Personal Data Processing Policy

Information on how Validocus collects, uses, and protects personal data in compliance with Colombian Statutory Law 1581 of 2012 and related regulations. We recommend reading it in full and, for case-specific questions, consulting your legal advisor.

1. Data controller

   The controller responsible for the processing of personal data collected through the Validocus platform is Validocus (hereinafter, "Validocus" or "the Controller"), with principal place of business in Medellín, Antioquia, Colombia.

   We have designated a single point of contact for all matters related to personal data protection and the exercise of data subject rights. To submit inquiries, requests, or complaints regarding the processing of your data, please reach us through the following channels:

   Validocus — Medellín, Antioquia, Colombia.
   DPO (Data Protection Officer) email: hello@validocus.com
   Phone: +57 317 3025584.

2. Applicable legal framework

   This policy is subject to Colombia's personal data protection framework, in particular Statutory Law 1581 of 2012 (the General Personal Data Protection Regime), its Implementing Decree 1377 of 2013, and the circulars and instructions issued by the Superintendence of Industry and Commerce (SIC) as supervisory authority.

   Where processing involves data subjects located in the European Economic Area, or where Validocus offers products or services to residents of that territory, processing will additionally be subject to Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"). In such cases, the rights and guarantees recognized under the GDPR will be fully respected.

   Validocus will periodically review this policy to align with legal, judicial, or regulatory developments.

3. Personal data we collect

   To provide the electronic signature service, Validocus may collect and process the following categories of personal data, from both the contracting user and the invited signers:

   Identification and contact data: name, surname, email address, phone number, ID document number (when the user provides it for signing).

   Technical and evidentiary data: IP address of the signer at the moment of signing, timestamps, approximate geolocation derived from the IP, device and browser type. Video evidence of the signer expressing consent (which may include face and voice), digitized handwritten signature image, signed PDF document, and SHA-256 hash of the document.

   We do not request or store sensitive data beyond what is necessary to provide the service. We do not collect payment-method information: payment processing is handled by the ePayco gateway, in accordance with its own privacy policy.

4. Processing purposes

   Validocus processes the personal data collected for the following specific and determined purposes:

   (i) Providing the electronic signature service, including managing the full signing lifecycle (sending invitations, collecting signatures, generating the signed document, and producing evidentiary records); (ii) Generating verifiable legal evidence supporting the validity and traceability of the signatures performed, through IP capture, video, approximate geolocation, and on-chain hash anchoring; (iii) Complying with legal obligations applicable to the Controller, including documentary retention duties, responding to authority requests, and accounting and tax obligations.

   In addition, we may process data to (iv) provide technical support and respond to data subject requests; (v) improve the service through aggregated and anonymized usage analysis; and (vi) send operational communications related to the provision of the service. Marketing communications will only be sent with prior, express consent, which may be withdrawn at any time.

5. Legal basis for processing

   Validocus's processing of personal data is based on the following legal grounds, applied as relevant to each purpose:

   Performance of a contract: processing is necessary for the provision of the service contracted by the user or to take pre-contractual steps at their request. Express and informed consent: the data subject grants consent upon registering, upon accepting the terms when signing a document, and specifically when recording the video evidence.

   Processing may also rely on compliance with legal obligations applicable to the Controller (e.g., evidentiary retention, response to judicial or administrative requests), and on the legitimate interest of the Controller where it does not override the rights of the data subject (e.g., fraud prevention, aggregated service improvements).

6. Special categories of data

   The video evidence captured during the signing process may include the signer's face and voice, which may be considered biometric data insofar as they allow or confirm the unique identification of a natural person.

   This data is processed based on the explicit and specific consent of the signer, granted at the start of video recording, and solely for the evidentiary purpose described: supporting the traceability and authenticity of the electronic signature. This data is not used for mass biometric identification purposes, is not included in biometric databases, and is not shared with third parties for purposes beyond what is strictly necessary to deliver the service.

   The data subject may withdraw consent to the processing of this data at any time, without prejudice to Validocus's obligation to retain the evidence produced during the applicable legal limitation periods.

7. Data processors (third parties handling data)

   To deliver the service, Validocus may share information with the following data processors, all of which are bound by contracts guaranteeing adequate levels of security and confidentiality:

   Wasabi Technologies: cloud storage provider (S3-compatible) where signed PDF documents, video evidence, and signature images are stored. ePayco: payment gateway processing transactions; we do not share signed documents with ePayco, only the data necessary for billing. Avalanche (public blockchain network): only the SHA-256 cryptographic hash of the document is published on-chain. The hash is a one-way identifier containing no personal data and does not allow reconstruction of the original document.

   Email service provider: used to send operational notifications (signing invitations, confirmations, reminders). These processors access only the data strictly necessary for the provision of their service and are required to apply security measures equivalent to those of Validocus.

8. International data transfers

   Some of the data processors are located outside Colombia, which entails international transfers of personal data. In particular: Wasabi storage may take place in data centers located in the United States and/or Europe; the Avalanche blockchain network is a decentralized network with nodes distributed globally, on which only the cryptographic hash of the document is published (containing no personal data).

