Privacy Policy

For purposes of Colombian Law 1581 of 2012, Auctorem acts as the Responsable del Tratamiento (data controller) for personal data processed through the Service.

• Operator: Auctorem
• Country of operation: Colombia
• Website: http://auctorem.app
• Privacy contact: hello@example.com
• Address in Colombia: Bogotá, Engativá

Configure the address in the operator settings, or contact hello@example.com before production use.

This policy applies to visitors, registered users, and individuals whose data appears in user-generated content (for example, metrics or publication metadata entered by our customers).

Visitors or residents in the United States. Although the operator is based in Colombia, if you are a California resident and we meet applicable CCPA/CPRA thresholds, you may have the rights in Section 9. We do not sell or share personal information for cross-context behavioral advertising as defined under California law.

Colombia. If Colombian law applies to your data, you have the rights in Section 10, including consultation and complaint procedures before the Superintendencia de Industria y Comercio (SIC).

We collect only what is needed to operate the Service. Categories include:

• Account and identity (Google sign-in): name, email address, Google account identifier, profile picture URL, and email verification status. We do not collect or store passwords.
• Profile and workspace preferences: interface language, IANA timezone, and optional email notification preference.
• Portfolio and professional profile (optional): public slug, bio, location, website, social links, accent color, and optional public contact email you choose to display.
• Publications and metrics you enter: URLs, titles, dates, channels, categories, notes, tags, visibility flags, metric snapshots, and activity logs derived from your edits.
• Shared report links: tokens, titles, scope filters, date ranges, timezones, and revocation/expiry metadata.
• Billing (paid plans): Stripe customer identifier and subscription status managed by Laravel Cashier. Payment card data is collected and processed by Stripe, not stored on our servers.
• Technical and session data: session identifiers, IP address, user agent, and authentication timestamps stored in our session store.
• Locale cookie: your selected language (es/en) when you use the language switcher.

You may include third-party personal data in publications or notes (for example, client names). You are responsible for having a lawful basis to process that information and for not uploading data you are not authorized to process.

• Directly from you when you sign in, edit settings, create publications, or configure billing.
• From Google OAuth when you choose "Continue with Google" (scopes: email and profile).
• From Stripe when you subscribe or manage payment methods through Stripe Checkout or the Customer Portal.
• Automatically through cookies and server logs as described above.

• Provide, maintain, and secure the Service.
• Authenticate you and manage your workspace.
• Display your optional public portfolio and shared reports according to your settings.
• Process subscriptions, trials, and billing through Stripe.
• Send service-related communications if you enable email notifications.
• Comply with law, respond to lawful requests, and enforce our Terms.
• Improve reliability and prevent fraud or abuse.

Under Colombian law, processing is based on your informed authorization (for example, by creating an account or enabling optional features), contractual necessity, and legitimate interests compatible with your rights, except where a legal exception applies.

We do not sell personal information. We may disclose information to:

• Service providers / encargados del tratamiento that process data on our instructions, including Google (authentication), Stripe (payments), and infrastructure hosting providers. These providers may only use data to deliver services to us and must protect it.
• The public when you enable a public portfolio or active shared report link, according to your visibility settings (private publications may be redacted in public views while still contributing aggregate metrics).
• Authorities when required by applicable law or a valid legal process.
• Successors in connection with a merger, acquisition, or asset sale, subject to this policy or notice to you.

International transfers may occur (for example, U.S.-based hosting or Google/Stripe infrastructure). Where Colombian law requires safeguards for transfers, we rely on contractual protections and provider commitments consistent with applicable regulation.

We retain personal information while your account is active and as needed to provide the Service. When you delete your account through Settings → Account, we delete or anonymize personal data subject to technical limits and legal retention obligations (for example, billing records Stripe must retain).

Shared report caches and server logs are retained for limited periods appropriate to security and operations.

We implement technical and organizational measures appropriate to the risk, including access controls, encryption in transit (HTTPS), and restricted access to production systems. No method of transmission or storage is 100% secure; you use the Service at your own risk within the limits of applicable law.

Depending on your state of residence and our role under applicable law, you may have the right to:

• Know the categories and specific pieces of personal information we collected about you, and how we used and disclosed them.
• Request deletion of personal information we collected from you, subject to legal exceptions.
• Request correction of inaccurate personal information.
• Opt out of the sale or sharing of personal information—we do not sell or share for cross-context behavioral advertising.
• Limit use of sensitive personal information where applicable—we do not use sensitive categories beyond what you voluntarily submit in workspace content.
• Not receive discriminatory treatment for exercising privacy rights.

Submit requests to hello@example.com. We will verify your identity (for example, by requiring a response from your registered email) and respond within timeframes required by applicable law. You may designate an authorized agent where your state law allows.

As a data subject (titular), you may:

• Know, update, and rectify your personal data (consulta—Art. 14).
• Request suppression or revocation of authorization when applicable (reclamo—Art. 15).
• Request proof of authorization when you have given it (Art. 12).
• File a complaint with the SIC after exhausting our internal consultation or claim process (Art. 16), at sic.gov.co.

Consultas: we will respond within ten (10) business days, extendable by up to five (5) additional business days when justified. Reclamos: we will follow the procedure in Article 15 (including marking the database record as "reclamo en trámite" when applicable) and respond within fifteen (15) business days, extendable by up to eight (8) additional business days when justified.

Send consultas and reclamos to hello@example.com with your full name, identification, description of the request, and contact details.

• Update timezone and language in workspace settings.
• Disable email notifications in account settings.
• Delete your account in Settings → Account (requires confirming your email).
• Privacy email: hello@example.com

The Service is not directed to children under 13 (U.S. COPPA) or under 18 without parental authorization where Colombian law requires it for minors' data. We do not knowingly collect personal information from children. Contact hello@example.com if you believe we have collected such data.

Publications may link to third-party sites (social networks, media outlets). Their privacy practices are governed by their own policies, not this one. Google and Stripe privacy policies apply to their respective services.

We may update this policy. We will post the revised version with a new effective date. Material changes may be notified by email or in-product notice when appropriate. Continued use after the effective date constitutes notice of the update where permitted by law.