Privacy Policy
01 Data controller
The controller of your personal data is:
This Privacy Policy applies to the costrol.cl website, the Costrol SaaS platform and all related services.
Costrol acts as data controller for registration, usage and navigation data. For financial and banking data uploaded by the user, it acts as data processor, with the user being the controller of such data.
02 Data we collect
We collect different types of information depending on your interaction with the Service:
2.1 Data you provide directly
| Category | Specific data | When collected |
|---|---|---|
| Identity data | Name, surname, tax ID (optional) | At registration |
| Contact data | Email, phone (optional) | At registration or profile update |
| Company data | Company name, tax ID, business type, address | When completing profile or billing |
| Credentials | Password (stored as bcrypt hash, never in plain text) | At registration |
| Billing data | Card information (processed by certified gateway, not stored by Costrol) | When subscribing to a paid plan |
| Project financial data | Bank statements, transactions, categories, budgets, project names | During Service use |
| Communications | Messages sent to support, contact forms | When contacting us |
2.2 Data we collect automatically
| Data | Purpose |
|---|---|
| IP address | Security, fraud detection, approximate geolocation |
| User agent (browser & OS) | Technical compatibility and support |
| Pages visited & session time | Usage analysis for product improvement |
| Access date & time | Activity logging and security audit |
| Session identifier | Authentication and active session maintenance |
| Platform actions (events) | Usage analysis, UX improvement, technical support |
Costrol never collects special category or sensitive data such as racial origin, health, political affiliation, religion or sexual orientation.
03 Processing purposes & legal bases
We process your personal data only for the following purposes, each with its corresponding legal basis under Chilean Law N° 19.628:
| Purpose | Legal basis |
|---|---|
| Provision of the contracted Service (account creation, statement processing, dashboard display) | Contract performance (Terms of Use) |
| Subscription management, billing and tax document issuance | Contract performance + legal obligation (SII Law) |
| Transactional communications (confirmations, alerts, support) | Contract performance |
| Service security, fraud and abuse prevention | Legitimate interest of Costrol |
| Product improvement through anonymized statistical analysis | Legitimate interest of Costrol |
| Newsletter and marketing communications | Consent (explicit opt-in) |
| Compliance with legal obligations and authority requirements | Legal obligation |
Marketing communications are always opt-in. You can unsubscribe at any time by clicking "Unsubscribe" at the bottom of any commercial email.
04 Sharing data with third parties
Costrol does not sell, rent or commercialize your personal data under any circumstances. We only share information in the following limited cases:
4.1 Data processors (sub-processors)
We use external providers acting as data processors under our instructions and contractually obligated to protect your data:
4.2 Mandatory legal disclosure
We may disclose personal information when required by law, court order or competent Chilean authority (SII, PDI, Public Prosecutor), strictly to the extent necessary.
4.3 Transfer in case of corporate change
In the event of a merger, acquisition or sale of Costrol assets, user data may be transferred to the new owner, who will be bound by this Policy. We will notify users at least 30 days in advance.
05 Financial & banking data: special protection
The financial data you upload to Costrol (bank statements, transactions, budgets, project costs) receives special protection:
- Exclusively the user's property: This data belongs to you. Costrol is only the technical custodian processing it under your instructions.
- Access restricted to the minimum necessary: Only the strictly necessary technical staff can access the data, under confidentiality agreements.
- No commercial analysis: Costrol does not analyze, aggregate or use your financial data for its own commercial purposes or to offer to third parties.
- No use for external AI training: Financial data is not used to train third-party artificial intelligence models.
- Tenant isolation: Each company's/account's data is logically isolated from other accounts.
Processed bank statements are stored encrypted with AES-256. Access to decrypted data requires multi-factor authentication and is logged in audit logs.
06 Data retention periods
We retain personal data only for the time necessary to fulfil the purposes for which it was collected:
| Data type | Retention period | Reason |
|---|---|---|
| Active account data (profile, settings) | While the account is active | Service provision |
| Financial data (active account) | According to plan limit (6 months) | Service provision |
| Financial data (post-cancellation) | 90 calendar days | Export and portability |
| Billing data and SII documents | 6 years | Legal tax obligation |
| Security and audit logs | 12 months | Security and investigation |
| Support communications (emails) | 3 years | Service record |
| Anonymized analytics data | Indefinite (not personal data) | Product improvement |
| Backup copies | 90 additional days post-active retention | Disaster recovery |
Upon expiry of the retention period, data is securely deleted through overwriting or certified destruction of storage media.
After cancelling your account you have 90 days to export all your data from the settings panel before it is permanently deleted.
07 Security measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction or disclosure:
7.1 Technical measures
- Encryption in transit: TLS 1.3 on all communications. HTTP Strict Transport Security (HSTS) enforced.
- Encryption at rest: AES-256 for all stored data.
- Passwords: Stored as bcrypt hash (cost factor 12). Never in plain text.
- 2FA available: Optional two-factor authentication for all users (mandatory for Enterprise accounts).
- Security testing: Periodic audits, vulnerability scans and penetration tests.
- Continuous monitoring: Intrusion detection systems and automatic alerts.
7.2 Organizational measures
- Production data access restricted to minimum necessary staff, under the principle of least privilege.
- Confidentiality agreements with all staff and contractors with data access.
- Regular security and data privacy training for the team.
- Documented procedure for responding to security breaches.
7.3 Breach notification
In the event of a security breach affecting personal data, Costrol will notify affected users within 72 hours of becoming aware of it.
08 Cookies & tracking technologies
Costrol uses cookies and similar technologies for technical operation and Service improvement:
Costrol does not use advertising cookies or share behavioral data with ad networks. We do not show ads.
You can manage cookies through Settings → Privacy, or through your browser settings.
09 Your data rights
Under Chilean Law N° 19.628 and applicable legislation, you have the following rights regarding your personal data:
How to exercise your rights
To exercise any of these rights, write to privacidad@costrol.cl indicating:
- Your full name and email associated with the account.
- The right you wish to exercise.
- Specific description of your request.
We will respond within 30 business days of receiving your request.
If you believe your request was not handled correctly, you can appeal to the Council for Transparency or the competent courts of Chile.
10 Minors
The Costrol Service is directed exclusively at persons over 18 years of age. We do not intentionally collect personal data from minors.
If you become aware that a minor under 18 has created an account, notify us at privacidad@costrol.cl and we will delete that account and its associated data.
11 International data transfers
Some of our infrastructure providers (such as AWS) operate from servers located outside Chile, primarily in the United States. These transfers are made with the following safeguards:
- Providers are subject to standard contractual clauses guaranteeing a level of protection equivalent to Chilean standards.
- AWS holds international security certifications (ISO 27001, SOC 2 Type II) equivalent to the standards required by Law 19.628.
- Project financial data is stored in the us-east-1 region (Virginia, USA) under the security standards described in section 7.
By accepting these terms and using the Service, you consent to the transfer of your data to these countries under the described safeguards.
12 Changes to this policy
We may update this Privacy Policy occasionally to reflect changes in our practices, the Service or applicable law.
- Material changes will be notified by email at least 30 days in advance.
- Non-material changes (wording corrections, clarifications) will be published without prior notice.
- The "Last updated" date at the top of the document always reflects the current version.
- Continued use of the Service after changes take effect constitutes acceptance of the new policy.
The history of previous versions of this policy is available on request by emailing privacidad@costrol.cl.
13 Privacy contact
For any inquiry, request or complaint related to this Privacy Policy:
We respond to privacy requests within 30 business days.