Personal Data Processing Policy
Version 1.0 — March 11, 2026
The purpose of this Personal Data Processing Policy (hereinafter, the "Policy") is to inform Data Subjects about the conditions under which Bee Technologies S.A.S., identified by the acronym Beedy, with NIT 901.843.345-1 (hereinafter, the "Data Controller"), performs the Processing of personal data through its product Equa, in accordance with the Political Constitution of Colombia, Statutory Law 1581 of 2012, Single Regulatory Decree 1074 of 2015, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and other complementary regulations.
The Data Controller undertakes to ensure that Data Processors acting on its behalf fully comply with this Policy and applicable legal obligations.
1. IDENTIFICATION OF THE DATA CONTROLLER
- Company name: Bee Technologies S.A.S.
- Acronym: Beedy
- NIT: 901.843.345-1
- Main domicile: Bogotá D.C., Colombia
- Email for personal data: equa@beedy.com.co
- Address: Quintas de Santa Barbara, Etapa III, Casa 146.
- Contact phone: 320 568 2819
- Website: https://equa.beedy.com.co
- Data Protection Officer: Santiago Sánchez Hernández
2. DEFINITIONS
For the purposes of this Policy, the following definitions are adopted:
Authorization: Prior, express, free, specific, informed, and unambiguous manifestation of will by which the Data Subject accepts the Processing of their personal data.
Database: Organized set of personal data that is subject to Processing.
Personal Data: Any information linked, or that can be linked, to an identified or identifiable natural person (e.g., name, ID number, email, telephone, financial data, IP address, cookies, online identifiers, among others).
Sensitive Data: Information that affects the privacy of the Data Subject or whose improper use can generate discrimination: biometric data, health data, sexual orientation, religious beliefs, union affiliation, among others.
Data Controller: Natural or legal person that decides on the purposes and means of the Processing.
Data Processor: Natural or legal person that performs the Processing of personal data on behalf of the Data Controller.
Data Subject or Interested Party: Natural person whose personal data is subject to Processing.
Processing: Any operation on personal data: collection, recording, storage, use, circulation, transfer, transmission, deletion, or any other form of processing.
Transfer: Sending of personal data to a third party acting as Data Controller, within or outside of Colombia.
Transmission: Communication of personal data to a Data Processor so that they perform the Processing on behalf of the Data Controller.
Security breach or violation: Incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.
3. GUIDING PRINCIPLES FOR PROCESSING
The Processing of personal data is governed by the following principles:
Lawfulness, fairness, and transparency: All Processing must be lawful, fair, and transparent with respect to the Data Subject.
Purpose and limitation: Data will only be processed for legitimate, specific, explicit purposes communicated to the Data Subject, and will not be further processed in a manner incompatible with those purposes.
Data minimization: Data will be adequate, relevant, and limited to what is strictly necessary for the purposes of the Processing.
Accuracy and truthfulness: The information processed must be truthful, complete, accurate, and updated. Reasonable measures will be taken to promptly delete or rectify inaccurate data.
Storage limitation: Data will be kept only for the time necessary for the purposes of the Processing, unless there is a legal obligation to retain it.
Freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject, unless there is a legal basis that legitimizes it without consent.
Security and integrity: Appropriate technical and organizational measures will be applied to protect data against loss, unauthorized access, alteration, destruction, or improper use.
Confidentiality: Everyone involved in the Processing must keep the information confidential, even after their relationship with the Data Controller has ended.
Restricted access and circulation: Personal data must not be made available on the internet or in mass media unless access is restricted by appropriate technical controls to the Data Subject and authorized persons.
Accountability: The Data Controller must be able to demonstrate compliance with the applicable principles and obligations.
4. LEGAL BASES FOR PROCESSING
4.1. Legal bases
The Processing of personal data is based on one or more of the following legal bases:
- Consent of the Data Subject: free, specific, informed, and unambiguous manifestation.
- Performance of a contract: when Processing is necessary for the provision of the Equa service contracted by the Data Subject.
- Compliance with a legal obligation: when a regulation requires the Processing.
4.2. Mechanisms for obtaining consent
The Data Controller obtains the Data Subject's consent through:
- Consent when registering on the Equa platform, by accepting terms and conditions and this Policy.
