Positus Terms of Service - Robbu Tecnologia

Version: 4.0 | Effective Year: 2026

1. Introduction

These Terms of Use govern access to and use of the Positus Platform, a product made available by POSITUS TECNOLOGIA DA INFORMAÇÃO LTDA., a private legal entity registered under CNPJ No. 34.258.755/0001-02, headquartered at Avenida Angélica, No. 2530, 15th floor, Bela Vista district, in the city of São Paulo/SP, Brazil, ZIP code 01228-200, hereinafter referred to simply as “Positus“.

Positus is a company within the Robbu Group (https://robbu.global/home/) and acts as an official Business Service Provider (BSP), duly licensed by Meta Platforms, Inc. (“Meta”) for the commercialization and provision of the WhatsApp Business Solution (WBS).

The condition of authorized BSP can be verified in Meta’s Official Partner Directory, available at: https://www.facebook.com/business/partner-directory/details?id=225426795144832.

The service provided by Positus is characterized as Platform as a Service (PaaS), consisting of the provision of communication infrastructure through REST APIs and proprietary interfaces, which allow the Client company to integrate its systems into the WhatsApp Business Solution ecosystem.

These Terms of Use are intrinsically linked to the WhatsApp Business Licensing Agreement entered into between Positus and the Client company, which establishes in greater detail the contractual rules of the service provided, remuneration, and technical obligations.

These Terms are intended to define the rules to be specifically followed by users linked to the Client company for the use of the products and functionalities of the Positus Platform, without prejudice to the application of current legislation.

2. Acceptance of These Terms of Use

By accessing, using, or integrating with the Platform, the User expressly declares that they have read, understood, and fully agree with these Terms of Use, as well as all documents and policies incorporated by reference, including those established by Meta and the Positus Privacy Policy, available at: https://positus.com.br/politica-de-privacidade

Continued use of the Platform after any updates to these Terms or applicable external policies constitutes tacit acceptance of the changes.

It is important to note that the use of the Platform by persons under 18 (eighteen) years of age is prohibited, as its content is not intended for this audience, and those responsible for granting access shall be subject to liability for any damages caused to Positus or third parties.

Acceptance of this instrument is essential for access to and use of any services provided by Positus. If the User does not agree with the provisions of this instrument, they must not use the Platform.

3. Legal and Regulatory Framework

The legal and regulatory framework applicable to these Terms of Use, according to the product provided, includes:

Law No. 13,709/2018 — General Personal Data Protection Law (LGPD).
Law No. 12,965/2014 — Brazilian Internet Civil Framework.
Law No. 8,078/1990 — Consumer Protection Code (subsidiarily).
Law No. 12,846/2013 — Anti-Corruption Law.
Law No. 10,406/2002 — Civil Code.
ABNT NBR ISO/IEC 27001:2022
Other rules applicable to the provision of technology and communication services.

4. Definitions

For the purposes of these Terms of Use, the following definitions apply:

API (Application Programming Interface): Application programming interface that allows integration between distinct systems.
Bearer Token: Authentication credential used for secure access to the Positus Platform APIs.
BSP (Business Service Provider): Corporate service provider officially licensed by Meta for the commercialization of the WhatsApp Business Solution.
Client or Contracting Party: Legal entity that has signed a Licensing Agreement with Positus for use of the Platform.
Controller: Natural or legal person, of public or private law, responsible for decisions regarding the processing of personal data, pursuant to Article 5, VI, of Law No. 13,709/2018.
Personal Data: Information related to an identified or identifiable natural person, pursuant to Article 5, I, of Law No. 13,709/2018.
Sensitive Personal Data: Personal data concerning racial or ethnic origin, religious belief, political opinion, union membership or affiliation with a religious, philosophical, or political organization, data related to health or sexual life, genetic or biometric data, when linked to a natural person, pursuant to Article 5, II, of Law No. 13,709/2018.
HSM (Highly Structured Message): Message template pre-approved by Meta, used to initiate conversations or send messages outside the 24-hour window.
Conversation Window: 24-hour period counted from the last interaction of the end user with the company, during which free-text messaging is allowed without the need for HSM templates.
Meta: Meta Platforms, Inc., formerly known as Facebook Inc., owner and operator of WhatsApp.
Processor: Natural or legal person, of public or private law, that carries out the processing of personal data on behalf of the controller, pursuant to Article 5, VII, of Law No. 13,709/2018.
PaaS (Platform as a Service): Cloud service model that provides a platform and environment for the development, testing, and management of applications.
Platform or Positus Platform: Set of systems, interfaces, and APIs provided by Positus, including Positus Studio, Positus Messenger, and other technological components.
Positus Studio: Management interface that allows the Client to configure numbers, tokens, templates, users, webhooks, and other operational parameters. Accessible at: http://studio.posit.us/
Positus Messenger: Service interface that allows the receipt and sending of messages by multiple agents simultaneously, with auditable records of interactions.
Data Subject: Natural person to whom the personal data subject to processing refers, pursuant to Article 5, V, of Law No. 13,709/2018.
Processing: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction, pursuant to Article 5, X, of Law No. 13,709/2018.
User or Linked User: Natural person who accesses and uses the Positus Platform by virtue of their professional relationship with the Client company, through access credentials provided by the latter.
End Users: Individuals who interact and establish dialogue with the Client company through the messaging channels made available by the Platform. They are the consumers of the Client’s products and services.
WABA (WhatsApp Business Account): WhatsApp commercial account managed through the WhatsApp Business Solution API.
WBS (WhatsApp Business Solution): Corporate WhatsApp communication solution provided by Meta to companies through authorized Business Service Providers.
Webhook: URL provided by the Client for receiving notifications, messages, statuses, and events sent by the Positus Platform in real time.

