Privacy Policy

Last updated: 2026-05-10T04:36:43.130Z

CIRA Plus, S.A. ("we", "us", "our"), based in Panama City, Republic of Panama, is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and safeguard information when you use our platform and services. We strive to comply with Panama Law 81 of 2019, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Brazilian LGPD, and the EU ePrivacy Directive.

1. Identity of the Data Controller

CIRA Plus, S.A. ("CIRA Plus," "we," "us," or "our") is the data controller responsible for your personal data. We are a company organized under the laws of the Republic of Panama, with our principal place of business in Panama City, Republic of Panama.

For all privacy-related inquiries, requests to exercise your data rights, or questions about this Privacy Policy, you may contact us at:

2. Scope and Application

This Privacy Policy describes how CIRA Plus collects, uses, stores, shares, and protects personal data when you use our AI-powered web agency platform (the "Service"), including demo creation tools, hosted websites, content management features, and custom domain support accessible at https://web.ciraplus.com and associated subdomains.

We strive to comply with applicable data protection laws and regulations, including:

  • Law 81 of 26 March 2019 on the Protection of Personal Data of the Republic of Panama ("Panama Law 81");
  • The General Data Protection Regulation (EU) 2016/679 ("GDPR");
  • The California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA");
  • Brazil's Lei Geral de Proteção de Dados ("LGPD"); and
  • Directive 2002/58/EC (ePrivacy Directive) as applicable.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of the Service.

3. Personal Data We Collect

We collect and process several categories of personal data depending on how you interact with our Service:

3.1 Account and Identity Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a cryptographic hash; we never store plaintext passwords)
  • Language preference (Spanish or English)
  • Account creation date and last login timestamps

3.2 Business and Billing Information

If you subscribe to a paid plan, we collect:

  • Company or business name
  • Billing address (street, city, state/province, postal code, country)
  • Tax identification number (RUC, NIT, VAT number, or equivalent as required by local tax regulations)
  • Billing contact email (if different from account email)

Important: Payment card numbers, CVV codes, and full card details never touch our servers. All payment processing and card tokenization are performed directly by Zoho Billing, our payment processor. We receive only anonymized card tokens (e.g., last four digits, card brand, expiration date) sufficient to display your saved payment method in your account dashboard.

3.3 Content and Project Data

As part of providing the Service, we process:

  • Website content you create, edit, or upload (text, images, videos, documents)
  • Domain names you connect to your projects
  • Site configuration settings, themes, and customization preferences
  • Demo data and temporary preview sites you generate
  • Files and media stored in your project library

3.4 AI Usage Data

When you use AI-powered features (content generation, design suggestions, orchestration), we collect:

  • The prompts and instructions you provide to our AI tools
  • The AI-generated outputs returned to you
  • Metadata about AI requests (timestamp, model used, token count, processing duration)

Your content is NEVER used to train third-party AI models. We use Anthropic (Claude) and OpenAI (Codex) for inference only. Both providers operate under enterprise agreements that prohibit using customer inputs to improve their general models. Your prompts and generated content remain your property and are processed solely to deliver the Service to you.

3.5 Usage and Analytics Data

We automatically collect technical and usage information when you interact with the Service:

  • IP address (truncated/anonymized in aggregate analytics after 18 months)
  • Browser type, version, and language settings
  • Device type, operating system, and screen resolution
  • Referring website and UTM campaign parameters
  • Pages visited, features used, and interaction patterns
  • Session duration, click paths, and navigation events
  • Error logs and performance metrics (latency, load times)

3.6 Cookies and Similar Technologies

We use cookies and similar tracking technologies to provide and improve the Service. For a complete description of the cookies we use, their purposes, and retention periods, please see our Cookie Policy. The primary cookies include:

  • cira_cc_cookie (6 months) – stores your cookie consent preferences
  • NEXT_LOCALE (1 year) – remembers your language choice (Spanish/English)
  • sb-* (varies: 1 hour to 7 days) – Supabase authentication session tokens
  • cira_retargeting (90 days) – anonymized visitor identifier for retargeting and analytics

We use vanilla-cookieconsent v3 to manage your cookie preferences. You can withdraw or modify your consent at any time through the cookie banner or your account settings.

3.7 Communications and Support Data

If you contact our support team or participate in surveys or feedback requests, we collect:

  • Email correspondence and support ticket history
  • Chat transcripts (if you use live chat support)
  • Survey responses and feedback submissions
  • Attachments or screenshots you provide to help troubleshoot issues

4. Purposes of Processing and Legal Bases

We process your personal data for the following purposes, relying on the legal bases specified under GDPR Article 6 and Panama Law 81:

4.1 Providing and Delivering the Service

Purpose: To create and maintain your account, host your websites, process AI requests, deliver content via CDN, and enable all features of the Service.

Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)). When you sign up for CIRA Plus, you enter into our Terms of Service, and processing your data is necessary to fulfill our contractual obligations to you.

4.2 Billing and Payment Processing

Purpose: To process subscription payments, issue invoices, calculate and collect applicable taxes, and maintain billing records.

Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)) and compliance with legal obligations (GDPR Art. 6(1)(c)). We are required by Panamanian tax law to maintain invoicing and tax records for a minimum of seven years following the conclusion of the relevant fiscal year.

4.3 Customer Support and Service Communications

Purpose: To respond to your inquiries, troubleshoot technical issues, provide training resources, and send transactional emails (account confirmations, password resets, billing notifications, security alerts).

Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)) and legitimate interests (GDPR Art. 6(1)(f)). We have a legitimate interest in maintaining a high-quality service and ensuring effective communication with our customers.

4.4 Service Improvement and Analytics

Purpose: To analyze usage patterns, identify bugs and performance issues, develop new features, and optimize the user experience.

Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)). We have a legitimate interest in understanding how our Service is used so we can continuously improve it. After 18 months, we aggregate and anonymize analytics data so it no longer identifies individual users.

4.5 Security and Fraud Prevention

Purpose: To detect and prevent unauthorized access, abuse, fraud, spam, and other security threats; to enforce our Terms of Service; and to protect our systems and users.

Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) and compliance with legal obligations (GDPR Art. 6(1)(c)). We have a legitimate interest in maintaining the security and integrity of our Service, and we may be legally required to retain certain security logs and incident records.

4.6 Marketing and Retargeting

Purpose: To send you promotional emails about new features, product updates, special offers, and educational content; to display retargeted advertisements on third-party platforms.

Legal Basis: Consent (GDPR Art. 6(1)(a)) or legitimate interests (GDPR Art. 6(1)(f)) where permitted by law. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any promotional email or by adjusting your preferences in your account settings. We will never sell or rent your personal data to third parties for their own marketing purposes.

4.7 Legal Compliance and Protection of Rights

Purpose: To comply with legal obligations, respond to lawful requests from government authorities, enforce our legal rights, and defend against legal claims.

Legal Basis: Compliance with legal obligations (GDPR Art. 6(1)(c)) and legitimate interests (GDPR Art. 6(1)(f)). We are subject to various legal and regulatory obligations, including tax reporting, data protection law compliance, and cooperation with law enforcement under applicable legal process.

5. Categories of Recipients and Third-Party Processors

To deliver the Service, we share certain personal data with trusted third-party service providers who process data on our behalf under contractual data processing agreements. These processors include:

5.1 Hosting and Infrastructure

  • Vercel Inc. (United States / European Union regions) – provides hosting infrastructure, content delivery network (CDN), and serverless edge functions for the Service.
  • Cloudflare, Inc. (global network) – provides DNS services, domain registration, additional CDN capabilities, and DDoS protection.

5.2 Database and Authentication

  • Supabase, Inc. (AWS US-East-1 region) – provides PostgreSQL database hosting, user authentication services, and secure database access APIs. Authentication session data is stored temporarily in Supabase.

5.3 Rate Limiting and Session Management

  • Upstash, Inc. (AWS US-East-1 region) – provides Redis-compatible rate limiting infrastructure to prevent abuse and ensure fair usage of the Service.

5.4 Email Delivery

  • Resend, Inc. (United States) – provides transactional email delivery services (account confirmations, password resets, billing notifications, support responses).

5.5 Customer Relationship Management and Billing

  • Zoho Corporation Pvt. Ltd. (India and European Union data centers) – provides customer relationship management (CRM), invoicing and billing, accounting (Books), internal team communication (Cliq), and customer support ticketing (Desk). Zoho Billing also tokenizes payment card information; we never store full card numbers on our own servers.

5.6 Artificial Intelligence Inference

  • Anthropic PBC (United States / European Union regions) – provides Claude large language model inference for content generation and natural language processing features. Your content is not used to train Anthropic's models.
  • OpenAI, L.L.C. (United States) – provides Codex model inference for code generation, orchestration, and certain automation features. Your content is not used to train OpenAI's models.

All third-party processors operate under contractual obligations to protect your data, process it only according to our documented instructions, and implement appropriate technical and organizational security measures. We conduct due diligence on our processors and periodically review their security and privacy practices.

6. International Data Transfers

CIRA Plus is based in Panama. However, some of our third-party processors are located in, or process data in, countries outside the European Economic Area (EEA) or your country of residence, including the United States and India.

When we transfer personal data internationally, we strive to ensure an adequate level of protection through one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses (or equivalent approved transfer mechanisms under Panama Law 81) with processors located outside the EEA.
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission or other relevant authorities recognizing that certain countries provide an adequate level of data protection.
  • Processor Certifications: Some processors participate in recognized privacy frameworks (such as the EU-U.S. Data Privacy Framework) or maintain ISO 27001 and SOC 2 Type II certifications.
  • Additional Safeguards: We and our processors implement supplementary technical measures (such as encryption in transit and at rest) to further protect data transferred internationally.

If you are located in the EEA or another region with data protection laws restricting international transfers, and you wish to obtain more information about the safeguards we have implemented, please contact us at ar@ciraplus.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law