Privacy & Security

Privacy Policy

Last updated: February 2026

1. Introduction

At CertiCarga, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what your rights are under Argentina's Personal Data Protection Law No. 25.326.

By using our platform, you agree to the practices described in this policy.

2. Data Controller

The data controller for your personal data is:

CertiCarga Website: https://certicarga.com Contact email: privacidad@certicarga.com Legal email: legal@certicarga.com

3. Personal Data Collected

3.1 Registration and Account Data

  • Email: For authentication, communication and account recovery.
  • Password: Stored in hashed format (bcrypt), never in plain text.
  • Full name: For identification within the platform.
  • Company name: For organizational context.
  • Phone: For contact and notifications.
  • WhatsApp number: For communication via our WhatsApp bot.
  • Physical address: For delivery management and logistics operations.
  • Avatar/profile photo: Optional, for account personalization.

3.2 Shipment and Operations Data

  • Shipment information: Shipment number, merchandise description, weight, number of packages, declared value.
  • Participants: Client, transporter and assigned dispatcher data.
  • Delivery addresses: Destination of each shipment.
  • Status and timestamps: Complete record of each shipment status change with exact date and time.
  • Notes: Comments from transporters, companies and clients about each shipment.
  • Conformity: Record of conformity or non-conformity from transporter and client.
  • Attached documents: PDFs, photos or other files related to shipments.

3.3 Digital Signature Data

  • IP address: IP from which OTP was requested and signature completed.
  • User Agent: Browser and device information used.
  • Timestamps: Exact time of OTP request, verification and final signature.
  • OTP code: Stored in hashed format, valid for 15 minutes.
  • Document checksum: SHA-256 hash of the signed PDF to verify integrity.
  • Signature attempts: Record of successful and failed attempts.

3.4 WhatsApp Data

  • Phone number: User's WhatsApp number.
  • Full messages: All conversation content (inbound and outbound).
  • Conversation state: Current context of the conversation with the bot.
  • Interaction history: Complete record of messages with timestamps.

3.5 Payment Data

  • Payer email: Associated with the MercadoPago subscription.
  • Subscription ID: Unique identifier of the MercadoPago subscription.
  • Subscription status: Active, paused, canceled or trial.
  • Contracted plan: Free, Pro or Enterprise.

Note: We do NOT store credit card data or sensitive financial information. This data is processed directly by MercadoPago.

3.6 Audit Data

  • Action logs: Each action (create, update, delete, login) is recorded with user, resource, timestamp, IP and User Agent.
  • Changes made: Before and after each modification (JSON diff).
  • Signature logs: Specific audit of each step of the digital signature process.

4. Purpose of Processing

We use your personal data for the following purposes:

  • Provide the Service: Manage shipments, contracts, users and organizations.
  • Authentication and security: Verify identity, prevent fraud and unauthorized access.
  • Digital signatures: Validate identity via OTP, record signatures with legal validity under Law 25.506, and maintain audit for proof in case of dispute.
  • Communication: Send notifications by email and WhatsApp about status changes, contract assignment, reminders and alerts.
  • Payment processing: Manage subscriptions, billing and renewals through MercadoPago.
  • AI Assistant: Process user queries through our artificial intelligence agent to improve the experience.
  • Legal compliance: Maintain audit and records required by traceability, data protection and digital signature regulations.
  • Service improvement: Analyze usage metrics (Vercel Analytics) to optimize the platform.
  • Technical support: Resolve incidents and provide assistance to users.

5. Legal Basis for Processing

Pursuant to Law 25.326, we process your personal data under the following legal bases:

  • Consent: By registering and using the platform, you consent to the processing of your data in accordance with this policy.
  • Contractual performance: Processing is necessary to fulfill the service contract.
  • Legal obligation: Retention of digital signature audit (Law 25.506) and logistics traceability records.
  • Legitimate interest: System security, fraud prevention and service improvement.

6. Sharing Data with Third Parties

We share your personal data only with the following third parties, strictly necessary to provide the service:

6.1 Service Providers

  • MercadoPago: Payment processing and subscription management. We share payer email and transaction data.
  • OpenAI (GPT-3.5-turbo): Processing AI assistant messages. We only send conversational content, without personally identifiable data such as emails or phone numbers.
  • Storage providers (S3/MinIO): Attachments (PDFs, photos) are stored in cloud infrastructure with access restricted by organization.
  • Vercel Analytics: Anonymous usage metrics (load times, pages visited). No personally identifiable data is shared.
  • Email services (SMTP/Brevo): Sending notifications, OTP codes and signature confirmations.

