This Privacy Policy and Personal Data Protection (hereinafter, the "Policy") is intended to inform, describe and regulate the conditions, obligations and responsibilities under which Servicios de Avanzada Veinticinco Cuarenta Sociedad de Responsabilidad Limitada, Legal ID: 3-102-934846, domiciled in Costa Rica, San José, San José Hospital, Avenida 8, Calle 28, Centro Corporativo Internacional, Torre C, Office Number 501 (hereinafter the "Company" or "Controller"), in its capacity as controller of personal data processing, collects, uses, stores, shares and protects the personal data of the user (hereinafter, the "User") of the CertiusOne® mobile application (hereinafter, "APP").
Likewise, this Policy informs, describes and regulates the conditions, obligations and responsibilities under which the Company, in addition to its role as Controller with respect to the User's personal data, acts as Processor of the personal data processing performed by the User, to the extent that the latter uses the APP as an identity verification platform, such verification being understood as the systematic process involving the capture and rigorous validation of information and credentials (such as identity documents, biographical or biometric data) for the purpose of verifying the identity of an individual for the User's purposes and business operations.
By registering and using the APP, the User accepts the conditions set forth herein and consents to the processing of their data in accordance with this Policy, without prejudice to the rights afforded to them under the Law on the Protection of Individuals with Regard to the Processing of Their Personal Data, No. 8968, and its Regulations (hereinafter, "Law 8968").
The User may also access this Policy at the following link https://docs.verificada.net/Politica-de-Privacidad-y-Proteccion-de-Datos-Personales.pdf or on the app store webpage without requiring authentication in the App.
For the purposes of this Policy, the following terms shall have the meanings set forth below:
The Company may process personal data of both the User and the Data Subject on behalf of the User, and use such data for the legitimate purposes determined in this Policy. To learn which data is collected and processed by the Company, as well as the specific purposes for which such data is used, please review the following table:
| Personal Data Processed | Purposes of Processing |
|---|---|
|
A.- User Identification Data: Full name, email address, phone number. |
|
|
B.- Data Subject Identification Data Identity document number, photograph of the official identity document (National ID, DIMEX or Passport) through which the Data Subject's data is accessed, such as: full name, photograph of the person in the document, handwritten signature in the document, date of birth, nationality, electoral address, place of birth, document expiration date, sex. Photographs of the Data Subject or the location where the identity verification process is conducted may also be collected. |
|
|
C.- Biometric Data of the Data Subject* Fingerprint and facial biometric features. |
|
|
D.- User Transactional Information Purchase amount. |
|
|
E.- Security and Verification Data Subject Geolocation. |
|
|
F.- Statistical Information or Metadata: Device type, model, operating system, device ID, APP version, network provider, IP address, language settings, statistical usage information and usage habits, date and time of User account registration. |
|
SERVICIOS DE AVANZADA VEINTICINCO CUARENTA SRL (HEREINAFTER, "THE COMPANY") EXPRESSLY AND TRANSPARENTLY STATES THAT THE APP CAPTURES, BUT DOES NOT RETAIN, STORE OR SAFEGUARD ON ITS SERVERS OR ON THE MOBILE DEVICE OF THE PERSONAL DATA SUBJECT, THE BIOMETRIC DATA (FACIAL FEATURES OR FINGERPRINTS) CAPTURED DURING THE VERIFICATION PROCESS.
THE PROCESSING OF SUCH SENSITIVE INFORMATION IS LIMITED EXCLUSIVELY TO ITS TECHNICAL CAPTURE FOR TRANSMISSION, ENCRYPTED AND IN REAL TIME, TO AUTHORIZED PRIMARY INFORMATION SOURCES, SPECIFICALLY THE SUPREME ELECTORAL TRIBUNAL (TSE) AND THE GENERAL DIRECTORATE OF MIGRATION AND IMMIGRATION (DGME), FOR THE SOLE PURPOSE OF PERFORMING THE IDENTITY MATCHING REQUESTED BY THE USER.
ONCE THE VERIFICATION QUERY HAS BEEN PROCESSED AND THE RESULT HAS BEEN ISSUED, THE BIOMETRIC DATA IS PERMANENTLY AND IRREVERSIBLY DELETED FROM ANY TEMPORARY MEMORY OF THE APP. THE COMPANY DOES NOT USE SUCH DATA FOR PROFILING, COMMERCIALIZATION OR ANY OTHER PURPOSE BEYOND THE IMMEDIATE IDENTITY VALIDATION.
