Introduction

1.1. Through this document, “PIXSOLUTION,” as the owner of this Website and the application called “HAPPOIN” (hereinafter, the “APPLICATION”), informs you of its personal data protection policy so that you can freely and voluntarily decide whether you wish to provide HAPPOIN with the Personal Data that may be requested or obtained on the occasion of your visit to any of the HAPPOIN.com Websites.

1.2. PIXSOLUTION reserves the right to modify this Privacy Policy to adapt it to new legislative or jurisprudential developments, as well as to industry/consumer practices. In such cases, PIXSOLUTION will update this page with the changes introduced. Certain services/functionalities of the HAPPOIN Websites and Application may contain specific conditions with specific provisions regarding the Protection of Personal Data. For example, the use/integration of the APPLICATION with messaging, contact, and social media applications implies responsible and legal use by the user, always respecting the principles and legal bases for data processing recognized in Law 81 of 2019 of the National Transparency and Access to Information Authority (ANTAI) in the Republic of Panama.  

2. Responsible for the Processing

2.1. Identification:

  • Company Name: PixSolution S.A.
  • Tax ID: 2626225-1-837390 DV 91
  • Registered Address: Calle 60, P.H Obarrio 60, Piso 14, Oficina 14-C, Obarrio, Panama.
  • Main Website: happoin.com
  • Contact Email: [email protected]
  • Contact Phone: (+507) 8336288

2.2. PIXSOLUTION, as the data controller, informs you that your personal data will be processed in accordance with the provisions of Law 81 of 2019 of the Republic of Panama.

3. Information and Data Processed

  • Identification Data: Name and surname, and contact information (address, phone number, and email address).
  • Payment Information: Payment method details and other information required to complete the license purchase process and its maintenance/management.
  • User-Generated Data: Data uploaded to the APPLICATION by the user for their own use.

4. Planned Processing Operations

4.1. HAPPOIN will collect and process your data in the following situations:

  • When you browse this Website through cookies.
  • When you interact with us on social media, blogs, etc.
  • When you contact us through other means such as phone, email, postal mail, or fax.
  • When you fill out a form on this Website or participate in a survey.
  • When you register to use any of our additional services/demos, trials, etc.
  • When you purchase a free trial of the APPLICATION.
  • When you download our mobile application available for Android and iOS.
  • When you purchase a Usage License for the APPLICATION through payment, we will request a series of billing data, credit card number or account number, always provided by the CUSTOMER, for the management of your account.

4.2. For technical and security reasons, our Websites, the APPLICATION, and the associated services and functionalities may use technologies that allow us to monitor usage, detect potential technical errors or incidents, collect information on usage patterns, or the operating system or environment in which they are used.

5. Planned Processing Purposes

The data we collect in the various processing operations mentioned above is used for:

  • Responding to Inquiries: Answering your questions, doubts, or concerns, and processing your orders, including payment transactions.
  • Service Improvement: Maintaining and improving our application or services you have requested, as well as providing customer support.
  • Evaluation and Improvement: Conducting surveys to evaluate and improve our web content, application, and services to offer a better experience.
  • Marketing Communications: Sending electronic commercial communications about our application and related services that you have previously requested.
  • Information and Updates: Managing and sending information about updates, improvements, latest news, and personalized information tailored to the service you maintain with us or that may be of interest to you based on your customer profile.
  • WhatsApp Integration: The integration with WhatsApp will be used strictly to provide our automatic notification service and our ChatBot service. We will not store or use private conversations.
  • Rights Exercise: Responding to the exercise of rights recognized by Law 81 of 2019 of the National Transparency and Access to Information Authority (ANTAI) in the Republic of Panama.
  • Job Applications: Managing potential job applications/CVs received for open selection processes at HAPPOIN.

6. Personal Data We Process

6.1. When Filling Out Our Registration Form:

6.2. In the aforementioned form, you may provide, among other things, the following personal data:

  • Your name, surname, and contact information (address, phone numbers, and email address).
  • Other contact information and preferences.

