Privacy Policy
Protected data
Technical and organizational security against unauthorized access.
Transparent use
Data is used solely for service operation and support, with anonymous reports.
User control
Confidentiality and your guaranteed rights regarding your data.
Last Updated: May 21, 2026
Your trust is most important to us. ZapSign is committed to protecting the privacy and security of the personal data of its users, signers, and other third parties using its platform. We have a dedicated privacy team responsible for protecting all the personal data we process and ensuring it is handled in accordance with applicable law in every country in which we provide services.
Please carefully read this Personal Data Processing and Privacy Policy (hereinafter, the "Privacy Policy"). To use our website and the services we provide, you must read and accept this Privacy Policy as well as our Terms and Conditions available at www.zapsign.co.
1. Introduction and Objectives
1.1 ZapSign is a business line operated by TRUORA S.A.S, a company duly incorporated and existing under the laws of the Republic of Colombia, identified by Tax ID (NIT) 901.761.442-5, with its main domicile at Carrera 12 #90-20, oficina 504, Bogotá D.C., Colombia (hereinafter, "ZapSign"). For purposes of personal data processing, ZapSign shall act as Data Controller and/or Data Processor, as applicable, in accordance with Statutory Law 1581 of 2012, Decree 1074 of 2015 (the Single Regulatory Decree of the Trade, Industry and Tourism Sector, which compiled Decree 1377 of 2013), and other rules amending, supplementing, or replacing them.
1.2 This Privacy Policy is the document that regulates the handling of all Databases and/or files of ZapSign that contain Personal Data of clients, contractors, suppliers, signers, and, in general, third parties subject to processing by ZapSign, in compliance with article 15 of the Political Constitution of Colombia (Habeas Data right), Statutory Law 1581 of 2012, Decree 1074 of 2015, Law 1266 of 2008 (Financial Habeas Data, where applicable), the circulars and instructions issued by the Superintendence of Industry and Commerce (SIC) as the Colombian National Data Protection Authority, and other applicable laws and regulations governing privacy and personal data protection in Colombia.
1.3 This Policy also aims to establish information management and protection policies and procedures for ZapSign, aligned with the Information Security Policy implemented by the company, in order to preserve security in the exchange, transfer, and destruction of information.
1.4 To the extent ZapSign processes Personal Data of data subjects in the European Union or the European Economic Area, this Privacy Policy shall be read together with Section 23 (EU/EEA Data Subjects — GDPR-Specific Provisions), which sets out the additional information and safeguards required by Regulation (EU) 2016/679 (the “GDPR”). In case of conflict between this Privacy Policy and Section 23 in respect of EU/EEA data subjects, Section 23 shall prevail.
2. Definitions
2.1 For the purposes of this Policy, the following capitalized terms shall have the meanings set forth below, in accordance with article 3 of Law 1581 of 2012 and Decree 1074 of 2015:
- Authorization: the prior, express, and informed consent of the Data Subject for the Processing of Personal Data.
- Privacy Notice: verbal or written communication generated by the Controller, addressed to the Data Subject regarding the Processing of their Personal Data, informing them about the existence of the applicable Data Processing policies, how to access them, and the purposes for which the Personal Data will be used.
- Database: organized set of Personal Data subject to Processing.
- Personal Data: any information related to or that can be associated with one or more identified or identifiable natural persons.
- Sensitive Personal Data: data that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social or human rights organizations, as well as data related to health, sex life, and biometric data.
- Biometric Data: fingerprints, facial recognition, iris recognition, handwritten signature recognition, voice recognition, among others.
- Public Data: data classified as such by law or the Constitution and any data that is not semi-private, private, or sensitive. Public data include, among others, data related to civil status, profession or occupation, status as a merchant or public servant, and any data that may be obtained without restriction.
- Private Data: data that, due to its intimate or reserved nature, is only relevant to its Data Subject.
- Data Processor: a natural or legal person, public or private, that, alone or in conjunction with others, processes Personal Data on behalf of the Data Controller.
- Habeas Data: fundamental right of every person to know, update, and rectify the data collected about them in databases or files, in accordance with article 15 of the Political Constitution and article 8 of Law 1581 of 2012.
- Data Controller: a natural or legal person, public or private, that, alone or in conjunction with others, decides on the Database and/or the Processing of Personal Data.
- SIC: Superintendence of Industry and Commerce, the Colombian national authority responsible for overseeing compliance with personal data protection regulations in Colombia.
- Data Subject: natural person whose Personal Data is subject to Processing.
- Data Transfer: the sending of Personal Data carried out by the Controller or Processor located in Colombia to a recipient (Controller or Processor) located inside or outside the country.
