Privacy Policy

Last updated: April 27, 2026

This Privacy Policy describes how OCASUS AI, a registered trade name in the Republic of Panama, operated by Jean Carlos Santos Chicas (natural person registered with the Panamanian Taxpayer Registry), with registered address at Panama City, Panama, collects, uses, stores, and protects personal data and customer data in the context of its public website and its SaaS Platform.

This policy is divided into two parts:

  • Part I — Website and contact form: applies to visitors of ocasusai.com.
  • Part II — SaaS Platform and application: applies to customers contracting the Service and the integrations they authorize.

1. Data controller

OCASUS AI, located in Panama City, Panama. Contact email: legal@ocasusai.com.


Part I — Website

2. Data we collect on the website

We collect the following personal data when you interact with the site:

  • Name and email address (contact form)
  • Company name and business type
  • Messages sent through our channels
  • Technical data: IP address, browser type, pages visited

3. Purpose of processing

  • Respond to inquiries and contact requests
  • Provide and improve our AI automation services
  • Send service-related communications
  • Comply with legal obligations

4. Legal basis

Processing is carried out on the basis of the data subject's consent, the execution of a contract, and compliance with legal obligations, in accordance with Law 81 of March 26, 2019 on Personal Data Protection of the Republic of Panama.

5. ARCO rights

As a data subject, you have the right to:

  • Access: know what data we hold about you
  • Rectification: correct inaccurate data
  • Cancellation: request deletion of your data
  • Opposition: object to the processing of your data

To exercise these rights, email legal@ocasusai.com. We will respond within a maximum of 10 business days.

6. Data protection authority

The National Authority for Transparency and Access to Information (ANTAI) is the competent body for personal data protection in Panama.

7. Website data retention

We retain your personal data only for as long as necessary to fulfill the described purposes, or as required by law. Contact data is deleted after 24 months of inactivity.

8. Third-party services used on the website

  • Cloudflare: CDN, DNS, and DDoS protection
  • Resend: transactional email delivery
  • Cloudflare Turnstile: anti-bot protection

Part II — SaaS Platform and application

9. Scope of this section

This section applies when a customer contracts the OCASUS AI Platform and authorizes connections with external services such as QuickBooks Online, WhatsApp Business, electronic invoicing systems, and ERPs.

10. Processing roles

In the context of the Platform:

  • Customer: acts as data controller with respect to the data of its own end customers, employees, or contacts processed on the Platform.
  • OCASUS AI: acts as data processor and processes data exclusively under the Customer's instructions.

This role distribution is formalized in the Terms of Service and, where applicable, in a Data Processing Agreement (DPA) signed between the parties.

11. Data processed on the Platform

Depending on the contracted functionality, the Platform may process:

  • Customer organization identification data: legal name, RUC, address, contacts.
  • Authorized User data: name, email, role, access logs.
  • End-customer data of the Customer: name, email, phone, address, conversation history, transactions.
  • Accounting and fiscal data: invoices (Bills/Invoices), chart of accounts, vendors, customers, items, DGI fiscal events, CUFE, amounts, dates.
  • Technical data: usage logs, metrics, transaction IDs, tenant identifiers.

12. Connections with external services

12.1 General principle

When the Customer authorizes an OAuth connection to an external service, the Platform accesses only the data necessary for the contracted functionality and within the scope authorized by the Customer.

12.2 Integration with Intuit QuickBooks Online

Data accessed: Chart of Accounts, Vendors, Customers, Items, Bills/Invoices, CompanyInfo.

Not accessed: payroll data, personal tax reports, banking data, information outside the scope of the contracted service.

Credential storage: OAuth tokens (access token and refresh token) are stored encrypted with AES-256-GCM at rest, in a tenant-isolated PostgreSQL database. The encryption key is managed as a Docker secret outside the repository.

Revocation: the Customer may revoke authorization at any time from the Platform settings or directly from appcenter.intuit.com. After revocation, tokens are permanently deleted.

Intuit compliance: OCASUS AI complies with the Intuit Developer Terms of Service and the API End User Agreement. OCASUS AI is not owned by, affiliated with, or sponsored by Intuit Inc.

12.3 Integration with WhatsApp Business (Meta)

Data processed: messages exchanged between the end customer and the AI agent, phone number, contact name, attached multimedia files. Messages are encrypted in transit (TLS 1.3) and stored encrypted at rest (AES-256). Additional compliance with the WhatsApp Business Platform is governed by Meta's terms.

12.4 Other integrations

Any additional integration (ERPs, Google Sheets, Alegra, Factura Fácil, etc.) is governed by the same principles: minimum necessary scope, encrypted credential storage, right of revocation.

13. Tenant isolation

The Platform implements strict isolation by client_id in:

  • Database (Row-Level Security active in PostgreSQL)
  • Cache and queues (Redis with per-tenant prefix)
  • Logs and metrics (tenant_id label in Loki, Prometheus, Tempo)
  • Document storage

Isolation is enforced at each of these layers so that no Customer can access another Customer's data, whether intentionally or by mistake.

14. No model training

OCASUS AI does not use Customer Data to train its own or third-party artificial intelligence models. Calls to model providers (Google Vertex AI, OpenAI, Anthropic) are made in inference mode under commercial agreements that prohibit retention of data for training.

15. Security

OCASUS AI implements technical and organizational measures aligned with international standards:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • SSH authentication via cryptographic keys exclusively
  • Firewall (UFW) and fail2ban active
  • Container isolation with least-privilege principle
  • Daily encrypted backups with periodic restore testing
  • Token and credential rotation every 90 days
  • Immutable audit logs

For more detail, see the Security page.

16. Data location

Production infrastructure is hosted on Hostinger KVM in the United States (Ubuntu 24.04). Encrypted backups are stored on Backblaze B2. Calls to AI providers may be routed to data centers in different regions depending on the provider; OCASUS AI selects configurations that minimize international transfer when feasible.

17. International transfers

Some services used (Google Cloud, Cloudflare, Backblaze, Resend, Intuit) involve data transfer to the United States or other jurisdictions. These transfers are made under standard contractual clauses (SCC) or equivalent mechanisms provided by the providers. The Customer acknowledges and consents to this transfer when using the Platform.

18. Data retention on the Platform

Customer Data is retained for the duration of the contract and for an additional period of ninety (90) days after termination, except by express request from the Customer for immediate deletion or legal retention requirement. After that period, data is deleted from active systems. Backups are purged according to the backup rotation policy (maximum rotation: 180 days).

19. Security breaches

In the event of a breach affecting personal data, OCASUS AI will notify the Customer and ANTAI within the timeframes established by Panama's Law 81, and will implement mitigation measures. Vulnerability reports may be sent to security@ocasusai.com.

20. Data subject rights

Data subjects whose personal data is processed on the Platform may exercise their ARCO rights by contacting first the Customer (data controller) and, subsidiarily, OCASUS AI at legal@ocasusai.com.

21. Changes to this policy

We reserve the right to modify this policy. Any changes will be published on this page with the updated date. Material changes will be notified to the Customer with at least thirty (30) days' notice.

22. Contact