   These transfers are carried out with the safeguards required by Colombian law (Law 1581, Article 26, and Decree 1377), including contractual clauses with processors and, where applicable, mechanisms analogous to the Standard Contractual Clauses (SCC). The data subject expressly consents to these transfers upon accepting this policy and using the service.

   For data subjects located in the European Economic Area, international transfers are additionally governed by Articles 44 et seq. of the GDPR.

9. Retention period

   Validocus will retain personal data only for as long as is necessary to fulfill the processing purposes, in accordance with the following criteria:

   Signed documents and evidentiary records (PDF, video, signature image, metadata): retained for as long as the contracting user's account remains active, and for an additional period of up to seven (7) years following termination, in line with the general statutes of limitation applicable in Colombia for commercial operations and evidentiary needs.

   Account data (profile, settings, billing information): retained while the account remains active and until the data subject requests its deletion, without prejudice to any legal retention requirements. After applicable periods elapse, data will be deleted or irreversibly anonymized. The hash recorded on blockchain, due to its immutable nature, cannot be deleted; however, as it does not contain reconstructible personal data, its persistence does not affect the data subject's rights.

10. Data subject rights

    Under Article 8 of Colombian Law 1581 of 2012, data subjects have the following rights: (i) Access, update, and rectify their personal data; (ii) Request proof of the authorization granted to the Controller; (iii) Be informed about the use of their data; (iv) File complaints with the Superintendence of Industry and Commerce (SIC) for breaches of the data protection regime; (v) Revoke authorization and/or request deletion of data when processing does not respect constitutional and legal principles, rights, and guarantees; and (vi) Access free of charge the data subject to processing.

    For data subjects located in the European Economic Area, the rights provided under the GDPR are additionally recognized: rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and the right not to be subject to automated decision-making producing significant legal effects.

    The exercise of these rights is free of charge, except in cases expressly permitted by law.

11. How to exercise your rights

    Data subjects may exercise their rights by sending a request to hello@validocus.com, indicating: (i) full name and contact details; (ii) a clear description of the right being exercised and the facts giving rise to the request; (iii) the data they are requesting to access, rectify, update, or delete, as applicable; and (iv) a copy of the ID document where reasonably necessary to verify the requester's identity.

    Pursuant to Article 22 of Decree 1377 of 2013, Validocus will respond to inquiries within a maximum of ten (10) business days from receipt. Where it is not possible to address the inquiry within that period, the requester will be informed of the reasons for the delay and the date on which the request will be addressed, which shall in no case exceed five (5) additional business days.

    Complaints will be handled within a maximum of fifteen (15) business days. If these periods elapse without a response, or if the response is unsatisfactory, the data subject may contact the Superintendence of Industry and Commerce.

12. Information security

    Validocus implements reasonable technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction. Measures adopted include: encryption in transit using TLS 1.3 for all communications between the client and our services; encryption at rest using AES-256 for documents stored in Wasabi; role-based access controls following the principle of least privilege; and audit logging of relevant operations performed on the data.

    In addition, anchoring the document hash on the Avalanche blockchain network provides an immutable evidentiary layer that allows for post-hoc verification of the integrity of signed documents. No security measure can guarantee absolute protection; nevertheless, Validocus strives to maintain security practices aligned with reasonable B2B SaaS industry standards.

    In the event of a security incident affecting personal data, Validocus will notify affected data subjects and the competent supervisory authority in accordance with applicable law.

13. Cookies and similar technologies

    The Validocus website and platform use cookies and similar technologies for strictly necessary purposes related to service operation: authenticated session management, CSRF attack protection, language and interface preferences.

    We use Cloudflare Web Analytics, an analytics tool that does not set cookies or individually track users, providing aggregated and anonymized metrics about site usage. We do not use advertising or cross-site tracking cookies.

    The user may configure their browser to reject cookies; however, this may limit the functionality of the platform, particularly features requiring authentication.

14. Data of minors

    Validocus is a business-oriented (B2B) platform and is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data through the platform, we will diligently proceed to delete it, unless otherwise required by applicable law.

    Parents or legal guardians who believe a minor has provided data to the platform may contact us at hello@validocus.com to request deletion.

15. Changes to this policy

    Validocus may update this policy periodically to reflect changes in its practices, in applicable law, or in supervisory authority guidance. Material changes will be notified with at least thirty (30) calendar days' advance notice, via notice on the platform and email to registered addresses.

    The current version will always be accessible at this link, indicating the date of last update. Continued use of the service after the effective date of the changes will constitute acceptance.

    Minor changes, typographical corrections, or clarifications that do not materially alter data subject rights may be implemented without prior notice.

16. Contact and DPO

    For any inquiry, complaint, exercise of rights, or request related to the processing of personal data, the data subject may contact Validocus's Data Protection Officer (DPO) through the following channels:

    Validocus — Data Protection Officer
    Medellín, Antioquia — Colombia
    Email: hello@validocus.com
    Phone: +57 317 3025584

    Additionally, data subjects may contact the Superintendence of Industry and Commerce (SIC) as Colombia's data protection authority, filing a complaint where they consider their rights have been breached, after first exhausting the procedure with the Controller.