Roraima Ventures LLC

Privacy Policy

Last updated: May 18, 2026

Roraima Ventures LLC (“Roraima,” “we,” “us,” or “our”) operates the TCMX platform (“TCMX” or the “Service”), including the website at https://roraima.vc and the application at https://app.tcmx.app. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our Service. By using TCMX, you agree to this Privacy Policy.

1. Who we are

Roraima Ventures LLC is a Delaware-registered limited liability company operating from 19195 Mystic Pointe Dr, Apt 505, Aventura, FL 33180, United States. Contact: gustavo@roraima.vc.

2. Our role under Meta Platform Terms

Roraima is an approved Meta Tech Provider for WhatsApp Business and operates Meta's WhatsApp Business Cloud API on behalf of business clients (“Clients”) who grant us access via Meta's Embedded Signup flow. We do not own or control Client WhatsApp Business Accounts (WABAs) or phone numbers; Clients retain ownership at all times. We act as a service provider to our Clients with respect to message and conversation data, and as a data controller for account-level metadata about Clients themselves.

3. Information we collect

We collect the following categories of information:

(a) Account information from Clients: Business name, registered address, contact name and email, billing information (when applicable), and Meta Business Account identifiers received during Embedded Signup, including WhatsApp Business Account ID, phone number ID, and Meta Business Portfolio ID.

(b) Access credentials issued by Meta:Long-lived system user access tokens issued by Meta during Embedded Signup, used solely to operate the WhatsApp APIs on the Client's behalf. Tokens are stored encrypted at rest.

(c) Messages and conversations:When end users of our Clients send messages to a Client's WhatsApp number, the message content (text, media, metadata) flows through Meta's APIs and is routed to a Client-controlled inbox managed by our platform. We process this content solely to deliver the messaging service to our Clients.

(d) Service usage data: Logs, analytics, error reports, and performance metrics from interactions with the platform.

(e) Cookies and similar technologies: Standard authentication cookies and minimal analytics on the marketing site at roraima.vc.

4. How we use information

We use information to:

• Provide and operate the Service, including managing WhatsApp Business Accounts on behalf of Clients
• Authenticate Clients and secure their data
• Improve, maintain, and develop new features
• Communicate with Clients about service updates, billing, and support
• Comply with legal obligations, including Meta Platform Terms and applicable law
• Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms

We do not sell personal information. We do not use Client messages or conversation content to train AI models that serve other Clients, and we do not share message content across Client accounts.

5. Legal basis for processing (EU/UK Clients, where applicable)

Where applicable, we rely on the following legal bases under GDPR/UK GDPR: (a) performance of a contract with the Client, (b) legitimate interests in operating and improving the Service, (c) compliance with legal obligations, and (d) the Client's consent for specific processing activities.

6. How we share information

We share information only as follows:

• With Meta, as necessary to operate the WhatsApp Business Cloud API and Embedded Signup. Meta's use of data is governed by Meta's own policies.
• With sub-processors under written agreements requiring confidentiality and security commitments at least as protective as this policy. Current sub-processors:
  • Supabase, Inc. (Delaware, USA) — primary database, authentication, and object storage. US region.
  • Google Cloud Platform / Cloud Run (Alphabet Inc.) — backend application hosting. us-central1 region.
  • Vercel Inc. (Delaware, USA) — frontend application hosting and edge delivery.
  • Chatwoot — self-hosted on Railway Inc. for Client inbox management.
  • Anthropic PBC (California, USA) — AI assistance for reply suggestions; messages are not retained by Anthropic per their API terms.
  • Google LLC (Gemini API) — supplementary AI capabilities; same retention principle as Anthropic.
  • Cloudflare, Inc. (California, USA) — DNS, network security, and DDoS protection.
• With professional advisors (accountants, lawyers, insurers) under confidentiality obligations.
• As required by law, including in response to legal process or to protect rights, property, or safety.
• In connection with a corporate transaction (merger, acquisition, sale of assets), subject to continued protection.

7. Data retention

• Account information: retained for the duration of the Client relationship plus 90 days after termination, unless legal obligations require longer retention.
• Access tokens: retained as long as the Client maintains an active integration; revoked and deleted within 30 days of termination or upon Client request.
• Messages and conversations: retained per the Client's configured retention period within the inbox; default 12 months unless overridden by Client.
• Logs and analytics: retained up to 12 months.

8. Data location

Data is stored primarily in the United States. By using the Service from outside the United States, Clients consent to the transfer and processing of data in the United States, which may not provide the same level of data protection as the Client's home jurisdiction.

9. Security

We implement industry-standard administrative, technical, and physical safeguards, including: encryption in transit (TLS) and at rest (pgcrypto for sensitive credentials), Row-Level Security policies in our database, scoped access tokens, least-privilege access controls, audit logging, and regular security review. No system is perfectly secure, and we cannot guarantee absolute security.

10. Your rights

Clients and end users have the following rights with respect to their personal information:

• Access the information we hold about you
• Correct inaccurate or incomplete information
• Deleteyour information (“right to be forgotten”), subject to legal retention obligations
• Restrict or object to processing
• Data portability — receive a copy of your data in a structured, commonly used format
• Withdraw consent at any time where processing is based on consent
• Lodge a complaint with a supervisory authority

To exercise these rights, email gustavo@roraima.vc. We will respond within 30 days.

11. Data deletion

Clients may request deletion of all data associated with their account at any time by emailing gustavo@roraima.vc with the subject line “Data Deletion Request” and identifying the affected WABA and business portfolio. We will:

1. Acknowledge receipt within 5 business days
2. Disconnect the integration and revoke all access tokens issued to us by Meta
3. Delete account information, messages, conversations, and derived analytics within 30 days
4. Retain only minimum records required by law (e.g., tax records, audit logs of the deletion event itself)

End users of our Clients should direct deletion requests to the relevant Client (the business they messaged). We assist Clients in fulfilling those requests but the Client is the data controller for end-user conversation data.

12. Children's privacy

The Service is intended for use by businesses and adult representatives of businesses. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it.

13. International users

If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. Where required by law, we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active Clients via email at least 30 days before they take effect. The “Last updated” date at the top reflects the current version.

15. Contact

Questions, requests, or complaints about this Privacy Policy or our data practices: