Privacy Policy

Sellari — operated by Natsly, a Wyoming Profit Corporation

Last updated: April 30, 2026

1. Data Controller

The Sellari platform is operated by Natsly, a profit corporation organized under the laws of the State of Wyoming, United States of America, with address at 30 N Gould St, Ste R, Sheridan, WY 82801 (the "Provider", "Sellari", "we").

This Privacy Policy describes how Sellari collects, uses, shares and protects personal data in two distinct roles:

  • As data controller: with respect to the account data of direct Users of the Platform (companies and professionals who subscribe to the service).
  • As data processor: with respect to the end-customer data that Users process through the Platform (for example, WhatsApp message recipients, order-widget buyers).

Privacy inquiries: [email protected].

2. Information we collect

Account data: when you register we collect name, email address, profile information, credentials (password hash), and — if using social login — the identifier and basic data provided by the provider (Google OAuth).

Billing data: tax and payment data processed through Stripe. Sellari does NOT store full card numbers; we only receive tokens and the last 4 digits for reconciliation.

Usage data: records of interactions with the Platform, features used, credit consumption, AI-employee configurations, performance metrics, IP addresses and user-agents, for security, billing and service-improvement purposes.

User content: products, categories, knowledge base, widget configurations, images, videos, landing pages and any other content uploaded or generated by the User.

Integration data: when the User connects WhatsApp Business, Instagram, WooCommerce, Meta Ads or others, we receive access tokens, page/account identifiers, and the data needed to operate the integration.

End-customer data (as processor): when the User operates messaging channels through Sellari, we process phone numbers, names, message history, shipping addresses, order data, and any other information end customers send to the User. This processing is carried out on behalf of the User, who is the data controller of such data.

3. How we use information

Service delivery: operating AI employees (chatbots, content generation, automations), processing payments, delivering contracted features and responding to User requests.

Platform improvement: aggregated and anonymized analysis of usage patterns to optimize performance, detect failures and develop new features. We do NOT use User content to train our own AI models or those of third parties.

Security: fraud, abuse and attack detection; enforcement of the Terms of Service; compliance with Meta, Stripe and other providers' policies.

Transactional communications: account notifications, billing, security alerts and material changes to this document.

Commercial communications: news and promotions, only when the User has expressly consented. You can unsubscribe at any time via the link in each email or by writing to [email protected].

4. Legal basis for processing

Where the EU General Data Protection Regulation (GDPR), Brazil's LGPD, Colombia's Law 1581 or other privacy laws apply, Sellari's processing of personal data is based on one or more of the following legal grounds:

  • Performance of a contract (providing the service ordered by the User).
  • Legitimate interest (Platform security, service improvement, defense of legal claims).
  • Consent (commercial communications, non-essential cookies).
  • Legal obligation (billing retention, responses to competent authorities).

With respect to end-customer data, the User must have obtained and documented the applicable legal basis before sending such data to the Platform.

5. Messaging (WhatsApp and Instagram) — Sellari's role

When the User connects their WhatsApp Business or Instagram account to the Platform, Sellari processes inbound and outbound messages solely as a data processor and in accordance with the User's instructions — the User acts as controller with respect to their end customers.

Key guarantees regarding this processing:

  • Messages are used exclusively to operate the contracted automation (chatbot responses, RAG over the knowledge base, follow-ups, analytics).
  • Messages are not used to train AI models. Sellari requires this guarantee contractually from each of its AI model subprocessors under the terms in force at the time of integration. A current list of subprocessors is available upon written request to [email protected].
  • Images and other media that end customers send to the User are stored privately within Sellari's infrastructure so the User's authorized personnel can replay the conversation in the agent dashboard. Access requires an authenticated, signed link scoped to the User's account.
  • Image content received from end customers is analyzed by a vision model that runs on Sellari-controlled infrastructure; the raw image bytes are not transmitted to third-party AI providers for that analysis.
  • Access to messages is restricted to the User's authorized personnel and to automated processes needed to provide the service.
  • Messages are stored only while the User's account is active, or for any shorter period set by the User's configuration. Upon account cancellation, messages are deleted alongside other data within the window specified in the Retention section.
  • Sellari complies with Meta policies: WhatsApp Business Messaging Policy, WhatsApp Commerce Policy and Meta Platform Terms.

