Privacy Policy
Last updated: March 2026
Grupo Quatio S.A.S. ("Quatio," "we," "us," or "our"), domiciled in Colombia, is the data controller for personal data collected through the quatio.co website and all its subdomains (the "Platform").
This Privacy Policy describes how we collect, use, store, and protect your personal information, in compliance with Colombian Law 1581 of 2012 (Personal Data Protection Law), Decree 1377 of 2013, and other applicable regulations. We also incorporate principles from the European Union's General Data Protection Regulation (GDPR) for international users.
1. Data We Collect
1.1 Data you provide directly
| Data | When collected | Purpose |
|---|---|---|
| Name, email, phone, company | When you request commercial contact through the chatbot (Qyro) | Commercial follow-up and sales opportunity management |
| Email, name, profile picture | When you create an account via Google or Microsoft OAuth | User authentication and identification |
| Email and password | When you create an account with email and password | User authentication and identification |
| Interest or commercial need | When you describe your needs in the chatbot | Personalization of commercial recommendations |
1.2 Data collected automatically
| Data | Mechanism | Purpose |
|---|---|---|
| Language preference (es/en) | quatio-lang cookie (1 year) | Maintain your preferred language across all Quatio applications |
| Theme preference (light/dark) | quatio-theme cookie | Maintain your visual preference |
| Session token | quatio_session cookie (4 hours, HttpOnly) | Secure authentication across applications |
| Chat session identifier | Browser localStorage | Chatbot conversation continuity |
| Browsing and traffic data | Google Analytics | Traffic pattern analysis and user experience improvement |
| Qyro conversation content | Server (DynamoDB) | Service delivery, commercial follow-up, continuous improvement |
| Conversation metadata (source page, device type) | Server (DynamoDB) | Internal analytics and service improvement |
1.3 Data we do NOT collect
- We do not sell, rent, or share your personal data with third parties for marketing purposes.
- We do not collect financial data directly. Payments are processed through Paddle, which handles payment data independently under its own privacy policy.
2. Purposes of Data Processing
We use your personal data for the following purposes:
Primary purposes (necessary for service delivery):
- Provide the virtual assistant (Qyro) service and respond to your inquiries.
- Manage commercial follow-up when you request to be contacted.
- Authenticate your identity and maintain account security.
- Maintain your language and visual theme preferences on the Platform.
Secondary purposes (legitimate interest):
- Improve the quality of our products and services through analysis of anonymized conversations.
- Generate internal Platform usage statistics.
- Analyze traffic patterns and browsing behavior through Google Analytics to optimize content and user experience.
- Send commercial communications related to our services, provided you have given your contact information for this purpose.
3. Legal Basis for Processing
| Processing activity | Legal basis |
|---|---|
| Commercial contact data | Consent (Art. 9, Law 1581 of 2012) |
| Account authentication | Contract performance |
| Functional cookies (language, theme, session) | Legitimate interest / technical necessity |
| Web analytics (Google Analytics) | Legitimate interest |
| Service improvement | Legitimate interest |
| Commercial communications | Consent |
4. Your Rights
Under Colombian Law 1581 of 2012, you have the right to:
- Know: Request information about the personal data we hold about you.
- Update: Correct inaccurate, incomplete, or outdated data.
- Rectify: Request the correction of erroneous information.
- Delete: Request the deletion of your data when there is no legal obligation to retain it.
- Revoke: Withdraw your consent for data processing at any time.
- Access: Obtain a copy of your stored personal data.
- File complaints: With the Superintendencia de Industria y Comercio (SIC) if you believe your rights have been violated.
For international users (GDPR): Additionally, we recognize your right to data portability and to object to processing based on legitimate interest.
How to exercise your rights: Send your request to info@quatio.co including your full name, identification document, and the right you wish to exercise. We will respond within fifteen (15) business days, in accordance with the law.
