Privacy Policy
How we collect, use, and protect your personal data. We do not use your data for AI training. We do not store sensitive information.
1. Data Controller
| Legal Name | Efficient AI Algorithms |
| Legal Location | Maricopa County, Arizona, United States |
| Website | algoritmos.io |
| General Email | contacto@algoritmos.io |
| Privacy Email | privacidad@algoritmos.io |
Efficient AI Algorithms ("we", "our", "the Company") is the data controller for personal data collected through algoritmos.io and all associated platforms, including ProtectTrack GPS. We are committed to protecting your privacy and processing your personal data in accordance with applicable law.
🌍 International Scope
This policy complies with multiple international regulatory frameworks: GDPR (European Union/EEA), LGPD (Brazil), LFPDPPP (Mexico), Law 1581 (Colombia), Law 29733 (Peru), Law 8968 (Costa Rica), Law 81 (Panama), Law 25.326 (Argentina), Law 18.331 (Uruguay), LOPDP (Ecuador), Law 21.719 (Chile), CCPA/CPRA (California, USA), and other applicable data protection legislation.
1.1 Services Covered
This policy applies to all services provided by the Company:
- Software Development: Application, API, SaaS platform and PWA development
- Data Extraction: Professional web scraping and data structuring
- PDF to Excel: OCR digitization and document conversion
- Competitor Monitoring: Automatic price and product tracking
- Process Automation: Data workflows and pipelines
- ProtectTrack GPS: PWA GPS monitoring platform for personal protection
2. Personal Data We Collect
2.1 Contact Information
- Full name
- Email address
- Phone number (optional)
- Company or organization name
- Title or position
- Country of residence
2.2 Project Information
- Technical specifications and project requirements
- Target website URLs (for extraction/monitoring services)
- Files uploaded for processing (PDFs, documents, data)
- Delivery format preferences
- Communications and correspondence related to the service
2.3 Billing Data
- Billing information (name, tax address)
- Tax identifiers by country (RFC, NIT, RUT, CNPJ, etc.)
🔒 Payment Data — Processed Exclusively by Stripe
We DO NOT store credit card, debit card, or banking information in our systems at any time. All payment information is processed directly by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. Our servers never receive, process, or store card numbers, expiration dates, or CVV codes.
2.4 Technical Data
- IP address
- Browser information (User Agent)
- Operating system and device type
- Strictly necessary session cookies
- Service access logs
❌ Data We DO NOT Collect or Store
- We DO NOT store credit card, debit card, or banking data
- We DO NOT use tracking or analytics cookies
- We DO NOT use Google Analytics, Facebook Pixel, or similar services
- We DO NOT use third-party marketing or advertising cookies
- We DO NOT track your behavior on other websites
- We DO NOT sell, rent, or commercialize your data under any circumstances
- We DO NOT collect biometric, racial, ethnic, health, or sexual orientation data
- We DO NOT create behavioral profiles for targeted advertising
3. No AI Training Commitment
🚫 Absolute Guarantee: Your Data Is NOT Used to Train AI
Efficient AI Algorithms formally and irrevocably commits that no data provided by our clients will be used to train, fine-tune, improve, or feed artificial intelligence models, machine learning, neural networks, or any other automated learning system, whether proprietary or third-party.
3.1 Scope of This Guarantee
This guarantee applies to all data you provide us, including without limitation:
- Uploaded documents: PDFs, invoices, bank statements, reports, forms, and any file processed through our digitization service
- Extracted data: Information obtained through web scraping services, including prices, products, listings, and structured data
- Source code: All code, specifications, business logic, and technical documentation developed in software projects
- Monitoring data: Competitor information, price history, alerts, and generated analyses
- Automation data: Workflows, transformations, API configurations, and pipeline results
- Location data: GPS coordinates, route history, geofences, and any ProtectTrack GPS data
- Communications: Emails, support messages, project specifications, and any correspondence
3.2 Processing vs. Training
It is important to distinguish between two fundamentally different concepts:
| Concept | Do we do it? | Description |
|---|---|---|
| Data processing | YES | We use AI tools (such as OCR, parsers, etc.) to process your data and deliver results. Your data goes in, gets processed, and comes out as results. It is not retained. |
| Training with data | NEVER | We never use your data to teach, improve, or adjust AI models. Your data does not feed any dataset, is not added to training sets, and does not improve algorithms. |
3.3 Third-Party Tools
When we use third-party tools (such as OCR services or text processing APIs) to execute contracted services, we exclusively select providers that offer contractual guarantees that processed data will not be used to train their own models. We require Data Processing Agreements (DPAs) that include explicit no-training clauses.