- Data Transmission: Processing of Personal Data that involves their communication within or outside the territory of the Republic of Colombia, when its purpose is the carrying out of a Processing by the Processor on behalf of the Controller.
- Processing: any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, or deletion.
- Truora Group / Affiliates: corresponds to the parent company, controlling entities, controlled entities, branches, affiliates, partners, and subsidiaries forming the economic group to which ZapSign belongs, including, without limitation: Truora S.A.S. (Colombia), Truora Fraud Prevention S.A. de C.V. (Mexico), Truora Chile SpA (Chile), and ZAPSIGN PROCESSAMENTO DE DADOS LTDA (Brazil).
3. Processing and Scope of Personal Data
3.1 ZapSign, in the development of its corporate purpose and economic activity, acts as Controller and/or Processor of Personal Data provided by Data Subjects, Users (as defined in the Terms and Conditions of use of the Platform), employees, contractors, and/or suppliers, which shall be stored in its databases and in those of third parties that, by virtue of this Policy, may have access to such data.
3.2 Consequently, ZapSign collects, stores, uses, transmits, transfers, deletes, and, in general, Processes the Personal Data provided by natural persons with whom it has, or has had, any type of relationship, of whatever nature (civil, commercial, and/or labor), including, without limitation, its clients, users of the cloud software, signers, partners, suppliers, contractors, employees, creditors, debtors, and shareholders.
3.3 This document covers the processing of information managed by ZapSign. It covers all deliveries, transfers, or transmissions of information and/or data of medium or high confidentiality, both within the organization and with the environment of clients, suppliers, external databases, social networks, and the general public.
3.4 Information exchanges may take place through various forms of communication, whether verbal (in-person or by phone), visual (videos), or written (paper or digital media). It involves the obtaining, transfer, processing, storage, and deletion of information provided by clients and other Data Subjects.
4. Guiding Principles
4.1 We are committed to ensuring that any Processing of Personal Data we carry out always respects the rights enshrined in the Political Constitution of Colombia and the laws. In compliance with article 4 of Law 1581 of 2012, the following principles guide our conduct:
- Legality Principle: the Processing of Personal Data is a regulated activity that is subject to the provisions of Law 1581 of 2012 and any other regulations developing it.
- Purpose Principle: the Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
- Freedom Principle: Processing may only be exercised with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that exempts the consent.
- Truthfulness or Quality Principle: the information subject to Processing must be true, complete, accurate, updated, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.
- Transparency Principle: the Processing must guarantee the right of the Data Subject to obtain, from the Controller or Processor, at any time and without restrictions, information regarding the existence of data concerning them.
- Restricted Access and Circulation Principle: Processing is subject to the limits derived from the nature of the Personal Data, the provisions of the Law, and the Constitution. Personal Data, except for public information, may not be available on the internet or other mass dissemination media, unless access is technically controllable.
- Security Principle: the information subject to Processing shall be handled with the necessary technical, human, and administrative measures to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.
- Confidentiality Principle: all persons involved in the Processing of Personal Data that are not of a public nature are required to guarantee the reservation of the information, even after their relationship with any of the activities involving such Processing has ended.
5. Use of the Privacy Policy and Information Protection
5.1 All Processing of Personal Data shall be subject to this Privacy Policy. Therefore, if a Data Subject does not agree with this Policy, they may not provide any information that is to be recorded in any of ZapSign’s Databases.
5.2 ZapSign is committed to the security of the Data provided to it and, consequently, undertakes to give such Data the appropriate use, as well as to maintain the necessary confidentiality, in accordance with what is established in this Policy and in Law 1581 of 2012, Decree 1074 of 2015, the SIC circulars, and other concurrent regulations. At the moment Data Subjects deliver their Personal Data to be collected in ZapSign’s Databases, it is understood that such Data Subjects accept and acknowledge that the Processing of such Personal Data shall be subject to this Policy.
5.3 Personal Data may be transferred to its shareholders, Affiliates and/or Related entities, as well as to third parties and judicial or administrative authorities, whether natural or legal persons, Colombian or foreign, in those cases in which the transfer or transmission of the data is necessary to carry out the uses and activities authorized by Data Subjects in accordance with the corporate purpose of ZapSign. In all cases, the exchange of such information shall be subject to the requirements established in sections 13 and 14 of this Policy. Likewise, the information shall be kept under strict confidentiality and shall be subject to rigorous Processing, respecting the rights and guarantees of its Data Subjects.
