where required by law, and notify you without undue delay if the breach is likely to result in a high risk to your rights.
9. Your rights
9.1 Under the General Data Protection Regulation (GDPR — EEA, UK, Switzerland)
You have the right to:
- Access (Art. 15) — receive a copy of personal data we hold about you
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure / right to be forgotten (Art. 17) — request deletion of your data, subject to legal exceptions
- Restrict processing (Art. 18) — limit how we process your data while a request is being assessed
- Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format
- Object (Art. 21) — object to processing based on legitimate interest
- Withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal
- Not be subject to a decision based solely on automated processing that produces significant legal effects on you (Art. 22)
9.2 Under the Lei Geral de Proteção de Dados (LGPD — Brazil)
Per Art. 18 of the LGPD, you have the right to:
- Confirm the existence of processing
- Access your data
- Correct incomplete, inaccurate, or outdated data
- Anonymize, block, or delete unnecessary or excessive data, or data processed in violation of the LGPD
- Port your data to another service provider or product
- Delete personal data processed with your consent (with exceptions in Art. 16 LGPD)
- Receive information about public and private entities with whom we share your data
- Receive information about the possibility of not providing consent and the consequences
- Revoke consent
9.3 How to exercise your rights
Send a request to [email protected] with the subject “Data subject request — [your action]”. Include:
- The Telegram username and/or email address associated with your account, so we can identify you
- A clear description of your request
- Any supporting information (dates, screenshots) if relevant
We will respond within:
- 30 days (extendable by 60 days for complex requests) — under GDPR
- 15 days — under LGPD
If you believe we are not handling your data properly, you have the right to lodge a complaint with:
- ANPD — Autoridade Nacional de Proteção de Dados, Brazil — https://www.gov.br/anpd/
- Your local supervisory authority — for EEA / UK / Swiss residents
10. Children’s privacy
The Service is intended for professional use by adults working with industrial laser cutting equipment. We do not knowingly collect personal data from children under:
- 16 years (in the EU/EEA, unless a member state has set a lower age between 13 and 16)
- 13 years (in other regions)
If you believe a child has provided us with personal data, contact [email protected] and we will promptly delete it.
11. Automated decision-making and AI
The Service uses Anthropic’s Claude AI models to provide:
- AI parameter search (suggesting cutting parameters based on natural-language queries)
- AI defect diagnostics (analyzing defect photos and suggesting causes / remedies)
These outputs are suggestions only, intended as reference information. The operator must verify and validate every suggestion before applying it to industrial equipment.
You always have the right to:
- Request human review of any automated suggestion (contact [email protected])
- Reject the suggestion and continue working with the static reference content of the Service
- Opt out of AI features entirely (contact support to disable AI on your account)
We do not use automated decision-making for billing, account suspension, or any decision producing significant legal or similarly significant effects on you.
12. Cookies and similar technologies
The mobile app and Telegram bot do not use cookies. They use only locally stored authentication tokens and language preferences on your device.
The web subscription portal at https://sbmlaser.com/subscribe/ uses cookies for:
- Session management (strictly necessary)
- Anonymized analytics (with your consent)
- Cookie consent preference itself
For details and consent options, see our cookie policy at https://sbmlaser.com/cookies/ (or click “Manage cookies” in the footer of any page).
13. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated:
- By in-app notification
- By email to your account email address (if provided)
- By updating the “Effective date” at the top of this page
Non-material changes (clarifications, typo fixes) take effect on publication. We recommend reviewing this policy periodically.
14. Contact
For privacy-related questions, requests, or complaints:
- Email: [email protected]
- Postal address: S&A Servicos Digitais e Consultoria LTDA, Rua Heloisa Rojo Machado, 111, Apt 2102, Morro das Pedras, Florianópolis – SC, CEP 88066-066, Brazil
For general support: [email protected].
For refund requests: [email protected] (see also our Refund Policy).