Legal

Privacy Policy

Effective date: March 29, 2026 · Version 1.0

This Privacy Policy explains how Bacata Digital Media S.A.S. ("Bacata", "we", "us", or "our"), the company behind ORQO, collects, uses, discloses, and safeguards your personal information when you use our website at orqo.io, our dashboard at dashboard.orqo.io, or our AI-powered chat assistant.

Contents

Collection of Personal Data
How We Use Personal Data
How We Disclose Personal Data
Your Rights and Choices
International Data Transfers
Retention, Security & Lifecycle
Cookies and Tracking
Children's Privacy
AI Features and Conversations
Changes to This Policy
Contact Us

1. Collection of Personal Data

We collect personal data in the following ways:

Information you provide directly

Account data: When you create an account on dashboard.orqo.io, we collect your email address to send you a magic link for authentication. We do not store passwords.
Chat messages: When you interact with ORQO's AI assistant (via the web widget or WhatsApp), the content of those messages is processed to generate responses.
Contact information: If you contact us via email (hola@orqo.io) or WhatsApp, we receive your name, phone number, and message content.
Business information: If you connect your WordPress site or WhatsApp Business account, we receive configuration data and credentials necessary to establish and maintain that integration.

Information collected automatically

Technical data: IP address, browser type and version, operating system, referral URLs, and pages visited on orqo.io.
Usage data: Interaction counts, session timestamps, and feature usage patterns within the dashboard.
Device data: Device type and screen resolution, collected anonymously to optimize the interface.
Local storage: The ORQO widget stores your conversation history and theme preference locally in your browser (localStorage). This data never leaves your device unless you explicitly send a message.

Information from third parties

WordPress and WooCommerce: If you connect your WordPress site, ORQO receives product, order, and customer data from your site's REST API solely to fulfill your configuration and respond to end-user queries.
WhatsApp Business: Message metadata (timestamps, delivery status) and message content from conversations routed through ORQO agents.

2. How We Use Personal Data

We use the personal data we collect to:

Provide and operate our services: Authenticate users, deliver AI agent responses, process WordPress and WhatsApp integrations, and maintain the dashboard.
Improve our AI models: We may use anonymized, aggregated conversation data to improve ORQO's response quality. We will always provide an opt-out mechanism. We do not use identifiable personal data to train our models without your explicit consent.
Communicate with you: Send authentication links, service notifications, product updates, and respond to your support inquiries.
Ensure security and prevent abuse: Detect fraudulent activity, enforce our Terms of Service, and protect users.
Comply with legal obligations: Meet our duties under applicable law, including Colombian data protection law (Ley 1581 de 2012) and, where applicable, the GDPR.

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

3. How We Disclose Personal Data

We may share your information in the following limited circumstances:

Service providers

We work with trusted third-party vendors who process data on our behalf, under strict data processing agreements:

Provider	Purpose	Data Shared
MongoDB Atlas	Database hosting	User accounts, conversation metadata
Resend	Transactional email	Email address (for magic links)
Meta (WhatsApp Business API)	Message delivery	Phone numbers, message content
Vercel	Hosting & CDN	Server access logs

Legal requirements

We may disclose personal data if required by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website if such a transfer occurs.

4. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right to access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data, subject to certain legal exceptions.
Right to restriction: Request that we limit the processing of your data.
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at hola@orqo.io with the subject line "Privacy Request". We will respond within 15 business days. We may ask you to verify your identity before processing your request.

Colombian users: you also have the right to file a complaint with the Superintendencia de Industria y Comercio (SIC) at www.sic.gov.co.

5. International Data Transfers

Bacata Digital Media S.A.S. is based in Colombia. Some of our service providers are located in the United States and the European Union. When we transfer personal data internationally, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
Adequacy decisions, where available.
Service provider agreements that impose equivalent protections to those required under Colombian law.

By using our services, you acknowledge that your data may be transferred to and processed in countries other than Colombia.

6. Retention, Security & Lifecycle

Retention periods

Data Type	Retention Period
Account session tokens	7 days (then automatically expired)
Conversation logs (server-side)	90 days, then anonymized
Usage analytics	24 months
Email communication logs	2 years
Widget chat history (local)	Stored on your device; cleared when you clear browser data

Security measures

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit (HTTPS/TLS 1.3) and at rest for all stored data.
Signed, short-lived JWT tokens for authentication (no persistent passwords stored).
Access controls limiting data access to authorized personnel only.
Regular security reviews of our infrastructure and dependencies.

No method of transmission over the Internet is 100% secure. We will notify affected users of any data breach in accordance with applicable law.

7. Cookies and Tracking

Our website uses a minimal set of cookies and browser storage:

Name	Type	Purpose	Duration
orqo_session	HTTP Cookie	Authentication session token	7 days
orqo_theme	localStorage	User's dark/light mode preference	Indefinite (local only)
orqo_wgt	localStorage	Widget conversation history and disclaimer status	Indefinite (local only)

We do not use third-party advertising cookies, tracking pixels, or cross-site tracking technologies. You can clear your browser's localStorage and cookies at any time through your browser settings.

8. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at hola@orqo.io and we will delete that information as quickly as possible.

9. AI Features and Conversations

ORQO is an AI-powered assistant. When you interact with our chat widget or any ORQO-powered agent:

Message processing: Your messages are processed by our AI models to generate responses. In the current demo version, responses are pre-programmed. In production, messages may be sent to AI model providers under data processing agreements.
No sensitive data: Do not share sensitive personal information (national ID numbers, financial data, medical records, passwords) with AI assistants. Our system is not designed to handle such data.
Automated decision-making: ORQO agents may take automated actions on connected systems (e.g., querying WooCommerce orders). These actions are logged and can be reviewed in your dashboard.
Human review: ORQO is not a substitute for professional advice. We recommend human review for any significant business decisions informed by AI responses.
Demo limitations: The free demo widget on orqo.io provides up to 20 interactions. Demo conversations are stored only in your browser's localStorage and are not transmitted to our servers.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Effective date" at the top of this page.
Send an email notification to registered dashboard users.
Display a prominent notice on orqo.io for at least 14 days.

Your continued use of our services after the effective date of any update constitutes acceptance of the revised policy.

11. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Channel	Details
Email	hola@orqo.io
WhatsApp	+57 301 321 1669
Company	Bacata Digital Media S.A.S. — Colombia
Website	orqo.io

We are committed to resolving privacy-related complaints. If you are not satisfied with our response, you may contact the relevant data protection authority in your jurisdiction.