Personal Data Protection Policy

This Personal Data Protection Policy describes how PACUSOFT S.A.S. (“Pacunex”) processes personal data in accordance with the Organic Law on Personal Data Protection of Ecuador (LOPDP) and its secondary regulations.

This policy complements our Privacy Policy, Data Deletion Policy and Terms of Service.

1. Controller identification

• Legal name: PACUSOFT S.A.S.
• Brand: Pacunex
• Address: Quito, Ecuador.
• Website: https://www.pacunex.com
• Privacy email: privacidad@pacusoft.com
• General email: info@pacusoft.com

2. Applicable legal framework

• The Organic Law on Personal Data Protection of Ecuador (Official Registry Supplement 459, May 26, 2021).
• Its General Regulations and other secondary regulations.
• The resolutions and guidelines issued by the Superintendency of Personal Data Protection of Ecuador.

3. Pacunex has two distinct roles

LOPDP distinguishes between the Controller (who decides what data is processed and for what purpose) and the Processor (who processes data on behalf of the Controller). Pacunex operates in both roles, depending on the case:

3.1 Pacunex as Controller

• Data of website visitors (browsing, contact forms).
• Data of contact persons of Customer organizations (name, email, role, phone) who administer the account or have a commercial relationship with us.
• Billing and accounting data.

3.2 Pacunex as Processor

Pacunex is the Processor of data that Customer organizations upload or process on the platform. That data belongs to the Customer, who is the Controller. Pacunex processes it only under the Customer’s instructions, in the terms of the Data Processing Agreement (DPA) each Customer accepts when contracting the service.

The details of the Processor role are developed in the Data Processing Agreement which is part of the Terms of Service.

4. Categories of personal data we process

As Controller

• Identifying data: name, email, phone, role, company.
• Technical data: IP address, user agent, browsing logs.
• Commercial data: contact history, expressed interests, proposals sent.
• Accounting data: invoicing, tax records.

As Processor (processed on behalf of the Customer)

• The data the Customer chooses to upload and process with the platform. These categories are determined by each Customer and specified in their Data Processing Agreement.

Sensitive data: Pacunex does not request or process sensitive data (health, ideology, sexual orientation, biometrics, etc.) as Controller. If a Customer uploads sensitive data to the platform, they do so under their exclusive responsibility and with the corresponding legal basis.

5. Processing purposes

• Provide the service to Customer organizations.
• Respond to inquiries, requests and communications from visitors and prospects.
• Administer and manage Customer accounts.
• Comply with legal, tax and accounting obligations.
• Detect, prevent and investigate fraud and abuse of the service.
• Improve the service through aggregated analyses that do not allow identification of individuals.
• Communicate maintenance, incidents and operational updates.

We do not use personal data we process as Processor to train general AI models or Pacunex models.

6. Legal bases for processing

• Consent of the data subject: when the data subject provides data voluntarily (forms, WhatsApp conversation, newsletter).
• Performance of a contract: to sustain the operation of the service with the Customer.
• Compliance with a legal obligation: tax, accounting records and responses to formal requests from authorities.
• Legitimate interest: fraud prevention, service security and operational communications, balanced against the data subject’s rights.

7. Retention

We retain personal data for as long as needed to fulfill the processing purposes and applicable legal obligations. As a reference:

• Anonymous visitor data: up to twelve months.
• Forms and prospects without conversion: up to twenty-four months, unless a prior deletion request is received.
• Active Customer accounts: for the duration of the contract.
• Accounting and tax data: as required by Ecuadorian law.
• Data processed as Processor: as agreed with each Customer in their Data Processing Agreement.

At the end of the period, we delete or anonymize the data.

8. Sub-processors and vendors

To provide the service we rely on technology vendors. Categories are:

• Cloud infrastructure (hosting, database, storage).
• WhatsApp Business messaging channel (Meta Platforms).
• AI models.
• Transactional email.
• Payment gateway.

The current and up-to-date list of sub-processors is published at /legal/subprocesadores.

Any addition or material change of sub-processor is announced with at least thirty days of advance notice. When Pacunex acts as Processor, the Customer can object on reasoned grounds within that period.

9. International data transfers

Some of our sub-processors operate infrastructure outside Ecuador, primarily in the United States and in European Union countries. These transfers are made under:

• Contractual clauses ensuring a level of protection equivalent to that required by LOPDP.
• Adequacy decisions, when applicable.
• Consent of the data subject, when that is the applicable legal basis.

10. Data subject rights

LOPDP recognizes the following rights to personal data subjects. When Pacunex acts as Controller, subjects can exercise them with us:

• Access: know what personal data we have and how we process it.
• Rectification: ask us to correct inaccurate or incomplete data.
• Deletion (or erasure): ask us to stop processing and delete the data.
• Objection: object to specific processing on legitimate grounds.
• Portability: receive the data in a structured format and transfer it to another controller.
• Not be subject to automated decisions: request human intervention when an automated decision significantly affects them.
• Consultation: access the National Registry of Personal Data Protection when it is operational.

How to exercise rights

• If Pacunex is the Controller of your data (you signed up, filled out a form, are a contact person of a Customer): write to privacidad@pacusoft.com indicating which right you are exercising.
• If Pacunex is the Processor of your data (you interacted with a Pacunex Customer company): the rights are exercised before the Customer company, which is the Controller. If you need assistance to locate them, write to us.

We respond within the timeframes set by LOPDP. For the right of access, the general period is fifteen days.

11. Security measures

We apply reasonable technical and organizational measures, proportional to the state of the art, to the scope of processing and to the risks for data subjects:

• Encrypted connections between users and our services.
• Encrypted storage of credentials and sensitive data.
• Data isolation per Customer organization.
• Role-based and least-privilege access control.
• Audit logs of sensitive actions.
• Internal procedures for incident detection and management.
• Periodic team training on data protection.
• Periodic review of security measures.

Specific technical measures evolve according to platform maturity and industry best practices.

12. Incident notification

When we detect an incident that may affect personal data, we follow an internal procedure for assessment and containment. We notify the Superintendency of Personal Data Protection and affected data subjects without undue delay when we are required to do so, in accordance with LOPDP.

13. Data of minors

Our services are intended for businesses and adults. We do not intentionally request or collect personal data from minors under fifteen years old, the age set by Article 10 of LOPDP for autonomous consent by adolescents. If we detect processing of a minor’s data without parental or representative authorization, we delete it.

14. Cookies and similar technologies

Our website uses strictly necessary cookies for site functionality and, optionally, analytical cookies to understand site usage. Full details are published at /legal/cookies. You can configure or disable them from your browser or from the consent banner.

15. Data Protection Officer

When formally appointed, name, role and contact will be indicated. LOPDP requires a Data Protection Officer in organizations that process data at scale or sensitive data systematically.

Meanwhile, the formal channel for privacy and data protection matters is privacidad@pacusoft.com.

16. Modifications

This policy may be modified to reflect legal, operational or best practice changes. Material modifications are notified at least thirty days in advance to Customer organizations and are published on this site. The “Last updated” date at the beginning indicates the current version.

17. Contact

• Privacy and data protection: privacidad@pacusoft.com
• Security: seguridad@pacusoft.com
• General information: info@pacusoft.com
• Web: https://www.pacunex.com
• Address: Quito, Ecuador.

Supervisory authority: Superintendency of Personal Data Protection of Ecuador.