5.4 ZapSign may use service providers and data processors working on its behalf. Such services may include system hosting and maintenance, encryption, analytics services, email messaging services, identity validation services, call center services, delivery services, payment transaction management, and credit and address checks, among others. Consequently, Data Subjects understand that, by providing information to ZapSign, they are automatically granting these third parties, as Processors, authorization to access their Personal Data.
5.5 Therefore, ZapSign undertakes to take all necessary actions to ensure that both service providers and Processors working on behalf of the company, and other third parties authorized in accordance with this Policy, protect, in all events, the confidentiality of the Personal Information under their charge.
5.6 Limited license for end clients’ personal data. You grant ZapSign and ZapSign’s providers a non-exclusive, limited-duration authorization to access, copy, execute, distribute, display, download, and use the Personal Data. The Processing of the Personal Data shall correspond to: (i) exercising the rights and obligations under the Terms and Conditions; (ii) providing, maintaining, and updating the ZapSign Services and those of its providers; (iii) preventing or solving technical or service issues; and (iv) producing statistical reports and research in an anonymous and aggregated manner that cannot identify the Data Subject.
5.7 ZapSign may collect information that is in the public domain to supplement the Databases. Such information shall be given the same treatment as set forth in this Privacy Policy.
6. Data Subject Authorization and Effects of Consent
6.1 In accordance with articles 9 and 10 of Law 1581 of 2012, the Processing of Personal Data by ZapSign requires the prior, express, and informed authorization of the Data Subject, except in the following events in which the authorization shall not be required:
- information required by a public or administrative entity in the exercise of its legal functions or by judicial order;
- data of a public nature;
- cases of medical or sanitary urgency;
- processing of information authorized by law for historical, statistical, or scientific purposes;
- data related to the Civil Registry of Persons.
6.2 The Authorization granted by Data Subjects is understood to be an express and informed authorization granted by them in favor of ZapSign, its Affiliates and/or Related entities, and third parties determined by ZapSign by virtue of the development of its corporate purpose, to Process their Personal Data, regardless of the means (written, oral, or by unequivocal conduct) by which they were delivered. Likewise, it implies the full understanding and acceptance of the entire content of this Privacy Policy.
6.3 The Data Subject may revoke the authorization at any time, by request to the Controller, and/or request the deletion of the data when the use does not comply with the authorized uses and purposes, except when there is a legal or contractual duty to remain in the database.
6.4 In the event of a sale, merger, consolidation, change in corporate control, transfer of assets, reorganization, or liquidation of ZapSign and/or its Affiliates and/or Related entities, ZapSign may transfer the Personal Data of the Data Subjects to the parties involved, always observing the legal bases and purposes originally informed.
7. Personal Data Subject to Processing
7.1 ZapSign collects or receives the following Data:
Personal Data belonging to the following general categories:
- Name and surname;
- Email address;
- Telephone number;
- Citizenship Card (Cédula de Ciudadanía), Foreigner Card (Cédula de Extranjería), Passport, or other official identification document;
- NIT or RUT, when applicable;
- Date and place of birth;
- Nationality and migration data;
- Gender;
- Marital status;
- Occupation;
- Domicile;
- Contact data.
Sensitive Personal Data (processed in accordance with article 6 of Law 1581 of 2012, in particular through the express and specific authorization of the Data Subject, or when indispensable for the provision of the electronic signature service and for fraud prevention):
- Biometric data;
- Fingerprints;
- Facial and iris recognition;
- Voice pattern;
- Financial and/or asset data (Law 1266 of 2008).
Geolocation and Device Data: IP address, device identifier, operating system, browser, and access and application logs.
Data of Minors: ZapSign websites and applications are not intended for minors. ZapSign does not deliberately collect any personal information directly from minors under 18 years of age. If you believe that we are processing personal information related to a minor inappropriately, we urge you to contact ZapSign using the information provided in the "Data Protection Officer" section of this Policy. Any potential Processing of data of children and adolescents shall be carried out in strict compliance with the case law of the Constitutional Court (Judgment C-748/2011) and the principles of the best interests of the child, as well as the Children and Adolescents Code (Law 1098 of 2006).
Data from Public Sources: ZapSign obtains data through remote or local means of electronic, optical, and other technological communication from public access sources, that is, sources to which any person may have access, all in compliance with applicable regulations.
8. Primary Purposes for the Use of Information
8.1 The personal data provided to ZapSign shall be processed in accordance with the purposes set forth in this section. The primary purposes of Processing are:
- Proper execution of the contract entered into between the Data Subject and ZapSign.
- Account creation for access to the ZapSign Platform.
- Identity verification using any current official document that serves to prove identity.
- Verification of biometric data, when activated by the User’s account, for verification of the signer’s identity.