5. Nature and Scope of the Service

The Positus Platform is a technological solution based on the Platform as a Service (PaaS) model, which provides digital communication infrastructure through REST APIs and proprietary interfaces, allowing the Client to integrate its systems with the WhatsApp Business Solution ecosystem.

Positus acts exclusively as a technical intermediary and infrastructure provider, with Meta being ultimately responsible for the operation of the WhatsApp Business Solution. The authority to approve accounts (WABA), phone numbers, and message templates is exclusive to Meta, and Positus has no decision-making power or interference over such processes.

Positus grants the Client company a limited, non-exclusive, non-transferable, and temporary license to use the Platform, exclusively for operational purposes and within the limits established in these Terms and in the Licensing Agreement.

The license does not imply the transfer of intellectual property rights, and any form of reproduction, modification, reverse engineering, sublicensing, or improper exploitation of the Platform, APIs, or any associated components is prohibited.

6. Incorporation of Third-Party Terms

The use of the Platform is conditioned upon the acceptance and full compliance with Meta’s terms and policies, which are incorporated into these Terms of Use by reference, as if fully transcribed herein.

By accepting these Terms, the User declares that they have read, understood, and agree with the following documents:

WhatsApp Business Solution Terms: https://www.whatsapp.com/legal/business-solution-terms
Facebook Terms: https://facebook.com/legal/terms
Facebook Commercial Terms: https://www.facebook.com/legal/commercial_terms
WhatsApp Business Terms of Service: https://www.whatsapp.com/legal/business-terms
WhatsApp Business Policy: https://www.whatsapp.com/legal/business-policy
WhatsApp Privacy Policy: https://www.whatsapp.com/legal/#privacy-policy
WhatsApp Intellectual Property Policy: https://whatsapp.com/legal/#ip-policy
WhatsApp Brand Guidelines: https://www.whatsappbrand.com/
Meta Technical and Product Documentation: https://developers.facebook.com/docs/whatsapp/guides

In the event of a conflict between these Terms of Use and Meta’s documents, the WhatsApp Business Solution Terms shall prevail.

The User and the Client acknowledge that such documents are an integral part of these Terms and that Meta may change them at any time, regardless of Positus’ consent. Continued use of the Platform after such changes constitutes tacit acceptance of the new rules.

Positus is exempt from any liability for defects or problems arising from non-compliance with the instructions and recommendations contained in Meta’s Terms of Use. If the User or the Client suffer penalties or have the service interrupted due to non-compliance with external rules, Positus cannot be held liable. On the contrary, if the non-compliance causes fines or penalties to be imposed on Positus by Meta, the Client shall be liable for such amounts and any losses and damages.

7. Platform Functionalities

The Positus Platform provides the Linked User, through its interfaces and APIs, with the following operational functionalities:

7.1. Positus Studio

Management interface accessible at http://studio.posit.us/, intended for the configuration and administration of the Platform’s resources, including:

Activation and management of phone numbers linked to the WABA.
Creation, editing, and management of authentication tokens (Bearer Tokens) for API access.
Configuration and management of message templates (HSM) for Meta approval.
Configuration of operational notifications and alerts.
Registration and management of users linked to the Client.
Configuration of webhooks for real-time event reception.
Consultation of workspaces, templates, numbers, and active configurations.
Access to operational dashboards with consumption and quality metrics.