The User is responsible for obtaining any legally required consent from their end customers before sending them messages via the Platform, and for honoring opt-out requests.

6. TikTok integration — Sellari's role

When the User connects their TikTok account to the Platform to publish reels, Sellari acts as a data processor on the User's behalf. The User remains the controller of all content they choose to publish.

Data we receive from TikTok (under scopes user.info.basic and video.publish):

  • TikTok open_id, union_id and basic profile information (display name, avatar URL).
  • OAuth access tokens and refresh tokens (encrypted at rest), needed to publish on behalf of the User.
  • Publish-status responses returned by the TikTok API for posts initiated through the Platform.

How we use TikTok data:

  • To submit videos the User explicitly approves for publishing (each publish action requires confirmation).
  • To display connection status and the connected TikTok username inside the User's account.
  • To receive webhook notifications about publish results.

What we do NOT do with TikTok data:

  • We do not sell TikTok data to third parties.
  • We do not use TikTok data to train AI models, neither ours nor third parties'.
  • We do not access TikTok content beyond the scopes the User authorized.
  • We do not publish to TikTok without the User's explicit, per-action approval.

Disconnection and revocation: the User can disconnect their TikTok account at any time from Settings → TikTok → Disconnect. On disconnection, Sellari deletes the stored access and refresh tokens. The User may also revoke access directly from TikTok's app permissions screen (tiktok.com/setting/connected-apps).

Sellari complies with the TikTok Developer Terms of Service, the Content Sharing Guidelines and the TikTok Privacy Policy. The User is responsible for ensuring that any content they publish complies with TikTok's Community Guidelines.

7. Generated content — privacy by default

Content generated through the Platform (reels, ads, landing pages, images, videos) is treated as private by default and is associated exclusively with the User's organization.

Storage: generated assets are stored on our cloud infrastructure provider with private visibility. Access requires a valid authenticated session belonging to the User's organization. Asset URLs are HMAC-signed with finite TTLs and are not publicly indexable.

Publishing to third-party platforms: when the User explicitly approves a publish action (for example, "Publish to TikTok"), Sellari creates a temporary copy of the asset under a publish-specific key with public visibility, hands the third-party platform a short-lived URL pointing at that temporary copy, and deletes the temporary copy as soon as the platform confirms ingestion (typically within minutes). The original private asset never receives a public URL.

Per-publish consent: each publish action is an explicit User decision; Sellari does not auto-publish on the User's behalf. If the User revokes consent or disconnects an integration, no further publishes can be initiated through that integration.

8. Sellari AI

The AI features inside the Platform — content generation, copy writing, image and short-form video generation, automated chat responses, semantic search across the User's knowledge base — are delivered by Sellari AI, our proprietary content-generation system.

Specific implementation details, including any third-party providers used to deliver inference under contractual no-training commitments, are available upon written request to [email protected].

9. Subprocessors and providers

To deliver the service, Sellari relies on third-party processors and subprocessors operating across the following categories: messaging and social platforms (the integrations the User explicitly connects), payment processing, identity / authentication, cloud infrastructure (storage, networking, content delivery) and AI model providers. Each such party operates under its own privacy policies and a data processing agreement (DPA) with Sellari that includes confidentiality and no-training commitments.

Sellari does not publish a public list of named subprocessors. A current list of processors and subprocessors is available upon written request to [email protected]. We provide it within ten (10) business days to data subjects and to controllers who have a legitimate compliance need (for example, due-diligence as part of a B2B contract, or a data-protection impact assessment).

In-house infrastructure: in addition to third-party providers, Sellari operates servers under its direct control running proprietary databases and local AI models. Data on this infrastructure stays within the perimeter controlled by Sellari.

10. International data transfers

Sellari operates from the United States and uses providers whose servers may be located in the United States, the European Union, the United Kingdom, Brazil and other jurisdictions. By using the Platform, the User accepts that their data may be transferred to and processed in those jurisdictions.

For transfers from the European Union, the United Kingdom or Switzerland, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, or on equivalent frameworks such as the EU-U.S. Data Privacy Framework where applicable.