- Review of available information about the signer in public or private databases, when activated by the User’s account.
- Facilitation of contact between ZapSign and the Data Subject.
- Sending information or text messages to the cell phone number or email address provided, regarding new services, changes in the service and rates, payment reminders, promotions, events, and information of interest to Data Subjects in general.
- Invoicing and other tax effects, in which case the data will be shared with the DIAN and other State entities in charge of carrying out such tasks.
- Completing profile information on the ZapSign Platform.
- Processing of payment for services purchased.
- Identity validation.
- Transmission of Personal Data to ZapSign’s providers so that they, in turn, can develop the services necessary for the proper functioning of the Platform, in their capacity as Processors.
- Obtaining information from other sources and combining it with that collected by ZapSign through the Platform.
- Review of background history, restrictions, and/or inclusion in public listings relevant to the contracting, when applicable and legally permitted.
- Detection of fraud and information security matters.
- Receipt of background-check results or fraud warnings from identity verification services for fraud prevention and risk assessment purposes.
- Generation and storage of electronic signature evidence (logs, hash, approximate geolocation, IP, time-stamp, biometrics, among others) for purposes of the legal validity of the document.
- Compliance with legal and regulatory obligations and attendance to requirements of competent authorities.
9. Secondary Purposes and Uses of Information
9.1 The personal data provided to ZapSign shall be processed in accordance with the following secondary purposes for the use of the information, as applicable to each Data Subject:
- Improvement of ZapSign’s commercial and promotional initiatives, as well as analysis of pages visited and searches performed, to enhance the offer of contents and articles of ZapSign and the personalization of such contents, their presentation, and services.
- Development of measurement studies regarding the participation of different sectors of the population in ZapSign.
- Analysis of the Personal Information by ZapSign, its shareholders, Affiliates and/or Related entities, and third parties hired for the development and promotion of the sale of its services.
- Compilation of the services that Data Subjects use and the manner in which they use them.
- Receipt of information about the Data Subject, their activities inside and outside the ZapSign Platform through its partners, or information about the experiences and interactions the Data Subject has had through our network of associated advertisers.
- Processing for marketing, advertising, or commercial prospecting purposes of ZapSign.
- Other communications and activities related to the corporate purpose of ZapSign.
9.2 If you, as the Data Subject of the Personal Data, do not agree with any of the secondary purposes set forth in this Policy, please write to privacy@truora.com.
10. Duties and Rights of Data Subjects
10.1 In accordance with article 8 of Law 1581 of 2012, the Data Subjects of the Personal Data provided to ZapSign shall have the following rights:
- To know, update, and rectify their Personal Data before the Controllers or Processors of the Processing, free of charge.
- To request proof of the authorization granted to the Controller, except when expressly excluded as a requirement for the Processing.
- To be informed, upon request, regarding the use that has been given to their Personal Data.
- To file complaints before the Superintendence of Industry and Commerce (SIC) for breaches of Law 1581 of 2012 and other amending or supplementing rules.
- To revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights, and guarantees. The revocation and/or deletion shall apply when the SIC has determined that, in the Processing, the Controller or Processor has engaged in conduct contrary to the law and the Constitution.
- To access, free of charge, their Personal Data that has been subject to Processing.
- To file inquiries and claims regarding their Personal Data in accordance with the procedure set forth in section 11 of this Policy.
10.2 Data Subjects of the personal information provided to ZapSign shall have the following duties:
- To provide truthful information, which may be verified by ZapSign for control and validation purposes. ZapSign may deny requests when it is verified that the information provided by the Data Subject is false or presents inconsistencies.
- To keep the contact information up to date, in order to ensure a more efficient and timely provision of the service, and to allow a direct communication and information channel between ZapSign and the Data Subject.
11. Procedure for the Exercise of Rights (Inquiries and Claims)
ZapSign provides the tools and means of communication for Data Subjects or their legal representatives to exercise their rights, in accordance with the procedure established in articles 14 and 15 of Law 1581 of 2012:
11.1 Inquiries
The Data Subject or their successors-in-interest may consult the personal information of the Data Subject contained in any of ZapSign’s databases. ZapSign shall provide them with all the information contained in the individual record or that is linked to the identification of the Data Subject.
The inquiry shall be submitted in writing to the channel indicated below. The inquiry shall be addressed within a maximum term of ten (10) business days from the date of its receipt. When it is not possible to address the inquiry within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which their inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.
