Privacy Policy

Introduction

At Hexagon ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services. Hexagon operates through the following entities:

• Hexagon Labs, Inc. — a company incorporated in the United States, providing the Hexagon SaaS platform for SKU-level Generative Engine Optimization (GEO).
• Hexagon Solucoes LTDA (trade name: "Hexagon IA"), CNPJ 64.953.528/0001-68 — a company incorporated in Brazil, located at Rua Pais Leme, 215, Pinheiros, São Paulo - SP, CEP 05424-150, operating WhatsApp-based conversational commerce services for merchants and consumers in Brazil.

Hexagon Labs, Inc. and Hexagon Solucoes LTDA are related entities under the same ownership and management. The applicable data controller depends on the services you use: Hexagon Labs, Inc. for the GEO SaaS platform, and Hexagon Solucoes LTDA for WhatsApp commerce services in Brazil.

By accessing or using Hexagon, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

Information We Collect

Account Information

When you create an account, we collect:

• Name and email address
• Company name and business information
• Password (encrypted and never stored in plain text)
• Billing and payment information (processed securely through third-party payment processors)

Product Data

To provide our services, we collect and process:

• Product SKUs, names, descriptions, and specifications
• Product images and pricing information
• Inventory levels and availability data
• Product categories and metadata
• E-commerce platform integration credentials (stored encrypted)

Usage Data

We automatically collect information about how you use our platform:

• Pages viewed and features accessed
• Time spent on the platform
• Device information (browser type, operating system, IP address)
• Analytics data about visibility performance and AI citations

AI Search Data

To track your products' performance in AI search results, we collect:

• Search queries and prompts where your products appear
• AI platform responses mentioning your SKUs
• Competitor product mentions and positioning
• Visibility metrics and citation frequency

WhatsApp Commerce Data (Hexagon Solucoes LTDA)

When you interact with our WhatsApp commerce services operated by Hexagon Solucoes LTDA in Brazil, we may collect:

• WhatsApp phone number and profile name
• Delivery addresses provided during checkout
• Order history, product selections, and transaction details
• Payment information: for card payments, card data is tokenized and securely stored through PCI-DSS compliant third-party vault services — we never store raw card numbers; for PIX payments, we process transaction identifiers only
• Conversational data exchanged through WhatsApp for order processing and customer support
• CPF (tax identification number) when required for payment processing or invoicing

Meta and WhatsApp Platform Data

Hexagon does not use Facebook Login for user authentication and does not request Facebook profile data through Facebook Login. When a merchant connects or asks Hexagon to configure WhatsApp Business Platform features, we may process Meta or WhatsApp Platform Data needed to provide those services, including:

• WhatsApp Business Account IDs, Meta Business Manager IDs, phone-number IDs, display names, business profile information, and connection status
• Partner, catalog, commerce, webhook, template, and Flow configuration data
• WhatsApp message content, media, message IDs, timestamps, delivery/read statuses, conversation metadata, opt-out signals, and webhook events
• Product catalog IDs, product data, cart/order handoff data, order status, refund, fulfillment, and customer-support records
• Access tokens, provider tokens, webhook secrets, and API credentials needed to operate the integration, stored with restricted access and used only server-side

For some WhatsApp setups, Hexagon currently uses Smarters or another WhatsApp enablement provider to create or connect phone numbers, receive provider credentials, route messages, and operate WhatsApp Business Platform functionality on the merchant's behalf.