3.4 Aggregated and Statistical Data
We may generate fully anonymous and aggregated internal statistics (for example: "we processed X documents this month" or "average delivery time: Y hours"). These operational metrics contain no identifiable data, cannot be linked to any individual client, and do not constitute AI training.
4. Sensitive Data Policy
🛡️ We Do Not Store Sensitive Information
Efficient AI Algorithms does not request, does not intentionally collect, and does not store sensitive personal data as defined by international data protection legislation.
4.1 Categories of Sensitive Data We DO NOT Collect
- Health data: Medical records, diagnoses, prescriptions, medical conditions
- Biometric data: Fingerprints, facial recognition, iris scans, voice patterns
- Racial or ethnic data: Racial origin, ethnicity, detailed nationality
- Belief data: Religion, political affiliation, sexual orientation, gender identity
- Genetic data: DNA information, genetic tests
- Criminal records: Criminal history, judicial proceedings
- Sensitive financial data: Credit card numbers, bank account numbers, PINs, banking passwords
- Minors' data: Information about persons under 18 years of age (except as strictly necessary in ProtectTrack with parental consent — see Section 14)
4.2 Client Documents That May Contain Sensitive Data
We recognize that documents our clients send us for processing (especially in the PDF to Excel service) may contain information the client considers sensitive, such as financial statements, invoices, or tax information.
✅ Our Handling Protocol
- Transient processing: Documents are processed in real time and original files are deleted from our processing servers within 24 hours after result delivery
- No retention: We do not create copies, backups, or archives of your original documents once processed
- No human access: Processing is automated. No employee accesses the content of your documents unless you request specific technical support, and in that case only with your explicit authorization
- Encryption: All files in transit are protected with TLS 1.3, and temporary files at rest are encrypted with AES-256
- Isolation: Each client's data is processed in isolated environments, with no possibility of cross-contamination between clients
4.3 Credentials and API Keys
In automation and software development services, it may be necessary for the client to provide access credentials or API keys to integrate systems. In these cases:
- Credentials are stored exclusively in encrypted environment variables, never in source code or databases
- They are deleted immediately upon project completion or termination of the contractual relationship
- We recommend that clients generate specific credentials with limited permissions for our use, and revoke them upon completion
- We never share client credentials with third parties under any circumstances
5. Data Processing by Service
Each service we provide has a different data profile. Below we detail what data is collected, how it is processed, and when it is deleted for each service.