We implement reasonable technical and organizational measures to protect data during transfer and at rest.

11. Data storage and security

Data is stored with encryption in transit (TLS 1.2+) and at rest. Passwords are stored using bcrypt hashing; never in plain text. User sessions are protected by JWT tokens with automatic expiration and revocation mechanisms.

Access to production data is restricted to authorized personnel with multi-factor authentication. We maintain audit logs of sensitive operations for at least 12 months.

Media assets (images, videos, PDFs) are stored on our cloud infrastructure provider with HMAC-signed URLs, isolated per organization.

No system is 100% secure. In the event of an incident compromising personal data, we will notify affected parties and competent authorities in accordance with applicable law.

12. Cookies and similar technologies

We use cookies and similar technologies for:

  • Essential: maintaining the session, theme and language preferences, account security.
  • Analytics: measuring aggregate usage to improve the experience (only with consent where required by law).
  • Functional: remembering configurations and personalizations.

You can configure your browser to reject non-essential cookies, though this may affect the functionality of certain sections.

13. User rights

Depending on your jurisdiction, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your account and associated data.
  • Portability: receive your data in a structured, commonly used format.
  • Objection and restriction: object to processing for specific purposes or request restriction.
  • Withdraw consent: withdraw previously granted consent, without affecting the lawfulness of prior processing.
  • Complaint to authority: file complaints with the data-protection authority in your country.

To exercise these rights, write to [email protected]. We respond within a maximum of 30 days. End customers wishing to exercise rights over data that Users process through the Platform must contact the relevant User directly, as that User is the data controller.

14. Colombia — Ley 1581 de 2012 (Habeas Data)

For Users and end customers located in Colombia, this Privacy Policy is supplemented by the rules of Statutory Law 1581 of 2012, Decree 1377 of 2013 and other regulations issued by the Superintendencia de Industria y Comercio (SIC).

Authorization (Autorización del Titular). By creating an account or providing personal data through the Platform, the User authorizes the Provider to collect, store, use, circulate and process such data for the purposes described in this Policy. This authorization may be revoked at any time as described below.

Specific purposes (finalidades). Data is processed to: (i) create and operate the User's account; (ii) deliver the contracted services; (iii) bill and process payments; (iv) comply with legal and contractual obligations; (v) send transactional and, when consented, commercial communications; (vi) detect fraud and ensure security; (vii) provide customer support.

Sensitive data. The Platform does not require sensitive personal data (health, biometric, sexual orientation, political/religious beliefs, etc.). The User must not upload such data; if uploaded inadvertently, the User must notify the Provider so it can be deleted.

Rights of the data subject (Habeas Data). Colombian data subjects have the rights to: conocer (know) the data we hold; actualizar (update) it; rectificar (correct) it; solicitar prueba de la autorización; ser informado about uses; presentar quejas with the SIC; revocar the authorization and request deletion when applicable.

How to exercise rights. Send a written request to [email protected] identifying yourself and the right being exercised. We respond within fifteen (15) business days for queries and fifteen (15) business days for claims (extendable by eight additional business days where applicable), in accordance with Articles 14 and 15 of Law 1581.

International transfers. By accepting this Policy, the Colombian data subject expressly authorizes the international transfer of their personal data to the United States and other jurisdictions where Sellari and its subprocessors operate, in accordance with Article 26 of Law 1581.

Supervisory authority. Superintendencia de Industria y Comercio (SIC) — sic.gov.co.

15. Mexico — LFPDPPP (Aviso de Privacidad)

For Users and end customers located in Mexico, this Privacy Policy serves as aviso de privacidad integral under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its Reglamento.

Identity of the responsible party (Responsable). See the "Data Controller" section above.

Personal data collected and finalities. See the "Information we collect" and "How we use information" sections.

Mechanisms to limit use or disclosure. The User can configure communication preferences inside their account, write to [email protected] to limit non-essential processing, or unsubscribe from commercial communications via the link in each email.