7.2. Positus Messenger

Interface that allows end-user service, with the following capabilities:

Simultaneous service by multiple Client agents.
Auditable record of all interactions, including date, time, responsible user, and message content.
Viewing conversation history (limited to the 3-month retention period).
Sending text messages, images, documents, videos, audios, stickers, contacts, and locations.
Receiving messages and media sent by end users.
Inability to delete sent messages, in accordance with auditability and enterprise security guidelines.

7.3. APIs and Integrations

REST APIs that allow the Client to integrate its own systems and perform programmatic operations, including:

Sending messages via HSM template (Highly Structured Messages).
Sending contacts, locations, images, documents, videos, audios, and stickers.
Creating and sending interactive messages with option lists (list messages).
Creating and sending interactive messages with buttons (button messages).
Downloading media received from end users.
Receiving messages via webhook.
Receiving delivery and read status via webhook.
Receiving number quality events (status rating: High, Medium, Low).
Receiving messaging limit events imposed by Meta.
Receiving template statuses (approved, rejected, paused).

7.4. Sandbox Environment

Testing environment that allows:

Complete integration testing prior to official contracting.
Validation of message sending and receiving flows.
Testing of webhooks and notifications.
Simulation of operational scenarios without costs or impact on production.

7.5. Dashboards and Monitoring

Operational tracking and transparency tools:

Dashboards integrated into Positus Studio for viewing message consumption, conversations initiated, and performance metrics.
Status Page available at https://status.positus.global, with real-time information about Platform availability, ongoing incidents, scheduled maintenance, and event history.
Alerts and notifications about critical events, number quality changes, and sending limits.

7.6. Technical Support

Positus provides a technical support channel at https://studio.posit.us/suporte for opening tickets related to operational questions, technical incidents, and guidance on Platform use. Support is provided exclusively to the Client, who may, at their discretion, pass on instructions to their Linked Users.

8. Information Security, Access, and Communication

8.1. Authentication and Use of Bearer Tokens

Access to the Positus Platform APIs is carried out exclusively through Bearer Tokens, generated and managed by Positus Studio. The Client is solely responsible for the safekeeping, confidentiality, and proper use of their tokens.

It is recommended that the Client:

Use distinct tokens for each application or integrated system;
Store tokens securely, preferably in secret management systems or environment variables;
Restrict access to tokens to authorized persons and systems;
Immediately revoke tokens in case of suspected compromise.

All requests made with the Client’s tokens will be considered their sole responsibility. Positus is not liable for damages arising from improper use, leakage, or compromise of these credentials.

8.2. Access Credentials for Positus Studio and Messenger

The User Linked to the Client is responsible for the confidentiality of their access credentials (login and password), and must use strong passwords, not reuse them in other services, avoid access in insecure environments, and immediately communicate any suspicion of improper use.

All actions taken with their credentials will be attributed to the respective User and will be the Client’s sole responsibility.

8.3. Webhooks and Communication Integrity

The Client must maintain an active and functional Webhook URL, capable of adequately processing notifications and returning an HTTP 200 OK response.

Failures in webhook reception resulting from unavailability or inadequacy of the Client’s infrastructure do not constitute a Platform failure. Positus is not liable for losses of messages, events, or notifications in such cases.

8.4. Positus Security Measures and Dependency Limitations

Positus adopts technical and organizational information security measures, including access controls, network protection, encryption in transit, monitoring, backups, incident management, and team training, in compliance with the LGPD.

Nevertheless, it is not possible to guarantee the total absence of vulnerabilities, due to the nature of the technology and dependence on third-party systems.

8.5. Access Logs

Positus maintains Platform access records for security, audit, and legal compliance purposes, containing information such as date, time, IP address, authenticated user, and actions performed. Logs are stored securely and used exclusively for legal and regulatory purposes.

8.6. Transparency and Availability

Positus provides a Status Page at https://status.positus.global, with updated information on Platform availability, incidents, maintenance, and operational history, constituting its official communication channel regarding service continuity.

9. Personal Data Protection

This section establishes the guidelines for processing personal data within the Positus Platform, in compliance with Law No. 13,709/2018 (General Personal Data Protection Law — LGPD), regulations of the National Data Protection Authority (ANPD), especially Resolution CD/ANPD No. 19/2024, and other applicable rules.

