1. What is Nolan
Nolan is Robricks' internal conversational assistant running on Telegram. It processes information from team members' Google Workspace accounts (@robricks.cl) and from those who interact with these accounts, to assist with operational tasks: reading and sending emails, managing calendars, searching and uploading files in Drive, generating formatted documents, and answering team-context questions.
2. Applicable legal framework
- Chilean Law No. 19.628 on the Protection of Private Life (in force)
- Chilean Law No. 21.719 on Personal Data Protection (fully effective December 2026)
- Chilean Law No. 19.799 on electronic signature and certification services
- Chilean Law No. 19.223 (amended by Law No. 21.459) on computer crimes
- Chilean Labor Code art. 5, 154 bis and 289
- EU Regulation 2016/679 (GDPR) — applicable indirectly via SCCs with Google
3. Personal data processed
| Category | Source | Purpose | Legal basis |
|---|---|---|---|
| Telegram messages (text, sent photos) | User | Assistant operation | Consent (L.21.719 art. 12) |
| Emails sent/received via @robricks.cl | Google Workspace via DWD | Search, drafting, indexing in Brain | Consent + employment contract |
| Corporate Drive files | Google Workspace via DWD | Search, indexing in Brain, PDF generation | Consent + employment contract |
| Google Calendar events | Google Workspace via DWD | Listing, creation, updates, notifications | Consent + employment contract |
| Google Meet automatic transcripts | Google Workspace | Indexing in Brain for "what was discussed?" questions | Consent + notice to participants |
| Telegram identifier, language, preferences | User | Personalization (timezone, quiet hours) | Consent |
| Security audit logs | System | Defense against attacks, evidentiary value | Legitimate interest (L.21.719 art. 13 g) |
| Embeddings (vector representation of fragments) | Vertex AI | Semantic search with RBAC | Consent + legitimate interest |
4. Categories explicitly excluded from processing
Nolan does not index, store, or make queryable:
- Emails with subject [PRIVADO], [PERSONAL], [CONFIDENCIAL] or [PRIVATE]
- Emails from senders in trade union, AFP, Isapre, Fonasa, mutual insurance or lawyer domains
- Personal Gmail accounts (not @robricks.cl)
- Content of Drive folders whose name starts with _
- Sensitive data (health, racial origin, sex life, political/religious beliefs, union data — L.19.628 art. 2 g and L.21.719 art. 16) — classified and excluded by RBAC
5. Recipients and international transfers
- Google LLC (USA) — Workspace, Firestore, Vertex AI. Covered by Google Cloud DPA + Standard Contractual Clauses (Module 2 controller-processor).
- Anthropic PBC (USA) — only if the Claude module is explicitly activated. Currently disabled.
- Telegram FZ-LLC (UAE) — channel transport. No backend access to encrypted content.
- SerpAPI Inc. (USA) — flight search (only when the user requests it).
Chile has not issued an adequacy decision regarding the USA. The lawfulness of the transfer is supported by SCCs and by the data subject's express consent registered via /acepto.
6. Retention period
| Category | Retention |
|---|---|
| Chat history | 90 days |
| Audit log (security_audit + audit_chain) | 1 year in Firestore; 7 years in GCS Bucket Lock (Law 19.799 evidentiary value) |
| Brain v2 chunks | 2 years from last use; re-synchronized |
| OAuth tokens | Until revoked or 1 year unused |
| DSAR requests (dsr_requests) | 5 years (regulatory evidence) |
| Former employee data | Deleted within 30 days of termination |
7. Your rights (ARCOP+)
As a data subject you may exercise at any time:
| Right | How |
|---|---|
| Access (L.19.628 art. 12 / L.21.719 art. 13) | /mis_datos in Telegram — Nolan attaches a JSON with everything it stores about you |
| Rectification | Email contacto@robricks.cl indicating the data to correct |
| Cancellation / Erasure | /eliminar_mis_datos confirmar — deletes everything Nolan controls |
| Objection | /revocar_consentimiento — Nolan stops processing your data via DWD |
| Portability | The /mis_datos export is structured JSON, portable to other systems |
| Temporary pause (sick leave, vacation) | /pausa <days> — suspends indexing of your emails for N days |
Formal email request response time: 30 days (Law 21.719 art. 16).
8. Security
Nolan implements 8 active layers: rate limiting, fail-closed in production, prompt injection detection (17 patterns), audit with tamper-evidence via SHA-256 hash-chain, Fernet on-disk OAuth token encryption, secrets in GCP Secret Manager, VM hardening with fail2ban + UFW + auto-updates, CI gates with bandit + detect-secrets + pip-audit. Additionally, server-side RBAC by level (founders/accounting/general) in the knowledge base, automatic exclusion of sensitive categories, and PII redaction before indexing.
9. Breach notification
Any security incident compromising personal data will be notified to the affected data subject and to the Personal Data Protection Agency within 72 hours of detection.
10. Contact
Any question, complaint or request:
- Email: contacto@robricks.cl
- Telegram: /privacidad with the Nolan bot
11. Changes to this policy
Versioned by date. Any material change requires the data subject to issue a new /acepto in the bot.