PRIVACY POLICY
Applicable Regulatory Framework: General Data Protection Regulation (GDPR) (EU) 2016/679, Law 1581/2012 (Colombia), LFPDPPP (Mexico), Law 29733 (Peru), Law 19.628 (Chile).
Privacy by design constitutes the foundational architecture of our platform; our systems have been engineered fundamentally to safeguard your most sensitive personal data.
The legal entity (hereinafter, "The Company", "we", "us", or the "Data Controller") processes the personal data of its users with the utmost responsibility, integrity, and transparency. This Privacy Policy delineates the categories of data we collect, the specific purposes for such processing, the entities with whom such data may be shared, and the inherent rights afforded to you as a data subject.
This legal instrument strictly complies with the General Data Protection Regulation (GDPR) of the European Union, Statutory Law 1581 of 2012 of Colombia alongside its Regulatory Decree 1377 of 2013, the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) of Mexico, Law 29733 of Peru, and Law 19.628 of Chile.
Article 1. Identification of the Data Controller
Corporate Name: ASDF NETWORK LATAM S.A.S. (SODASPACE)
Tax Identification Number: NIT900964091-1.
Principal Domicile: CRA 13 83 19, Bogotá D.C., Colombia.
Contact Email: info@sodaspace.co
Operating Jurisdictions: Colombia, Mexico, Chile, Peru.
Data Protection Officer (DPO): Available upon formal request via the designated corporate email.
Article 2. Scope of Application
The provisions of this Privacy Policy apply to the following categories of data subjects:
Highly qualified foreign nationals accessing our Proprietary Tenant Certification Protocol.
Corporate representatives and Human Resources personnel procuring the Company's services.
Property operators, managers, and landlords registered within the platform ecosystem.
General visitors to the corporate website and any associated subdomains.
The utilization of the Company's services is strictly prohibited for individuals under the age of eighteen (18). We do not intentionally collect, process, or store personal data pertaining to minors. In the event that the incidental collection of a minor's data is detected, such information shall be immediately and permanently expunged from our infrastructure.
Article 3. Categories of Personal Data Collected
We collect and process the following categories of personal data, systematically classified according to their nature:
Data Category | Legal Description and Examples
Identity Data | Full legal name, passport identification number, visa status, date of birth, nationality, and a frontal photograph of the official government-issued identity document.
Biometric Data | Real-time facial geometry captured exclusively for liveness detection and genuine presence verification. This constitutes a special category of sensitive data.
Financial Data (Open Banking) | Read-only access to banking transactions, average balance calculations, and income source verification facilitated via Authorized Financial Data Aggregators. The Company strictly prohibits the storage of banking credentials or raw transactional data.
Contact Data | Primary email address, mobile telephone number, and current jurisdiction of residence.
Electronic Signature Data | Evidentiary records of consent captured via Certified Electronic Signature Providers, encompassing IP addresses, timestamps, and cryptographic hashes of the executed agreements.
Distributed Ledger Data | Cryptographic hash (SHA-256 algorithm) of the approved certification profile, registered immutably on a public decentralized network. This hash is publicly visible but contains absolutely no personal data in clear text.
Platform Usage Data | Internet Protocol (IP) addresses, browser specifications, navigational pathways, session durations, and essential analytical cookies.
Corporate Data (B2B) | Corporate entity name, Tax Identification Numbers, designated contact personnel, professional titles, and corporate email addresses.
Article 4. Lawful Basis for Processing
Every processing activity executed by the Company is strictly governed by at least one of the following lawful bases:
Explicit Consent: The data subject grants express, prior, and informed authorization before the initiation of the certification process, executed via an advanced electronic signature protocol.
Performance of a Contract: The processing operations are strictly necessary to evaluate the applicant's suitability and to generate the requested tenant certification.
Legitimate Interest: Encompassing essential fraud detection mechanisms, the preservation of platform security architecture, and the continuous optimization of automated evaluation algorithms.
Compliance with a Legal Obligation: Facilitating mandatory regulatory reporting to supervisory authorities as stipulated by applicable local legislation.
For the processing of biometric data (categorized as sensitive data), the sole and exclusive lawful basis is the explicit, informed, and prior consent obtained from the data subject before the activation of any facial capture technology.
Article 5. Purposes of Processing
5.1 Primary Purposes
Identity verification and fraud prevention executed through biometric liveness detection technologies.
Financial solvency evaluation facilitated by Open Banking API integrations, strictly limited to a read-only architecture.
The generation, issuance, and cryptographic anchoring of the proprietary tenant certification via blockchain hashing.
The administration and execution of the contractual relationship with property operators, landlords, and corporate clients.
The facilitation of a guarantor-free lease agreement process, eliminating the requirement for a local financial co-signer.
5.2 Secondary Purposes (Subject to Additional Consent)
The transmission of commercial communications, marketing materials, and corporate newsletters.
The enhancement and refinement of proprietary risk-scoring algorithms utilizing exclusively aggregated and anonymized datasets.
The execution of macroeconomic market research concerning the mobility of skilled talent across the Latin American region.
Under no circumstances shall the Company utilize your biometric or financial data for secondary purposes without securing a new, explicit, and separate consent mandate.
Article 6. International Data Transfers
The Company operates across multiple international jurisdictions and leverages a global ecosystem of specialized technology providers. Consequently, your personal data may be transferred to, and processed by, the following categories of sub-processors:
Sub-Processor Category | Core Functionality | International Compliance Guarantee
Identity Verification & Payment Gateways | Biometric geometry processing and payment execution. | Subject to the EU-U.S. Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).
Open Banking Aggregators | Secure, read-only extraction of financial stability metrics across operational jurisdictions. | SOC 2 Type II Certification. Data Processing Agreements (DPAs) compliant with local laws and SCCs.
Electronic Signature Infrastructure | Advanced digital execution and cryptographic sealing of legal agreements. | ISO 27001 Certification. Governed by stringent data protection clauses and DPAs.
Public Decentralized Ledgers | Immutable recording of the certification status. | Only cryptographic hashes are published; no clear-text personal data is transferred or stored on-chain.
Cloud Infrastructure Providers | Core computational processing and database storage (Multi-region deployment). | Data is localized preferentially in highly secure server regions under enterprise-grade DPAs.
All international transfers of personal data are safeguarded by adequate mechanisms in strict accordance with Chapter V of the GDPR, primarily relying upon Standard Contractual Clauses (SCCs) approved by the European Commission, alongside equivalent adequacy safeguards mandated by Latin American data protection authorities.
Article 7. Data Retention Periods
Personal data shall be retained exclusively for the duration strictly necessary to fulfill the declared purposes of processing, subject to the following schedules:
Identity & Biometric Data: Automatically expunged by the specialized sub-processor within 30 days following the completion of the verification event, except in cases involving an active dispute or suspected fraud.
Financial Data (Open Banking): The API access token expires automatically after 90 days. Raw banking data is never retained within the Company's proprietary databases.
Certification Profiles & Blockchain Hashes: The cryptographic hash recorded on the distributed ledger is technically permanent and immutable. However, the off-chain personal data mapping associated with the hash in our internal systems is retained for a maximum of 24 months, or until the data subject requests revocation.
Electronic Signature Records: Retained for a period of 5 years to fulfill statutory obligations regarding the preservation of electronic commercial contracts.
Platform Usage Logs: Retained for 12 months following the last recorded activity on the platform.
Corporate Client Data: Retained for the duration of the commercial contract, plus an additional 5 years to satisfy corporate tax and regulatory compliance obligations.
Article 8. Rights of the Data Subject
As the proprietor of your personal data, you are entitled to exercise the following rights, comprehensively and free of charge:
Access: The right to obtain confirmation as to whether your data is being processed, and to request a portable copy of such data.
Rectification: The right to mandate the correction of inaccurate or incomplete personal information concerning you.
Erasure ("Right to be Forgotten"): The right to request the deletion of your data when it is no longer necessary for the purposes collected, or upon the withdrawal of your consent. Note: This right cannot technically apply to cryptographic hashes already committed to an immutable public blockchain; however, all linking off-chain data will be destroyed.
Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON/CSV), and to transmit it to another data controller without hindrance.
Objection: The right to object to processing activities based on legitimate interest or intended for direct marketing purposes.
Restriction of Processing: The right to demand a temporary halt to data processing operations while disputes concerning data accuracy or processing lawfulness are resolved.
Withdrawal of Consent: The right to revoke your consent at any time, without affecting the lawfulness of processing conducted prior to the withdrawal.
Freedom from Automated Decision-Making: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To exercise any of the aforementioned rights, data subjects must submit a formal request to the designated corporate email address, specifying their full legal name, official identification number, a detailed description of the right invoked, and accompanying proof of identity. The Company commits to providing a resolution within a maximum of 15 business days (Colombia), 20 business days (Mexico), or 30 calendar days (GDPR jurisdictions). Should the response prove unsatisfactory, data subjects retain the absolute right to lodge a formal complaint with the relevant supervisory authority in their jurisdiction of residence.
Article 9. Special Processing of Biometric Data
Biometric identifiers constitute a special category of sensitive personal data. The Company enforces the following specific technical and organizational safeguards:
The facial geometry capture process is executed exclusively through a specialized, third-party sub-processor certified under rigorous SOC 2 Type II and ISO 27001 security standards.
Facial imagery is utilized strictly to perform liveness detection (confirming the physical presence of the user at the point of capture) and to match the individual against the provided official identification document. The Company explicitly prohibits the construction, retention, or monetization of any permanent facial recognition database.
The sub-processor programmatically and irreversibly destroys all processed biometric data within 30 days of the verification event.
Consent for biometric processing is solicited through a distinct, explicit, and unambiguous opt-in mechanism prior to the activation of the camera interface.
Users reserve the right to refuse biometric verification. In such instances, the applicant will be unable to successfully complete the proprietary tenant certification process; however, no other punitive actions or service denials outside this scope will be applied.
Refusal of biometric processing results in a technical inability to provide the certification, as active liveness detection is a structural and non-negotiable security prerequisite of the service offering.
Article 10. Financial Data and Open Banking Architecture
The Company interfaces with financial institutions solely to evaluate the financial solvency and stability of the applicant. This integration adheres to the following strict operational principles:
Read-Only Architecture: The Company operates under a strict read-only paradigm and is technologically incapable of initiating transactions, authorizing transfers, or modifying account parameters within the user's banking portal.
Institution-Specific Consent: The user must explicitly and individually authorize the Open Banking connection for each financial institution during the authentication flow.
Temporal Limitation: Open Banking access tokens are subject to a strict 90-day expiration policy and are never subjected to automated renewal mechanisms.
Data Minimization: The analytical focus is restricted exclusively to the average monthly income, cash flow volatility, and the verification of recurring revenue streams. Full account numbers and login credentials are not stored, processed, or visible to the Company.
Aggregated Output: The final analytical report generated constitutes an aggregated solvency assessment. Raw, line-item banking data is never retained within the Company's proprietary servers.
The Open Banking infrastructure utilizes standardized OAuth 2.0 protocols, ensuring that the user's financial institution is never exposed to the Company's direct platform credentials. Your bank will not register the Company as having direct access to your accounts.
Article 11. Cookies and Tracking Technologies
11.1 Taxonomy of Employed Cookies
Strictly Necessary Cookies: Facilitate core navigational functions, session authentication, and access to secured environments. These do not require user consent.
Analytical Cookies: Utilized exclusively to quantify web traffic and analyze user behavioral patterns. IP addresses are anonymized prior to processing. These require explicit user consent.
Functional Cookies: Retain user preferences, such as linguistic settings and interface configurations. These require explicit user consent.
Marketing Cookies: The Company strictly prohibits the deployment of third-party behavioral advertising or cross-site tracking cookies.
11.2 Cookie Management
Upon initial access to the digital platform, users are presented with a comprehensive consent management banner. Preferences may be modified at any juncture via the "Privacy Settings" interface located in the platform's footer.