9.1. Roles in Data Processing

Pursuant to Article 5, items VI and VII, of Law No. 13,709/2018, the following roles are established:

The Client acts as the CONTROLLER of the personal data of linked users (consumers who interact with the Client via WhatsApp) and linked users (employees, collaborators, agents of the Client who access the Platform), being responsible for all decisions regarding processing, including:

Definition of processing purposes.
Choice of applicable legal bases (consent, contract performance, legitimate interest, etc.).
Obtaining consent from data subjects when necessary (opt-in).
Addressing data subjects’ rights (access, rectification, deletion, portability, etc.).
Maintaining its own and adequate privacy policy.

Positus acts as the PROCESSOR of users’ personal data, processing exclusively under the Controller’s (Client’s) instructions and for the purpose of enabling the communication infrastructure. Positus does not make decisions about the purposes or forms of processing users’ data.

Meta (WhatsApp) acts as the entity providing access to the corporate service, and is also a recipient of operational data and metrics of the account (WABA) for the purposes of operating the WhatsApp Business Solution.

9.2. Obtaining Consent (Opt-in)

In cases where consent is the applicable legal basis, it is the sole responsibility of the Client, as Controller, to obtain prior and express consent from data subjects before sending messages via WhatsApp, pursuant to Article 7, I, of Law No. 13,709/2018.

Consent must be free, informed, unequivocal, and specific for determined purposes. The use of generic or presumed consent is prohibited.

The Client must maintain supporting records of the consent obtained, containing, at a minimum, date, time, form of collection, and purpose informed, which may be required by the ANPD or by judicial or administrative authorities.

The Client undertakes to hold Positus harmless from any sanctions, fines, or liabilities arising from the absence of consent or from the use of an inadequate legal basis.

Positus, as Processor, has no access, control, or interference over the consent-obtaining processes adopted by the Client.

9.3. Management of Blocks and Opt-out

Data subjects may revoke consent at any time, through express manifestation, pursuant to Article 18, §5, of Law No. 13,709/2018.

It is the Client’s sole responsibility to:

Immediately address requests for blocking, opt-out, or refusal of messages;
Update contact lists to prevent new sends to blocked data subjects;
Maintain internal processes for recording and addressing requests;
Refrain from using the Platform to send messages to data subjects who have expressed refusal or revocation of consent.

Non-compliance with these obligations may result in complaints to Meta, a reduction in account quality, or a ban, for which Positus is not liable.

9.4. Data Subjects’ Rights

Pursuant to Article 18 of Law No. 13,709/2018, data subjects have rights related to their personal data, including, among others: confirmation of processing, access, correction, anonymization, blocking, elimination, portability, information on sharing, and revocation of consent.

Requests must be directed to the Client, as Controller. If Positus receives a request directly from a data subject, it will be forwarded to the Client.

Positus, as Processor, will cooperate with the Client to enable the fulfillment of data subjects’ rights, through formal instructions, observing legal and technical deadlines, not exceeding 15 (fifteen) business days, except in case of technical impossibility duly justified.

9.5. Data Retention and Lifecycle

The history of conversations processed by the Platform is stored for up to 3 (three) months after the last interaction, being automatically deleted after this period, except for legal retention obligations.

In case of contract termination, the Client’s data will be deleted within 30 (thirty) days, except for:

Data whose retention is required by applicable legislation or by Meta;
Data necessary for the defense of rights in judicial, administrative, or arbitration proceedings;
Access records maintained in accordance with the Brazilian Internet Civil Framework.

After deletion, data recovery will not be possible.

9.6. Privacy Limitations and Sensitive Data

9.6.1. Positus does not provide the profile picture (avatar) of end users, in compliance with the principle of necessity and data minimization.

9.6.2. The sending, receiving, or processing, through the Platform, of sensitive financial data, including, among others, card numbers, security codes, banking passwords, complete account data, or crypto-asset keys, is expressly prohibited. Non-compliance with this prohibition is the sole responsibility of the Client and its Linked Users, and may constitute a violation of law and Meta’s policies.

9.7. International Data Transfer

The use of the Positus Platform implies an international transfer of personal data, due to Meta’s global infrastructure.

The transfer is based on the execution of the contract, adherence to Meta’s terms, and compliance with Resolution CD/ANPD No. 19/2024, through contractual guarantees and adequate security measures.

It is the Client’s responsibility to inform data subjects about the international transfer and to ensure a valid legal basis, keeping Positus harmless from any resulting liability.

Positus and Meta do not use data for profiling purposes beyond what is strictly necessary for the operation of the service.