5.1 Software Development
| Aspect | Detail |
|---|---|
| Data collected | Project specifications, business logic, technical requirements, provided digital assets (logos, content), project communications |
| Processing | Development of contracted software. Not shared with other clients or projects |
| Intellectual property | Source code and technical documentation developed are client property per the service contract |
| Deletion | 30 days after final delivery and client approval. Client receives complete copy |
5.2 Data Extraction / Web Scraping
| Aspect | Detail |
|---|---|
| Data collected | Target URLs, fields to extract, desired frequency, delivery format |
| Extracted data | Publicly accessible information from websites indicated by the client |
| Responsibility | Client is responsible for ensuring they have the right to extract data from indicated sites and for complying with those sites' terms of service |
| Deletion | Extracted data is delivered to client and deleted from our servers within 7 days after delivery |
5.3 PDF to Excel Conversion
| Aspect | Detail |
|---|---|
| Data collected | PDF files provided by client (invoices, bank statements, reports, forms, etc.) |
| Processing | Automated OCR + structuring. No human access to content |
| Sensitive content | PDFs may contain client financial, tax, or commercial data. These are processed in isolated, encrypted environments |
| Deletion | Original files deleted within 24 hours after result delivery. Excel results deleted in 7 days |
5.4 Competitor Monitoring
| Aspect | Detail |
|---|---|
| Data collected | Competitor URLs, products to monitor, alert thresholds, price history |
| Monitored data | Publicly accessible information (prices, availability, descriptions) |
| Active retention | Data history during active subscription for trend analysis |
| Deletion | All monitoring data deleted within 30 days after subscription cancellation |
5.5 Process Automation
| Aspect | Detail |
|---|---|
| Data collected | Flow specifications, pipeline input/output data, API credentials (encrypted), transformation rules |
| Processing | Data flows through automated pipelines. Not retained after processing |
| Credentials | Stored exclusively in encrypted environment variables, never in source code |
| Deletion | Credentials and configurations deleted immediately upon service cancellation |
5.6 ProtectTrack GPS
Due to the special nature of this service (location data and potential involvement of vulnerable persons), additional provisions detailed in Section 14 of this policy apply.
6. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Provision of contracted services | Contact, project, technical specifications |
| Account management and access | Email, session credentials |
| Payment processing | Billing data (processed via Stripe) |
| Operational service communications | |
| Technical support and incident resolution | Contact, technical data, project data |
| Security, fraud and abuse prevention | IP, access logs, usage patterns |
| Compliance with legal obligations | As required by applicable law |
| Anonymous and aggregated operational statistics | Non-identifiable metrics (volumes, times) |
🚫 Purposes for Which We NEVER Use Your Data
- Training artificial intelligence or machine learning models
- Sale, rental, or commercialization to third parties
- Targeted advertising or behavioral profiling
- Sharing with other clients or projects
- Creation of marketable databases
- Market research for our benefit using client data
6.1 Communications
We may contact you exclusively for:
- Information about your account status and contracted services
- Operational updates relevant to your service
- Responses to your inquiries and support requests
- Security notifications affecting your data
We only send marketing communications if you have given explicit consent. You can cancel these communications at any time via the unsubscribe link included in each email or by contacting contacto@algoritmos.io.
7. Legal Bases for Processing
| Activity | Legal Basis |
|---|---|
| Service provision | Contract performance — Necessary to fulfill the contract with you |
| Payment management | Contract performance — Necessary to process your subscription |
| Operational communications | Legitimate interest — Keep you informed about your account |
| System security | Legitimate interest — Protect our systems and users |
| Direct marketing | Consent — Only if you have expressly authorized it |
| Legal compliance | Legal obligation — Comply with applicable laws |
| Operational statistics | Legitimate interest — Fully anonymous data to measure operational performance |
| ProtectTrack GPS — location | Consent — Explicit consent from the tracked person |
8. Sharing with Third Parties
We share your data only with the following providers strictly necessary for service delivery:
| Provider | Service | Location | Data Shared | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | Billing data | PCI-DSS Level 1, SCCs |
| Railway | Hosting and servers | USA | Technical data, applications | SOC 2, encryption |
| Google Workspace | Corporate email and forms | USA/Global | Email, form contact data | ISO 27001, SOC 2, SCCs |
| Cloudflare | CDN, DNS and DDoS protection | Global | Technical data (IP, headers) | ISO 27001, SOC 2 |
📋 Contractual Guarantees with All Providers
- Process data only according to our documented instructions
- Implement appropriate technical and organizational security measures
- Not share data with sub-processors without authorization
- Not use client data for AI training or their own benefit
- Delete or return data upon termination of the contractual relationship
- Notify security breaches without delay
- Submit to audits when necessary
8.1 We DO NOT Sell Your Data
We never sell, rent, license, exchange, or in any way commercialize your personal data with third parties for marketing, advertising, commercial analysis, or any other purpose, now or in the future. This is a fundamental and immutable policy of our company.
