Privacy Policy

1. 1. Who We Are (Data Controller)

Prometio Group is an AI-native software factory founded by Sebastian Gil Pinzon and Kimberley Duran. For the purposes of applicable data protection law (including Colombia's Law 1581 of 2012 and Decree 1377 of 2013, and the EU/UK General Data Protection Regulation, where it applies), the data controller responsible for your personal data is:

• Legal entity: Soluciones en IA y Ciencia de Datos S.A.S. (trading as "Prometio Group")
• Registered address: Calle 3 #51b-156, oficina 34, Barranquilla, Colombia
• Contact email: [email protected]

We have not appointed a data protection officer (DPO) or an EU/UK representative under Article 27 of the GDPR at this time; privacy requests are handled directly through [email protected]. We will designate an EU/UK representative or a DPO if our processing activities later make this legally required.

2. 2. Scope of This Policy

This Policy applies to personal data we process when you:

• Visit and browse the Site;
• Submit the contact form;
• Book a discovery call through the Site; or
• Communicate with us by email or other channels referenced on the Site.

The Site may contain links to, or rely on, third-party websites or services that we do not control. This Policy does not apply to those third parties, and we encourage you to review their own privacy notices.

3. 3. Personal Data We Collect

We collect only the data needed to respond to you and operate the Site. Specifically:

Contact form. When you submit our contact form, we collect:

• Your name;
• Your email address;
• The content of your message;
• Technical data captured automatically at the time of submission: your IP address and browser user-agent string (used for security, anti-abuse, and access management).

Discovery call booking. When you book a discovery call, we collect:

• Your first name and last name;
• Your email address;
• Your company name (optional);
• Any notes you choose to add (optional free-text field);
• The date and time of the slot you select.

Anti-bot verification. Our forms use Cloudflare Turnstile, a privacy-respecting alternative to traditional CAPTCHA, to distinguish humans from automated bots. Turnstile processes limited technical signals from your browser to perform this check and may place a strictly necessary token/cookie required to complete the verification (see Section 7).

Usage analytics. We use Cloudflare Web Analytics, a privacy-first, cookieless analytics tool, to understand aggregate Site usage (such as page views). It does not set cookies, does not fingerprint you, and does not track you across other websites. See Section 7 (Cookies and Analytics).

We do not knowingly collect special categories of personal data (such as health, biometric, racial/ethnic, or precise financial data) through the Site, and we ask that you do not include such data in free-text fields such as the message or notes fields.

4. 4. How and Why We Use Your Data (Purposes and Legal Bases)

We process your personal data for the purposes below. Where the GDPR applies, the corresponding legal basis is shown in brackets.

• To respond to your inquiries and provide the information or services you request via the contact form [Legal basis: steps taken at your request prior to entering into a contract; or our legitimate interest in responding to business inquiries].
• To schedule, confirm, and manage discovery calls you book — including sending you a booking confirmation and a calendar invitation for the meeting you requested [Legal basis: steps taken at your request prior to entering into a contract; or our legitimate interest in managing requested meetings]. (Note: when you submit the contact form, the resulting email is an internal notification to our team; we do not send you an automated confirmation email for the contact form unless we reply to you directly. A confirmation is sent to you only for discovery-call bookings.)
• To secure our Site and forms, prevent spam and abuse, and verify that requests come from humans — via Cloudflare Turnstile and the IP address / user-agent we log [Legal basis: our legitimate interest in protecting our systems and users; and, where applicable, compliance with a legal obligation].
• To understand aggregate Site usage and improve our content and performance, using cookieless analytics that do not store or access information on your device [Legal basis: our legitimate interest in maintaining and improving the Site; no consent is required under ePrivacy rules because no information is stored on or read from your device for this purpose — see Section 7].
• To keep business records and comply with legal, accounting, or regulatory obligations [Legal basis: compliance with a legal obligation; or our legitimate interest in maintaining records].
• To send you marketing or other non-essential communications, only where you have given consent [Legal basis: consent, which you may withdraw at any time].

We do not sell your personal data. The Site does not perform profiling of visitors, and we do not use your data for automated decision-making that produces legal or similarly significant effects about you. Although Prometio is an AI-native company, the Site itself does not subject your contact-form or booking data to automated decisions or AI-based profiling of you as an individual.