9.8. Security Incidents

Positus will notify the Client of security incidents that may pose a relevant risk to data subjects, within 72 (seventy-two) hours of becoming aware of the event, containing the information required by the LGPD.

It will be up to the Client to assess the need for communication to the ANPD and to data subjects. Positus will cooperate in the investigation and mitigation of the incident.

9.9. Data Protection Impact Assessment (DPIA)

When required by legislation or by the ANPD, the preparation of the DPIA will be the Client’s responsibility, and it will be up to Positus to provide technical cooperation, by providing information about the processing carried out under its responsibility as Processor.

10. Guidelines on Rights and Responsibilities for Clients/Contracting Parties

10.1. Client’s Rights

The Client has the following rights within the scope of its contractual relationship with Positus:

Use the Platform in accordance with the limits and functionalities contracted.
Access all functionalities available in Positus Studio, Positus Messenger, and APIs.
Use the Sandbox environment for testing and integration validations.
Obtain technical support through Positus’ official channels (https://studio.posit.us/suporte).
Track operational metrics, message consumption, and number quality through dashboards.
Receive notifications about incidents, maintenance, and relevant changes to the Platform.
Request clarifications about the processing of personal data carried out by Positus as Processor.
Terminate the contract with 30 (thirty) days’ prior notice, without prejudice to the payment of amounts due up to the termination date.

10.2. Client’s Obligations

The Client assumes the following essential obligations for the proper functioning of the service:

Management and security of all access credentials (Bearer Tokens, logins, passwords), being fully responsible for any activities carried out under its account.
Full compliance with Meta’s policies, including WhatsApp Business Solution Terms, WhatsApp Business Policy, and Brand Guidelines.
Obtaining a valid legal basis (consent, contract performance, legitimate interest, etc.) for processing personal data of end users, as per the LGPD.
Obtaining prior and express consent (opt-in) from end users before sending messages, when consent is the applicable legal basis.
Immediate respect for requests for blocking, opt-out, or refusal of messages by end users.
Maintenance of its own, clear, and accessible privacy policy, informing end users about data processing and their rights.
Maintenance of adequate and functional technological infrastructure for integration with the Platform, including servers, webhook URLs, and network connectivity.
Ensuring that the Webhook URL returns an HTTP 200 OK response to confirm receipt of notifications.
Creation and verification of an account in Facebook Business Manager, providing truthful and complete information.
Providing Positus with the Business Manager account identifier (ID) after approval by Meta.
Refraining from sending unauthorized, abusive, inappropriate promotional messages or those that violate Meta’s policies.
Express prohibition on sending or requesting sensitive financial data (credit card numbers, banking passwords, etc.) through messages.
Ensuring that no illicit, abusive, fraudulent, deceptive, defamatory, discriminatory content, or content at odds with current legislation, will be sent.
Immediate communication to Positus about suspicions of credential leakage, unauthorized access, or security incidents.
Cooperation with Positus in incident investigations, security audits, and compliance processes.

The Client agrees to hold Positus harmless and to defend it against any complaints, lawsuits, administrative proceedings, sanctions, fines, or losses arising from:

Improper use of the Platform in violation of these Terms of Use, the Licensing Agreement, or Meta’s policies.
Sending messages without an adequate legal basis, lack of opt-in, or non-compliance with opt-out requests.
Violation of third-party rights or current legislation through messages sent by the Client.
Banning, suspension, or penalties by Meta resulting from the Client’s conduct.
Fines or penalties imposed on Positus by Meta due to the Client’s non-compliance with the policies.
Leakage, compromise, or improper use of the Client’s access credentials.
Security incidents originating from failures in infrastructure or inadequate controls maintained by the Client.

10.3. Express Prohibitions to the Client

The Client is expressly prohibited from:

Using the Platform for illicit practices, including but not limited to fraud, scams, money laundering, crimes against the tax order, intellectual property violations, or any criminal conduct.
Sending SPAM messages, aggressive unsolicited marketing, or communications that violate Meta’s policies.
Using the same number simultaneously on the API and on mobile devices (WhatsApp Messenger or WhatsApp Business App).
Attempting to perform reverse engineering, decompilation, or disassembly of the Platform, APIs, or any technological components of Positus.
Sublicensing, reselling, assigning, or transferring to third parties the rights to use the Platform without Positus’ express written authorization.
Using the Platform to collect, store, or process personal data without a valid legal basis or in violation of the LGPD.
Interfering with, overloading, or compromising the security, integrity, or performance of the Platform.
Using automated techniques (bots, scrapers, etc.) for unauthorized access or improper data collection from the Platform.
Violating third-party rights, including intellectual property, privacy, image, honor, or any other legally protected rights.
Allowing access to or use of the Positus Platform by linked users under 18 (eighteen) years of age, since the Platform is not intended for minors, being subject to applicable liability for any damages caused to Positus or third parties.

