Privacy Policy
Last updated: May 20, 2026
1. Data Controller
cepaos LLC, a limited liability company incorporated in the State of Wyoming, United States, is the data controller for personal data collected through the cepaos platform ("the Platform").
- Contact email: privacidad@cepaos.com
- Data Protection Officer: dpo@cepaos.com
EU Representative (Art. 27 GDPR): The designation of an EU representative pursuant to Article 27 of the General Data Protection Regulation is being formalised. Final contact details will be published within 14 days. In the meantime, data protection inquiries from EU residents may be directed to privacy@cepaos.com.
2. Personal Data We Collect
2.1 Data Provided by the User
- Full name and role
- Email address
- Phone number (optional)
- Organization name, tax ID (CUIT/NIF), and fiscal address
- Billing information and payment methods (processed by dLocalGo)
- Account profile data and preferences
2.2 Automatically Collected Data
- IP address and approximate geolocation data
- Browser type and operating system
- Pages visited, time on page, and navigation flows
- Device identifiers and cookies (see Cookie Policy)
- Access logs and security logs
2.3 Organization Data
The User may enter operational data about their organization (inventories, lots, production processes, commercial data). This data is processed in accordance with the Terms and Conditions and the applicable Master Service Agreement. cepaos treats such data as confidential Client information.
3. Legal Bases for Processing
We process personal data on the following legal bases:
- Contractual performance: to provide the contracted service and manage the User's account.
- Consent: for marketing communications, non-essential analytics, and optional cookies. Consent may be withdrawn at any time.
- Legitimate interest: to improve platform security, prevent fraud, and generate aggregated analytics.
- Legal obligation: to comply with tax obligations, accounting records, and requests from competent authorities.
4. Purposes of Processing
- Provide and maintain the Platform service
- Manage the account, authentication, and access controls
- Process payments and billing through dLocalGo
- Send operational and security notifications
- Provide technical support to the User
- Improve the Platform through aggregated and anonymized analytics
- Comply with legal and regulatory obligations
- Prevent fraud and ensure Platform security
- Send marketing communications (with consent only)
5. Data Sharing
cepaos does not sell personal data. We share data only with:
5.1 Subprocessors
The following providers process personal data on behalf of cepaos under data processing agreements (DPAs) and, where applicable, under the European Commission's Standard Contractual Clauses (SCCs) or via certification under the EU-U.S. Data Privacy Framework as the international transfer mechanism. See Sections 6 and 10 for more detail.
| Provider | Function | Location | Legal basis / mechanism |
|---|---|---|---|
| Stripe Inc. | Payment processor (non-LATAM) | United States | EU-U.S. DPF + SCCs + Stripe DPA |
| dLocal Pty Ltd | Payment processor (LATAM) | Uruguay | GDPR adequacy (EU Decision 2012) + DPA |
| Supabase Inc. | Database and authentication | US / EU | SCCs + Supabase DPA |
| Railway Corp. | Application hosting | United States | SCCs + Railway DPA |
| Cloudflare Inc. | CDN and DDoS protection | United States (global network) | EU-U.S. DPF + SCCs + Cloudflare DPA |
| Upstash Inc. | Cache and rate limiting (Redis) | United States | SCCs + Upstash DPA |
| Resend Inc. | Transactional email | United States | SCCs + Resend DPA |
| Sentry / Functional Software | Error monitoring | United States | SCCs + Sentry DPA |
| PostHog Inc. | Product analytics (with consent) | United States / EU | SCCs + PostHog DPA |
Data shared with Stripe (non-LATAM Users): admin email address, organisation name, Stripe Customer ID and Stripe PaymentMethod ID (tokenised). cepaos does not receive or store the card number.
Data shared with dLocal Go (LATAM Users): admin email address, customer identifier, and card token. cepaos does not receive or store the card number.
5.2 Authorities
We may disclose personal data when required by court order, request from a competent authority, or when necessary to protect the rights, property, or safety of cepaos, our users, or the public.
6. International Transfers
Personal data may be transferred to countries outside the User's jurisdiction, including the United States. We apply the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfer impact assessments where applicable
- Data Processing Agreements (DPA) with all subprocessors
- Encryption in transit (TLS 1.3) and at rest (AES-256)
7. Data Retention
- Account data: during the subscription term plus 30 days after cancellation.