11.2 Claims
The Data Subject or their successors-in-interest who consider that the information contained in a database must be subject to correction, updating, or deletion, or when they observe the alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim before ZapSign, which shall be processed under the following rules:
- The claim shall be made by means of a request addressed to ZapSign, with the identification of the Data Subject, the description of the facts giving rise to the claim, the address, and accompanied by the documents to be relied upon. If the claim is incomplete, the interested party shall be requested within five (5) business days following the receipt of the claim to remedy the deficiencies. If two (2) months elapse from the date of the request without the applicant submitting the requested information, it shall be deemed that the applicant has withdrawn the claim.
- Once the complete claim is received, a legend stating "claim in process" shall be included in the database, along with the reason therefor, within a term of no more than two (2) business days. Such legend shall be maintained until the claim is decided.
- The maximum term to address the claim shall be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
In accordance with article 16 of Law 1581 of 2012, the Data Subject or successor-in-interest may only file a complaint before the Superintendence of Industry and Commerce once the inquiry or claim procedure before the Controller or Processor has been exhausted.
11.3 Data Subject Service Channel
Data Protection Officer / Privacy Officer
Email: privacy@truora.com
12. Confidentiality of Personal Data
12.1 The Personal Data provided by Data Subjects shall be used solely by ZapSign, its shareholders, Affiliates and/or Related entities, and the third parties authorized for such purposes, in accordance with this Policy. The Data shall not be intended, in any event, for purposes other than those for which they were provided. For this reason, ZapSign shall protect the privacy of the Personal Information and shall make its best efforts to keep it under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access, as well as to respect the rights of its Data Subjects.
12.2 If, for any reason, a competent authority requests the disclosure of the Personal Information held by ZapSign, and consequently, it has the legal obligation to provide such information, ZapSign shall proceed to deliver such Information, a situation that the Data Subjects accept and authorize. The Data Subject shall be informed whenever possible, except in cases of legal reservation.
13. Information Security
In compliance with the provisions of Law 1581 of 2012, Decree 1074 of 2015, and other legislation, international treaties, decrees, circulars, manuals, recommendations, and/or regulations relating to and applicable to the Protection and Privacy of Personal Data, ZapSign has implemented administrative, technical, and physical security measures to establish, at the organizational level, the management, support, and review of the security of Personal Data, the identification and classification of information, as well as the awareness, training, and capacity building of its personnel in matters of personal data protection.
In addition, ZapSign maintains recognized information security certifications applicable to its business model and adopts controls compatible with international standards such as ISO/IEC 27001.
Security breaches occurring in any phase of the Processing that significantly affect the property or moral rights of Data Subjects shall be timely reported to the SIC and to the affected Data Subjects, in accordance with applicable provisions.
Notwithstanding the foregoing, and considering that the services rendered by ZapSign are developed through the internet, illegal interceptions or breaches of systems and databases by unscrupulous or unauthorized persons may exist. ZapSign shall make its best efforts and adopt all reasonable measures to prevent such occurrences.
13.1 Information Retention
Files under the responsibility of ZapSign shall comply with the protocols and procedures established by the information security policy regarding asset management and information classification, in addition to complying with the following specifications:
- The data of the owner of the information shall be stored in separate instances, with read-access controls.
- Consultation of the information by unauthorized personnel shall be avoided.
- All files are encrypted at the time of storage in the designated repository.
- Transfers of sensitive or restricted files shall be carried out through trusted messaging systems, where possible with information encryption.
Personal Data shall be retained for the time necessary to fulfill the purposes set forth in this Policy, as well as to comply with legal obligations (including applicable statutes of limitations in civil, commercial, tax, and labor matters) or for the regular exercise of rights in judicial, administrative, or arbitration proceedings. Once such period has elapsed, the data shall be deleted or anonymized, unless there is a legal or contractual duty to retain them.
14. Sharing and International Data Transfers
ZapSign carries out remissions (transmissions) and national and international transfers of Personal Data in compliance with applicable legal provisions, in particular article 26 of Law 1581 of 2012 and articles 2.2.2.25.5.1 and following of Decree 1074 of 2015.
As a general rule, the transfer of Personal Data to countries that do not provide adequate levels of data protection is prohibited. A country is understood to provide an adequate level of protection when it complies with the standards set by the SIC, which in no case may be lower than those required by Colombian law. The prohibition does not apply when the transfer involves:
- Information for which the Data Subject has granted express and unequivocal authorization for the transfer.
- Exchange of medical data, when required by the Processing of the Data Subject for reasons of health or public hygiene.
- Banking or stock-exchange transfers, in accordance with the legislation applicable to them.
- Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party.
- Transfers necessary for the execution of a contract between the Data Subject and the Controller, or for the execution of pre-contractual measures, provided that the Data Subject’s authorization has been obtained.
