Privacy policy

These legal documents are translations for convenience. The Spanish version governs.

1. Who we are

[REVISAR ABOGADO: razón social completa, RUT, domicilio comercial.]

We are the data controller for your personal data under the terms of Chile’s Law 19.628 on the Protection of Privacy.

2. What data we collect

We collect the following categories of data:

Account data:

  • Name, email, role, production company you belong to.
  • Hashed password (never in plain text).
  • 2FA configuration (if enabled).

Show operational data:

  • Events, riders, budgets, technical packs.
  • Quotes, invoices, payments.
  • Documents uploaded to the system.

Counterparty data:

  • Information about end clients, vendors and promoters that you load into the system.
  • Important: you are responsible for the lawful processing of these third-party data.

Technical telemetry:

  • Usage logs (which pages you visit, which actions you perform).
  • Errors and crashes (via Sentry).
  • Aggregated behavior metrics (via PostHog).

[DECISIÓN PENDIENTE: ¿qué datos específicos recolecta PostHog? Confirmar que no se almacena PII innecesariamente.]

3. How we use them

We use your data to:

  • Provide and maintain the Service.
  • Process payments and billing.
  • Communicate with you about the product (important changes, releases).
  • Improve the product based on aggregated usage patterns.
  • Comply with legal obligations.

We do not use your data to:

  • Train AI models.
  • Sell to third parties.
  • Targeted marketing outside Producit.

4. With whom we share them

We share data only with subprocessors necessary to operate the Service:

SubprocessorPurposeData shared
AWSInfrastructure hostingAll Service data
PayCorePayment processingBilling data
SentryError monitoringTechnical error logs
PostHogProduct analyticsUsage telemetry
AWS SESTransactional email deliveryUser email
[REVISAR ABOGADO: lista completa según infra real]

Each subprocessor is contractually obligated to treat your data with the same level of protection as we do.

5. Where they reside

[DECISIÓN PENDIENTE: confirmar región AWS. JTBD menciona us-east-1 por defecto. Considerar si se mueve a región sudamericana — sa-east-1 (São Paulo) — por razones de latencia y soberanía de datos chilenos.]

Your data is stored on AWS infrastructure in the [REGIÓN A CONFIRMAR] region. Backups are kept in the same region.

6. How long we keep them

[DECISIÓN PENDIENTE: definir política de retención. Sugerimos:]

  • Active account data: as long as the account remains active.
  • Post-cancellation data: 90 days in “soft-delete” state to allow recovery.
  • Final deletion: 90 days after cancellation, except for data retained by legal obligation (SII billing, typically 6 years).
  • Technical logs: 12 months, aggregated without PII.
  • Backups: 30-day rolling window.

[REVISAR ABOGADO: alineación con plazos legales chilenos para facturación electrónica y obligaciones tributarias.]

7. Your rights

Under Law 19.628 you have the following rights regarding your personal data:

  • Access: know what data we hold about you.
  • Rectification: correct inaccurate data.
  • Deletion: request the deletion of your data (subject to legal obligations).
  • Objection: object to specific uses of your data.
  • Portability: receive your data in a structured, exportable format (CSV).

8. How to exercise them

To exercise any of these rights, write to privacy@producit.cl.

We respond within a maximum of 30 business days. If your request requires identity verification, we may ask you for additional documentation.

[REVISAR ABOGADO: procedimiento exacto según práctica chilena.]

9. Security

For technical details on how we protect your data, see /legal/seguridad.

Summary:

  • Encryption in transit (TLS 1.3) and at rest.
  • Multi-tenant isolation at the database level (PostgreSQL Row-Level Security).
  • 2FA authentication available. Recommended for administrative roles.
  • Audit logs of all critical actions.

10. Cookies and trackers

[DECISIÓN PENDIENTE: política de cookies completa. Necesario decidir:]

  • Which strictly necessary cookies do we use? (session, CSRF, preferences)
  • Do we use non-essential analytics cookies? (PostHog)
  • Do we activate a cookie banner with consent? (probably yes, GDPR-friendly)

Draft:

We use the following categories of cookies:

  • Strictly necessary: session, CSRF token, language preferences. No consent required.
  • Analytics: PostHog to understand product usage. Consent required.
  • Marketing: [DECISIÓN: ¿usaremos? por defecto NO en fase 1].

You can manage your cookie preferences from the initial banner or in your account settings.

11. Changes to this policy

We may update this policy. Material changes will be notified with at least 30 days’ notice via email.

12. Contact

Privacy: privacy@producit.cl
Legal: legal@producit.cl

[REVISAR ABOGADO: ¿necesitamos designar formalmente un DPO (Data Protection Officer)? En Chile no es obligatorio bajo Ley 19.628, pero buena práctica.]