Privacy Policy

Last Updated: Monday, May 5, 2025

1.1. Introduction and Scope

Kapaxia SAC ("Kapaxia", "We", "Us") is committed to protecting the privacy and personal data of the users ("User", "Client", "You") of our Software as a Service ("Services"). This Privacy Policy describes how we collect, use, store, share, transfer, and protect your personal information in strict compliance with Law No. 29733, Personal Data Protection Law of Peru ("LPDP"), its Regulation approved by Supreme Decree No. 003-2013-JUS, and the provisions of the new Regulation approved by Supreme Decree No. 016-2024-JUS (hereinafter, jointly referred to as the "Personal Data Protection Regulations").

This policy applies to all personal data processed by Kapaxia in relation to the use of our Services.

1.2. Identity and Domicile of the Owner of the Personal Data Bank

The owner of the personal data bank where your information will be stored is:

Kapaxia SAC
RUC: 20611849746
Domicile: Trujillo, Peru.

For any questions or to exercise your rights related to personal data protection, you can contact us at the following email address: team@kapaxia.com.

In accordance with DS 016-2024-JUS, certain organizations that carry out large-scale data processing or processing of sensitive data may require the appointment of a Personal Data Protection Officer (DPD or ODP). Kapaxia will continuously assess whether it meets the legal criteria for such appointment and, if applicable, will communicate the contact details of the DPD through this policy.

1.3. Personal Data We Collect

We collect different types of personal data to be able to provide and improve our Services:

  • Account registration data: Full name and email address (mandatory). Phone number, profile picture, company name (if applicable), position, address, and other information may be required depending on the account or service type.
  • Payment data: Information necessary to process your payments, such as credit/debit card details or bank account information. This information is collected and processed directly by our payment service provider (currently Polar.sh). Kapaxia may receive and store limited transaction information (e.g., last four digits of the card, transaction date) for verification and subscription management purposes.
  • User content: Any personal information contained in the data, files, or materials that You upload, generate, or process using our Services. You are responsible for ensuring that You have the legal authority to process such personal data through our Services.
  • Usage and technical data: Information about how You interact with our Services, such as IP addresses, browser type, operating system, pages visited, access dates and times, activity logs, and device identifiers. Some of this information may be collected automatically through cookies and similar technologies (see our Cookie Policy) or through tools from our providers like Cloudflare.
  • Communication data: Information You provide when communicating with us for technical support, inquiries, or feedback, including the content of Your communications.
  • Sensitive Data: Generally, our Services are not designed to collect or process sensitive data (as defined by the LPDP, which includes biometric data, racial and ethnic origin, economic income, political, religious, philosophical, or moral opinions, union affiliation, and information related to health or sexual life, and according to DS 016-2024-JUS, also neural information). If You use the Services to process sensitive data, it is Your responsibility to obtain explicit and written consent from the data subjects and comply with all applicable legal requirements. Kapaxia will treat any sensitive data that may be incidentally processed through User Content with the utmost security measures.

1.4. Purpose and Legal Basis of Processing

We process your personal data for specific and legitimate purposes, based on valid legal grounds under the Personal Data Protection Regulations.

  • Account Registration Data: We use it to create and manage your user account, provide you with access to the contracted Services, verify your identity, and communicate with you about your account and the Services (updates, security alerts, support). The main legal basis for this processing is the performance of the contract (T&C) and compliance with a legal obligation (verification). We will retain this data while the account is active plus the applicable legal term (e.g., statute of limitations).
  • Payment Data: We need it to process your payments for the Services and manage subscriptions and billing. This is legally based on the performance of the contract (T&C) and compliance with legal obligations (tax records). We will retain this data during the contractual relationship plus the legal tax/accounting terms (e.g., 5 years).
  • User Content: We store, process, and display the content according to your instructions when using the Service, allowing you to use the Service's functionalities with your data. The legal basis is the performance of the contract (T&C) and consent (implied when uploading the content to be processed by the Service, but you are responsible for the consent of the original data subject if applicable). We will retain this content while the account is active or until you delete it (subject to backups and deletion policies).
  • Usage and Technical Data: We monitor and ensure the security and performance of the Services, prevent fraud and abuse, analyze Service usage to understand trends and improve functionalities (generally in aggregated/anonymized form), and diagnose technical problems. This is based on legitimate interest (security, service improvement), performance of the contract (basic functionality), and consent (for non-essential analysis through cookies, see Cookie Policy). We will retain this data for the period necessary for analysis and security (e.g., logs may be rotated periodically).
  • Communication Data: We use the information provided when contacting us for technical support, inquiries, or feedback to respond to your requests and maintain records of our interactions. The legal basis is the performance of the contract (support) and legitimate interest (service improvement, relationship management). We will retain this data for as long as necessary to resolve the inquiry plus a reasonable period for follow-up or archiving.
  • Data for Marketing (if applicable): If you have opted in, we will send you commercial communications about our products, services, promotions, or special offers. This is based on your explicit and informed consent. We will retain this data until you withdraw your consent.

