Who controls your data
The data controller is Nelson David Valencia Alzate (ID C.C. 1.000.898.565), a natural person domiciled in Medellín, Colombia, operating under the trade name "Muratrox".
Official channel for privacy matters and rights requests: hola@muratrox.com. We respond within the legal timeframes (up to 15 business days under Colombian Law 1581/2012).
Applicable legal framework
This policy is drafted in compliance with the Colombian General Data Protection Regime: Law 1581 of 2012, Decree 1377 of 2013 and related circulars and resolutions issued by the Superintendency of Industry and Commerce (SIC).
If you are a resident of the European Union, we also respect the provisions of the General Data Protection Regulation (GDPR). If you are a resident of California (USA), we respect the analogous rights set out in CCPA/CPRA.
What data we collect
We only collect information necessary to run the service. We group it like this:
- Account data: full name, email, password hash (never plaintext), optional avatar, preferred language, workspace role (owner / member / client) and last login timestamp.
- Project data: titles, briefs, proposals, milestones, chat messages, files you upload, ratings and comments. This information is stored linked to your account and is only visible to you and authorized project members.
- Payment metadata: processor transaction ID, amount, currency and status. We do not store full card numbers, CVV or bank authentication data — that is handled by the payment processor (Wompi) under its own PCI-DSS compliance.
- Technical data: IP address, browser user agent, session cookies and authentication activity logs. Used for security (detecting suspicious access), debugging and operational telemetry.
We do not use sensitive data (racial origin, health, sexual orientation, biometrics) nor do we ask for it. If you need to share something like that for a specific project, we will discuss the appropriate handling in writing first.
What we use it for
We process your personal data only for the following purposes:
- Operate the portal: create and maintain your account, authenticate you, display your projects, proposals, milestones and files.
- Transactional communication: send you emails about proposal updates, milestones to pay, payment confirmations, reminders and security notifications. These emails are inherent to the service and are not marketing.
- Process payments: route checkout information to the authorized processor (Wompi) to issue receipts and update milestone status.
- Comply with legal and fiscal obligations: issue invoices, maintain accounting records, respond to requests from competent authorities.
- Improve the service and prevent fraud: technical log analysis, suspicious access detection, change auditing.
We do not use your data for personalized advertising, do not sell it to third parties, and do not run automated profiling with legal effects on you.
Legal basis for processing
Processing is grounded on one of the following bases:
- Your explicit consent when creating an account and accepting these policies.
- Performance of the contract in force between you and us (accepted proposal for a project).
- Compliance with applicable legal obligations (tax, accounting, SIC requirements).
- Our legitimate interest in keeping the service secure and preventing fraud — provided it does not override your fundamental rights.
Who we share data with
To run the portal we rely on technology providers (data processors). Each one only processes the data necessary for its function and under data-processing agreements:
- Supabase (database and authentication): stores your account, project data and messages. Hosted in the United States.
- Vercel (hosting and edge): runs the portal code and delivers pages. Hosted in the United States.
- Resend (transactional email): sends system emails (milestone updates, confirmations, password recovery). Hosted in the United States.
- Wompi (payment processor): processes payments via card, PSE, Nequi and other methods. Operated in Colombia under local regulation.
- Competent authorities: only upon formal legal request (court, SIC, DIAN, etc.).
We do not sell your information or use it for advertising. There are no third-party tracking pixels (Facebook, Google Ads, etc.) in the client portal.
International data transfers
Some of our providers (Supabase, Vercel, Resend) have infrastructure located primarily in the United States. This implies an international transfer of your personal data.
Under article 26 of Decree 1377/2013, these transfers are made to countries that have adequate data protection levels or, failing that, under approved standard contractual clauses ensuring standards equivalent to Colombian law. Each provider has its own international compliance certifications (SOC 2, ISO 27001, GDPR) that we can share upon request.
How long we keep data
We keep your information only as long as needed to fulfill the stated purposes:
- Account data and active project data: while your account is open.
- Accounting and tax information linked to payments: 5 years after project closure, in compliance with Colombian tax obligations.
- Technical security logs: up to 12 months.
- If you close your account and there is no legal obligation to retain, we delete or anonymize the data within a reasonable timeframe.
Your rights
As the data subject you have the following rights (Law 1581/2012, Decree 1377/2013):
- Access, update and rectify your personal data — most of this you can do directly from Settings inside the portal.
- Request proof of the authorization granted for processing.
- Be informed about the use given to your data.
- File complaints with the Superintendency of Industry and Commerce (SIC) for violations of Law 1581.
- Revoke authorization and/or request data deletion when there is no legal or contractual obligation preventing it.
- Free access to your personal data that has been subject to processing.
To exercise any of these rights, write to hola@muratrox.com from the email linked to your account, clearly stating what you need. We respond within the 15 business days set by law — usually much sooner.
How we protect data
We apply reasonable technical and organizational measures to protect your information:
- Encryption in transit (TLS 1.3) on all communications with the portal.
- Encryption at rest on the database, at the provider level (Supabase).
- Irreversible hashing (bcrypt) for passwords — not even we can read them.
- Per-workspace data isolation via Row-Level Security in the database.
- Restricted production access for authorized personnel only, and only for operational tasks.
- OTP verification to the current email when a user wants to change their account email (to prevent session hijacking).
- Automatic inactive-session timeout and brute-force protection on login.
Minors
Muratrox is not directed at people under 18 and we do not knowingly collect data from minors. If we detect that a minor created an account, we delete it together with the associated information.
WhatsApp chatbot service for businesses
Beyond the project portal, Muratrox offers businesses an automated WhatsApp customer-service service (an AI chatbot) together with a control panel. When a business hires this service, Muratrox processes that business's end-customer data as a Data Processor, while the business acts as the Data Controller for that data.
In practice this means the business decides what its customers' data is used for, and we only process it following their instructions and strictly as needed to run the chatbot and the panel.
The data processed in this service is:
- WhatsApp phone number and profile name of the customer who messages the business.
- Content of the messages exchanged with the bot and with the business's staff, so we can reply, provide support and keep the conversation history.
- Order data placed via chat: products, quantities, delivery notes and total.
- Technical message metadata: WhatsApp identifiers, timestamps and delivery status.
To send and receive messages, this service relies on the WhatsApp Business Platform from Meta Platforms, Inc., which processes that data under its own policies and terms. To draft automated replies we use language-model (AI) providers, to which we send only the necessary conversation text — never payment data or credentials.
A business's end customers can exercise their rights (access, correction or deletion) directly with the business or by writing to us at hola@muratrox.com; in that case we channel the request together with the responsible business. Conversations and orders are kept while the business keeps the service active and per applicable legal timeframes.
Muratrox does not sell businesses' end-customer data or use it for advertising: it is used solely to operate the chatbot and the panel of the business that hired the service.
Changes to this policy
We may update this Privacy Policy when operations or a regulatory change require it. When the changes are significant we notify you by email and via an in-portal notice at least 15 calendar days in advance. The current version is always available at this same URL.
Contact
Any inquiry, complaint, exercise of rights (access, rectification, cancellation, opposition) or security incident report: write to hola@muratrox.com. That email is our official contact and notification channel. We operate from Medellín, Colombia.
If you consider your rights have been violated, you may also file a complaint with the Superintendency of Industry and Commerce (SIC), the data protection authority in Colombia.