The APP may be used by any adult natural person or legal entity with legal capacity to contract. The APP does not collect or process personal information of minors, unless permitted by law or unless the informed consent of their legal representatives has been obtained.
If a person believes that the Company has collected or is processing personal data of minors over whom they are the legal guardian, they may contact the Company to request the exercise of rights guaranteed under Law 8968 and in accordance with clause (6) of this Policy.
The Company shall delete the personal data of minors stored in the APP if the User has not obtained the informed consent of the minor's legal representatives or guardians.
For the proper provision of the Services, the APP requires the User to authorize access to the camera and geolocation functionalities. The following provides a detailed description of each requested permission, the specific purpose justifying it, the moment it operates, the data it generates, and the conditions of its processing, in accordance with the principles of transparency, data minimization and privacy by design required by Law 8968 and the requirements of application distribution platforms.
The processing of data is based primarily on the informed consent of the User and the Data Subject, as well as on the performance of the contractual relationship between the User and the Company; compliance with legal obligations in accordance with regulations on financial matters (electronic payment methods), fraud prevention, prevention of money laundering and financing of terrorism and drug trafficking; the legitimate interest of the Company in improving services and protecting its operations and the data managed by its APP; and the consent of the User, where promotional communications, access to sensitive data, device data or service personalization are involved.
When acting in the capacity of Processor and processing personal data on behalf of and at the instruction of the User, the legal basis for processing shall be those defined by the User in its capacity as Controller with respect to the data collected from the Data Subject.
Personal data processed by the Company is not sold to third parties; however, for the operation of the APP's services and functionalities, the personal data processed may be shared with:
i) internal Company employees, who are subject to strict legal confidentiality obligations, as well as other companies forming part of the same Economic Group or that may join it in the future;
ii) payment processors exclusively for the operation of payment services;
iii) technology service providers or intermediaries such as:
iv) also with other technology service providers contracted by the Company (or by other companies of the same Economic Group), which provide infrastructure, platform, software, communications, storage and cloud document custody services, or other services. All of the foregoing act in the capacity of Processors, and the Company maintains processing agreements with them as required by Law 8968;
v) the personal data will also be shared with companies of the same Economic Interest Group, when necessary for the provision of services;
vi) and with competent authorities when a duly grounded legal requirement exists.
The Company may also share the User's personal data with third-party services that, via API or Web services, may be integrated into the APP, services such as electronic invoicing, point-of-sale (POS) systems, CRMs, digital marketing platforms, Call Center platforms, instant electronic messaging applications, administrative management solutions, email management software, calendar and office productivity tools, market research or commercial intelligence providers, data storage and processing providers.
The Company will only share the transaction amount with the Costa Rican payment gateway ONVO. At the time of payment, the User will be redirected to a page under ONVO's control, where they must enter their financial information. Once the transaction is completed, ONVO will return confirmation to the App.
Therefore, during this process, the App does not have access to the User's financial information. ONVO processes such data in accordance with its own privacy policy, located at https://onvopay.com/policies.
The Company does NOT perform international transfers of personal data, in accordance with the terms of Article 14 of Law 8968, and Articles 2, subsection w) and 40 of the Regulations of the Law on the Protection of Individuals with Regard to the Processing of Their Personal Data No. 37554-JP, which establish that a transfer occurs only when data is transferred to another Controller; in this case, the Company shares or transfers data to its service providers or technology intermediaries for the purpose of providing the service, and such transfer of data is governed under the conditions of a data processing agreement.
After the User's last interaction with the APP, personal data will be retained for the period strictly necessary to fulfill the processing purposes and while legal, contractual or regulatory obligations subsist. The retention period shall be five (5) years, unless a regulation requires its retention for a longer period; beyond this period, the Company may retain data in anonymized and encrypted form solely for research and statistical purposes.
In the case of identity verification information of the Data Subject supplied by the Providers at the User's request, the Company shall retain it in encrypted form for a period of five (5) years, for the sole purpose of complying with requests made by a judicial authority or if necessary for the defense of the Company's legitimate interests. The Company does not retain or store any type of biometric data used in the identity verification process; such data is used solely to make the query to the Providers.