6.2 WhatsApp

WhatsApp messages are processed through the Baileys library (local client) and are not shared with Meta/WhatsApp beyond the standard operation of the WhatsApp platform.

6.3 Authorities

We may disclose information if required by law, court order or to protect the legal rights of CertiCarga or third parties.

We do not sell, rent or share your personal data with third parties for marketing purposes.

7. Data Security

We implement technical and organizational security measures to protect your data:

  • Encryption: All communications use HTTPS/TLS. Passwords stored with bcrypt and OTP codes hashed.
  • Multi-tenant isolation: Each organization's data is completely isolated through access policies by `organizationId`.
  • Access control: Role and permission system to limit access according to user function.
  • Signature validation: MercadoPago webhooks validated with cryptographic signature.
  • Audit: Complete record of accesses and modifications with IP and User Agent.
  • Presigned URLs: Private files accessible only through temporary URLs (1-hour validity).
  • Rate limiting: Protection against brute force attacks (max 3 registration attempts per IP/minute).

However, no system is 100% secure. We recommend using strong passwords and not sharing your credentials.

8. Data Retention

We retain your personal data for the following periods:

  • Active account: While your account is active or necessary to provide the service.
  • Shipments and contracts: Indefinitely, due to traceability and legal audit obligations.
  • Digital signature audit: Indefinitely, under Digital Signature Law 25.506.
  • WhatsApp messages: Indefinitely for conversational history and support.
  • OTP codes: 15 minutes (expiration time).
  • User sessions: Until configured expiration or logout.
  • Audit logs: Indefinitely for legal compliance and security.
  • Deleted account data: 30-day grace period, then permanent deletion (except audit data).

After your account is deleted, we will only retain data required by legal obligations (audit, signature records).

9. User Rights

Pursuant to Law 25.326 (Arts. 14, 15 and 16), you have the following rights:

  • Right of Access: Request a copy of all your stored personal data.
  • Right of Rectification: Correct inaccurate or outdated data from your user panel or by requesting assistance.
  • Right of Erasure: Request the deletion of your account and data (subject to legal retention obligations).
  • Right to Object: Object to the processing of your data for certain purposes (e.g. marketing).
  • Right to Data Portability: Request your data in a structured, commonly used format (JSON/CSV).
  • Right to Withdraw Consent: You can withdraw your consent at any time by deleting your account.

To exercise these rights, send an email to: privacidad@certicarga.com stating your request. We will respond within a maximum of 10 business days.

If you believe your rights have not been respected, you can file a complaint with the Agencia de Acceso a la Información Pública (AAIP): https://www.argentina.gob.ar/aaip

10. Cookies and Analytics

Session Cookies

We use strictly necessary cookies to maintain your authenticated user session. These cookies are deleted when you log out.

Vercel Analytics

We collect usage metrics through Vercel Analytics:

  • Pages visited
  • Load times
  • Errors and crashes
  • Anonymous User Agent

These metrics are anonymous and do not allow personal identification. We do not use third-party cookies for marketing or advertising.

11. International Data Transfers

Some of our service providers are located outside Argentina:

  • OpenAI (United States): Processing AI assistant messages.
  • Vercel (United States): Platform hosting and analytics.
  • MercadoPago (Argentina/Brazil): Payment processing.

These transfers are made only with providers that meet adequate security standards and under data processing contracts that protect your information.

12. Minors

CertiCarga is intended exclusively for persons over 18 years of age with legal capacity to contract. We do not intentionally collect data from minors.

If we detect that a minor has provided personal data, we will immediately proceed to delete their account and associated data.

13. Changes to this Policy

We may update this Privacy Policy periodically to reflect changes in our practices or due to legal requirements.

Significant changes will be notified via:

  • Email to your registered address
  • Prominent notice on the platform

The 'Last updated' date at the top of this document indicates when the latest changes were made. We recommend reviewing this policy periodically.

14. Contact

For inquiries, exercise of rights or complaints related to this Privacy Policy, you can contact us at:

Privacy email: privacidad@certicarga.com Legal email: legal@certicarga.com Website: https://certicarga.com

Agencia de Acceso a la Información Pública (AAIP)
For complaints: https://www.argentina.gob.ar/aaip

Questions about your data?

We are here to help you understand how we protect your privacy.