5. 5. Service Providers and Sub-Processors

We do not sell, rent, or trade your personal data. We share it only with trusted service providers (sub-processors) who process data on our behalf, under contracts that require them to protect it and to use it only for the services they provide to us. Our current sub-processors are:

• Cloudflare — website hosting and content delivery (Cloudflare Pages), bot protection (Turnstile), and cookieless analytics (Web Analytics). Privacy information: https://www.cloudflare.com/privacypolicy/
• Supabase — database storage and serverless (edge) functions that receive and store both contact-form submissions and discovery-call booking submissions. Privacy information: https://supabase.com/privacy
• Resend — transactional email delivery, used to send our team an internal notification email when you submit the contact form. Privacy information: https://resend.com/legal/privacy-policy
• Microsoft — Microsoft 365 / Microsoft Bookings (via the Microsoft Graph API), used to create discovery-call appointments and send calendar invitations. Privacy information: https://privacy.microsoft.com/

The categories of recipients above process data only for the business purposes described. We may also disclose personal data where required by law, regulation, legal process, or an enforceable governmental request, or to protect the rights, property, or safety of Prometio, our users, or others.

6. 6. International Data Transfers

Prometio is established in Colombia and serves clients worldwide, and our service providers (Cloudflare, Supabase, Resend, and Microsoft) may store or process data on servers located outside your country of residence, including in jurisdictions that may not provide the same level of data protection as your own.

Under Colombia's Law 1581 of 2012 and Decree 1377 of 2013, international transfers of personal data are made to recipients that provide adequate levels of data protection or, where applicable, on the basis of your authorization or another lawful ground. Where personal data is transferred internationally and the GDPR or similar laws apply, we rely on appropriate safeguards to ensure your data remains protected, such as:

• the European Commission's Standard Contractual Clauses (SCCs) for transfers from the EEA;
• the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs for transfers from the United Kingdom; and
• equivalent mechanisms and data-residency options offered by our providers.

You can review each provider's sub-processor and transfer documentation via the links in Section 5, and you may request more information about our safeguards by contacting us at [email protected].

7. 7. Cookies and Analytics

We aim to keep tracking to a minimum and to avoid non-essential cookies.

• No advertising cookies or third-party advertising trackers. We do not use them.
• No Google Analytics. We do not use Google Analytics or any cross-site tracking analytics.
• Cookieless analytics. We use Cloudflare Web Analytics, which is privacy-first and does not set cookies, does not fingerprint you, and does not track you across other websites. Because it does not store or access any information on your device, it provides us only with aggregate measurements such as page views, and (per ePrivacy rules, e.g. Article 5(3) of the ePrivacy Directive) it does not require your consent.
• Bot protection (strictly necessary). Cloudflare Turnstile is used on our forms to block automated abuse. To perform the human-verification check it may place a strictly necessary token and/or cookie in your browser. Cloudflare may also set strictly necessary security cookies (for example, __cf_bm) in connection with bot management and protection of the Site. These are used solely for security/abuse-prevention, are essential to deliver the functionality you request, and are exempt from consent as strictly necessary technologies.
• No other cookies are set by us for analytics or marketing.

Indicative list of cookies / device technologies:

• Cloudflare Turnstile token/cookie — Provider: Cloudflare — Purpose: human (anti-bot) verification on forms — Type: strictly necessary — Duration: short-lived / session.
• __cf_bm — Provider: Cloudflare — Purpose: bot management / security — Type: strictly necessary — Duration: up to 30 minutes.
• Cloudflare Web Analytics — Provider: Cloudflare — Purpose: aggregate, cookieless page-view measurement — Type: no cookie set; no device storage.

Because we use only strictly necessary security technologies and no tracking or advertising cookies, a cookie consent banner is not currently required, and we do not display one. If in the future we introduce cookies or technologies that require consent under applicable law, we will provide a consent mechanism and update this Policy.

8. 8. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy. The following are our criteria and retention periods:

• Contact-form submissions and discovery-call bookings: retained for 24 months after your last contact with us, so that we can respond to and follow up on your inquiry or meeting and maintain reasonable business records, after which we delete or anonymize them.
• Security / anti-abuse data (IP address, user-agent): retained for 90 days for security and abuse-prevention purposes, then deleted.
• Business records required by legal, tax, accounting, or regulatory obligations: retained for the period required by applicable Colombian commercial and tax law (generally up to ten years for accounting and commercial records).
• Aggregate analytics: retained in aggregate, non-identifying form, with no individual retention period.