8.2 Legal Disclosure
We may disclose personal data only when legally required through court order, subpoena, or other valid legal request from competent authorities. In such cases, we will notify you of the request to the extent the law permits, before disclosing any data.
9. International Data Transfers
Your personal data will be transferred to and processed in the United States of America, where our servers and operational team are located.
9.1 Protection Mechanisms by Jurisdiction
🇪🇺 European Union / EEA / Spain (GDPR)
We transfer data using Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914), supplemented by additional technical measures including encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymization where applicable, and Transfer Impact Assessments (TIA).
🇧🇷 Brazil (LGPD)
We transfer your data pursuant to Article 33 of the LGPD, through specific contractual clauses that guarantee compliance with LGPD principles, including purpose, adequacy, necessity, security, and non-discrimination. The National Data Protection Authority (ANPD) will be notified as required.
🇲🇽 Mexico (LFPDPPP)
We transfer your data based on your express consent granted by accepting this Privacy Notice. Destination country: United States. Recipient: Efficient AI Algorithms. Your data will be protected by contractual clauses that guarantee standards equivalent to the LFPDPPP.
🇨🇴 Colombia (Law 1581)
The United States is included in the list of countries with an adequate level of protection issued by the Superintendence of Industry and Commerce (External Circular 05/2017), which allows transfers without requiring additional consent.
🇺🇸 California (CCPA/CPRA)
We do not sell or share personal information as defined by CCPA/CPRA. Data is processed in the United States with all applicable protections under California law.
🌎 Other Latin American and World Countries
We implement contractual safeguards that include: confidentiality obligations, technical and organizational security measures, procedures to exercise access/rectification/erasure rights, incident notification, and strict retention limitations. We comply with the laws of: Peru (Law 29733), Costa Rica (Law 8968), Panama (Law 81), Argentina (Law 25.326), Uruguay (Law 18.331), Ecuador (LOPDP), and Chile (Law 21.719).
To obtain a copy of the implemented safeguards, contact: privacidad@algoritmos.io
10. Retention Periods
| Data Type | Period | Justification |
|---|---|---|
| Account / contract data | Contract duration + 10 years | Tax obligations (Arizona) and legal defense |
| Original PDF files | 24 hours after delivery | Transient processing |
| Project data (URLs, configs) | 30 days after completion | Warranty/dispute period |
| Delivered extracted data | 7 days after delivery | Re-download if needed |
| Developed source code | 30 days after final delivery | Client holds complete copy |
| Client credentials/API keys | Immediate upon service end | Client security |
| Billing data | 7 years | Legal tax obligations |
| GPS location data (ProtectTrack) | Per user settings | User controlled |
| Technical data (IP, logs) | 12 months | Security and troubleshooting |
| Session cookies | Session duration | Technical necessity |
10.1 Early Deletion
You may request deletion of your data before these periods by exercising your right to erasure (see Section 11). We will comply with your request except when we must retain data to meet tax obligations or for legal defense.
10.2 Deletion Method
Data is deleted through secure erasure in accordance with NIST 800-88 standards. Backups are deleted in retention cycles not exceeding 30 days.
11. Your Data Protection Rights
11.1 ARCO Rights (All Spanish-speaking countries)
📖 Access
Know what personal data we hold about you, how we process it, and with whom we share it.
✏️ Rectification
Correct inaccurate, incomplete, or outdated data.
🗑️ Cancellation / Erasure
Request deletion of your data when it is no longer necessary for the purpose for which it was collected.
🚫 Objection
Object to certain uses of your data, such as direct marketing or processing based on legitimate interest.
11.2 Additional Rights (EU/EEA — GDPR)
📦 Portability
Receive your data in a structured, commonly used, machine-readable format, and transfer it to another controller.
⏸️ Restriction
Restrict processing in certain circumstances (contesting accuracy, unlawful processing, etc.).