- Consent via WhatsApp: upon interacting for the first time, this Policy is presented, and explicit acceptance is required before activating the account.
- OAuth authorization: for the Gmail integration, the Data Subject expressly authorizes read-only access to their Gmail mailbox through the standard Google OAuth 2.0 consent flow. The requested scope (gmail.readonly) allows messages to be read but not sent, modified, or deleted, and the Data Controller uses it solely to read bank notification emails.
4.3. Minimum content of consent
The consent shall inform the Data Subject about: (i) the identity and contact details of the Data Controller and the Data Protection Officer; (ii) the purposes of the Processing; (iii) the categories of data processed; (iv) the recipients or categories of recipients; (v) the intention to make international transfers; (vi) the retention period; (vii) the rights of the Data Subject and the channels to exercise them; and (viii) the optional nature of the responses regarding sensitive data.
4.4. Exceptions to consent
Consent of the Data Subject will not be required in cases of:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Publicly available data.
- Cases of medical or health emergency.
- Processing authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of Persons.
4.5. Revocation of consent
The Data Subject may revoke their consent at any time, without affecting the lawfulness of the Processing carried out previously. Revocation will not proceed when there is a legal or contractual duty to remain in the database. To revoke, the Data Subject may use any of the channels described in section 8.
5. PRIVACY NOTICE
The Privacy Notice will contain, at a minimum: the identity and contact details of the Data Controller, the type of Processing and its purpose, the mechanisms for consulting this Policy, and the rights of the Data Subject. The Privacy Notice will be available during registration on the platform, in interactions via WhatsApp, and at https://equa.beedy.com.co/legal/privacy
6. PROCESSING ACTIVITIES
6.1. Categories of personal data processed
| Category | Specific data | Main purpose |
|---|---|---|
| Identification data | Full name, email, phone number, avatar, language, and preferred currency | Registration, account management, communications |
| Subscription and commercial data | Plan, status, expiration dates, promo codes, discounts, early adopter status | Billing, plan management, benefits |
| Financial and transactional data | Transactions (amount, type, category, description, date, currency, origin), goals, assets, debts (principal, rate, insurance), budgets, recurrings | Personal financial management, analysis, AI recommendations |
| Gmail integration data | OAuth tokens (access_token, refresh_token), bank emails, email_message_id | Automatic import of transactions |
| WhatsApp integration data | Phone number, conversation history, photos of receipts, voice notes (audio) | Conversational interaction, transaction logging, transcription |
| Navigation and analytics data | analytics_events (event_name, user_agent, path), session cookies, IP address | Service improvement, analytics, security |
| Consent data | terms_accepted, privacy_accepted, consent_given_at, policy_version | Legal traceability of consent |
6.2. Processing of sensitive data
The Data Controller may process data that could have a sensitive nature, specifically voice biometric data derived from WhatsApp voice notes processed by Google Cloud Speech. Consequently:
- Providing sensitive data is optional. The Data Subject is not obliged to provide voice notes; they can log transactions by text or image.
- The Data Subject will be informed which data is sensitive and the specific purpose for its Processing.
- Explicit and enhanced consent will be obtained before processing any sensitive data.
- Voice notes will be processed exclusively for transcription and transaction logging. Audio is not permanently stored after its processing.
6.3. Minors' data
Equa is a personal financial management platform directed exclusively at adults. The Data Controller does not intentionally collect or process data of minors (children and adolescents). If it is identified that a minor's data has been collected without the authorization of their legal guardian, that data will be deleted immediately.
6.4. Data subjects
- Registered users of the Equa platform.
- Users on the waitlist.
- Website visitors.
6.5. Purposes of Processing
Personal data will be used for the following purposes, all informed to the Data Subject when obtaining consent:
- Provision of the personal financial management service: logging of transactions (manual, via Gmail, and via WhatsApp), tracking goals, assets, debts, and budgets.
- Automatic import of bank transactions by reading bank notification emails (Bancolombia, Nequi, Daviplata, Davivienda, BBVA, Nu) via Gmail API with gmail.readonly scope.
- Natural language processing and categorization by artificial intelligence (Google Gemini) of WhatsApp messages, bank email contents, and receipt photos.
- Transcription of voice notes via Google Cloud Speech for transaction logging by audio.