We will not use your personal data for purposes other than or incompatible with those informed here, unless we have your prior consent or there is a legal authorization.

1.5. Consent

We will obtain your free, prior, express, informed, and unequivocal consent before processing your personal data, whenever this is the applicable legal basis (e.g., for marketing purposes or the use of certain cookies).

  • Free: Your consent will not be unduly conditioned on the provision of the Service if the requested data is not necessary for it.
  • Prior: We will request your consent before or at the time of data collection.
  • Express and Unequivocal: Your consent will be manifested through a clear affirmative action (e.g., checking an unchecked box, clicking an acceptance button). We will not use pre-checked boxes or silence as a form of consent.
  • Informed: We will provide you with all the information required by law (identity of the controller, purpose, recipients, rights, etc.) before you grant your consent.

You have the right to withdraw your consent at any time for those processing activities that are based on it (such as marketing). The withdrawal of consent will not affect the lawfulness of processing based on consent prior to its withdrawal. You can withdraw your consent by contacting us at team@kapaxia.com or using the specific mechanisms provided (e.g., unsubscribe link in marketing emails). We will address your request for revocation or opposition to processing for advertising purposes within a maximum of ten (10) business days, in accordance with DS 016-2024-JUS.

1.6. Rights of the Personal Data Subject (ARCO and Portability)

You have the right to exercise the following rights over your personal data, known as ARCO rights, as well as the right to portability:

  • Access: Request information about whether your personal data is being processed, what it is, how it was collected, and with whom it is shared.
  • Rectification: Request the correction of your personal data if it is inaccurate, incomplete, erroneous, or false.
  • Cancellation (Deletion): Request the deletion of your personal data from our databases when it is no longer necessary for the purposes for which it was collected, when you have withdrawn your consent, or if you consider that it is not being processed in accordance with the law. Cancellation may not proceed if there is a legal obligation to retain it.
  • Opposition: Object to the processing of your personal data for legitimate and well-founded reasons related to a specific personal situation, or if your data is being processed for purposes other than those you consented to. You can specifically object to the use for advertising purposes.
  • Data Portability: (In accordance with DS 016-2024-JUS) Request to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another data controller, when the processing is based on consent or a contract and is carried out by automated means, provided it is technically feasible and does not involve a disproportionate effort.
  • Information: Be informed in a detailed, simple, and prior manner about the purpose of the processing, recipients, existence of the database, identity of the controller, and consequences of providing the data or refusing to do so.

Procedure to exercise your rights: You can exercise these rights by sending a written request to our email address team@kapaxia.com, attaching a copy of your DNI or equivalent identification document to verify your identity. If you act through a representative, you must also attach the power of attorney or document proving the representation.

We will respond to your request within the established legal deadlines:

  • Right to Information: 8 business days.
  • Right of Access: 20 business days.
  • Rights of Rectification, Cancellation, and Opposition: 10 business days. These deadlines may be extended only once for an equal period, with prior communication, if the complexity of the request justifies it.

If you believe that your request has not been adequately addressed, you have the right to file a complaint with the National Authority for Personal Data Protection (ANPD) of Peru.

1.7. Retention of Personal Data

We will retain your personal data only for as long as is strictly necessary to fulfill the purposes for which it was collected, to provide you with the Services, to comply with our legal obligations (including tax, accounting, or auditing requirements), to resolve disputes, and to enforce our agreements.

The criteria used to determine retention periods include: the duration of your contractual relationship with us (while you maintain an active Account), the existence of legal obligations requiring data retention for a specific period (e.g., tax documentation for 10 years), and the applicable limitation periods for potential legal actions.