11. Guidelines on Rights and Responsibilities for Positus

11.1. Positus’ Rights

Positus, as a technological infrastructure provider and BSP authorized by Meta, has the following rights:

Monitor the use of the Platform for security, audit, fraud detection, continuous improvement, and compliance with Meta’s policies.
Issue operational alarms and alerts when suspicious activities, failures, or security risks are identified.
Provide consumption dashboards and operational metrics for monitoring by the Client.
Authorization to provide WhatsApp and Meta with account data and metrics (WABA), as necessary for the operation of the service and compliance with contractual obligations with Meta.
Suspend or restrict access to the Platform in case of: non-compliance with these Terms of Use; violation of Meta’s policies; default exceeding 15 days; operational or security risk; excessive negative feedback from end users (SPAM complaints); court order or request from a competent authority.
Cancel or terminate the Licensing Agreement with 30 (thirty) days’ prior notice, without the need for justification (unmotivated termination), or immediately in case of serious non-compliance with contractual obligations by the Client.
Update functionalities, interfaces, APIs, and other components of the Platform for continuous improvement, bug fixing, adaptation to new regulations, or compliance with Meta’s requirements.
Change prices, commercial conditions, and plans due to variations imposed by Meta or currency variations, upon 30 days’ prior notice.
Pass on to the Client costs arising from unilateral changes in Meta’s pricing policy, new fees instituted, or significant currency variations.
Retain intellectual property rights over the Platform, APIs, software, technical documentation, and any technological components developed by Positus.
Verify the identity of those who use or register on the Platform or on its institutional website, in order to prevent improper use by minors under 18 (eighteen) years of age. If document falsification is found, under applicable criminal legislation, Positus will take the appropriate legal measures.

11.2. Positus’ Obligations

Positus undertakes to comply with the following obligations for the adequate provision of the service:

Provide technological infrastructure compatible with market standards for the operation of the Platform.
Adopt appropriate technical and organizational measures for the protection of personal data and information security, in accordance with the LGPD and best market practices.
Process personal data exclusively in accordance with the Client’s (Controller’s) instructions, respecting the principles and guidelines of the LGPD.
Notify the Client of relevant security incidents within 72 hours of discovery.
Provide technical support through the official channels made available (https://studio.posit.us/suporte), with service during business hours and an SLA (Service Level Agreement) as provided for in the Licensing Agreement.
Maintain an updated Status Page (https://status.positus.global) with information on availability, incidents, and maintenance.
Delete the Client’s data in accordance with the deadlines established in these Terms (3 months for conversation history; 30 days after termination for other data), except for legal retention obligations.
Cooperate with the Client in addressing the rights of personal data subjects, providing information and executing actions requested by the Controller.
Undertake commercially reasonable efforts to ensure the availability and performance of the Platform, without prejudice to the liability limitations provided for in these Terms.
Maintain Platform access records (logs) for security, audit, and compliance with the Brazilian Internet Civil Framework.
Respect the confidentiality of communications transmitted through the Platform, providing data only upon court order or request from a competent authority.

11.3. Limitations of Liability

Positus does not guarantee that the Platform will operate in an uninterrupted manner, free of errors, failures, or vulnerabilities, given:

Dependence on Meta’s (WhatsApp) infrastructure, over which Positus has no direct control.
Dependence on network connectivity provided by telecommunications operators and internet providers.
Dependence on systems and infrastructure maintained by the Client itself (webhooks, servers, applications).
Dynamic nature of technology and the impossibility of completely eliminating risks of bugs, vulnerabilities, or cyber-attacks.

In case of defects or inconsistencies in the operation of the Platform, Positus’ commitment is to undertake commercially reasonable efforts to remedy or remotely correct the failures with Facebook Inc., without guaranteeing resolution within a specified period.

Possible maintenance, updates, or instabilities may occur without prior notice, especially when determined by Meta or necessary for the emergency correction of security flaws.

Positus’ total liability for proven losses and damages, when applicable, is LIMITED to the equivalent of up to 3 (three) times the amount paid by the Client in the 12 (twelve) months prior to the damaging event, not covering loss of profits or indirect damages as provided for in the Licensing Agreement.