- Sending reminders, weekly summaries, and notifications via WhatsApp (Twilio).
- Subscription management, billing, and payment processing through Bold.
- Usage analytics, continuous service improvement, and user experience.
- Compliance with legal, regulatory, accounting, and tax obligations.
- Handling of petitions, complaints, claims, and inquiries from Data Subjects.
- Platform security, fraud prevention, and access control.
- Sending advertising information, offers, promotions, subscription plan benefits, and news about new features of the Equa platform, via email, WhatsApp, or other contact channels authorized by the Data Subject.
- Use of transactional data and behavioral patterns, preferably anonymized or aggregated, for the training, tuning, and optimization of the platform's proprietary algorithmic and natural language processing models, to improve the accuracy of categorization and financial recommendations.
- Conducting satisfaction surveys, market studies, and user profile analysis to design loyalty strategies, upselling (plan upgrades), and customer retention.
- Sharing, transmitting, or transferring personal information within the framework of audit processes (due diligence), legal due diligence, investment rounds, merger, acquisition, spin-off, corporate transformation, or total or partial sale of the assets of Bee Technologies S.A.S. (Beedy).
- Analyzing the consumption habits, goals, saving capacity, and transactional behavior of the Data Subject to build financial profiles, predictive models, user segmentation, or behavioral metrics (scoring) that allow for personalized application experience and structuring proprietary or third-party service offerings.
6.6. Operations
The Processing is carried out manually, automatically, or in combination. The automated operations are:
- Synchronization of bank emails every 5 minutes.
- Sending daily reminders (8:00 AM), weekly summaries (Mondays 9:00 AM), and additional reminders (10:00 AM).
- Processing recurrent transactions (6:00 AM daily).
- Automatic cleanup of WhatsApp conversation history (Sundays 3:00 AM).
The Data Subject has the right not to be subject to decisions based solely on automated Processing that produce significant legal effects, and may request human intervention at any time.
7. RIGHTS OF THE DATA SUBJECT
The Data Subject may exercise the following rights at any time:
Access: Obtain confirmation of whether their data is being processed and access it free of charge.
Rectification: Request the correction of inaccurate, incomplete, or misleading data.
Deletion ("right to be forgotten"): Request the deletion of their data when it is no longer necessary for the purposes, consent is withdrawn, or the Processing is unlawful. Deletion does not apply when there is a legal or contractual duty of retention.
Limitation of Processing: Request the restriction of Processing while verifying data accuracy, the lawfulness of the Processing, or while the Data Subject exercises their rights.
Portability: Receive their data in a structured, commonly used, and machine-readable format, and request its transmission to another controller.
Opposition: Object to Processing based on legitimate interest or Processing for direct marketing purposes.
Automated decisions: Not be subject to decisions based solely on automated Processing that produce legal effects or significantly affect them, and request human intervention.
Revocation of consent: Revoke the consent granted at any time, without affecting the lawfulness of the prior Processing.
Proof of consent: Request evidence of the consent granted from the Data Controller.
Complaint to the competent authority: File complaints with the Superintendence of Industry and Commerce (Colombia) or the competent data protection authority, once the procedure with the Data Controller has been exhausted.
8. PROCEDURE TO EXERCISE RIGHTS
The Data Subject may exercise their rights according to Articles 14, 15, and 16 of Law 1581 of 2012, Article 2.2.2.26.2.4 of Decree 1074 of 2015, and Articles 12 to 22 of the GDPR.
8.1. Enabled channels
- Email: equa@beedy.com.co
- WhatsApp: through the same interaction channel with the platform.
- Address: Quintas de Santa Barbara, Etapa III, Casa 146.
- Business hours: Monday to Friday, 8:00 AM to 6:00 PM (Colombia time, UTC-5).
8.2. Inquiries
- Submit the inquiry through any of the enabled channels.
- The Data Controller will verify the requester's identity.
- The response time is ten (10) business days from receipt.
- The deadline may be extended by five (5) additional business days, with prior notification to the Data Subject.
Total maximum deadline: 15 business days.
8.3. Claims
8.3.1. Requirements
- Identification of the Data Subject.
- Description of facts.
- Physical or electronic address for notifications.
- Documents or evidence to be provided.