6.3. If you provide us with your personal data, it must be accurate, and you must notify HAPPOIN of any changes. You are responsible for the accuracy and correctness of the data provided at all times. The person who provides their personal data to HAPPOIN declares to be of legal age and is fully responsible for this declaration.

7. Description of Processing Activities

7.1. Marketing Communications: Sending commercial communications by email, SMS, WhatsApp, social media, or any other electronic or physical means, present or future, that enables commercial communications. These electronic commercial communications will be made by the Data Controller and will be related to the APPLICATION’s services, our partner companies, or suppliers with whom we have reached a promotional agreement. In this case, these third parties will never have access to your personal data, unless it is strictly necessary to manage the application service/maintenance and, if applicable, contracted use.

7.2. User Requests: Processing requests or any type of request made by you regarding the services offered by HAPPOIN through any of the contact channels made available to you.

7.3. Data Stored During Your Visit: When you access any of the HAPPOIN Websites, our web servers generally store, among other data, information about the browser and operating system you use, the website from which you visit us, the pages you visit on our website, and the date of your visit. For security reasons (e.g., to detect potential attacks on our Website), the IP address assigned to you by your Internet service provider is also stored for a period of seven days. With the exception of the IP address, personal data is only stored if you provide us with this information, for example, during registration, a survey, customer registration, or a commercial promotion. HAPPOIN uses your personal data for the technical administration of the APPLICATION, customer management, conducting surveys on services, and marketing tasks, only to the extent necessary and always with prior notification to the data subject.  

7.4. Newsletter Subscription: In the case of subscribing to any of our informative newsletters, present or future, as informed, you give your consent to the use of your personal data for sending advertising or carrying out other marketing actions. This data will be stored and used for such purposes, such as sending newsletters, news about the APPLICATION and its functionalities, through communication channels such as email, postal mail, or any other channel you have authorized. We may use your data to create and maintain your profile to send you personalized information about advertising campaigns or promotions. We may also use the data you provide to analyze and improve the effectiveness of our Website services, advertising, marketing, market research, and commercial activities.  

7.5. CV Submission by Candidates: In the case of submitting a CV by a candidate through our Website or to our contact email ([email protected]), the candidate authorizes HAPPOIN to analyze the documents submitted, all content that is directly accessible through search engines (Google), profiles maintained on professional social networks such as LinkedIn or similar, data obtained from access tests, and information revealed in the job interview, with the aim of evaluating their candidacy and, if applicable, offering them a position. If the candidate is not selected, HAPPOIN may keep their CV stored to incorporate it into future calls, unless the candidate expresses otherwise through any of the aforementioned channels.

8. Data Retention Criteria

8.1. The data provided will generally be retained as long as there is mutual interest in maintaining the purpose of the processing. When it is no longer necessary for this purpose, it will be deleted with appropriate security measures to guarantee the pseudonymization of the data or the total destruction of the same.  

8.2. In particular, the personal data provided by you will be retained for the period determined based on the following criteria:

  • Legal obligation to retain data.
  • Duration of the contractual relationship and attention to any liabilities arising from this relationship.
  • Request for deletion by the data subject in cases where applicable.

9. Data Communication

HAPPOIN may transfer your personal data to:

  • Service Providers: Companies and entities that HAPPOIN has contracted to provide services, such as hosting, marketing services, market analysis, and information society services.
  • Third-Party Service Providers: To provide the service to HAPPOIN’s CUSTOMER, specific services may be outsourced to third-party providers. These subcontractors may be external providers both within and outside the Republic of Panama. HAPPOIN guarantees that all subcontractors comply with the obligations and requirements assumed by HAPPOIN in its Data Access Agreement; specifically, that their level of data protection complies with the standard required by relevant data protection laws. If a jurisdiction is outside the Republic of Panama, a specific agreement is established between HAPPOIN and the subcontractor to ensure that they will maintain all personal data according to the requirements of the applicable data protection laws of the Republic of Panama. The subcontractors that HAPPOIN uses for the optimal operation of the application are:
  • Requested Sharing: Companies or other organizations to which you have requested or agreed that we may share your personal data.
  • Professional Service Providers: Professional service providers such as lawyers, attorneys, notaries, registrars, or other similar professionals in certain cases.
  • Public Authorities: Public bodies, courts, regulators, and other administrative authorities when we consider it necessary to comply with a legal or regulatory obligation, or otherwise to protect ourselves from claims against us or third parties, or the safety of individuals, as well as to prevent, or otherwise combat, fraud or for security or protection reasons.  
  • Business Transfers: Any third party that purchases or to whom we transfer all or a substantial part of our assets and business. In the event of such a sale or transfer, we will make all reasonable efforts to ensure that the entity to which we transfer your personal data uses it in accordance with this Privacy Policy.

