Privacy Policy
Last updated: April 12, 2026
1. Data Controller
cepaos LLC, a limited liability company incorporated in the State of Wyoming, United States, is the data controller for personal data collected through the cepaos platform ("the Platform").
- Contact email: privacidad@cepaos.com
- Data Protection Officer: dpo@cepaos.com
EU Representative (Art. 27 GDPR): The designation of an EU representative is in progress. Until appointment, data protection inquiries from EU residents may be directed to privacy@cepaos.com.
2. Personal Data We Collect
2.1 Data Provided by the User
- Full name and role
- Email address
- Phone number (optional)
- Organization name, tax ID (CUIT/NIF), and fiscal address
- Billing information and payment methods (processed by dLocalGo)
- Account profile data and preferences
2.2 Automatically Collected Data
- IP address and approximate geolocation data
- Browser type and operating system
- Pages visited, time on page, and navigation flows
- Device identifiers and cookies (see Cookie Policy)
- Access logs and security logs
2.3 Organization Data
The User may enter operational data about their organization (inventories, lots, production processes, commercial data). This data is processed in accordance with the Terms and Conditions and the applicable Master Service Agreement. cepaos treats such data as confidential Client information.
3. Legal Bases for Processing
We process personal data on the following legal bases:
- Contractual performance: to provide the contracted service and manage the User's account.
- Consent: for marketing communications, non-essential analytics, and optional cookies. Consent may be withdrawn at any time.
- Legitimate interest: to improve platform security, prevent fraud, and generate aggregated analytics.
- Legal obligation: to comply with tax obligations, accounting records, and requests from competent authorities.
4. Purposes of Processing
- Provide and maintain the Platform service
- Manage the account, authentication, and access controls
- Process payments and billing through dLocalGo
- Send operational and security notifications
- Provide technical support to the User
- Improve the Platform through aggregated and anonymized analytics
- Comply with legal and regulatory obligations
- Prevent fraud and ensure Platform security
- Send marketing communications (with consent only)
5. Data Sharing
cepaos does not sell personal data. We share data only with:
5.1 Subprocessors
- Supabase — Database and authentication (US-East region)
- Cloudflare — CDN, DDoS protection, and hosting
- dLocalGo — Payment processing
- Resend — Transactional email delivery
- Upstash — Cache and rate limiting (Redis)
- Sentry — Error monitoring
- PostHog — Product analytics (with consent)
5.2 Authorities
We may disclose personal data when required by court order, request from a competent authority, or when necessary to protect the rights, property, or safety of cepaos, our users, or the public.
6. International Transfers
Personal data may be transferred to countries outside the User's jurisdiction, including the United States. We apply the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfer impact assessments where applicable
- Data Processing Agreements (DPA) with all subprocessors
- Encryption in transit (TLS 1.3) and at rest (AES-256)
7. Data Retention
- Account data: during the subscription term plus 30 days after cancellation.
- Billing records: 10 years (legal tax obligation).
- Security logs: 12 months.
- Analytics data: 24 months in aggregated and anonymized form.
- Backups: deleted within 90 days after the original data is deleted.
8. Security
We implement technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-tenant isolation with Row Level Security (RLS) in PostgreSQL
- Secure token-based authentication via Supabase Auth
- Rate limiting and brute-force attack protection
- Continuous security monitoring and automated alerts
- Role-based access control (RBAC)
- Periodic security audits
9. Data Subject Rights
Under applicable law, the User has the following rights:
- Access: request a copy of personal data we hold.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of personal data.
- Portability: receive data in a structured, machine-readable format (CSV, JSON).
- Objection: object to processing based on legitimate interest.
- Restriction: temporarily restrict processing in certain cases.
- Withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact privacidad@cepaos.com. We will respond within 30 business days of receiving the request.
10. Jurisdiction-Specific Compliance
GDPR European Union / European Economic Area
For users in the EU/EEA, cepaos complies with the General Data Protection Regulation (GDPR). Legal bases: Articles 6(1)(a) consent, 6(1)(b) contractual performance, 6(1)(c) legal obligation, 6(1)(f) legitimate interest. Transfers outside the EEA are carried out using Standard Contractual Clauses (SCCs). The User has the right to lodge a complaint with the supervisory authority in their country of residence.
LGPD Brazil
For users in Brazil, cepaos complies with the Lei Geral de Proteção de Dados (LGPD). The User may exercise the rights provided in Article 18 of the LGPD. Consent is required pursuant to Article 7 of the LGPD. Complaints may be filed with the ANPD (Autoridade Nacional de Proteção de Dados).
CCPA/CPRA California, United States
For California residents, cepaos complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). cepaos does not sell or share personal data as defined by the CCPA/CPRA. California residents have the right to know, delete, and opt out of the sale of personal data. To exercise these rights: privacidad@cepaos.com.
POPIA South Africa
For users in South Africa, cepaos complies with the Protection of Personal Information Act (POPIA). The Information Officer can be contacted at dpo@cepaos.com. Complaints may be filed with the Information Regulator.
Ley 25.326 Argentina
cepaos complies with Ley 25.326 on Personal Data Protection and its Regulatory Decree 1558/2001. The data subject may exercise the rights of access, rectification, and deletion provided in Articles 14, 16, and 17 of the law. The Agencia de Acceso a la Información Pública (AAIP) is the supervisory authority. RNBD Registry: XXXX.
11. Minors
The Platform is intended exclusively for commercial operations (B2B) and does not intentionally collect data from individuals under 18 years of age. If we become aware that we have collected data from a minor, we will delete it immediately.
12. Changes to this Policy
cepaos may update this Privacy Policy periodically. Users will be notified of changes at least 30 days in advance by email and/or notice on the Platform. The date of the last update is indicated at the beginning of this document.
13. Contact
For privacy and data protection inquiries:
- Privacy: privacidad@cepaos.com
- DPO: dpo@cepaos.com
- cepaos LLC — Wyoming, United States
This document does not constitute legal advice.