How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain our GEO services
• Track your products' visibility across AI platforms (ChatGPT, Perplexity, Claude, Gemini, etc.)
• Generate AI-optimized content for your products
• Analyze and improve your SKUs' performance in AI search results
• Process WhatsApp commerce orders, payments (PIX and card), shipping, and delivery
• Facilitate communication between merchants and consumers through WhatsApp
• Configure and operate WhatsApp Business Accounts, phone numbers, catalogs, templates, webhooks, WhatsApp Flows, commerce settings, and Business Manager partner access
• Send, receive, synchronize, and display WhatsApp messages, delivery statuses, order events, and customer-support conversations
• Send you service notifications, order updates, shipping tracking, and marketing communications (with your consent)
• Process billing and payments
• Detect, prevent, and address technical issues or fraudulent activity
• Comply with legal obligations, including Brazilian consumer protection and tax regulations
• Comply with Meta Platform Terms, WhatsApp Business Terms, WhatsApp Business Messaging Policy, Commerce Policy, and applicable app-review or data-use requirements
• Use AI systems to classify customer intent, recommend products, generate merchant support responses, summarize conversations, and operate commerce automation. We do not use WhatsApp Business Solution Data to train general-purpose AI models.
• Develop new features and improve our platform

Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

Service Providers

We share data with trusted third-party service providers and subprocessors who assist us in operating our platform. These providers are authorized to process data only for the services they provide to us, under contractual confidentiality, security, and data-protection obligations. Depending on the services you use, these providers may include:

• Cloud hosting, database, authentication, storage, and infrastructure providers, such as DigitalOcean and Supabase
• Payment, payout, billing, fraud-prevention, KYB/KYC, and settlement providers, such as Stripe and dLocal
• PCI-DSS compliant card tokenization and vault services for secure handling of payment card data
• E-commerce, catalog, order, and fulfillment integrations, such as Shopify and VTEX
• Meta, WhatsApp, and WhatsApp Business Platform providers, including Smarters or another provider where used for phone-number enablement, messaging, webhooks, and commerce flows
• AI/ML service providers, including OpenAI where enabled, for content generation, commerce automation, classification, summarization, and product recommendations
• Analytics, logging, monitoring, support, compliance, accounting, tax, legal, and security providers

Legal Requirements

We may access, preserve, use, or disclose personal information, including information received through Meta APIs, when we have a good-faith belief that doing so is necessary to comply with applicable law, legal process, court orders, subpoenas, search warrants, regulatory requests, or other valid requests from law enforcement or public authorities.

We review public-authority and legal requests for validity, authority, scope, and specificity. Where appropriate, we may reject, challenge, narrow, or seek clarification of requests that are unlawful, overbroad, vague, or improperly served. We disclose only information that we determine is legally required or otherwise permitted.

We do not sell, license, or provide Meta Platform Data for surveillance, law-enforcement monitoring, intelligence profiling, or national-security analysis. We disclose Meta Platform Data to public authorities only where legally required, with user consent, or as otherwise permitted by Meta's Platform Terms.

Where legally permitted and appropriate, we will notify affected users before disclosing their information in response to legal process. We may delay or withhold notice where prohibited by law, court order, national-security restriction, emergency circumstances, or where notice could create risk of harm, fraud, abuse, or investigation compromise.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

Meta and WhatsApp Platform Data Commitments

We process Meta and WhatsApp Platform Data only for the purposes described in this Privacy Policy, our Terms of Service, the instructions of the merchant that connected the relevant Meta or WhatsApp assets, and the functionality approved or permitted by Meta.

• We do not sell, license, purchase, or commercially transfer Meta Platform Data except as permitted by Meta's terms and as necessary to provide the services.
• We do not use Meta Platform Data for surveillance, unlawful discrimination, eligibility decisions, or unrelated user-profile building.
• We request and use only the permissions and data needed to provide merchant-requested WhatsApp commerce, messaging, catalog, analytics, support, security, and compliance functionality.
• We share Meta Platform Data only with the connected merchant, Meta/WhatsApp, contracted service providers acting on our behalf, or where legally required or otherwise permitted.
• Service providers that process Meta Platform Data must use it only under our instructions, protect it with appropriate safeguards, and delete or return it when no longer needed.
• We delete or de-identify Meta Platform Data when it is no longer needed for the disclosed purpose, when an authorized user or merchant requests deletion, when Meta requires deletion, or when deletion is legally required, unless retention is required by law.