We may retain certain data longer where necessary to establish, exercise, or defend legal claims, or where a longer period is required by law.

9. 9. Your Privacy Rights

Depending on where you live and which laws apply to you, you may have the following rights regarding your personal data:

• Access — to obtain a copy of the personal data we hold about you;
• Rectification — to correct inaccurate or incomplete data;
• Erasure — to request deletion of your data ("right to be forgotten");
• Restriction — to limit how we process your data in certain circumstances;
• Objection — to object to processing based on our legitimate interests, and to object to direct marketing at any time;
• Portability — to receive your data in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller;
• Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting processing carried out before withdrawal;
• Complain — to lodge a complaint with a data protection or privacy supervisory authority.

For users in Colombia (Law 1581 of 2012 / Decree 1377 of 2013): you may exercise your rights of access (conocer), update (actualizar), and rectify (rectificar) your personal data, request proof of the authorization granted, be informed about the use we make of your data, revoke your authorization and/or request the deletion of your data where this is legally permitted, and, where applicable, file a complaint with the Superintendence of Industry and Commerce (SIC), the Colombian data-protection authority. You may submit any claim related to the handling of your personal data to us at [email protected] before, or in addition to, escalating to the SIC.

For users covered by the GDPR (EU/UK): all of the rights above apply, and you may complain to your local supervisory authority.

For California residents (CCPA/CPRA): to the extent the CCPA/CPRA applies, you have the right to know, access, correct, and delete the personal information we collect, and to opt out of the "sale" or "sharing" of personal information. Under the CCPA/CPRA, the categories of personal information we collect are:

• Identifiers (e.g., name, email address, IP address);
• Commercial / professional information (e.g., company name, the content of your inquiry or booking notes);
• Internet or other electronic network activity information (e.g., user-agent string and aggregate page-view data).

We disclose these categories only to the service providers/sub-processors listed in Section 5, and only for the business purposes described in this Policy. We do not sell personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes that would trigger a right to limit, and we do not knowingly collect sensitive personal information through the Site. We do not discriminate against you for exercising your rights, and you may use an authorized agent to submit a request on your behalf.

10. 10. How to Exercise Your Rights

To exercise any of the rights described above, contact us at [email protected] with a description of your request. We may need to verify your identity before acting on a request, to protect your data from unauthorized access. California residents may also designate an authorized agent to make a request on their behalf, subject to verification.

Response timeframes:

• Under the GDPR/UK GDPR, we will respond within one month, which may be extended by up to two further months for complex or numerous requests (we will tell you if an extension applies).
• Under the CCPA/CPRA, we will confirm receipt within 10 business days and respond within 45 calendar days, extendable once by an additional 45 days where reasonably necessary (we will notify you of any extension).

If we cannot fulfill a request, we will explain why, to the extent the law permits. There is normally no fee for exercising your rights, although we may charge a reasonable fee or decline to act on requests that are manifestly unfounded or excessive.

11. 11. Data Security

We implement appropriate technical and organizational measures designed to protect your personal data, including transport encryption (HTTPS/TLS), bot and abuse protection on our forms (Cloudflare Turnstile), use of reputable infrastructure providers (Cloudflare, Supabase, Resend, Microsoft), and limiting access to personal data to those who need it.

However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority and, where required, affected individuals, as required by applicable law (for example, generally within 72 hours of becoming aware, under Articles 33–34 of the GDPR).

12. 12. Children's Privacy

Our Site and services are intended for businesses and professionals and are not directed to minors under 18 years of age. We do not knowingly collect personal data from minors under 18. If you believe a minor has provided us with personal data, please contact us at [email protected] and we will take steps to delete it.

13. 13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top and, where appropriate or required by law, provide additional notice. We encourage you to review this Policy periodically.

14. 14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Privacy / data requests: [email protected]
• General inquiries: [email protected]
• Entity: Soluciones en IA y Ciencia de Datos S.A.S. (trading as "Prometio Group")
• Address: Calle 3 #51b-156, oficina 34, Barranquilla, Colombia

If you are in Colombia, you may also lodge a complaint with the Superintendence of Industry and Commerce (SIC). If you are in the EU/UK and believe your data protection rights have been infringed, you also have the right to lodge a complaint with your local supervisory authority.