Details on the processing of personal data and the confidentiality of the information.
This Data Policy complements our Privacy Policy and provides detailed information about the technical and organizational security measures implemented to protect your personal data, international data transfers, procedures for exercising your rights, and any other matter related to data processing on our Platform.
[Company Name] is committed to protecting the privacy and confidentiality of all personal data you entrust to us, in compliance with applicable data protection laws and regulations.
For the purposes of this Data Policy, the following shall mean:
"Personal Data": any information relating to an identified or identifiable natural person ("the data subject"); an identifiable person is one whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
"Processing": any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination, or any other form of enabling access, matching or interconnection, restriction, erasure, or destruction.
"Data Controller": the natural or legal person that determines the purposes and means of processing personal data.
"Data Processor": the natural or legal person that processes personal data on behalf of the data controller.
"Data Subject": the natural person whose personal data are the subject of processing.
In the context of Ecuadorian legislation, the Organic Law on Protection of Personal Data (LOPDP), published in Official Gazette Supplement 459 of May 26, 2021, constitutes the main applicable regulation for the processing of personal data carried out through the Platform. The Superintendent of Personal Data Protection is the supervisory authority responsible for ensuring compliance with said law. Personal databases subject to processing will be registered with the Superintendent under the terms established in the LOPDP and its regulation.
We have implemented the following technical security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
Encryption in transit: all communications between your browser and our servers are encrypted using HTTPS/TLS (Transport Layer Security) protocol, ensuring that transmitted data cannot be intercepted or read by third parties during transmission.
Encryption at rest: sensitive data stored on our infrastructure is encrypted at rest using recognized encryption standards in the industry.
Telephone number anonymization: user telephone numbers are stored exclusively as HMAC-SHA256 hashes computed with a secret key. This means that the original telephone number cannot be recovered from the stored hash, not even by our employees or service providers. Encryption keys are rotated periodically and stored securely.
Access control: access to systems that process or store personal data is restricted according to the principle of least privilege. Only authorized personnel have access to the data necessary to perform their functions, and such access is recorded and audited periodically.
Logical data separation: each user's data is stored and processed in a logically separated manner, using unique keys and session identifiers that prevent cross-access between different users.
Rate limiting: we implement rate limits to prevent brute-force attacks and abusive use of the platform, including limits per IP address and per destination telephone number.
In addition to technical measures, we have implemented the following organizational measures: (a) internal data protection policies and procedures that all personnel must comply with; (b) periodic training for personnel on security best practices and data protection; (c) confidentiality and data protection agreements with all employees and contractors who have access to personal data; (d) security incident management procedures that include detection, containment, investigation, and notification; and (e) periodic security assessments and risk analysis.
The User is solely responsible for the personal data shared through the Platform and Services. You agree not to provide or make available to the Company any Personal Data containing: (a) social security numbers or other identification numbers issued by government agencies; (b) protected health information or data relating to health, medical history, physical or mental condition, or medical diagnosis or treatment; (c) health insurance information; (d) online account passwords; (e) financial account credentials; (f) tax return information; (g) payment card information subject to the Payment Card Industry Data Security Standard (PCI DSS); (h) personal data of minors under 16 years of age without verifiable consent; or (i) any other information considered special category personal data under applicable legislation (such as genetic data, biometric data, data relating to criminal convictions and offenses, or data relating to the sexual life or sexual orientation of a person).
If, despite this prohibition, you decide to share any of the aforementioned categories of data, such information will be treated under your sole responsibility and risk. The Company assumes no obligation or liability arising from the processing of such sensitive data voluntarily provided by the User in violation of this policy.
You are responsible for ensuring that you have the necessary authorizations and consents from third parties whose personal data you may share through the Services. You are also responsible for maintaining the confidentiality of your telephone number and your account information.
For the provision of Services, the Company may engage third-party service providers (hereinafter, "sub-processors") who process personal data on our behalf and under our instructions. All our sub-processors have been evaluated and selected according to data security and protection standards, and are subject to contracts requiring them to comply with obligations equivalent to those assumed by the Company in this Data Policy and our Privacy Policy.
The sub-processors currently authorized for processing Users' personal data are:
Upstash Inc. (United States): Redis database service. Processes anonymized conversation data (HMAC-SHA256 hash) for temporary storage of sessions and artificial intelligence agent memory.
OpenAI LLC. (United States): artificial intelligence service. Processes text messages, images, and audio shared by Users for the purpose of processing automatic responses, transcribing audio, and analyzing images. OpenAI has the Zero Data Retention policy enabled, meaning it does not use the data sent to train its models.
YCloud Pte. Ltd. (Singapore): WhatsApp Business API service. Processes telephone numbers and messages for the purpose of facilitating the sending and receiving of communications through WhatsApp.
Vercel Inc. (United States): web hosting service. Processes anonymized navigation data (hashed IP address, country of origin, browser type) for hosting, analytics, and performance monitoring.
The Company reserves the right to engage new sub-processors or replace existing ones. In the event of any change to our sub-processors, we will notify you through the Platform or through usual communication channels. If you object to the engagement of a new sub-processor for justified reasons related to the protection of your personal data, you may exercise your right to object by contacting us at [email@example.com]. In such case, we will evaluate your objection in good faith and, if it is founded, work to find a commercially reasonable solution.
