Custodio Legal respects the personal data and information provided by its current, past, and potential clients. This Personal Data Protection Policy establishes the purposes, measures, and procedures for our databases, as well as the mechanisms available to data holders to know, update, rectify, delete provided data, or revoke the authorization granted with the acceptance of this policy, in accordance with Colombia's Statutory Law 1581 of 2012, Ecuador's Organic Law on Personal Data Protection (LOPDP), and other applicable regulations in Latin America.
1. Data Controller
Custodio Legal, identified with NIT 1057602936, with domicile in Bogotá D.C., Colombia, acts as the data controller for personal data. You can contact us at [email protected]. Collected data will be processed legally, lawfully, confidentially, and securely, respecting the principles of purpose, freedom, truthfulness, transparency, restricted access, security, and confidentiality.
2. Purpose of Processing
The processing of personal data has the following purposes: a) Provision of contracted legal and administrative management services. b) Managing the contractual relationship with clients, lawyers, and collaborators. c) Sending service-related communications, updates, and legal notifications. d) Billing, collection, and accounting management. e) Conducting satisfaction surveys and service improvement. f) Compliance with legal obligations and requirements from competent authorities. g) Fraud prevention and platform security.
3. Rights of Data Subjects
As the holder of your personal data, you have the following rights, which may be exercised free of charge at any time: (i) ACCESS: Know what personal data we process about you, the purpose of processing, and who we share it with. (ii) RECTIFICATION: Update and correct partially accurate, incomplete, or outdated data. (iii) CANCELLATION/DELETION (Habeas Data): Request deletion of your data when it is no longer necessary for the purpose that justified its collection, or when you revoke your consent, subject to legally mandated retention obligations. (iv) OBJECTION: Object to the processing of your data for marketing, profiling, or automated decision-making purposes. (v) PORTABILITY (LOPDP Ecuador, Art. 11): Receive a copy of your data in a structured, commonly-used, machine-readable format, and transfer it to another data controller. (vi) File complaints with your country's data protection authority: Superintendence of Industry and Commerce (SIC) in Colombia [✉ [email protected]], the Personal Data Protection Superintendency (SPDP) in Ecuador. (vii) Withdraw consent at any time without affecting the lawfulness of prior processing.
4. Authorization and Consent
The processing of personal data requires the free, prior, express, and informed consent of the data holder. By registering on the platform and accepting this policy, you declare that: (i) The data provided is truthful and accurate. (ii) You have the legal capacity and authority to authorize its processing. (iii) You understand the purposes of the processing. (iv) You have been informed of your rights as a data holder. Authorization may be revoked at any time following the procedure established in this policy.
5. Information Security
We implement robust technical, administrative, and organizational security measures to protect your data: (i) AES-256-GCM encryption for stored sensitive data. (ii) Secure transmission via TLS 1.3. (iii) Role-based access control (RBAC). (iv) Detailed audit logs. (v) Automatic backups with geographic redundancy. (vi) Continuous security monitoring. These measures comply with the standards required by the Superintendence of Industry and Commerce and industry best practices.
6. Attention Channel (Habeas Data)
To exercise your rights as a data holder, you can contact us through: (i) Email: [email protected] (ii) Through your account in 'Settings > Privacy & Data'. We will respond to your request within a maximum of ten (10) business days. If the request is incomplete, we will contact you to complete it within five (5) business days. [email protected].
7. How to Exercise Your Rights (ARCO)
You can exercise your rights to Access, Rectify, Cancel, and Oppose directly from your account in 'Profile Settings > Privacy & Data'. You can also send a written request to [email protected] indicating: (i) Your full name and identity document. (ii) Description of facts and request. (iii) Physical or electronic address for notifications. (iv) Supporting documents if applicable.
8. Sensitive Data
Custodio Legal may process sensitive data only when strictly necessary for the provision of legal services and with your express authorization. Sensitive data includes data revealing racial or ethnic origin, political orientation, religious convictions, union membership, health data, sexual life, and biometric data. This data will receive enhanced protection. We do not process data from minors without verifiable consent from their parents or legal guardians.