- Transfers legally required to safeguard the public interest, or for the recognition, exercise, or defense of a right in judicial proceedings.
In accordance with Law 1581 of 2012, ZapSign informs you that, with the acceptance of this Policy, it is understood that the Data Subject grants their authorization for ZapSign to transfer and/or transmit their Personal Data to third parties, whether Colombian or foreign, to its shareholders, Affiliates and/or Related entities (including the other companies of the Truora group in Mexico, Brazil, Chile, and the United States), as well as to third parties and judicial or administrative authorities, in those events in which the transfer or transmission of the data is necessary to carry out the uses and activities authorized by Data Subjects in accordance with the corporate purpose of ZapSign.
14.1 Personal Data Exchange
When formal information exchange agreements are entered into with third parties, procedures and/or protocols for the transfer of Personal Data shall be established, including, as a minimum requirement, the following security conditions:
- Establishment of responsibilities for control, dispatch, and reception.
- Mechanisms to ensure traceability and non-repudiation.
- Establishment of responsibilities and obligations in the event of information security incidents, such as data loss.
- Establishment of contractual safeguards on the ownership of information, the care of personal data, the respect for copyright, software licenses, and similar legal considerations.
- Execution of formal confidentiality agreements with information recipients.
15. Truora Pass — Reusable Digital Identity Wallet
15.1. Optional service. Truora Pass is an optional functionality offered by Truora (an affiliate within the same corporate group as ZapSign), through which the data subject may accept the creation of a personal account that allows them to manage and maintain control over their own previously verified identification data. The creation of a Truora Pass account is optional, free of charge and independent of the use of the other ZapSign Services.
15.2. Data subject control. The creation of a Truora Pass account is carried out solely on the basis of the data subject's freely given, specific, informed and unambiguous consent (or explicit consent, where applicable), expressed through a clear affirmative action distinct from the general acceptance of this Policy. The data subject retains, at all times, full control over their account and may freely decide whether to keep it active.
15.3. Legal bases and applicable regulatory framework. The processing of Personal Data associated with the Truora Pass account is based on the data subject's specific, informed and differentiated consent, as well as on the performance of the contract entered into between the data subject and Truora, in accordance with the regulatory frameworks applicable in each jurisdiction, including in particular: (i) Law No. 13,709/2018 — General Data Protection Law (LGPD), in Brazil, in particular Articles 7(V), 11(I) and 18; (ii) Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR), in the European Economic Area, in particular Articles 6(1)(b), 9(2)(a) and 15 to 22; (iii) Law 1581 of 2012 and Decree 1377 of 2013, in Colombia, in particular Articles 6 and 8; (iv) the Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations, in Mexico, in particular Articles 9 and 22 to 35; as well as any other concordant regulations in other jurisdictions in which Truora provides the service.
15.4. Data subject rights. The data subject may, at any time and free of charge, exercise the rights granted to them by the applicable law in their jurisdiction in relation to the Truora Pass account, including, as applicable: confirmation of processing, access, rectification, updating, anonymization, erasure or deletion, portability, objection, restriction of processing, information on data sharing, withdrawal of consent and — where applicable under the GDPR — the right to lodge a complaint with the competent supervisory authority, as well as the ARCO rights provided for by the LFPDPPP in Mexico. Requests may be addressed to Truora through the channels indicated in its Privacy Policy (privacy@truora.com), without prejudice to ZapSign's channels indicated in this Policy. The withdrawal of consent or the deletion of the Truora Pass account shall not affect the continuity of the other ZapSign Services nor the integrity of the electronic signature evidence already generated, as set forth in Section 16.
15.5. Specific terms. The specific conditions of use of Truora Pass, including the details of the attributes processed, the specific purposes and any interactions with third parties previously requested by the data subject, shall be regulated by Truora Pass's specific Terms and Conditions, which must be accepted separately by the data subject at the time of account creation.
16. Cookies and Other Technological Tools
16.1 ZapSign uses cookies and similar technologies to personalize and improve the experience of clients, as well as to display relevant online advertising. Cookies are small text files containing a unique identifier that is stored on the computer or mobile device through which you access the website and/or mobile applications, so that they can be recognized each time you use the website and/or mobile applications.
16.2 The Data Subject may choose to disable, at any time, some or all of the cookies we use. However, this could restrict the Data Subject’s use of the sites and limit their experience therein. The cookies we use do not contain or affect Sensitive Personal Data and do not represent a virus risk.
17. Electronic Signature and Legal Validity of Documents
17.1 ZapSign acts as an electronic signature service provider, offering technological tools that allow Users and Signers to enter into contracts and execute documents by electronic means, in compliance with the applicable legislation regarding electronic commerce, data messages, and electronic signatures in force in the Republic of Colombia.