For the provision of our services, your personal data may be transferred and processed in countries other than yours, including the United States and Singapore. Such transfers are made exclusively when necessary for the provision of the service and are based on adequate safeguards, such as:
Standard Contractual Clauses (SCC): we have entered into standard contractual clauses adopted by the European Commission with our service providers to ensure an adequate level of data protection.
Privacy frameworks: our providers based in the United States (Vercel, OpenAI, Upstash) comply with the EU-U.S. Data Privacy Framework, which the European Commission has recognized as providing an adequate level of protection.
You may request a copy of the applicable safeguards for international transfers by contacting us through the channels indicated in the contact section.
To exercise your rights of access, rectification, erasure, restriction, portability, and objection, you may submit a request through the following means:
Email: [email@example.com], indicating in the subject "Exercise of Data Protection Rights".
Contact form: through the form available on our Platform, selecting the "Personal Data" option as the reason for contact.
WhatsApp: sending a message to our contact number indicating your request.
To process your request, we may need to verify your identity before responding. We will respond to your request within a maximum period of one month from receipt, which may be extended by an additional two months if necessary, taking into account the complexity and number of requests.
In the specific case of data stored in our Redis infrastructure (conversation history and agent memory), deletion of your data can be requested through the WhatsApp agent using the command "Delete my data" or "Eliminar mis datos", which will trigger the complete deletion process of all your associated data.
In accordance with the Organic Law on Protection of Personal Data (LOPDP) of Ecuador, the ARCO rights (access, rectification, erasure/cancellation, and objection) will be exercised within the periods established by law. To exercise these rights, contact us at [email@example.com] indicating the right you wish to exercise. We will respond to your request within the 15-business-day period established in the LOPDP. If the request is complex or involves a significant volume of data, the period may be extended by an additional 15 business days, with prior notification to the data subject. If the request is denied, we will inform you of the reasons for the denial, and you may file a complaint with the Superintendent of Personal Data Protection.
Personal data is retained for the time strictly necessary to fulfill the purposes for which it was collected, according to the following specific periods:
Session history (Redis): 7 days from the last interaction. After this period, the conversation history is automatically deleted from our systems.
Agent persistent memory (Redis): 365 days from the last interaction. This memory includes user preferences and contextual data that the artificial intelligence agent has identified as relevant for improving the service experience.
Human handoff flag (Redis): 24 hours. When the AI agent hands over a conversation to a human agent, a timestamp is set that prevents the AI agent from responding automatically during that period.
Message deduplication (Redis): 1 hour. Unique identifiers of incoming messages are stored temporarily to avoid duplicate processing of messages.
Rate limits (Redis/memory): 30 seconds to 1 hour, depending on the type of limit. This data is automatically deleted when the limitation period expires.
Preference cookies: 1 year from configuration.
Phone cookie: 15 minutes from establishment.
Once the retention periods have elapsed, data is securely deleted through erasure or overwrite procedures that prevent subsequent recovery.
In the event that the User decides to stop using our Services and requests the cancellation of their data, we will delete all their personal data from our active systems within a maximum period of 30 days from receipt of the request, unless the law requires a longer retention period. After the applicable legal retention period has elapsed, remaining data will be securely deleted.
When the deletion of personal data contained in backups is not technically feasible within the specified period, we will maintain such data securely and delete it according to our scheduled backup deletion procedures, without using it for any other purpose during that period.
Notwithstanding the foregoing, the Company may retain any personal data necessary to comply with legal obligations, resolve disputes, or enforce our agreements. In such cases, data will be kept confidentially and will only be processed for the time and for the purposes required by applicable law.
Currently, in accordance with applicable legislation and the volume and nature of data processing carried out through this Platform, we are not required to designate a Data Protection Officer (DPO). However, any query related to the protection of your personal data can be directed to our privacy team via email at [email@example.com], and will be handled by internally designated responsible personnel.
In accordance with Article 31 of the Organic Law on Protection of Personal Data (LOPDP) of Ecuador, the data controller must designate a Data Protection Officer when: (a) the processing is carried out by a public entity; (b) the main activities of the controller or processor involve large-scale processing of personal data; or (c) the processing involves large-scale special categories of personal data. Based on the nature and volume of processing carried out through the Platform, and taking advantage of the exceptions provided by law, we are currently not required to designate a DPO. However, any query related to the protection of your personal data can be directed to our privacy team at [email@example.com].
This Data Policy may be updated periodically to reflect changes in our data processing practices, the technology used, or applicable legal requirements. We will notify you of any significant changes through the Platform or via email. The date of the last update is indicated at the beginning of this document. We recommend that you review this page periodically to stay informed about how we protect your data.
If you have any questions, comments, or concerns about this Data Policy or about the processing of your personal data, you can contact us through the following channels:
Email: [email@example.com]
WhatsApp: through the number available on our Platform
Contact form: available in the contact section of the Platform
We will respond to all requests and queries as soon as possible, and in no case exceeding the maximum period established by applicable legislation.