Article 12. Security Architecture
The Company has implemented robust technical and organizational measures (TOMs) to protect personal data against unauthorized access, accidental loss, destruction, or illicit alteration:
Encryption in Transit: All client-server data transmissions are secured utilizing the TLS 1.3 cryptographic protocol.
Encryption at Rest: Sensitive data housed within the database infrastructure is encrypted utilizing the AES-256 standard.
Access Controls: Multi-Factor Authentication (MFA) is a mandatory requirement for all internal personnel possessing data access privileges.
Data Segmentation: Biometric and financial data streams are processed within isolated, siloed environments, logically separated from general administrative systems.
Audit Trails: The deployment of immutable logging mechanisms tracks all access requests to sensitive personal data repositories.
Incident Response Protocol: In the event of a personal data breach, the Company is legally obligated to notify the competent supervisory authorities within 72 hours. Affected data subjects will be notified without undue delay.
The Company subjects its infrastructure to continuous security evaluations and periodic independent security audits.
Article 13. Third Parties and Sub-Processors
The Company shares personal data with authorized service providers, who operate strictly as sub-processors under legally binding Data Processing Agreements (DPAs). These include:
Identity & Payment Gateways: Engaged for biometric processing and financial transaction execution.
Open Banking Aggregators: Engaged for secure, read-only financial data extraction across designated operating jurisdictions.
Electronic Signature Providers: Engaged for the legally binding execution of digital contracts.
Public Decentralized Networks: Utilized for the publication of the immutable certification hash (Note: No personal data is transmitted to or stored on the ledger).
Cloud Infrastructure Providers: Engaged for global computational processing and secure data storage.
Web Analytics Providers: Engaged for platform usage analysis utilizing anonymized IP methodologies.
The Company categorically does not sell, rent, or commercialize personal data to third parties for advertising or marketing purposes. Third-party access is strictly bound by the principle of least privilege, limited exclusively to what is objectively necessary for service provision.
Article 14. Automated Decision-Making and Profiling
The proprietary tenant certification process incorporates automated algorithmic evaluations utilizing the applicant's aggregated financial and identity data. These evaluations:
Generate a solvency score which constitutes a determining factor in the final approval of the certification.
Are strictly subject to human intervention and manual review in the event of a negative outcome, or upon the formal contestation of the decision by the user.
Explicitly exclude the use of special category data (biometrics) from the financial scoring matrix; the identity verification and financial profiling processes operate as entirely independent modules.
Users reserve the absolute right to request human intervention, to express their point of view, and to contest any decision rendered solely by automated means. To exercise this right, users may contact the Data Protection Officer.
Article 15. Minors
The platform is engineered and directed exclusively toward individuals who have reached the age of majority (18 years or older). We do not knowingly solicit or collect personal data from minors. Any party aware of a minor utilizing the platform is urged to contact the designated corporate email immediately to facilitate the rapid identification and deletion of the associated data.
Article 16. Amendments to the Privacy Policy
The Company reserves the unilateral right to amend this Privacy Policy to ensure continuous alignment with legislative reforms, technological advancements, or modifications to the corporate business model. In the event of material changes impacting the processing of personal data, users will be notified via email no less than 15 days prior to the enforcement date of the updated policy. Continued utilization of the platform following this notification period shall be construed as acknowledgment and acceptance of the revised terms.
Article 17. Governing Law and Jurisdiction
This Privacy Policy is governed primarily by the laws of the Republic of Colombia, specifically Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013. For users residing within the European Economic Area, the provisions of the GDPR (Regulation EU 2016/679) shall prevail. For residents of Mexico, the LFPDPPP applies; for Peru, Law 29733; and for Chile, Law 19.628.
Any dispute that cannot be amicably resolved through the exercise of the data subject rights outlined in Article 8 shall be submitted to the exclusive jurisdiction of the competent courts of Bogotá, Colombia. This clause is without prejudice to the inalienable right of the user to seek redress before the regulatory data protection authority within their own country of residence.