17.2 For purposes of validity, authenticity, integrity, and non-repudiation of the documents electronically signed through the Platform, ZapSign collects, stores, and produces technical evidence regarding the formation of the signature, such as: identification of the signer, IP address, approximate geolocation, device used, time-stamp, document hash, biometrics (when activated), and other audit logs.
17.3 Such evidence is considered Personal Data and its Processing is based on the following grounds: (i) execution of the contract entered into between the Data Subject and ZapSign; (ii) compliance with legal and regulatory obligations; (iii) regular exercise of rights in judicial, administrative, or arbitration proceedings; and (iv) the legitimate interest of the Controller, especially for the purposes of fraud prevention and ensuring the legal validity of the document.
17.4 Due to the principles of integrity and non-repudiation of electronically signed documents, as well as legal and regulatory obligations, the signature evidence shall be retained for the time necessary for the exercise of the corresponding rights, observing the applicable statutes of limitations. Any request by the Data Subject to delete this evidence may be legitimately denied, with due grounds, when its storage is indispensable for compliance with a legal, regulatory, or contractual obligation, or for the regular exercise of rights.
18. Data Protection Officer
18.1 ZapSign has appointed a Data Protection Officer (Privacy Officer), responsible for: (i) attending to claims and communications from Data Subjects, providing clarifications, and adopting the corresponding measures; (ii) receiving communications from the SIC and adopting the corresponding measures; (iii) guiding the entity’s officers and contractors regarding the practices to be adopted in relation to the protection of personal data; and (iv) executing the other duties determined by the Controller or established in supplementary regulations.
Data Protection Officer / Privacy Officer
Email: privacy@truora.com
Address: [address to be completed], Bogotá D.C., Colombia
19. Modifications to the Privacy Policy
19.1 ZapSign is fully entitled to modify this Privacy Policy. Any change shall be published on our website and/or mobile applications, indicating the date of the last update. When the modification implies a substantial change in the purpose or legal basis of the Processing, and the original legal basis is consent, ZapSign shall request new authorization from the affected Data Subjects. It is the responsibility of the Data Subject to review this Policy frequently.
20. Validity
20.1 This Privacy Policy is in effect as of the date indicated as "Last Updated" and shall be reviewed periodically, at least once per year, or whenever there is a legislative, regulatory, or operational change that justifies it.
21. Applicable Law and Jurisdiction
21.1 This Privacy Policy is governed by the laws of the Republic of Colombia, in particular by Statutory Law 1581 of 2012, Decree 1074 of 2015, and other concurrent regulations. Any dispute arising from this Policy shall be submitted to the jurisdiction of the courts of the city of Bogotá D.C., Colombia, without prejudice to any mandatory provisions to the contrary contained in consumer protection rules.
22. Authority of Issuance, Review, and Publication
22.1 This Privacy Policy has been developed by the Privacy area of the Truora Group, exclusively in charge of the protection of Personal Data and ensuring the exercise of the rights of Data Subjects.
22.2 In case of doubts, suggestions, or requests related to this Policy, the Data Subject may contact the Data Protection Officer through the channel indicated in Section 17.
23. EU/EEA Data Subjects — GDPR-Specific Provisions
23.1 Applicability. This Section 23 applies whenever ZapSign processes Personal Data of data subjects located in the European Union or the European Economic Area in connection with (a) the offering of goods or services to such data subjects or (b) the monitoring of their behaviour, as set out in article 3(2) of Regulation (EU) 2016/679 (the "GDPR"). To that extent, the GDPR governs the processing and shall be read together with this Privacy Policy. Where this Section 23 conflicts with any other provision of this Privacy Policy as it applies to EU/EEA data subjects, this Section 23 shall prevail.
23.2 Roles. For Personal Data of end signers and other third parties uploaded or submitted by Users in the course of using the ZapSign Platform, the User acts as data controller and ZapSign acts as data processor within the meaning of article 28 GDPR. For Personal Data processed in connection with the User's own account, billing, support, fraud prevention, and other administrative purposes, ZapSign acts as data controller.
23.3 Identity of the controller. The data controller for ZapSign-controlled processing is TRUORA S.A.S, identified in Section 1.1 of this Policy. The contact details for data protection matters are set out in Section 18 of this Policy.