ARCOPO Rights. Mexican data subjects may exercise their rights of Acceso, Rectificación, Cancelación, Oposición, plus the right to revoke consent (revocación) and to limit (oposición a) the use or transfer of personal data. To exercise these rights, send a request to [email protected] with your name, a copy of an official identification, a clear description of the data and the right being exercised, and any other information that helps us locate the data. We respond within twenty (20) business days as required by Article 32 of LFPDPPP.

Consent for transfers. By accepting this Aviso de Privacidad, the data subject expressly consents to international transfers of their data to the United States and other jurisdictions where Sellari and its subprocessors operate, for the purposes described above.

Supervisory authority. Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — home.inai.org.mx.

16. Brazil — LGPD (Lei Geral de Proteção de Dados)

For Users and end customers located in Brazil, this Privacy Policy is supplemented by Law 13.709/2018 (Lei Geral de Proteção de Dados Pessoais, LGPD).

Bases legais. Sellari processes personal data on one or more of the following lawful bases (Art. 7 LGPD): execution of a contract, compliance with a legal obligation, legitimate interests of the controller (Art. 10), and consent of the data subject for specific purposes such as commercial communications.

Direitos do titular. Brazilian data subjects have the rights to (Art. 18 LGPD): confirmation of processing; access to data; correction; anonymization, blocking or deletion of unnecessary or excessive data; portability; deletion of data processed under consent; information about sharing; information about the possibility of denying consent; withdrawal of consent; and the right to file complaints with the ANPD.

Encarregado (Data Protection Officer). The Provider has designated a contact for LGPD-related matters. Send communications to [email protected] with the subject "LGPD — DPO Contact".

Supervisory authority. Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.

17. California — CCPA / CPRA notice

This section applies to California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of personal information we collect. Identifiers (name, email, account ID, IP); customer records (billing data via Stripe); commercial information (subscription plan, usage); internet/network activity (logs, device info); geolocation (approximate, from IP); professional information (company, role); inferences drawn from the above for service operation. We do not collect biometric, precise geolocation, or sensitive personal information categories beyond what is needed to deliver the service.

Sources. Directly from the User; from the User's browser or device when using the Platform; from third-party integrations the User connects (Meta, TikTok, Stripe, Google OAuth).

Business purposes. Operating the service, billing, authentication, security, fraud prevention, customer support, product improvement and legal compliance.

Disclosure for business purposes. We share personal information with the subprocessors listed in the "Subprocessors and providers" section, each under contractual data-protection obligations.

"Sale" or "Share". Sellari does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

Your rights. Right to know what personal information is collected; right to access and portability; right to delete; right to correct; right to limit use of sensitive personal information; right to opt out of sale or sharing (not applicable here as we do neither); right to non-discrimination for exercising your rights.

How to exercise rights. Email [email protected] with the subject "CCPA Request". We verify identity by matching account credentials and respond within forty-five (45) days as required by law (extendable once by another 45 days where applicable).

18. Data retention

We retain personal data while the User maintains an active account or as long as necessary to provide the service.

Upon account cancellation, we delete or anonymize personal data and generated content within 30 days, subject to longer statutory retention obligations (for example, tax and billing records in applicable jurisdictions, typically 5-10 years).

Security audit logs and anonymized aggregate usage records may be retained for longer periods for claim defense, compliance and trend-analysis purposes.

19. Minors

The Platform is directed at professionals and companies. It is not designed for people under 18 and we do not intentionally collect personal data from minors.

If you are a parent or guardian and believe a minor has provided us with personal data, contact us at [email protected] and we will take the necessary steps to remove such information.

20. Do Not Track signals

There is currently no unified industry standard for responding to "Do Not Track" signals, so the Platform does not respond to them automatically. You can control processing via your browser's privacy options and via your account settings.

21. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, technologies or legal requirements. When changes are material:

  • We will publish the updated policy on this page with a new "Last updated" date.
  • We will notify by email if the changes materially affect User rights.
  • Continued use after the update constitutes acceptance of the then-current policy.

22. Contact

For questions about this Privacy Policy or our data processing:

Operator: Natsly (Wyoming Profit Corporation), trading as Sellari.

Registered address: 30 N Gould St, Ste R, Sheridan, WY 82801, USA.

Legal, privacy and data requests (DSAR / ARCO / habeas data): [email protected]

Customer support: [email protected]

Website: sellari.ai