In such cases, we will ensure that your data is used for appropriate purposes in accordance with this Privacy Policy and that the corresponding contracts or clauses for data processing (Standard Clauses) are signed, applying the same or similar security measures as those applied by HAPPOIN.  

10. Legal Basis for Processing

10.1. As a general rule, prior to processing personal data, HAPPOIN obtains the express and unequivocal consent of the data subject through the inclusion of informed consent clauses in the various information collection systems, use/download, and contracting of our APPLICATION, and based on a legitimate interest of the CUSTOMER.

10.2. However, the legal bases are as follows:

  • Contractual Necessity: When processing is necessary for the execution of the Usage License Agreement or the data is necessary within the framework of a pre-contractual relationship.
  • Legitimate Interest: When the use of your personal data is necessary to satisfy our legitimate interests or those of the companies with which we have shared your personal data.
  • Legal Obligation: When data processing is necessary to comply with the legislation/regulations governing the legal obligations of the sector in force at all times, including those related to the marketing of products and services, consumer and user protection, retail trade regulation, and other applicable regulations.  
  • Direct Marketing: In accordance with the provisions of the applicable Information Society Services regulations (LSSI), if there is a prior relationship in the context of the sale of an APPLICATION Usage License, the data may be used to send electronic commercial communications related to our application, unless you object to it in the manner provided for this purpose.
  • Vital Interest: When we consider it necessary to process your personal data to comply with a legal or regulatory obligation, or a vital interest.
  • Consent: When we have your consent, for example, to collect technical information such as cookie data and similar technologies as described in the “Cookie Use Policy” document, which you can consult at the following link: https://happoin.com/en/cookies/ enabled on this Website.  
  • Social Media: Acceptance of a contractual relationship within the context of the corresponding social network, and in accordance with its Privacy Policies in each case, when you visit any of our social profiles, which are detailed below:

English Translation: Recognized Rights

11. Recognized Rights

You have the following rights as a data subject:

  • Right of Access: You have the right to obtain confirmation from the company as to whether or not personal data concerning you is being processed. HAPPOIN will, where applicable, provide a copy of the personal data undergoing processing.  
  • Right to Rectification: You have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.  
  • Right to Erasure: You have the right to obtain, without undue delay, the erasure of inaccurate personal data concerning you. HAPPOIN will be obliged to erase such personal data without undue delay where one of the following grounds applies:
    • The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.  
    • The consent on which the processing is based is withdrawn and there is no other legal ground for the processing.  
    • You object to the processing and there are no overriding legitimate grounds for the processing.  
    • The personal data has been unlawfully processed.
    • The personal data has to be erased for compliance with a legal obligation.  
    • Your personal data has been collected in relation to the offer of information society services to children (under 16 years of age).
  • Right to Restriction of Processing: Where the processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You have the right to obtain restriction of processing of your personal data in the following cases:
    • You contest the accuracy of the personal data, for a period enabling HAPPOIN to verify the accuracy of the personal data.
    • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.  
    • HAPPOIN no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims.
    • You have objected to processing pending the verification whether the legitimate grounds of HAPPOIN override your grounds.  
  • Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from HAPPOIN, where:
    • The processing is based on consent, and
    • The processing is carried out by automated means.
  • Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on public interest or legitimate interest of the controller. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the case of objection to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. Please note that whenever the legal basis for the processing of your data is your consent, you have the right to revoke such consent at any time and in any case, as easily as you gave it. You also have the right to lodge a complaint with the respective supervisory authority, the National Transparency and Access to Information Authority (ANTAI). For more information, you can visit their website at the following link: https://www.antai.gob.pa/ Finally, you have the right not to be subject to a decision by HAPPOIN based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar way.  