WhatsApp Messaging and Commerce

WhatsApp is a channel used by merchants to communicate with their customers. Merchants are responsible for obtaining and maintaining all required customer opt-ins, notices, permissions, and lawful bases before sending WhatsApp messages, especially business-initiated messages, marketing messages, product recommendations, or campaigns.

We support opt-out handling where configured and may process blocks, unsubscribe requests, message feedback, and discontinue requests. Merchants must honor opt-out and block requests received on or off WhatsApp.

Merchants are responsible for product catalog content, sales terms, customer support, returns, fulfillment, taxes, regulated-product compliance, and compliance with Meta Commerce Policy and WhatsApp Business Messaging Policy. Hexagon may disable, limit, or refuse WhatsApp features that appear to violate law, platform policy, customer opt-outs, security requirements, or user-safety requirements.

Data Security

We implement industry-standard security measures to protect your information:

• End-to-end encryption for data in transit (TLS/SSL)
• Encryption at rest for sensitive data
• Regular security audits and vulnerability assessments
• Access controls and authentication requirements
• Restricted access to API credentials, access tokens, webhook secrets, and provider credentials
• Operational monitoring, logging, and incident-response procedures
• Secure data centers with physical security measures

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Data Retention

We retain your information for as long as necessary to:

• Provide our services and maintain your account
• Comply with legal obligations (tax, accounting, etc.)
• Resolve disputes and enforce our agreements
• Protect platform security, prevent fraud and abuse, and maintain audit logs
• Operate WhatsApp commerce, payment, fulfillment, support, and reconciliation workflows

When you delete your account or submit an eligible deletion request, we target deletion or anonymization of personal information and Meta/WhatsApp Platform Data within 30 days where practical. Some records may take up to 90 days to be fully removed from active systems, backups, and provider systems, except where we are required or permitted to retain them by law, tax, accounting, fraud-prevention, security, dispute-resolution, or legal-claim obligations.

Aggregated or de-identified analytics that cannot reasonably identify you may be retained for service improvement and reporting.

Your Rights and Choices

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information
• Portability: Request a copy of your data in a machine-readable format
• Objection: Object to our processing of your information
• Restriction: Request that we restrict processing of your information
• Opt-out: Unsubscribe from marketing communications

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.

If you are an end customer who interacted with a merchant through WhatsApp, the merchant may be the controller of your customer relationship and transaction data. You may contact the merchant directly, or contact Hexagon at [email protected] and we will assist with locating and processing the request as appropriate. You can also review our Data Deletion Instructions.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Maintain your session and keep you logged in
• Remember your preferences
• Analyze platform usage and performance
• Deliver personalized content

You can control cookies through your browser settings, but disabling cookies may limit your ability to use certain features of our platform.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, Brazil, the European Union, and other countries where Hexagon, Meta/WhatsApp, our affiliates, or our service providers operate. These countries may have different data protection laws. When we transfer your data internationally, we rely on appropriate safeguards where required, such as data processing agreements, standard contractual clauses, transfer addenda, adequacy decisions, or other lawful transfer mechanisms.

Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Additional Rights for EU, California, and Brazilian Residents

For EU Residents (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Right to lodge a complaint with a supervisory authority
• Right to withdraw consent at any time
• Right to data portability in a structured, commonly used format

For California Residents (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect, use, and disclose
• Right to request deletion of your personal information
• Right to opt-out of the sale of your personal information (we do not sell personal information)
• Right to non-discrimination for exercising your CCPA rights

For Brazilian Residents (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018). For WhatsApp commerce services, Hexagon Solucoes LTDA (CNPJ: 64.953.528/0001-68) is the data controller. Your rights include:

• Confirmation of the existence of processing of your personal data
• Access to your personal data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary or excessive data
• Data portability to another service or product provider
• Deletion of personal data processed with your consent
• Information about public and private entities with which we share your data
• Information about the possibility of denying consent and the consequences thereof
• Revocation of consent

We process your personal data based on the following legal bases under the LGPD: consent, performance of a contract, legitimate interest, compliance with legal obligations, and fraud prevention.

To exercise any of these rights, contact us at [email protected].