🤖 Automated Decisions
Not be subject to decisions based solely on automated processing with significant legal effects.
11.3 Brazil Rights (LGPD)
- Confirmation of processing existence
- Access to data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary data
- Portability to another provider
- Deletion of data processed with consent
- Information about sharing with public and private entities
- Information about the possibility of not consenting and consequences
- Withdrawal of consent
11.4 California Rights (CCPA/CPRA)
- Know the categories and specific pieces of information collected
- Delete personal information
- Correct inaccurate information
- Opt out of sale/sharing of personal information (note: we do not sell data)
- Non-discrimination for exercising your rights
📬 How to Exercise Your Rights
Send your request to: privacidad@algoritmos.io
Include: Full name, account email, right you wish to exercise, clear description of your request, and identification document if necessary to verify your identity.
Cost: Exercising your rights is free. We do not charge for handling privacy requests.
11.5 Response Timeframes
| Jurisdiction | Timeframe |
|---|---|
| EU/EEA (GDPR) | 30 days (extendable by 60 additional days) |
| Brazil (LGPD) | 15 days |
| Mexico (LFPDPPP) | 20 business days decision + 15 days implementation |
| Colombia | 10 business days + 5 days extension |
| Peru | 20 business days |
| Argentina | 10 calendar days |
| California (CCPA) | 45 days (extendable by 45 additional days) |
We will apply the shortest timeframe according to your jurisdiction.
11.6 Right to Complain
You have the right to file a complaint with the data protection authority in your country:
- EU/Spain: AEPD — www.aepd.es
- Brazil: ANPD — www.gov.br/anpd
- Mexico: SABG (formerly INAI)
- Colombia: SIC — www.sic.gov.co
- Peru: ANPD
- Argentina: AAIP — www.argentina.gob.ar/aaip
- Costa Rica: PRODHAB
- California: California Attorney General's Office
12. Data Security
12.1 Technical Measures
- Encryption in transit: TLS 1.3 for all communications
- Encryption at rest: AES-256 for stored data
- Access: Multi-factor authentication, role-based access control (RBAC), principle of least privilege
- Infrastructure: Servers in SOC 2 certified data centers with geographic redundancy
- Monitoring: 24/7 intrusion detection and security monitoring
- Backups: Encrypted backups with deletion according to retention periods
- Isolation: Each client's data is processed and stored in logically isolated environments
- Environment variables: Secrets and credentials stored exclusively in encrypted environment variables, never in source code or repositories
12.2 Organizational Measures
- Internal information security and data classification policies
- Periodic security reviews and vulnerability assessments
- Documented incident response procedures
- Confidentiality agreements with all personnel with data access
- Need-to-know principle: only strictly necessary personnel access project data
12.3 Security Breach Notification
🚨 Security Incidents
In case of a security breach affecting your personal data:
- We will notify the competent authorities within the period set by the applicable jurisdiction: 72 hours (EU/GDPR), 48 hours (Peru), or a reasonable time (Brazil/LGPD)
- We will inform you directly without delay if the breach poses a high risk to your rights and freedoms
- We will implement immediate corrective measures to contain and remediate the breach
- We will document the incident including: nature of the breach, data affected, likely consequences, and measures taken
Security contact: seguridad@algoritmos.io
13. Cookie Policy
13.1 Cookies We Use
| Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Session cookies | Keep your session active | Session | Strictly necessary |
| Technical cookies | Website functionality | 1 year max. | Strictly necessary |
| Preference cookies | Language, settings | 1 year max. | Strictly necessary |
✅ What We DO NOT Do with Cookies
- We DO NOT use tracking cookies
- We DO NOT use Google Analytics, Facebook Pixel, Hotjar, or similar services
- We DO NOT use third-party marketing or advertising cookies
- We DO NOT track your behavior on other websites
- We DO NOT use browser fingerprinting or alternative tracking techniques
- We DO NOT share cookie information with advertising networks
13.2 Cookie Management
You can configure your browser to reject cookies. However, some site features (such as staying logged in) may not work properly without strictly necessary technical cookies.