12. Mandatory or Optional Nature of the Information Provided

12.1. The data collected through any of the contact forms enabled on this Website, the data provided by you in connection with your participation in activities/events, promotions, etc. developed by HAPPOIN, or the data provided by you to manage the service relationship will be processed in accordance with the provisions of Law 81 of 2019 of the National Transparency and Access to Information Authority (ANTAI) in the Republic of Panama.

12.2. By checking the corresponding boxes and entering data in the different fields marked with an asterisk (*) in the contact forms or presented in paper forms, you expressly and freely accept that your data is necessary to attend to your request by HAPPOIN, and the inclusion of data in the remaining fields is voluntary. You guarantee that the personal data provided is accurate and are responsible for communicating any modifications to it.

12.3. HAPPOIN informs you and expressly guarantees that your personal data will not be transferred to any third party under any circumstances and that, whenever it intends to make any transfer in the future, your express, informed, and unequivocal consent will be requested beforehand, informing you of the transferee’s details and the purpose of the transfer. All data requested through the Website is mandatory, as it is necessary for the provision of optimal service. If all data is not provided, it is not guaranteed that the information and services provided will be fully tailored to your needs.

13. Security Measures

13.1. In accordance with the provisions of current regulations on personal data protection, and in particular Law 81 of 2019 of the National Transparency and Access to Information Authority (ANTAI), HAPPOIN is complying with all the provisions of the regulations for the processing of personal data under its responsibility, and with the principles described, by which they are processed lawfully, fairly, and transparently in relation to the data subject and are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.  

13.2. In any case, HAPPOIN has implemented sufficient mechanisms to:

  • Guarantee the confidentiality, integrity, availability, and permanent resilience of the systems and processing services.  
  • Restore the availability and access to personal data quickly in the event of a physical or technical incident.
  • Regularly verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented to guarantee the security of the processing.  
  • Pseudonymize and encrypt personal data, where applicable.

13.3. HAPPOIN guarantees that it has implemented appropriate technical and organizational measures to apply the security measures established in Law 81 of 2019 of the National Transparency and Access to Information Authority (ANTAI) in order to protect your rights and freedoms and has communicated the appropriate information to you so that you can exercise them. HAPPOIN has installed all the means and technical measures at its disposal to prevent the loss, misuse, alteration, unauthorized access, and theft of the Personal Data provided by you. However, you should be aware that security measures on the Internet are not infallible.  

13.4. The personal data incorporated into the Internal Processing Activity Register will be treated with the utmost confidentiality and security. The Data Controller may send commercial information related to APPLICATION NEWS and PROMOTIONS OFFERED BY HAPPOIN. In this case, the sender undertakes to indicate its advertising purpose when sending the information and to coordinate a simple, clear, and free system for the case in which you wish to stop receiving them.

13.5. The HAPPOIN application services contained/offered on the Website are intended exclusively for adults. In the event that any service, promotional activity, event, or similar is offered, in which the collection of Personal Data of minors may occur, HAPPOIN will always request parental consent for minors to access them and their Personal Data may be subject to automated processing as provided for in this notice on the Data Protection Policy.

13.6. As previously informed, the collection and automated processing of Personal Data aims to maintain the commercial relationship, if any, established with HAPPOIN, the management, administration, provision, expansion, and improvement of the services you decide to contract, register for, or use, the adaptation of these services to your preferences and tastes, the study of your use of the services, the design of new services for our application, the sending of service updates, and the sending, by traditional and electronic means, of commercial information about the application, our company currently and in the future.

14. HAPPOIN and Social Media

14.1. For what purposes will we process your personal data?

  • To answer your questions, requests, or petitions.
  • To manage the requested service, answer your request, or process your petition.
  • To interact with you and build a community of followers.