The User has the right to request at any time the deletion of their User Account and the erasure of their personal data. To this end, the Company provides two mechanisms: a "self-service" mechanism and a direct support option that does not require access to the App. The User may choose their preferred method according to the following options:
1. In-App Mechanism: Profile → Delete Account → Confirmation, then select the desired option:
2. Deletion request through electronic means: The User may contact us through any of the following channels to request deletion of their account:
Once the request has been validated, the Company shall immediately proceed to the definitive deletion of the Account and its associated data. However, the Company shall retain, under strict security and encryption measures, billing records and security logs for a period of five (5) years in order to comply with tax and technical audit obligations.
Since the User is the Controller of the Data Subject's data processing, any request for deletion of information contained in verification reports must be directed primarily to the User who conducted the transaction.
Notwithstanding the foregoing, the Data Subject may contact the Company through the support channel to request the dissociation of their identity from the APP's historical records. The Company, in its capacity as Processor, shall technically collaborate with the User to carry out the deletion in the storage systems, provided that no legal retention obligation exists (such as court orders or ongoing fraud investigations).
Biometric Data
IT IS REITERATED THAT, SINCE THE COMPANY DOES NOT STORE BIOMETRIC DATA, THE RIGHT OF ERASURE WITH RESPECT TO SUCH DATA IS GUARANTEED BY DESIGN, AS IT IS AUTOMATICALLY DELETED FOLLOWING REAL-TIME TRANSMISSION TO THE PRIMARY SOURCES (TSE/MIGRATION).
The User may exercise the following rights at any time:
To exercise any of these rights, the User must send a written communication to the email address info@certiusone.net or to WhatsApp WhatsApp: +506 7023 7145. The Company may request evidence of the requester's identity to ensure that the request is made by a legitimately authorized person.
If the User requests the deletion, cancellation or objection to the processing of personal data, the Company will be unable to continue providing services to the User due to the impossibility of processing the personal data required for the fulfillment of the services.
The User, as Controller, must attend to and guarantee the exercise of rights requests by the Data Subjects, for which the Company shall collaborate in accordance with the provisions of this Policy.
The Company has implemented technical and organizational security measures, in accordance with industry best practices and the security principles of Law 8968, including: data encryption in transit and at rest, two-factor authentication (2FA), biometric authentication through the personal device, periodic security audits, access control policies and incident management, data processing agreements with third parties with whom personal data is shared, in order to ensure regulatory compliance and the security of personal data.
In the specific case of the use of the APP by the User, the latter shall hold the status of Controller with respect to personal data processing by defining the purposes of the processing of the Data Subject's identification data and the means through which such data is collected and processed. Therefore, the Company in its capacity as Processor, through the APP, provides a technological service to the User, processing personal data on its behalf. The User in its capacity as Controller engages the APP's services and decides on the purpose and use of the information to verify the identity of the Data Subjects in the course of its activities.
The object of this processing agreement is the provision of access to the APP service so that the Company may provide identity verification services for the Data Subjects for the purposes determined by the User itself.
The Company, in its role as Processor, is hereby authorized to process personal data on behalf of the User as necessary for the provision of the Services. The processing shall consist of the collection, storage and communication by transmission of the personal data described in clause 1 of this Policy. Therefore, the Company as Processor undertakes to:
a- Process data solely for the identity verification requested by the User, refraining from processing personal data for purposes other than those specified. The Company may adopt all organizational and operational decisions necessary for the provision of the Service. However, the decisions it adopts must in all cases respect the purposes requested by the User.
b- Implement and maintain adequate technical and organizational security measures to protect personal data against alteration, disclosure, loss or unauthorized access, in accordance with Art. 10 of Law 8968 and Art. 34 of its regulations.
c- Extend the confidentiality obligations with respect to the personal data accessed to all of its personnel and providers. This duty of confidentiality shall persist even after the termination of the contractual relationship.
d- Refrain from transferring or disclosing the Data Subject's personal data, except upon express instructions from the User.
e- Subcontract the services of providers (RACSA and VERIDAS) for the provision of the Services on behalf of the User.
