We treat your data like a confidential project brief.
Privacy isn’t a checkbox for us—it’s the foundation of trust. This document outlines exactly what we collect, why we collect it, and how we protect it. No ambiguity, no hidden clauses. Just the clear terms required to build a professional relationship in Bogotá and beyond.
What We Gather
And Why It Matters
Identifiers
Name, email address, IP address, and device information when you initiate contact or subscribe to updates. Used exclusively for communication and site security.
Project Data
Briefs, brand assets, and business context provided during onboarding. This data is encrypted at rest and accessed only by authorized team members working on your engagement.
Usage Metrics
Anonymous analytics on how visitors navigate our site (e.g., page views, time on page). We use this to improve user experience, not to track individuals.
Financial Records
Invoices and payment details. Required for tax compliance in Colombia. Stored separately from project files and never shared with third parties.
We do not sell your data to advertisers or harvest information for resale. Our business model is project-based, not data-based.
International data transfers are secured via standard contractual clauses, ensuring compliance with European and Colombian regulations.
You hold the right to access, rectify, or delete your data at any time. A request takes us 48 hours to process, guaranteed.
Operational Trade-offs
Transparency vs. Friction
Downside: We manually review all data requests to verify identity, which can add 24 hours to the process.
Mitigation: We provide a secure portal for submissions to streamline verification and track status in real time.
Downside: We rely on external infrastructure (hosting, email) that may be subject to their own privacy policies.
Mitigation: We vet vendors for GDPR/CCPA compliance and list all sub-processors in our Cookie Policy.
Downside: Completed project data is archived for 5 years for legal and tax reasons, occupying storage.
Mitigation: Archives are strictly offline and air-gapped from the internet. Upon request, we can anonymize data earlier.
Downside: Strict consent rules may limit analytics accuracy initially.
Mitigation: We use a first-party, privacy-focused analytics provider that respects the Global Privacy Control signal automatically.
Questions for Your Due Diligence
Before You Partner
How is project data stored during active development?
We use encrypted cloud storage with two-factor authentication. Access is limited to the core team assigned to your project.
What happens to our data if we end the contract?
Upon contract termination, you may request a full export. We will permanently delete all files from our active systems within 30 days, unless legal retention applies.
Do you use my company’s branding in your portfolio?
Only with explicit written permission. We respect NDAs and can sign yours. Public case studies are anonymized unless you approve otherwise.
Are you compliant with international standards?
Yes. We align our practices with GDPR and CCPA principles, even though our physical operation is based in Bogotá.
Who has access to financial data?
Financial records are handled by our accounting team and stored in a separate, isolated environment. Designers never see invoice details.
What is your breach notification policy?
Immediate. You will be notified within 24 hours of any suspected breach, along with our containment steps and recommended actions.
How do you handle "Right to be Forgotten" requests?
Submit via email. We verify identity, then scrub PII from our live and backup systems within 30 days, excluding legal exceptions.
Specific Disclosures
Cookies and Tracking: We use a minimal set of essential cookies for site functionality (e.g., keeping your message draft safe if you navigate away). Analytics cookies are optional and require explicit consent via our banner. We do not use Facebook Pixels or cross-site tracking scripts.
Third-Party Processors: To operate, we share necessary data with functional providers. This includes our hosting provider (servers), email service (communications), and payment processor (invoicing). All are vetted for security standards (SOC 2 or ISO 27001 equivalent).
Children’s Privacy: Our services are directed to business professionals and are not intended for individuals under 16. We do not knowingly collect data from children.
Policy Updates: This policy may be updated to reflect changes in regulation or our operations. The date at the top indicates the last revision. Material changes will be communicated via email to active clients.