Privacy Policy

How we collect, use and protect your personal data. Applicable under Colombia Law 1581/2012 and the GDPR.

Version 1.0 · Updated May 8, 2026 · Conma Systems · conma.lat

1. Data Controller

Conma Systems (hereinafter "Conma", "we" or "the company") is the controller of the personal data collected through the conma.lat platform and its associated services.

Field | Information
Company | Conma Systems
Contact email | info@metra.com.co
Country of domicile | Colombia
Website | https://conma.lat

For the purposes of the GDPR, Conma acts as the controller with respect to the data of its clients and portal users. With respect to the personal data of the end users of our clients' websites, Conma acts as the processor, as described in our Data Processing Agreement (DPA).

2. Personal Data We Collect

2.1 Registration and account data

  • Full name
  • Email address
  • Organization or company name
  • Password (stored as a bcrypt hash, never in plain text)

2.2 Service usage data

  • Domain(s) registered on the platform
  • Consent banner configuration
  • Portal activity logs (actions, dates, hashed IPs)
  • API keys (stored only as a BLAKE2b hash)

2.3 Billing data

Payment information processed by PayU (LATAM) or Stripe (international markets). Conma does not store card numbers or banking data directly — these are processed by PCI DSS-certified payment gateways.

2.4 Consent records (as processor)

When we operate on behalf of our clients, we store:

  • Anonymous end-user identifier (no name or email)
  • Salted, hashed IP address (GDPR Art. 25 — privacy by design)
  • Date, time and consent decision
  • Version of the applied policy
  • Integrity certificate (SHA-256 hash)

3. Processing Purposes and Legal Basis

Purpose | Legal basis (GDPR) | Legal basis (Law 1581)
Provision of the contracted service | Art. 6.1.b — performance of a contract | Art. 10.a — data subject authorization
Billing and payment management | Art. 6.1.b — performance of a contract | Art. 10.a
Transactional communications | Art. 6.1.b — performance of a contract | Art. 10.a
Service improvement and usage analytics | Art. 6.1.f — legitimate interest | Art. 10.b — legitimate interest
Marketing communications | Art. 6.1.a — explicit consent | Art. 10.a — authorization
Compliance with legal obligations | Art. 6.1.c — legal obligation | Art. 10.c
End-user consent records | Art. 6.1.b — performance of a contract | Art. 10.a

4. Data Retention

Category | Retention period
Active account data | For the term of the contract + 2 years
End-user consent records | 5 years from the date of consent
Billing data | 10 years (tax obligation — Art. 632 of the Tax Code)
Security and audit logs | 1 year
Marketing data (with consent) | Until consent is withdrawn

After the retention period, data is securely deleted or irreversibly anonymized.

5. Data Subject Rights

Under Colombia Law 1581/2012, you have the rights of Access, Rectification, Erasure and Complaint (ARCO) before Conma and before the Superintendency of Industry and Commerce (SIC).

Under the GDPR (where applicable), you also have the right to data portability (Art. 20), to object to processing (Art. 21), not to be subject to automated decisions (Art. 22) and to restrict processing (Art. 18).

To exercise any of these rights, send a request to info@metra.com.co with the subject "Data Subject Rights". We will respond within a maximum of 15 business days (Law 1581) or 30 calendar days (GDPR Art. 12.3).

6. International Data Transfers

Provider | Function | Country/Region | Safeguard
Supabase | Primary database | Brazil (São Paulo) | GDPR SCCs 2021
Railway | Application infrastructure | USA / Global | GDPR SCCs 2021
Upstash | Redis cache | AWS us-east-1 | GDPR SCCs 2021
PayU Latam | Payment processing | Colombia / LATAM | Operator in Colombia
Stripe | Int'l payment processing | USA / Global | SCCs + Privacy Shield successor

All international transfers are carried out with appropriate safeguards in accordance with GDPR Art. 46 and Colombia Law 1581/2012.

7. Cookies and Tracking Technologies

Strictly necessary cookies (no consent required)

  • _cmp_session — session authentication and security (duration: session)
  • _cmp_csrf — protection against CSRF attacks (duration: session)

Functional cookies (consent required)

  • _cmp_consent — stores your consent decision (duration: 1 year)
  • _cmp_locale — language preference (duration: 1 year)

You can manage your preferences at any time through the portal's privacy panel.

8. Data Security

We apply appropriate technical and organizational measures in accordance with GDPR Art. 32:

  • Encryption in transit with TLS 1.3
  • Passwords hashed with bcrypt (cost 12)
  • JWTs signed with RS256
  • Per-tenant isolation via Row-Level Security (RLS) in the database
  • Salted, hashed IPs before permanent storage
  • Auditing of administrative access
  • No storage of card data (delegated to PCI DSS gateways)

9. Changes to this Policy

Conma reserves the right to update this Privacy Policy. We will notify you of material changes by email and through a notice in the portal at least 30 days in advance. Continued use of the service after notification constitutes acceptance of the changes.

10. Contact and Supervisory Authority

Entity | Contact
Conma Systems | info@metra.com.co
SIC Colombia | www.sic.gov.co
EU authority (where applicable) | The authority of the Member State where you reside