f- Collaborate with the User, through technical and organizational measures, so that the User may fulfill its obligation to respond to requests for the exercise of rights by the Data Subjects.
g- Make available to the User all information necessary to demonstrate compliance with its obligations, as well as to enable the audits or inspections carried out by the Controller or another auditor authorized by them.
h- Maintain the duty of secrecy with respect to the personal data accessed by virtue of this agreement, even after its purpose has concluded.
i- Ensure that persons authorized to process personal data expressly and in writing commit to respecting confidentiality and complying with the applicable security measures, of which they must be duly informed.
j- Maintain available to the User the documentation evidencing compliance with the obligation set forth in the preceding subsection.
k- Ensure the necessary training in personal data protection for persons authorized to process personal data.
l- Notify the User, without undue delay and within a maximum period of 48 hours, of any breach of personal data security so that the User may fulfill its obligation to notify the Data Subject and/or PRODHAB. Notification shall not be required when it is unlikely that such security breach will constitute a risk to the rights and freedoms of natural persons.
The User, as Controller with respect to the Data Subject's processed data, is the primary guarantor of the Data Subjects' rights and has the following obligations:
a- Legal basis: to be the sole party responsible for ensuring that all processing of data carried out through the APP is supported by a valid legal basis, primarily the informed, express, free and unequivocal consent of the Data Subject, in accordance with Art. 5 and 9 of Law 8968.
b- Duty to inform: to inform the Data Subject in advance of the purposes of the processing, the identity of the User, the rights available to them, and the other requirements of Article 5 of Law 8968. The User must also ensure the currency, truthfulness, accuracy and adequacy to the intended purpose of the personal data it processes.
c- Consent management: to collect, safeguard and be able to demonstrate at all times the explicit consent of the Data Subject for the processing of their sensitive data.
d- Lawful instructions: to provide the Company only with instructions that comply with applicable personal data protection legislation.
e- Attention to Data Subject Rights: to be the direct point of contact for Data Subjects and to manage and respond to all requests for the exercise of rights (access, rectification, erasure).
f- Processing procedures: to establish and document procedures for the inclusion, retention, modification, blocking and deletion of personal data collected from Data Subjects through the APP, whether on-site or in the cloud, based on minimum action protocols and security measures in the processing of personal data, also ensuring the application of the principle of information quality of the database created through personal data processing.
g- Communications and Sub-processing: The User understands and accepts that, for the provision of the service, the Company must communicate the necessary data to the providers (RACSA, TSE, DGME and VERIDAS).
h- Ensuring that the informed consent obtained from the Data Subject explicitly covers the international data transfer that Veridas's service may entail, thereby complying with Article 31, subsection f) of Law 8968. The responsibility for legitimizing such transfer lies with the User.
i- In the event of a data breach, the User shall be the sole party obligated to notify the affected Data Subject and the Agency for the Protection of Inhabitants' Data (PRODHAB) within the legal period of five (5) business days, in accordance with Articles 38 and 39 of the Regulations. The Company's notification to the User shall contain all relevant information to facilitate such compliance.
Data Subjects may exercise before the User their rights of access, rectification, erasure, objection, restriction of processing and withdrawal of consent, in accordance with the following Procedure:
a- The Data Subject must submit their request to exercise rights directly to the User, who collected the Data Subject's data and ordered verification of their identity in line with the User's interests and line of business.
b- The User must handle and respond to the request within a maximum period of five (5) business days.
c- If fulfilling the request requires assistance from the Company as data Processor, the User shall send it the appropriate instruction so that the Company may provide the necessary technical support, with the Company placing at the User's disposal the communication channels for that purpose.
This data processing agreement enters into force on the date the Services are contracted and shall have the same duration as the principal commercial relationship. Confidentiality obligations shall survive termination of the contractual relationship. The Processor (the Company) may amend this Policy at any time. Changes shall be notified through the APP or the official website and shall take effect upon publication. Continued use of the APP after notification implies acceptance of the changes.
By using the APP's services, the User (Controller of processing) declares and warrants that:
For inquiries, requests or complaints related to this Policy, you may contact the Company at the email address info@certiusone.net or at the WhatsApp number +506 7023 7145.
Last updated: March 23, 2026