9. International Data Transfer
Your data may be transferred and processed in third countries, including the United States and the European Union, where our infrastructure providers are located (Cloudflare R2, email services). These transfers will only occur under the following safeguards: (i) The destination country offers an adequate level of protection recognized by the SIC (Colombia) or the SPDP (Ecuador); (ii) Standard contractual clauses guaranteeing equivalent protection are in place; or (iii) You have provided your express and informed consent for the transfer. For Ecuadorian users, this provision complies with Art. 22 of the LOPDP and Executive Decree 904. Infrastructure providers are bound by data processing agreements that impose binding obligations equivalent to those of this Data Controller.
10. Data Processors
To provide our services, we share data with third-party data processors who act under our instructions: (i) Cloudflare Inc. - Content storage and distribution. (ii) Transactional email service providers. (iii) Payment gateway providers. All our processors are contractually obligated to protect your data with security measures equivalent to ours and not to use them for purposes other than authorized.
11. Data Retention Period
We retain your personal data for the time necessary to fulfill the purposes for which it was collected. (i) Account data: During the term of the contractual relationship and 5 additional years due to legal obligations. (ii) Case and legal document data: 10 years according to legal archiving requirements. (iii) Audit logs: 5 years. (iv) Billing data: 10 years due to tax obligations. Once these periods are met, data will be securely deleted or anonymized.
12. Validity and Modifications
This policy becomes effective as of February 2026 and will remain in effect until replaced by a new version. We reserve the right to modify this policy at any time. We will notify you of any material changes by email or through a prominent notice on the platform at least 15 days in advance. Continued use of the service after notification constitutes acceptance of the changes.
13. Applicable Legal Framework
This policy is governed by the data protection regulations of the data holder's country of residence, including: Colombia (Statutory Law 1581 of 2012 and Decree 1377 of 2013), Ecuador (Organic Law on Personal Data Protection and Executive Decree 904), Mexico (LFPDPPP and ARCO rights), Argentina (Law 25.326), Chile (Law 19.628), Peru (Law 29733), and Brazil (LGPD - Law 13.709). In case of conflict, the regulations of the data holder's country of residence shall prevail, provided they offer an equal or higher level of protection.
14. Artificial Intelligence (AI) Processing
Custodio Legal offers Artificial Intelligence features (currently: Case Summary) that are optional and user-initiated. AI processing is governed by the following principles: (i) LEGAL BASIS: Express consent given by executing each AI operation, evidenced by the voluntary consumption of credits tied to the action. (ii) DATA MINIMIZATION: Only the minimum data necessary for the requested operation is sent to the AI provider (e.g., the text of the active case). We do NOT send file attachments, metadata of other cases, information about other clients, or data unrelated to the operation's context. (iii) AI PROVIDER: We use enterprise-grade AI providers (currently Anthropic Claude) subject to contractual data processing agreements (DPAs) that guarantee: (a) prohibition on using your data to train or improve models; (b) encryption in transit (TLS 1.3) and at rest; (c) access controls and audit logs. (iv) RETENTION AT PROVIDER: Data sent to the provider is retained for a maximum of thirty (30) days solely for abuse detection and legal compliance, after which it is securely deleted. No persistent copy remains in the provider's systems. (v) INTERNATIONAL TRANSFER: AI processing occurs on servers located outside Colombia and Ecuador (primarily United States and European Union). Such transfer is covered by the same safeguards described in Section 9 of this policy and by your express consent. (vi) AUTOMATED DECISIONS: AI outputs are supporting material; no legal or contractual decisions are made fully automatically. The professional judgment of the attorney is irreplaceable (see Terms of Service, Section 17). (vii) APPLICABLE ARCO RIGHTS: You may exercise access, rectification, deletion, and opposition rights over data processed by AI. Local deletion is immediate; deletion at the provider occurs within its contractual retention cycle (max. 30 days). (viii) FULL OPT-OUT: You may fully disable AI features for your firm from 'Settings > AI' without affecting the rest of the service. (ix) SENSITIVE DATA: You must not deliberately send sensitive third-party data (health, sexual orientation, ethnic origin, biometrics) to AI features without prior authorization from the data subject. (x) LIABILITY LIMIT: AI models may produce errors or 'hallucinations'. All output must be verified by a professional before use. Custodio Legal is not responsible for decisions made without human verification.