Privacy Policy

1. Data controller

The controller of your data is Pittahaya ("Pittahaya", "we"), a premium web design and AI automation studio operating from Ecuador and serving clients across Latin America and Canada. This policy applies to pittahaya.com and to all forms, chats and interactions we offer on it.

For privacy matters and to exercise your rights, reach us via our contact form or WhatsApp. We have designated a person responsible for privacy within Pittahaya, reachable through these same channels.

2. Key definitions

• Personal data: any information about an identified or identifiable individual (e.g., your name or email).
• Data subject: the person the data is about (you).
• Processing: any operation on your data (collecting, storing, using, disclosing, deleting).
• Controller: who decides why and how data is processed (Pittahaya).
• Processor: a provider that processes data on our behalf, following our instructions.

3. What data we collect

We only collect what you voluntarily give us and the minimal technical data needed for the site to work and stay protected. We don't request sensitive data (health, religion, ethnicity, biometrics, etc.) and we ask you not to include it in your messages.

Category	Examples	Source
Identification	Name	You, via the form
Contact	Email, phone (if provided)	You, via the form
Business	Brand/business name, service or plan of interest	You, via the form
Communications	The message you send and any later correspondence	You
Technical / security	IP address, browser type, date and time, anti-spam token (Cloudflare Turnstile), record of your consent	Automatic

You don't need to create an account to contact us.

4. Purposes and legal basis

We process your data only for specific purposes, each supported by a valid legal basis under the LOPDP (Art. 7) and PIPEDA:

Purpose	Legal basis
Reply to your message and send a diagnosis or quote	Your consent and/or pre-contractual steps at your request
Manage the project if we decide to work together	Performance of a contract
Prevent spam, fraud and abuse; keep the site secure	Legitimate interest
Comply with legal, accounting or tax obligations	Legal obligation

We do not sell, rent or trade your data, and we don't use it for third-party advertising.

5. Consent

When you submit a form, we ask you to expressly tick a box confirming you've read and accept this policy. In line with the LOPDP, your consent is free, specific, informed and unambiguous: the box is never pre-checked, and we don't condition unrelated services on it. We record the date and time you give it.

You can withdraw your consent at any time (without retroactive effect) by contacting us through the channels in section 1. Withdrawing it may prevent us from continuing to handle your request.

6. Who we share data with (processors)

We don't sell or transfer your data. We rely on trusted technology providers acting as processors, only to operate and under a duty of confidentiality:

Provider	Purpose	Location
Supabase	Secure storage of form data	USA
Resend	Delivery of confirmation and notification emails	USA
Cloudflare	Spam and bot protection (Turnstile)	Global / USA
Vercel	Website hosting and anonymous site analytics (Web Analytics, no cookies)	USA

We may also disclose data where required by law (for example, to a competent authority with a valid order).

7. International transfers

Because the providers above operate mainly in the United States, your data may be processed outside Ecuador and Canada. We carry out these transfers under valid bases of the LOPDP (your consent, performance of the contract, and/or appropriate safeguards such as contractual clauses with reputable providers applying industry-standard security). We choose providers with contractual commitments and technical measures to protect your information in transit and at rest.

8. How long we keep your data

• Inquiries without engagement: up to 24 months from the last contact, unless you ask us to delete it sooner.
• Clients: for the duration of the business relationship and, afterwards, as long as the law requires (e.g., accounting/tax obligations in Ecuador). We then delete or anonymize it.
• Consent and security records: for a reasonable period to demonstrate legal compliance.

9. Security

We apply appropriate technical and organizational measures: encryption in transit (HTTPS/TLS), restricted access control, providers with industry-standard security, and anti-abuse protection. No system is 100% infallible, but we work responsibly to protect your information.

10. Your rights

Under Ecuador's LOPDP (Arts. 16–22) you have the right to:

• Access — know whether we process your data and get a copy.
• Rectification — correct inaccurate or incomplete data.
• Erasure — ask us to delete your data when no longer necessary.
• Objection — object to processing based on your particular situation.
• Portability — receive your data in a structured format and transfer it.
• Restriction — restrict processing in certain cases.
• Not be subject to automated decisions with legal or significant effects.

If you are in Canada, under PIPEDA you may also access your data, request correction, withdraw consent, and file a complaint. Exercising these rights is free. We respond within the legal timeframes (generally without undue delay and, for PIPEDA access requests, normally within 30 days). To exercise them, contact us via the contact form or WhatsApp; we may ask you to verify your identity first.

11. Data breaches

If a breach affecting your data occurs, we'll act as the law requires: we'll notify Ecuador's Superintendence for the Protection of Personal Data (SPDP) within 5 business days and, where there's a high risk to you, inform you without undue delay. For individuals in Canada, where there's a real risk of significant harm we'll report to the Office of the Privacy Commissioner of Canada (OPC), notify you, and keep a record of the incident.

12. Automated decisions

We don't make decisions producing legal or significant effects about you based solely on automated processing. Our AI tools support our work, but a human makes the meaningful decisions.

13. Cookies and analytics

We don't use advertising or third-party tracking cookies, and we don't profile our visitors. We only use technical and security technologies needed for the site to work and to protect it (for example, Cloudflare's anti-bot system).

To understand how the site is used we rely on Vercel Web Analytics, a privacy-friendly analytics tool: it uses no cookies, creates no persistent identifier, and doesn't track you across sites or across days. It only measures aggregate, anonymous data (pages visited, referring page, approximate country and device type) and anonymous conversion events (for example, "form submitted" or "WhatsApp click"), without tying them to your identity. Because it's anonymous and cookieless, it does not require a consent banner.

14. Minors

Our services are aimed at businesses and adults. We don't knowingly collect data from minors. If you believe a minor has given us data, contact us so we can delete it.

15. Supervisory authorities and complaints

If you feel we haven't handled your request well, you may complain to the competent authority:

• Ecuador: Superintendence for the Protection of Personal Data (SPDP).
• Canada: Office of the Privacy Commissioner of Canada (OPC).

Even so, please contact us first — we'd like to resolve it with you directly.

16. Changes to this policy

We may update this policy to reflect improvements or legal changes. The current version will always be published on this page, with its version number and date. If changes are significant, we'll make a reasonable effort to inform you.

17. Contact

Questions about your privacy or your data? Reach out:

Contact form · WhatsApp

See also our Terms & Conditions. This policy is informational and does not replace individualized legal advice.