- Billing records: 10 years (legal tax obligation).
- Security logs: 12 months.
- Analytics data: 24 months in aggregated and anonymized form.
- Backups: deleted within 90 days after the original data is deleted.
8. Security
We implement technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-tenant isolation with Row Level Security (RLS) in PostgreSQL
- Secure token-based authentication via Supabase Auth
- Rate limiting and brute force attack protection
- Continuous security monitoring and automated alerts
- Role-based access control (RBAC)
- Periodic security audits
9. Data Subject Rights
Under applicable law, the User has the following rights:
- Access: request a copy of personal data we hold.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of personal data.
- Portability: receive data in a structured, machine-readable format (CSV, JSON).
- Objection: object to processing based on legitimate interest.
- Restriction: temporarily restrict processing in certain cases.
- Withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact privacidad@cepaos.com. We will respond within one month of receiving the request (Art. 12 GDPR).
10. Jurisdiction-Specific Compliance
GDPR European Union / European Economic Area
For users in the EU/EEA, cepaos complies with the General Data Protection Regulation (GDPR). Legal bases: Articles 6(1)(a) consent, 6(1)(b) contractual performance, 6(1)(c) legal obligation, 6(1)(f) legitimate interest. Transfers outside the EEA are carried out using Standard Contractual Clauses (SCCs). The User has the right to lodge a complaint with the supervisory authority in their country of residence.
LGPD Brazil
For users in Brazil, cepaos complies with the Lei Geral de Proteção de Dados (LGPD). The User may exercise the rights provided in Article 18 of the LGPD. Consent is required pursuant to Article 7 of the LGPD. Complaints may be filed with the ANPD (Autoridade Nacional de Proteção de Dados).
California, United States — Your California Privacy Rights
For California residents, cepaos complies with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). California residents have the following rights:
- Right to Know what personal information is collected, used, shared, or sold (Cal. Civ. Code §§ 1798.110, 1798.115).
- Right to Delete personal information held by businesses (§ 1798.105).
- Right to Correct inaccurate personal information (§ 1798.106).
- Right to Opt-Out of Sale or Sharing of personal information (§§ 1798.120, 1798.121).
- Right to Limit Use of Sensitive Personal Information (§ 1798.121).
- Right to Non-Discrimination for exercising these rights (§ 1798.125).
Do Not Sell or Share My Personal Information. California residents may exercise their right to opt out of the sale or sharing of their personal information at any time by visiting /legal/do-not-sell or by emailing privacidad@cepaos.com. cepaos will honor opt-out requests within 15 business days as required by CPRA regulations.
We do not knowingly sell or share the personal information of consumers under 16 years of age. The Platform is exclusively intended for B2B commercial operations and does not target minors.
POPIA South Africa
For users in South Africa, cepaos complies with the Protection of Personal Information Act (POPIA). The Information Officer can be contacted at dpo@cepaos.com. Complaints may be filed with the Information Regulator.
Ley 25.326 Argentina
cepaos complies with Ley 25.326 on Personal Data Protection and its Regulatory Decree 1558/2001. The data subject may exercise the rights of access, rectification, and deletion provided in Articles 14, 16, and 17 of the law. The Agencia de Acceso a la Información Pública (AAIP) is the supervisory authority. AAIP RNBD registration in progress — official number pending (File No. 291, dated 03/29/2026).
11. Minors
The Platform is intended exclusively for commercial operations (B2B) and does not intentionally collect data from individuals under 18 years of age. If we become aware that we have collected data from a minor, we will delete it immediately.
12. Changes to this Policy
cepaos may update this Privacy Policy periodically. Changes will be notified at least 30 days in advance by email and/or notice on the Platform. The date of the last update is indicated at the beginning of this document.
13. Contact
For privacy and data protection inquiries:
- Privacy: privacidad@cepaos.com
- DPO: dpo@cepaos.com
- cepaos LLC — Wyoming, United States
These terms may be updated from time to time. The current version is the one published at cepaos.com. For legal inquiries, contact legal@cepaos.com.