23.4 Legal bases (article 6 GDPR). ZapSign relies on one or more of the following legal bases for the processing of Personal Data of EU/EEA data subjects, depending on the purpose: (a) performance of a contract or pre-contractual measures (article 6(1)(b) GDPR) — for account creation and management, provision of the electronic signature service, identity verification when activated by the User, billing, support, and any other processing strictly necessary to perform the contract; (b) compliance with a legal obligation (article 6(1)(c) GDPR) — for record-keeping, tax obligations, AML/CTF checks where applicable, retention of electronic signature evidence required by applicable law, and response to lawful requests from competent authorities; (c) legitimate interests (article 6(1)(f) GDPR) — for fraud prevention, information security, integrity and non-repudiation of electronic signatures, defence against legal claims, and analytics in aggregated or anonymised form; and (d) consent (article 6(1)(a) GDPR) — for marketing communications, non-essential cookies and similar technologies, and any other processing not covered by the legal bases above. Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal.
23.5 Special categories of data (article 9 GDPR). Where ZapSign processes biometric data, in particular facial biometric data, for the purpose of uniquely identifying a data subject in the context of identity verification or the Truora Pass service, processing is based on the data subject's explicit consent (article 9(2)(a) GDPR). Where biometric data is processed without the purpose of unique identification (for example, automated technical quality checks), no special category applies, but the relevant legal basis under article 6 GDPR remains in place.
23.6 Privacy contact point and EU Representative. ZapSign maintains a dedicated privacy contact point, available at privacy@truora.com and as set out in Section 18 of this Privacy Policy, to receive queries and requests from data subjects and competent authorities concerning the processing of Personal Data of EU/EEA data subjects. To the extent that ZapSign becomes required to designate a representative in the Union pursuant to article 27 GDPR, such designation will be made and communicated through this Policy. Pending any such designation, all GDPR-related inquiries may be directed to the privacy contact point identified above.
23.7 Data subject rights (articles 15–22 GDPR). EU/EEA data subjects have the following rights in respect of Personal Data processed by ZapSign, exercisable free of charge: (a) right of access (article 15); (b) right to rectification (article 16); (c) right to erasure (article 17), subject to the grounds and exceptions set out in the GDPR, including legal retention obligations for electronic signature evidence; (d) right to restriction of processing (article 18); (e) right to data portability (article 20) for data provided on the basis of consent or contract; (f) right to object (article 21), in particular at any time to processing for direct marketing; (g) right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (article 22) — ZapSign does not take such decisions in respect of EU/EEA data subjects, and any fraud-prevention scoring is subject to human review where it materially affects the data subject; and (h) right to withdraw consent at any time, without affecting the lawfulness of prior processing. Requests may be addressed to the privacy contact point at privacy@truora.com. ZapSign shall respond without undue delay and in any event within one month of receipt, subject to extensions permitted under article 12(3) GDPR.
23.8 Right to lodge a complaint with a supervisory authority (article 77 GDPR). Without prejudice to any other administrative or judicial remedy, EU/EEA data subjects have the right to lodge a complaint with the supervisory authority of the Member State of their habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
23.9 International transfers (Chapter V GDPR). Personal Data of EU/EEA data subjects processed by ZapSign may be transferred to, and stored in, countries outside the European Economic Area, including Colombia, Brazil, Mexico, Chile, and the United States. Where such transfers take place, they shall be carried out on the basis of appropriate safeguards under Chapter V GDPR, in particular, where applicable, the EU Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 (Modules 2 or 3, as relevant), supported, where required, by a Transfer Impact Assessment for the country of destination and by supplementary technical, organisational and contractual measures. Information on the safeguards applied to a specific transfer may be requested at privacy@truora.com.
23.10 Retention. Personal Data of EU/EEA data subjects is retained for the time necessary to achieve the purposes set out in this Policy, in accordance with the criteria set out in Section 13.1. As a general guide: account data is retained for the duration of the contractual relationship plus the applicable statutory limitation period; electronic signature evidence is retained for the duration required by applicable law to preserve the legal validity of the signed document; biometric data used for identity verification is retained only for the time strictly necessary to complete the verification, or, in the case of the Truora Pass service, for the active life of the account; marketing data is retained until withdrawal of consent. Specific retention schedules may be requested at privacy@truora.com.
23.11 Security incident notification (articles 33–34 GDPR). In the event of a personal data breach affecting EU/EEA data subjects, ZapSign shall notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to such rights and freedoms, ZapSign shall also communicate the breach to the affected data subjects without undue delay, in accordance with article 34 GDPR.
23.12 Children (article 8 GDPR). ZapSign's services are not intended for individuals under sixteen (16) years of age in the EU/EEA. Where information society services are offered directly to a child in the EU/EEA, processing based on consent shall comply with article 8 GDPR and, where applicable, with the higher age of consent set by the relevant Member State.