8.3.2. Rectification of deficiencies
If the claim is incomplete, rectification will be requested within five (5) business days. If it is not completed within two (2) months, it will be considered abandoned.
8.3.3. Procedure
- Transfer to the competent area: maximum two (2) business days.
- Recording "claim in progress" legend: maximum two (2) business days.
- The response time is fifteen (15) business days from receipt of a complete claim.
- The deadline may be extended by eight (8) additional business days, with prior communication to the Data Subject.
Total maximum deadline: 23 business days.
8.4. Prerequisite for proceeding before the SIC
The Data Subject may only file a complaint with the Superintendence of Industry and Commerce once the inquiry or claim procedure directly with the Data Controller has been exhausted.
9. INTERNATIONAL TRANSFERS
The Data Controller performs personal data transmissions to third parties acting as Data Processors strictly to fulfill the purposes informed to the Data Subject.
9.1. Providers and Data Processors
| Provider | Shared data | Purpose | Country | Role |
|---|---|---|---|---|
| Supabase | Profiles, transactions, auth, tokens, storage | Database, authentication, storage | USA | Data Processor |
| Google (Gmail API) | Bank emails (scope: gmail.readonly) | Transaction importing | USA | Data Processor |
| Google (Gemini AI) | Emails, WhatsApp messages, receipt photos | AI classification, NLU, image analysis | USA | Data Processor |
| Google (Cloud Speech) | WhatsApp audio (voice notes) | Voice to text transcription | USA | Data Processor |
| Twilio | Messages, photos, audio, phone | WhatsApp messaging | USA | Data Processor |
| Bold | Email, amount, subscription plan | Payment gateway | Colombia | Data Processor |
9.2. Guarantees for international transfers
The Data Controller guarantees adequate protection of the transferred data through:
- Standard Contractual Clauses approved by the European Commission.
- Data Processing Agreements with all Data Processors, guaranteeing equivalent security and confidentiality standards.
- Verification of the adequate level of protection in the destination country in accordance with External Circular 005 of 2017 of the SIC, or failing that, explicit and informed consent of the Data Subject.
Destination countries: United States (Supabase, Google, Twilio, FastForex) and Colombia (Bold).
9.3. Sharing with authorities
The Data Controller may disclose personal data to public authorities when there is a legal obligation, administrative requirement, or court order. Such disclosures will be documented for traceability.
9.4. Duties of the receiving Data Processor
- Process data only in accordance with the Data Controller's documented instructions.
- Implement equivalent or superior security measures.
- Guarantee permanent confidentiality.
- Delete or return the data upon termination of the contractual relationship.
- Immediately report security breaches.
- Allow and contribute to Data Controller audits.
10. SECURITY MEASURES
The Data Controller adopts technical and organizational measures to ensure a level of security appropriate to the risk:
10.1. Technical measures
- Row-Level Security (RLS) in all database tables. Each user exclusively accesses their own data.
- Enforced HTTPS across the entire platform in production.
- Webhook authentication: transaction_webhook_secret per user, CRON_SECRET for scheduled tasks, x-internal-secret for internal API.
- OAuth 2.0 for Gmail with state parameter (CSRF prevention) and scope limited to gmail.readonly.
- Automatic refresh of OAuth tokens with expiration control.
- Unique index on email_message_id to prevent duplicate transactions.
- Sensitive API keys stored exclusively on the server side; they are never shipped to or exposed in the client.
- Secure session cookies managed via Supabase SSR.
- Secure storage in Supabase (AWS infrastructure).
- Environment separation (production and development).
10.2. Organizational measures
- Internal personal data protection policies.
- Restricted data access to strictly authorized personnel.
- Confidentiality agreements with employees, contractors, and third parties.
- Consent logging with timestamp and policy version.
- Continuous awareness and training of personnel.
- Differentiated roles and access profiles.
- Prohibition of sharing credentials or accesses.
10.3. Assessment and continuous improvement
The Data Controller periodically reviews and updates its security measures, considering regulatory changes, technological advances, new risks, and audit recommendations. Reviews follow international best practices such as ISO 27001, NIST, and OWASP.
11. INCIDENT MANAGEMENT AND BREACH NOTIFICATION
The Data Controller establishes a security incident management protocol that covers:
- Immediate identification and containment of the incident, isolation of affected systems, and evidence preservation.