14.2. What is the legal basis for processing your data? The acceptance of a contractual relationship within the context of the corresponding social network, and in accordance with its Privacy Policies:

14.3. In all cases, HAPPOIN is responsible for processing the data of its followers, fans, subscribers, commentators, and other user profiles (hereinafter, followers). The processing 1 that HAPPOIN will carry out with this data will be, at most, what the social network allows for corporate profiles. Thus, HAPPOIN may inform its followers through any means allowed by the social network about its news, activities, and promotions. In no case will HAPPOIN extract data from social networks, unless your express consent is obtained for this purpose. When, due to the nature of social networks, the effective exercise of a follower’s rights is subject to the modification of their personal profile, HAPPOIN will assist and advise them to this end to the best of its ability.

15. Right to Information

Upon request, HAPPOIN will immediately inform you in writing, in accordance with applicable law, whether we have stored your personal data and what it is. If you are registered on this Website, we offer you the possibility of personally consulting your data and, if applicable, proceeding with its deletion, modification, and/or update.

16. HAPPOIN and Compliance

16.1. We inform you that for HAPPOIN, the protection of the data you entrust to us when contracting and contacting us is fundamental. Therefore, in accordance with Law 81 of 2019 of the National Transparency and Access to Information Authority (ANTAI) in the Republic of Panama, and as a description of the measures taken by HAPPOIN, we detail the following:

  • We have audited the data entry channels in the company and the application, and based on this identification, we have established the legal bases for the processing of the company’s data in each case.
  • We inform all visitors/clients/suppliers/employees regarding the processing of their data.
  • We have established specific channels to address potential requests for data subject rights, specifically the rights of access, rectification, erasure, restriction of processing, data portability, objection, and automated decision-making.
  • Regarding personnel, all employees and collaborators of HAPPOIN have signed a confidentiality and privacy document where they are also informed of the rules for using computer equipment, confidentiality measures, and the use of mobile devices.

16.2. Due to our volume of clients, it would be impossible to conclude individually signed agreements with all our clients (Data Controllers). Therefore, the acceptance of this Privacy Policy implies the conclusion of the data access agreement, in compliance with the provisions of Law 81 of ANTAI in the Republic of Panama. This data access agreement, which HAPPOIN assumes in its capacity as data processor, complies with the requirements stipulated in data protection regulations.

16.3. By contracting our application, you, as the Data Controller, agree that HAPPOIN acts as a data processor, as well as the obligations detailed in the data access agreement model available below in the following HAPPOIN Data Access Agreement.

Data Processing Agreement

1. Introduction. 1.1. Through this document, “PIXSOLUTION S.A.”, with registered office at Calle 60, P.H Obarrio 60, Floor 14, Office 14-C, Obarrio, Panama; with the contact email address for the purposes of this contract at [dirección de correo electrónico eliminada] and with RUC: 2626225-1-837390 DV 91 as the owner of the happoin.com Website and the application called “HAPPOIN” (hereinafter, the “APPLICATION”) informs all persons interested in obtaining a Use License of the APPLICATION of the conditions of Access to Personal Data derived from the use thereof, the simultaneous, full and express acceptance of which is essential to obtain the use license and for the subsequent use of the APPLICATION. 1.2. For the purposes of this document, the DATA CONTROLLER (hereinafter, the CONTROLLER) is considered to be the natural or legal person holding a Use License of the APPLICATION, the effective use of which may involve the processing of personal data owned by the CONTROLLER. 1.3. For the purposes of this document, the DATA PROCESSOR (hereinafter, the PROCESSOR) is considered to be the entity “HAPPOIN”, which grants the CONTROLLER a Use License of the APPLICATION. 1.4. The Use License Agreement of the APPLICATION formalized in this act between the parties entails a service provision by the PROCESSOR, consisting of the management of certain aspects of the CONTROLLER’s internal management to improve the channels of information and commercial management of its activity, which is regulated by the General Terms and Conditions of HAPPOIN to which the CONTROLLER declares having accessed on the website https://happoin.com/condiciones-generales/; and which may involve the processing of personal data owned by the CONTROLLER. 1.5. In order to comply with the provisions of Law 81 of 2019 of the National Transparency and Access to Information Authority (ANTAI) in the Republic of Panama, through this document, the acceptance of which by the CONTROLLER confers a contractual nature and is an integral part of the Use License Agreement of the APPLICATION formalized in a separate document, the access, by the PROCESSOR, to personal data owned by the CONTROLLER is regulated, subject to the following STIPULATIONS.