Once your personal data is no longer necessary for these purposes, we will proceed to securely delete it or irreversibly anonymize it.

1.8. Security of Personal Data

Kapaxia is committed to adopting the necessary and appropriate technical, organizational, and legal measures to guarantee the security and confidentiality of your personal data, and to prevent its alteration, loss, unauthorized processing, or access, in accordance with the Personal Data Protection Regulations.

These measures include, among others:

  • Physical and logical access controls to our systems and databases.
  • Use of encryption for data in transit and at rest, where appropriate.
  • Secure user and password management procedures.
  • Security monitoring and intrusion detection.
  • Performing periodic backups (at least weekly, according to DS 016-2024-JUS, if there were updates).
  • Staff training on data protection and security.
  • Use of recognized infrastructure and security providers (such as Railway.com and Cloudflare) who implement their own robust security measures.
  • Maintaining documentation on our security policies and measures, in accordance with DS 016-2024-JUS.

We acknowledge that no security measure is infallible. We rely on the infrastructure and security services of our providers for certain aspects (shared responsibility model). Although we take reasonable precautions, we cannot guarantee the absolute security of your information.

1.9. Data Processors and International Data Transfers

To provide our Services, we use the services of third-party providers who act as data processors of your personal data under our instructions. These include:

  • Railway.com: Cloud hosting service provider (infrastructure), located in the United States (USA).
  • Cloudflare, Inc.: Security, Content Delivery Network (CDN), and storage service provider, located in the United States (USA).
  • Polar.sh: Payment processing service provider, located in Sweden.

These providers have been selected for their security and reliability standards. Data processing by these processors is governed by contracts that include data protection clauses.

Given that these key providers are located in the United States and Sweden, the transfer of your personal data to them constitutes a cross-border flow of personal data according to the LPDP. Peruvian law requires that for such transfers, an adequate level of protection for personal data must be guaranteed, comparable to that offered by Peruvian regulations.

Kapaxia ensures this adequate level of protection for transfers to the United States primarily through the execution of Standard Contractual Clauses (SCCs) with these providers, based on or equivalent to those recommended or approved by the National Authority for Personal Data Protection of Peru, or other legal instruments that offer sufficient guarantees in accordance with the LPDP and its regulations. These clauses impose specific obligations on data recipients regarding security, confidentiality, purpose limitation, and respect for data subjects' rights.

We may use other data processors for specific purposes (e.g., analytics tools, customer support). We will always ensure that adequate contractual and security guarantees are in place before sharing your data.

1.10. Notification of Security Incidents (Security Breaches)

In the event of a security incident that causes the destruction, loss, alteration, or disclosure of, or unauthorized access to, your personal data, and which may pose a risk to your rights and freedoms, Kapaxia undertakes to notify the National Authority for Personal Data Protection (ANPD) and the affected personal data subjects of such incident, without undue delay and, as a general rule, within forty-eight (48) hours of becoming aware of it and its potential impact, in accordance with the provisions of DS 016-2024-JUS.

The notification will include, at a minimum, a description of the nature of the incident, the categories of data and data subjects affected, the possible consequences, the measures adopted or proposed to remedy the incident and mitigate its adverse effects, and recommendations to the affected data subjects. We document all security incidents, their effects, and the corrective measures taken.

1.11. Processing of Data of Minors

Our Services are not directed at children under 14 years of age. We do not knowingly collect personal data from children under that age. If we become aware that we have collected personal data from a child under 14 without verifiable parental consent, we will take steps to delete that information as soon as possible.

If our Services were to be used by minors (between 14 and 18 years of age), we will ensure compliance with the specific requirements of DS 016-2024-JUS, including obtaining their consent (if they are 14 years or older) using clear and adapted language, and making reasonable efforts, considering available technology, to verify their age and ensure that the processing is appropriate. The collection of socioeconomic data of parents or guardians through minors is prohibited.

1.12. Updates to the Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our data processing practices or applicable law. We will notify you of any material changes by posting the new policy on our Platform or by sending you a direct communication. We encourage you to review this policy regularly. The date of the last update is indicated at the beginning of this document.

1.13. Contact

If you have any questions, comments, or concerns about this Privacy Policy or how we process your personal data, or if you wish to exercise your rights, please contact us at:

Email: team@kapaxia.com