- Impact assessment: determination of the nature, scope, affected data, number of impacted Data Subjects, and risk level.
- Notification to the supervisory authority: as far as possible within seventy-two (72) hours of becoming aware of the breach, the Data Controller will notify the Superintendence of Industry and Commerce under the terms that authority determines.
- Communication to affected Data Subjects when the breach represents a high risk to their rights and freedoms, stating: nature of the incident, compromised data, measures taken, and mitigation recommendations.
- Complete documentation: date, cause, impact, corrective actions, and lessons learned.
- Implementation of corrective and preventive post-incident measures.
12. COOKIES AND TRACKING TECHNOLOGIES
The Equa platform uses session cookies (Supabase SSR) and analytics technologies (analytics_events: event_name, user_agent, path, JSON data). Cookies are classified into:
- Strictly necessary: authentication and user session. They do not require consent.
- Analytical: usage statistics to improve the service. They require prior consent from the Data Subject.
The Data Subject can manage their cookie preferences from their browser settings or via the consent banner.
13. NATIONAL REGISTER OF DATABASES
The Data Controller will register its databases in the National Register of Databases (RNBD) of the Superintendence of Industry and Commerce and will keep them updated according to the deadlines and conditions established in Decree 1074 of 2015.
14. DATA RETENTION AND DELETION
14.1. Retention periods
| Category of data | Retention period | Justification |
|---|---|---|
| Active user data | During the contract term + 5 additional years | Contract execution and accounting and tax obligations |
| Transactional and financial data | Contract term | Contract execution |
| Authorization data | Contract term + applicable legal prescription | Accountability / demonstrated responsibility |
| WhatsApp history | Weekly automatic cleanup (Sundays 3:00 AM) | Data minimization |
| Gmail OAuth tokens | Until integration is disconnected or account deletion | Storage limitation |
| Analytics events | 12 months from logging | Analytics and service improvement |
14.2. Account deletion
Upon a request for account deletion, a full cascade deletion is executed that removes: transactions, goals, assets, debts, budgets, subscriptions, integration tokens, conversation history, the user profile, and the authentication record. Deletion is irreversible, except for data whose retention is required by a legal obligation.
14.3. Final destination of data
Once the processing purposes are fulfilled and the legal retention periods expire, data will be permanently deleted, anonymized, or blocked, as applicable.
15. VALIDITY AND AVAILABILITY OF THE POLICY
15.1. Validity
This Policy becomes effective on March 11, 2026, and will remain in effect as long as the Data Controller processes personal data.
15.2. Availability
- Website: https://equa.beedy.com.co/legal/privacy
- Permanent link during platform registration.
- Available upon request via WhatsApp or email.
16. UPDATE AND NOTIFICATION OF CHANGES
16.1. Substantial changes
Substantial changes are those referring to: identification of the Data Controller or Processor, purposes of Processing, Data Subjects' rights, channels for exercising rights, security measures, processing activities, data categories or inclusion of new sensitive categories, and transfers to third parties with different conditions. Substantial changes will be communicated to Data Subjects prior to implementation.
16.2. Communication channels
- Publication at https://equa.beedy.com.co/legal/privacy
- Notification by email to the Data Subject.
- Notification within the web app and via WhatsApp.
16.3. Previous versions
The Data Controller will retain the current and previous versions of this Policy available.
16.4. Last update
This Policy was last updated on March 11, 2026.
17. APPLICABLE LAW AND JURISDICTION
This Personal Data Processing Policy, as well as the Processing of data carried out by Bee Technologies S.A.S. (Beedy), are exclusively governed by the laws of the Republic of Colombia, in particular the Political Constitution, Statutory Law 1581 of 2012, Single Regulatory Decree 1074 of 2015, and the doctrine and decisions of the Superintendence of Industry and Commerce (SIC).
Although the platform integrates international security and privacy standards (such as references to GDPR for best practices), any dispute, claim, or interpretation related to this Policy shall be subject to Colombian law and the jurisdiction of the Superintendence of Industry and Commerce (SIC), or failing that, the competent judges and courts in the city of Bogotá D.C., Colombia, with the Data Subject waiving any other jurisdiction that might correspond to them due to their current or future domicile.