5. Storage and Security
5.1 Data location
Your data is stored on Amazon Web Services (AWS) servers in the us-east-1 region (Northern Virginia, United States). AWS complies with international security certifications, including ISO 27001 and SOC 2, and participates in the EU-US Data Privacy Framework.
5.2 Security measures
We implement the following measures to protect your information:
- Encryption in transit: All communications use HTTPS/TLS.
- Secure cookies: Session cookies are HttpOnly (not accessible via JavaScript) and Secure (HTTPS only).
- Secure authentication: JWT tokens signed with RS256, cryptographic key verification.
- Multi-factor authentication (MFA): Available for administrative accounts.
- Environment separation: Development, testing, and production environments are completely isolated.
- Restricted access: Data access is limited to authorized personnel through group and permission controls.
5.3 Data retention
| Data type | Retention period |
|---|---|
| Anonymous Qyro conversations | 30 days |
| Lead data (commercial contact) | For the duration of the commercial relationship or until you request deletion |
| User account data | While the account is active or until you request deletion |
| Functional cookies | Per configured duration (session: 4h, language: 1 year) |
| Google Analytics data | Per Google Analytics retention settings (default 14 months) |
6. Third-Party Services
To operate the Platform, we use the following third-party services:
| Service | Provider | Purpose | Privacy policy |
|---|---|---|---|
| Cloud infrastructure | Amazon Web Services (AWS) | Hosting, storage, processing | aws.amazon.com/privacy |
| Web analytics | Google Analytics | Traffic analysis and user behavior | policies.google.com/privacy |
| Authentication (OAuth) | Google | Social sign-in | policies.google.com/privacy |
| Authentication (OAuth) | Microsoft | Social sign-in | privacy.microsoft.com |
| Payment processing | Paddle | Subscription payments | paddle.com/legal/privacy |
| Web typography | Google Fonts | Font loading | developers.google.com/fonts/faq/privacy |
These providers act as data processors and are subject to their own privacy policies and security standards.
7. Cookies and Tracking Technologies
7.1 Cookies we use
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| quatio-lang | Functional | 1 year | Store your language preference |
| quatio-theme | Functional | Persistent | Store your visual theme preference |
| quatio_session | Strictly necessary | 4 hours | Maintain your authenticated session |
| _ga, _ga_* | Analytics | Up to 2 years | Google Analytics: distinguish unique users and sessions |
7.2 Google Analytics
We use Google Analytics to analyze traffic patterns, understand how visitors interact with our content, and continuously improve the user experience. Google Analytics collects information in an anonymized manner, including:
- Pages visited and time spent.
- Traffic sources (search engines, social media, direct links).
- Device type, browser, and operating system.
- Approximate geographic location (city level).
You can opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on.
7.3 Local storage (localStorage)
The Qyro chatbot uses your browser's local storage to maintain conversation continuity. This data remains exclusively on your device and can be deleted by clearing your browser data.
8. International Data Transfer
Your data may be transferred to and stored on servers located in the United States (AWS us-east-1). This transfer is carried out in accordance with Article 26 of Law 1581 of 2012, ensuring adequate levels of data protection through:
- Contractual clauses with cloud service providers.
- AWS security certifications (ISO 27001, SOC 2).
- Provider participation in international data protection frameworks.
9. Children's Privacy
The Platform is not directed at minors. We do not intentionally collect personal data from individuals under 18 years of age. If you are a parent or guardian and believe that a minor has provided us with personal data, please contact us at info@quatio.co to request its deletion.
10. Changes to This Policy
We reserve the right to update this Privacy Policy periodically. Any changes will be published on this page with the updated last-modified date. We recommend reviewing this page periodically.
11. Contact and Data Protection
For inquiries, rights exercise requests, or complaints related to the processing of your personal data:
- Data controller: Grupo Quatio S.A.S.
- Email: info@quatio.co
- WhatsApp: +57 300 278 1847
- Website: https://quatio.co
Supervisory authority: Superintendencia de Industria y Comercio (SIC) of Colombia — www.sic.gov.co