2. Object of the Processing Assignment. Through this contract, the CONTROLLER authorizes the PROCESSOR to process the personal data owned by the former, which is necessary to provide the service object of the Use License Agreement formalized in a separate document.

Specific Processing Activities:

  • Collection
  • Structuring
  • Extraction
  • Communication
  • Destruction
  • Encryption
  • Storage

3. Identification of the Information Affected. For the execution of the service provisions derived from the fulfillment of the object of this contract, the CONTROLLER makes available to the PROCESSOR the following information:

  • Data stored/dumped by the CONTROLLER when using the APPLICATION, such as: user data, employee data, supplier data, customer data, communications, notices, appointments, email management, contact agenda, and other similar information that the CONTROLLER loads into the system, whether its own or third-party.
  • Identification data [Name and Surname, ID Number, Social Security Number, Address, Phone Number, Signature/Fingerprint, Image/Voice]
  • Personal characteristics: Marital status, Age, Family data, Gender, Date and place of birth, Nationality, Language
  • Economic-financial and insurance data: Income, income tax, contracts, bank details, payroll economic data, credit cards
  • Category of data subjects: Customer data: customers, suppliers, collaborators, others, and Data hosted in the APPLICATION: as many categories as types of processing the CONTROLLER stores.

4. Duration. This contract will remain in effect while the PROCESSOR provides the CONTROLLER with the services regulated in the Use License Agreement of the APPLICATION. Once the aforementioned contract has been terminated, the PROCESSOR must delete the personal data and any copies in its possession.

