Privacy Policy
Last updated: April 26, 2026
This Privacy Policy explains how EDF GLOBAL GROUP LLC ("EDF", "we", "us"), the entity that operates the Modari brand, collects, uses, stores and protects your personal information when you use modari.app or any related service. EDF GLOBAL GROUP LLC is a limited liability company incorporated in the State of Delaware, United States. By using Modari you agree to this policy. For any data-related request, write to [email protected] — we respond within 15 business days.
1. Data controller
The controller of your personal data is EDF GLOBAL GROUP LLC, a limited liability company incorporated in Delaware, United States, operating the Modari platform (modari.app). To exercise your rights or file complaints, write to [email protected]. We are not currently required to designate a Data Protection Officer (DPO) under GDPR, but you can reach the privacy team via the same email.
2. Information we collect
We collect: (a) Account data you provide: full name, email, phone (optional), country of residence, preferred language, business name (workspace), role; (b) Customer content: everything you create inside Modari — contacts, companies, deals, WhatsApp messages, product catalog, orders, chatbot templates, notes. You entrust this content to us as Processor; (c) Payment data: your payment method is processed by Stripe (PCI DSS Level 1 certified processor). We never store full card numbers — Stripe shares only the last 4 digits, brand and expiration so you can see them in your Dashboard; (d) Technical data: IP address (hashed with SHA-256 + dedicated salt), browser type, device, OS, session timestamps, error events; (e) Communications: support messages, emails you send us, optional survey responses.
3. Purposes for which we use your data
(a) Provide and operate the Modari platform and its modules; (b) Authenticate you and protect your account (including WhatsApp 2FA if enabled, anomalous-login detection, rate limiting); (c) Process payments and issue invoices via Stripe; (d) Send transactional emails (verification, password recovery, receipts, usage alerts, trial-end notifications); (e) Improve the product, debug errors and measure aggregated performance; (f) Comply with legal, tax and lawful authority requirements; (g) Prevent fraud, abuse and Terms violations. We DO NOT sell your personal data. We DO NOT use your content to train third-party AI models. We DO NOT show third-party advertising.
4. Legal bases for processing
We process your data based on: (a) Contract performance — to deliver the service you contracted; (b) Legal obligation — tax, accounting, judicial requests; (c) Legitimate interest — platform security, fraud prevention, aggregated metrics; (d) Consent — for non-essential cookies, optional marketing and processing beyond what is strictly necessary. Applicable frameworks include: EU/UK General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), Colombia's Law 1581 of 2012 and Decree 1377 of 2013 (Habeas Data), Mexico's LFPDPPP, Brazil's LGPD and other applicable laws based on your country of residence.
5. Subprocessors with whom we share data
We share data only with Subprocessors needed to operate the service, contractually bound to confidentiality and equivalent protection standards. The categories of Subprocessors we use include: (a) PCI DSS Level 1 certified payment processor (Stripe); (b) cloud infrastructure for database, authentication and storage, mostly self-hosted on cloud compute providers; (c) transactional email platform; (d) official WhatsApp Business API operator (only when you connect your WhatsApp account); (e) language-model inference providers, exclusively over the content your chatbot decides to send to the model; (f) self-hosted web analytics platform, no cookies and no personal data; (g) self-hosted error monitoring platform. Updated Subprocessor list is available on request to [email protected]. We will notify you by email at least 30 days in advance if we add a material new Subprocessor.
6. International data transfers
EDF GLOBAL GROUP LLC operates from the United States. Your data may be processed in the United States, the European Union, Latin America and other countries where our Subprocessors operate. For transfers from EU/EEA/UK we implement the European Commission's Standard Contractual Clauses. For transfers from Colombia we apply SIC mechanisms for countries without an adequate level. If you reside in Brazil, the safeguards of Chapter V of LGPD apply.
7. Data retention
We retain your account and content while your subscription is active. After cancellation: (a) your workspace and data are available for 30 days for recovery or export; (b) data is then permanently deleted from active systems; (c) encrypted backups rotate within 90 additional days; (d) accounting records and invoices are retained for the period required by applicable tax law (typically 7 years for US entities). Technical logs (rate-limit, errors) are rotated within 90 days.
8. Your rights
Regardless of country, you have the right to: (a) Access a copy of your personal data; (b) Rectify inaccurate data; (c) Request deletion ("right to be forgotten"); (d) Object to or restrict processing; (e) Portability — receive your data in standard JSON/CSV format; (f) Withdraw consent without affecting the lawfulness of prior processing; (g) Not be subject to automated decisions with legal effects without human review; (h) If you reside in California (CCPA/CPRA): right to know, right to delete, right to correct, right to opt-out of sharing your personal information and right to non-discrimination; (i) If you reside in Colombia (Habeas Data): ARCO rights + consent revocation, with response within 15 business days for queries and 15 business days for complaints.
9. How to exercise your rights
Send your request to [email protected] from the email tied to your account or, if you act as a data subject whose data was captured by a customer of ours, you can contact us directly and we will route to the relevant customer (Modari is Processor in that case). We respond within 15 business days max. Free of charge unless requests are manifestly unfounded or excessive.
10. Security
We apply reasonable technical and organizational measures: encryption in transit (TLS 1.2+), encryption at rest (AES-256), Row Level Security on every table with workspace scoping, role-based access segmentation, optional WhatsApp 2FA, trusted devices with hashed tokens, rate limiting, IP hashing with dedicated salt, super-admin action audits, dependency updates and continuous monitoring. Passwords are stored hashed with bcrypt — never in plain text. We perform periodic encrypted backups.
11. Breach notification
If a security breach affects your personal data, we will notify you by email without undue delay and within the applicable legal deadline (72 hours under GDPR). We will likewise notify the competent supervisory authorities when legally required.
12. Children
Modari is a B2B service not directed to minors under 18. We do not knowingly collect personal data from minors. If you believe a minor provided us data, write to [email protected] and we will delete it.
13. Modari as Processor
When you use Modari to manage your own customers' data (contacts, WhatsApp messages, orders), you act as the data Controller and EDF GLOBAL GROUP LLC acts as Processor of that data. You are responsible for informing your customers about the processing and obtaining appropriate legal bases. We offer a Data Processing Agreement (DPA) on request to [email protected] — it includes EU Standard Contractual Clauses.
14. Changes to this policy
We may update this Policy. Material changes are announced in-product and via email at least 15 days before they take effect. The "last updated" date indicates when the current version was published.
15. Contact and supervisory authorities
For anything related to this Policy: [email protected] · EDF GLOBAL GROUP LLC, Delaware, United States. If you believe your rights have not been honored, you may file a complaint with the competent data protection authority: Superintendencia de Industria y Comercio (SIC) in Colombia, INAI in Mexico, ANPD in Brazil, your EU Member State's data protection authority, ICO in the UK, Privacy Rights Clearinghouse in California.