Privacy Policy
Last updated: June 10, 2026 · Version 2.0. At Pittahaya we treat your privacy as seriously as we design: with clarity and no fine print. This policy explains what data we collect, on what legal basis, how we use it, who we share it with, and what rights you have.
1. Data controller
The controller of your data is Pittahaya ("Pittahaya", "we"), a premium web design and AI automation studio operating from Ecuador and serving clients across Latin America and Canada. This policy applies to pittahaya.com and to all forms, chats and interactions we offer on it.
For privacy matters and to exercise your rights, reach us via our contact form or WhatsApp. We have designated a person responsible for privacy within Pittahaya, reachable through these same channels.
2. Key definitions
- Personal data: any information about an identified or identifiable individual (e.g., your name or email).
- Data subject: the person the data is about (you).
- Processing: any operation on your data (collecting, storing, using, disclosing, deleting).
- Controller: who decides why and how data is processed (Pittahaya).
- Processor: a provider that processes data on our behalf, following our instructions.
3. What data we collect
We only collect what you voluntarily give us and the minimal technical data needed for the site to work and stay protected. We don't request sensitive data (health, religion, ethnicity, biometrics, etc.) and we ask you not to include it in your messages.
| Category | Examples | Source |
|---|---|---|
| Identification | Name | You, via the form |
| Contact | Email, phone (if provided) | You, via the form |
| Business | Brand/business name, service or plan of interest | You, via the form |
| Communications | The message you send and any later correspondence | You |
| Technical / security | IP address, browser type, date and time, anti-spam token (Cloudflare Turnstile), record of your consent | Automatic |
You don't need to create an account to contact us.
4. Purposes and legal basis
We process your data only for specific purposes, each supported by a valid legal basis under the LOPDP (Art. 7) and PIPEDA:
| Purpose | Legal basis |
|---|---|
| Reply to your message and send a diagnosis or quote | Your consent and/or pre-contractual steps at your request |
| Manage the project if we decide to work together | Performance of a contract |
| Prevent spam, fraud and abuse; keep the site secure | Legitimate interest |
| Comply with legal, accounting or tax obligations | Legal obligation |
We do not sell, rent or trade your data, and we don't use it for third-party advertising.
5. Consent
When you submit a form, we ask you to expressly tick a box confirming you've read and accept this policy. In line with the LOPDP, your consent is free, specific, informed and unambiguous: the box is never pre-checked, and we don't condition unrelated services on it. We record the date and time you give it.
You can withdraw your consent at any time (without retroactive effect) by contacting us through the channels in section 1. Withdrawing it may prevent us from continuing to handle your request.
6. Who we share data with (processors)
We don't sell or transfer your data. We rely on trusted technology providers acting as processors, only to operate and under a duty of confidentiality:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Secure storage of form data | USA |
| Resend | Delivery of confirmation and notification emails | USA |
| Cloudflare | Spam and bot protection (Turnstile) | Global / USA |
| Vercel | Website hosting and anonymous site analytics (Web Analytics, no cookies) | USA |
We may also disclose data where required by law (for example, to a competent authority with a valid order).
7. International transfers
Because the providers above operate mainly in the United States, your data may be processed outside Ecuador and Canada. We carry out these transfers under valid bases of the LOPDP (your consent, performance of the contract, and/or appropriate safeguards such as contractual clauses with reputable providers applying industry-standard security). We choose providers with contractual commitments and technical measures to protect your information in transit and at rest.
8. How long we keep your data
- Inquiries without engagement: up to 24 months from the last contact, unless you ask us to delete it sooner.
- Clients: for the duration of the business relationship and, afterwards, as long as the law requires (e.g., accounting/tax obligations in Ecuador). We then delete or anonymize it.
- Consent and security records: for a reasonable period to demonstrate legal compliance.
9. Security
We apply appropriate technical and organizational measures: encryption in transit (HTTPS/TLS), restricted access control, providers with industry-standard security, and anti-abuse protection. No system is 100% infallible, but we work responsibly to protect your information.
10. Your rights
Under Ecuador's LOPDP (Arts. 16–22) you have the right to:
- Access — know whether we process your data and get a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data when no longer necessary.
- Objection — object to processing based on your particular situation.
- Portability — receive your data in a structured format and transfer it.
- Restriction — restrict processing in certain cases.
- Not be subject to automated decisions with legal or significant effects.
If you are in Canada, under PIPEDA you may also access your data, request correction, withdraw consent, and file a complaint. Exercising these rights is free. We respond within the legal timeframes (generally without undue delay and, for PIPEDA access requests, normally within 30 days). To exercise them, contact us via the contact form or WhatsApp; we may ask you to verify your identity first.
11. Data breaches
If a breach affecting your data occurs, we'll act as the law requires: we'll notify Ecuador's Superintendence for the Protection of Personal Data (SPDP) within 5 business days and, where there's a high risk to you, inform you without undue delay. For individuals in Canada, where there's a real risk of significant harm we'll report to the Office of the Privacy Commissioner of Canada (OPC), notify you, and keep a record of the incident.
12. Automated decisions
We don't make decisions producing legal or significant effects about you based solely on automated processing. Our AI tools support our work, but a human makes the meaningful decisions.
13. Cookies and analytics
We don't use advertising or third-party tracking cookies, and we don't profile our visitors. We only use technical and security technologies needed for the site to work and to protect it (for example, Cloudflare's anti-bot system).
To understand how the site is used we rely on Vercel Web Analytics, a privacy-friendly analytics tool: it uses no cookies, creates no persistent identifier, and doesn't track you across sites or across days. It only measures aggregate, anonymous data (pages visited, referring page, approximate country and device type) and anonymous conversion events (for example, "form submitted" or "WhatsApp click"), without tying them to your identity. Because it's anonymous and cookieless, it does not require a consent banner.
14. Minors
Our services are aimed at businesses and adults. We don't knowingly collect data from minors. If you believe a minor has given us data, contact us so we can delete it.
15. Supervisory authorities and complaints
If you feel we haven't handled your request well, you may complain to the competent authority:
- Ecuador: Superintendence for the Protection of Personal Data (SPDP).
- Canada: Office of the Privacy Commissioner of Canada (OPC).
Even so, please contact us first — we'd like to resolve it with you directly.
16. Changes to this policy
We may update this policy to reflect improvements or legal changes. The current version will always be published on this page, with its version number and date. If changes are significant, we'll make a reasonable effort to inform you.
17. Contact
Questions about your privacy or your data? Reach out:
See also our Terms & Conditions. This policy is informational and does not replace individualized legal advice.