11.4. Liability Exclusions

Positus is exempt from any liability in the following cases:

Decisions and restrictions imposed by Meta:

Rejection of accounts (WABA), phone numbers, or message templates (HSM).
Banning, suspension, or limitation of accounts due to non-compliance with Meta’s policies.
Unilateral changes to Meta’s Terms of Use, policies, or prices.
Unavailability or technical failures of WhatsApp or Meta’s systems.

Client infrastructure issues:

Inconsistencies or defects in the Client’s equipment, connectors, software, interfaces, or network infrastructure.
Failures in the Webhook URL provided by the Client (not returning HTTP 200 OK).
Slowness, timeouts, or unavailability of systems maintained by the Client.

Improper use by the Client and linked users:

Negligence, malpractice, or recklessness of the Client or its agents in the use of the Platform.
Non-compliance with the instructions, recommendations, and technical guidelines provided by Positus.
Non-compliance with these Terms of Use or Meta’s policies.
Sending messages without an adequate legal basis, resulting in penalties imposed by Meta or the ANPD.

External events:

Acts of God or force majeure, including natural disasters, wars, large-scale cyber-attacks, pandemics, blackouts, cloud provider failures, etc.
Acts of unauthorized third parties, including hackers, crackers, or malicious agents.
Connection interruptions or suspensions resulting from network problems, telecommunications operators, or internet providers.

Data and history:

Loss of conversation history prior to migration to the API (irreversible technical limitation of WhatsApp).
Inability to revert a number from the API to conventional WhatsApp (irreversible technical limitation of WhatsApp).
Automatic deletion of history after 3 months (in accordance with the retention policy set forth in these Terms).

Third-party products and services:

Positus is not responsible for products, services, content, or policies of third-party platforms that may interface with the Positus Platform (including Meta, Facebook, WhatsApp). The Client and its Linked Users are reminded of the need to read, analyze, and accept the Terms of Use of these external platforms.

12. Guidelines on Rights and Responsibilities for the Linked User

12.1. Nature of Access

The Linked User accesses the Positus Platform exclusively to carry out their professional activities related to the Client company. The use of the Platform must take place strictly within the operational purposes defined by the Client and in accordance with its internal policies.

Access does not grant the User any autonomous right over the Platform, the data shared by the Client, functionalities, or integrations. Usage rights are limited to the permissions assigned by the Client through Positus Studio.

The User’s relationship with the Platform is derived from and subordinate to the contractual relationship between Positus and the Client. Termination of the Licensing Agreement or the User’s departure from the Client company implies automatic cessation of the right of access to the Platform.

The use of the Positus Platform by minors is prohibited, even when accompanied by their legal guardians, under penalty of liability for any damages caused to Positus or third parties.

POSITUS has the right to verify the identity of those who use or register on the website, with the objective of protecting the organization itself from improper use by persons under 18 years of age. It is warned that, in case of verification of document falsification, provided for in the Criminal Code, POSITUS will take the appropriate legal measures.

12.2. Linked User’s Rights

The Linked User has the right to:

Access the Platform within the permission limits defined by the Client.
Use the functionalities of Positus Studio and Positus Messenger necessary for carrying out their professional activities.
Receive guidance and support through the Client’s internal channels or, when authorized, directly from Positus’ support channels.
Operate in a secure and monitored environment, with adequate data protection measures.
Be informed about relevant changes to these Terms of Use that directly impact their activities.

12.3. Linked User’s Responsibilities

The Linked User assumes the following obligations when using the Platform:

Maintain absolute confidentiality regarding their access credentials (login and password).
Not share credentials with third parties, including other Client collaborators.
Immediately communicate to the Client or internal responsible parties any suspicion of improper use or unauthorized access.
Avoid using the Platform in insecure environments, untrusted public networks, or unauthorized devices.
Log out at the end of use, especially on shared devices.
Use the Platform exclusively for lawful purposes authorized by the Client.
Observe the operational and technical rules established in these Terms, especially the 24-hour window, the use of HSM templates, and SPAM policies.
Send messages correctly formatted and addressed to the appropriate recipients.
Verify content before sending, considering that messages cannot be deleted after being sent.
Be aware of the irreversibility of certain operational actions.
Process personal data exclusively for professional purposes authorized by the Client.
Not access, share, or use data beyond what is necessary for the performance of their duties.
Respect the privacy of data subjects (end users).
Observe requests for blocking or interruption of contact (opt-out) reported by end users.
Not request or record sensitive financial data (such as credit card number) through the Platform.
Not use data for personal or unauthorized purposes.
Not copy, store, or transfer data outside the company’s official systems without express authorization.