5. Obligations of the PROCESSOR.

5.1. In general, to observe all the provisions, organizational and technical measures that may be necessary and to execute all acts required or simply recommended to strictly comply with the obligations incumbent upon it, in accordance with current legislation and industry best practices, as a DATA PROCESSOR of personal data owned by the CONTROLLER. 5.2. To access the personal data owned by the CONTROLLER and to use the personal data subject to processing, or those collected for inclusion, solely for the purpose of this assignment, always in accordance with the instructions provided by the CONTROLLER. In no case may it use the data for its own purposes. 5.3. Not to transfer or communicate, under any circumstances, the personal data owned by the CONTROLLER to third parties, nor even for the purpose of conservation, nor to allow any type of access to them by third parties. 5.4. To keep a written record of all categories of processing activities carried out on behalf of the CONTROLLER, with the minimum content established in Law 81 of 2019 of ANTAI. 5.5. Not to communicate personal data to third parties, unless expressly authorized by the CONTROLLER, in legally admissible cases. If the PROCESSOR must transfer personal data to a third country or an international organization, it shall inform the CONTROLLER of this legal requirement in advance, unless such right is prohibited for reasons of public interest. 5.6. To maintain the duty of confidentiality regarding the personal data to which it has had access by virtue of this contract, even after its object has ended. 5.7. To guarantee that personal data is processed only by those employees or, where applicable, collaborators and subcontractors whose intervention is necessary for the contractual purpose, who must have received the necessary training in data protection, guaranteeing the confidentiality of the data, and that the persons in their company or, where applicable, collaborators and subcontractors, who access them have also assumed this obligation expressly and in writing, together with the commitment to comply with the corresponding security measures. 5.8. To keep at the disposal of the CONTROLLER the documentation accrediting compliance with the obligation established in the previous section. 5.9. To assist the CONTROLLER in responding to the exercise of the rights of: * Access, rectification, erasure and objection, * Limitation of processing, * Portability, * Not to be subject to automated individual decision-making, including profiling. When data subjects exercise the rights of access, rectification, erasure and objection, limitation of processing, data portability, and not to be subject to automated individual decision-making, before the PROCESSOR, the latter must communicate it by email. The communication must be made immediately and in no case later than the following business day after receiving the request, together with, where applicable, other information that may be relevant to resolving the request. 5.10. Right to Information. It is the responsibility of the CONTROLLER to provide the right to information at the time of data collection. 5.11. Notification of Security Breaches. The PROCESSOR shall notify the CONTROLLER, without undue delay, and in any case within a maximum period of twenty-four (24) hours, and by email, of any security breaches of personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication 1 of the incident. Notification will not be necessary when it is unlikely 2 that such a security breach will pose a risk to the rights and freedoms of natural persons. If available, at least the following information shall be provided: * Description of the nature of the personal data security breach, including, where possible, the categories and approximate 3 number of data subjects affected, and the categories and approximate number of personal data records affected; 4 * The name and contact details of the data protection officer or other contact point where further information can be obtained; * Description of the 5 potential consequences of the personal data security breach; and * Description of the measures taken or proposed to remedy the personal data security breach, including, where appropriate, the 6 measures taken to mitigate the potential negative effects. If it is not possible to provide the information simultaneously, and to the extent that it is not, the information 7 shall be provided gradually without undue delay. It is the responsibility of the PROCESSOR to communicate security breaches of personal data to data subjects as soon as possible, when it is likely that the breach will pose a high risk to the rights and freedoms of natural persons. The communication must be made in clear and simple language and must, 8 at a minimum: * Explain the nature of the data breach; * Indicate the name and contact details of the data protection officer or other contact point where further information can be obtained; * Describe 9 the potential consequences of the personal data security breach; * Describe the measures taken or proposed by the CONTROLLER to remedy the personal data security breach, including, where appropriate, the measures taken to mitigate the potential negative effects. 5.12. Support the CONTROLLER in carrying out: * Data protection impact assessments, where applicable, and * Prior consultations with the supervisory authority, where applicable. 5.13. Make available to the CONTROLLER all the necessary information to demonstrate compliance with its obligations, as well as for 10 carrying out audits or inspections by the CONTROLLER or another authorized auditor. 5.14. Implement the following security measures. In any case, the PROCESSOR must implement mechanisms to: * Guarantee the confidentiality, integrity, availability, and permanent resilience of the processing systems and services; * Restore the availability and access to personal data quickly 11 in the event of a physical or technical incident; * Regularly verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented 12 to guarantee the security of the processing; * Pseudonymize and encrypt personal data, where applicable. 5.15. Appoint a data protection officer, if applicable, and communicate to the CONTROLLER their identity and contact details. In this sense, the officially designated contact before the ANTAI is: Email: [dirección de correo electrónico eliminada], Address: Calle 60, P.H Obarrio 60, Floor 14, Office 14-C, Obarrio, Panama. 5.16. Subcontracting. If it is necessary to subcontract any processing, this fact must be communicated in advance and in writing to the CONTROLLER, with a minimum notice of five (5) days, indicating the processing to be subcontracted and identifying, clearly and unequivocally, the subcontractor company and its contact details. Subcontracting may be carried out if the CONTROLLER does not object within the established period. Once their suitability and security have been evaluated, the PROCESSOR is authorized to subcontract with the following companies the services that involve the following processing: * Digital Ocean: Server hosting (https://www.digitalocean.com/legal/certifications/) * Stripe: Payment gateway (https://stripe.com/es-419-es/privacy) * Kommo: Internal CRM management (https://www.kommo.com/es/privacidad/) * Google Analytics: Google web analytics (https://www.cookiebot.com/es/google-analytics-rgpd/) * ElasticEmail: Email delivery servers (https://elasticemail.com/blog/updates/gdpr-compliant-forms)

To subcontract with other companies, the PROCESSOR must communicate it in writing to the CONTROLLER, identifying the subcontractor company and its contact details clearly and unequivocally. Subcontracting may be carried out if the CONTROLLER does not object within a period of ten (10) days.