14. Special Provisions — ProtectTrack GPS
ProtectTrack GPS is a PWA location monitoring platform designed for the protection of vulnerable individuals (elderly adults, persons with cognitive conditions, minors under parental supervision). Due to the especially sensitive nature of location data, the following additional provisions apply:
14.1 Location Data
- Data type: GPS coordinates, location precision, speed, direction, route history, geofences
- Frequency: User-configurable, from real-time to scheduled intervals
- Storage: Location data is stored exclusively while the account is active and according to the retention settings chosen by the user
- No training: Location data is never used to train AI models, to create commercial heat maps or traffic analyses, or for any purpose other than direct service to the user
14.2 Consent and Authorization
⚠️ Mandatory Consent Requirements
- The person whose location is tracked must give their explicit and informed consent before tracking is activated, except in legally provided cases for minors or persons under legal guardianship
- For minors under 18 years of age, verifiable consent from a parent or legal guardian is required
- For adults under legal guardianship, documentation of the guardianship relationship is required
- Consent may be revoked at any time by the tracked person
14.3 Anti-Abuse Protection
ProtectTrack includes mechanisms designed to prevent misuse of the platform for harassment, stalking, or unauthorized surveillance:
- Consent verification as a prerequisite for activation
- Visible notifications to the tracked device
- Ability for the tracked person to unilaterally revoke access at any time
- Abusive usage pattern detection systems
- Cooperation with authorities in confirmed misuse cases
- Compliance with applicable anti-stalking statutes, including A.R.S. § 13-2923 (Arizona)
14.4 Minors in ProtectTrack (COPPA)
When ProtectTrack is used to monitor the location of children under 13 years of age:
- We comply with the Children's Online Privacy Protection Act (COPPA) of the United States
- Verifiable parental consent is required before collecting any data
- Parents/guardians can review, modify, or delete the minor's location data at any time
- Parents/guardians can revoke consent and request complete deletion
- No more data is collected than strictly necessary for the protection service
14.5 GPS Data Deletion
The user controls location data retention. Upon account cancellation or deletion request, all location data, route history, and geofences are permanently deleted within 72 hours. No backups of location data are retained after deletion.
15. Protection of Minors
15.1 B2B Services (Development, Extraction, PDF, Monitoring, Automation)
Our data and software services are intended exclusively for business use (B2B) and are not directed at minors.
- We do not intentionally collect data from persons under 18 years of age for these services
- If we discover we have collected data from a minor, we will delete it immediately
- If you are a parent/guardian and believe your child has provided us data, contact us immediately
15.2 ProtectTrack GPS
ProtectTrack is the sole exception, as it may be used by parents/guardians to protect minors. In this case, the special provisions of Section 14.4 on COPPA compliance and verifiable parental consent apply.
16. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, services, or applicable legislation. When we make material changes:
- We will post the updated version on this page with a new update date
- We will increment the version number
- For significant changes affecting your rights, we will send an email notification at least 30 days in advance
- We will give you the opportunity to review the changes before they take effect
- If the changes require new consent under GDPR, LGPD, or other legislation, we will request it explicitly
We recommend reviewing this policy periodically. Continued use of our services after publication of changes constitutes acceptance of the updated version.
17. Contact for Privacy Matters
| General Privacy Inquiries | privacidad@algoritmos.io |
| Exercise of Rights (ARCO / GDPR / LGPD) | privacidad@algoritmos.io |
| Security Incidents | seguridad@algoritmos.io |
| General Support | contacto@algoritmos.io |
Response time: We commit to acknowledging receipt of all privacy requests within 48 business hours, and to resolving them within the legal timeframes applicable to your jurisdiction (see Section 11.5).
Jurisdiction and applicable law: This policy is governed by the laws of the State of Arizona, United States, without prejudice to the rights conferred upon you by the data protection laws of your country of residence.