The User is directly responsible for:

All actions carried out with their access credentials.
The content of the messages sent, including texts, images, documents, videos, and other media.
The appropriate use of Platform functionalities.
Compliance with the Client’s internal policies and these Terms of Use.
The protection of personal data processed during the use of the Platform.

12.4. Express Prohibitions to the Linked User

The User is expressly prohibited from:

Sending unsolicited, abusive, inappropriate promotional messages, or messages that constitute spam.
Using the Platform for illicit, fraudulent, deceptive practices, or those that violate third-party rights.
Sending offensive, discriminatory, defamatory, obscene content, or content that violates the dignity of third parties.
Requesting or disclosing sensitive financial data (credit card numbers, banking passwords, etc.) through messages.
Using personal data for unauthorized purposes or in violation of the LGPD.
Sharing access credentials or allowing third parties to use their account.
Attempting to bypass the Platform’s security, authentication, or audit controls.
Performing reverse engineering, decompilation, or any attempt at unauthorized access to the systems.
Using the Positus Platform or the institutional website while being under 18 (eighteen) years of age, considering that the content is not intended for this audience, and Positus must be notified for the adoption of appropriate measures with the responsible Client.

12.5. Liability of the Linked User

Inappropriate, negligent, or willful use of the Platform may result in:

Suspension or revocation of access to the Platform by the Client.
Internal disciplinary measures applied by the Client, in accordance with human resources policies.
Civil and criminal liability, depending on the severity of the conduct and the damages caused.
Obligation to indemnify the Client and/or Positus for damages caused to third parties or penalties imposed by authorities.

Positus may, at the Client’s request or by court order, provide logs and records of the User’s activities for the purposes of investigation, audit, or liability.

13. Final Provisions

13.1. Amendments to the Terms of Use

Positus reserves the right to amend these Terms of Use at any time, in order to adapt to new Platform functionalities, regulatory changes, changes in Meta’s policies, or compliance improvements.

The amendments will be published on the Platform and communicated to the Client and Linked Users through:

Notification in Positus Studio, displayed upon first access after the update.
Communication sent to the Client’s registered email.
Publication on the Status Page (https://status.positus.global).

The updated version of the Terms of Use will enter into force 30 (thirty) days after publication, except for amendments arising from legal or regulatory requirements, which may have immediate effect.

Continued use of the Platform after the new Terms take effect constitutes tacit acceptance of the new Terms. If the Client or the Linked User does not agree with the amendments, they must immediately cease using the Platform and, in the case of the Client, exercise the right of contractual termination as per the Licensing Agreement.

The current version of these Terms of Use will always be available for consultation in Positus Studio and on the Positus institutional website https://positus.com.br.

13.2. Validity of Provisions

These Terms of Use have an indeterminate validity and may be amended at any time.

If any provision of these Terms of Use is considered invalid, illegal, or unenforceable by a competent judicial or administrative authority, such invalidity will not affect the other provisions, which will remain in full force and effect.

The parties undertake to replace the invalidated provision with another that, to the extent possible, produces equivalent economic and legal effects, respecting the parties’ original intent.

13.3. Data Subject Assistance

Positus, a company within the Robbu Group, has a designated team to handle inquiries on privacy, data protection, and the exercise of data subjects’ rights.

For matters related to personal data, the User or the Client may contact the Data Protection Officer (DPO) of Positus/Robbu through the following channels:

Email: dpo@robbu.global
Data Subject Request Form: https://robbu.global/formulario-de-atendimento-lgpd/

Considering that the Client is the Controller of the data relating to end users and linked users, data subject (user) requests must be directed primarily to the Client.

Positus, as Processor, will cooperate with the Client to the extent possible for compliance with legal obligations related to the rights of data subjects.

13.4. Applicable Law and Jurisdiction

These Terms of Use are governed and interpreted in accordance with the laws of the Federative Republic of Brazil.

The Court of the District of São Paulo/SP is hereby elected as the sole competent forum to resolve any disputes arising from these Terms of Use, with express waiver of any other, however privileged it may be.

13.5. Contact Information

For questions, suggestions, complaints, or requests related to these Terms of Use of the Positus Platform, the following channels are available:

Role	Email
Compliance Officer (CO)	compliance@robbu.com.br
Data Protection Officer (DPO)	dpo@robbu.global
Chief Information Security Officer (CISO)	dpo@robbu.global

São Paulo/SP, 2026.