The subcontractor, who will also have the status of PROCESSOR, is also obliged to comply with the obligations established in this document for the PROCESSOR and the instructions issued by the CONTROLLER. It is the responsibility of the initial PROCESSOR to regulate the new relationship in such a way that the new PROCESSOR is subject to the same conditions (instructions, obligations, security measures…) and with the same formal requirements as the initial PROCESSOR, in terms of the adequate processing of personal data and the guarantee of the rights of data subjects. In the event of non-compliance by the subcontractor, the initial PROCESSOR will remain fully liable to the CONTROLLER in terms of compliance with the obligations.  

5.17. Data Destination. The PROCESSOR undertakes, after the termination of the Use License Agreement of the APPLICATION, for whatever reason, to destroy the data once the service has been provided. Once destroyed, the PROCESSOR must certify its destruction in writing and deliver the certificate to the CONTROLLER.

However, the PROCESSOR may keep a copy, with the data properly anonymized, while liabilities may arise from the execution of the service.

6. Obligations of the CONTROLLER.

6.1. To deliver to the PROCESSOR the data referred to in Stipulation 3 of this contract. 6.2. To carry out a data protection impact assessment of the processing operations to be carried out by the PROCESSOR, if applicable. 6.3. To carry out the prior consultations that may be necessary. 6.4. To ensure, prior to and throughout the processing, compliance with Law 81 of 2019 of ANTAI by the PROCESSOR. 6.5. To supervise the processing, including carrying out inspections and audits.

7. Liability of the PROCESSOR.

7.1. The PROCESSOR will be considered RESPONSIBLE in the event that it allocates the data to another purpose, communicates or uses it, in breach of this contract. In these cases, the PROCESSOR will be liable for any infractions it may have incurred personally. 7.2. The PROCESSOR will indemnify the CONTROLLER for any damages and losses that may arise from the breach of the obligations contracted under this contract. The liability of the PROCESSOR will include, in addition to the amount of any administrative sanction and/or judicial judgment that may result against the CONTROLLER as a result of the breach by the PROCESSOR of current data protection regulations and the obligations required in this contract.

8. Personal Data of the Signatories of the Contract: The personal data of the CONTROLLER and the PROCESSOR will be incorporated into the respective Internal Processing Activity Registers of each of them, for the purpose of maintaining the contractual relationship established in this contract. The data subjects, whose personal data is integrated into the aforementioned RATs, may exercise their rights of access, rectification, erasure, limitation, oblivion, and objection by addressing in writing, together with a copy of a document accrediting their identity, the corresponding responsible party, designating the email address indicated in the Use License Agreement as the address for such purposes. The signatories undertake to immediately communicate any modification of their personal data so that the information contained in the processing of each party is, at all times, up-to-date and does not contain errors. The CONTROLLER may keep your personal data after the termination of the commercial relationship until the legally established period of prescription. The purpose of collecting the personal data of the signatories of the contract is to develop, comply with, and monitor the commercial legal relationship formalized between the CONTROLLER and the PROCESSOR in this contract. In particular, for the purposes of the provisions of Law 81 of ANTAI, the PROCESSOR expressly consents to its data being communicated by the CONTROLLER to collaborating companies and public administration for the purpose of maintaining this contractual relationship.

9. Applicable Law and Jurisdiction. The CONTROLLER and the PROCESSOR, expressly waiving any other jurisdiction that may correspond to them, submit themselves, to settle any questions or disputes that may arise in relation to the interpretation, execution, or compliance of this contract, to Panamanian law and the jurisdiction of the Courts and Tribunals of the city of Panama (Panama).

16.4. Contact: If you need any clarification regarding this Privacy Policy, wish to ask a question or make a claim, or exercise your rights, please contact our Internal Security Officer or our DPO at the following email address: [dirección de correo electrónico eliminada], indicating in the subject: “Data Protection”.

Drafting of the updated and revised Privacy Policy on October 25, 2023.