Privacy Policy

Effective Date: 01 December 2025

PeerPact, Ltd (DBA PeerPact Expats) values your privacy. This Privacy Policy explains how we collect, use, disclose, transfer, and protect personal data when you visit or use our website, request services, or communicate with us. It is written to align with applicable privacy laws and standards in Colombia, the United States, and the European Union (including GDPR). Please read it carefully.

1. Who we are

  • Data Controller: PeerPact, Ltd (a Delaware company) doing business as PeerPact Expats.

  • Contact for privacy questions, requests, or complaints:

    • Email: support@peerpactexpats.com

    • Postal: 18117 Biscayne Blvd PMB 63430, Aventura, Florida 33160

2. Scope and legal bases

This Policy applies to personal data we collect online and offline in connection with our services, including certified translations, apostille coordination, virtual mailbox referrals, financial and insurance referrals, FBI summary identity check coordination, immigration support, marketing, and customer support.

We process personal data based on one or more lawful grounds, including:

  • Performance of a contract (to deliver requested services).

  • Compliance with legal obligations (e.g., identity checks, recordkeeping).

  • Legitimate interests (e.g., fraud prevention, service improvement, marketing; balanced against your rights).

  • Consent (e.g., marketing communications where required).

  • For special categories of data under GDPR, the legal basis will be identified, and such data will be processed only with explicit consent or where otherwise permitted by law.

3. Personal data we collect

We collect only the personal data necessary to provide and improve services. Examples include:

  • Identity and verification: name, date of birth, passport or ID numbers, nationality, copies of identity documents, photo, signature.

  • Contact: email address, phone number, mailing address, virtual mailbox addresses.

  • Transaction and payment: billing name, payment details, transaction history (note: payment processors may store full payment details).

  • Service data: documents for translation/apostille, immigration forms, financial provider preferences, insurance requirements.

  • Communications: chat transcripts, email exchanges, support requests, call logs.

  • Technical and usage: IP address, device identifiers, browser and operating system, cookies and analytics data, pages visited, referral source.

  • Sensitive data where needed: criminal-history-related information (for FBI checks), immigration status—collected only when necessary and processed with appropriate safeguards and legal basis.

4. How we use personal data (purposes)

We use personal data to:

  • Provide, manage, and fulfil the services you request.

  • Verify identity and meet legal/regulatory obligations (including identity checks, anti-fraud checks, and compliance with local rules).

  • Communicate with you about orders, status updates, support, and safety notices.

  • Process payments and manage billing or disputes.

  • Recommend third-party providers and share required information with them to complete requested services.

  • Improve our website, services, and user experience through analytics.

  • Send marketing communications where you have consented or where permitted by law; you may opt out at any time.

  • Detect, prevent, and investigate fraud, security incidents, abuse, or illegal activity.

  • Maintain records for legal, tax, and accounting obligations.

5. Sharing and disclosures (third parties)

We may share personal data with:

  • Service providers and contractors who perform services on our behalf (e.g., translators, notaries, courier companies, payment processors, identity-check vendors, hosting and analytics providers).

  • Third-party providers you select or that we recommend to fulfil a requested service. You should review their privacy terms; we are not responsible for their handling of your data beyond what is necessary to facilitate the service.

  • Legal, regulatory, or law-enforcement authorities where required by law or to protect rights/safety.

  • Affiliates, business partners, or in connection with a corporate transaction (sale, merger, reorganization) subject to confidentiality obligations.

We disclose only the minimum personal data necessary for the third party to perform its function.

6. International transfers and safeguards

Because we operate internationally, your personal data may be transferred to, stored, and processed in countries outside your residence (including the U.S., Colombia, and EU countries). Where transfers occur:

  • We use appropriate safeguards such as Standard Contractual Clauses (SCCs), Data Processing Agreements, or rely on adequacy decisions where available.

  • For transfers to the U.S. or other jurisdictions without an adequacy decision, we implement contractual and technical measures to protect your data.

7. Data retention

We retain personal data only as long as necessary to:

  • Provide the services requested and for the duration of the business relationship;

  • Comply with legal, tax, accounting, or regulatory obligations;

  • Resolve disputes and enforce agreements;

  • Maintain records as required by applicable laws.

Retention periods vary by data type and legal requirement; business and financial records are typically retained for 3–7 years after the end of service, or as required by local law.

8. Your rights and how to exercise them

Subject to applicable law, you have the right to:

  • Access your personal data.

  • Correct inaccurate or incomplete information.

  • Request deletion or restriction of processing (subject to legal and contractual limits).

  • Object to processing based on legitimate interests or direct marketing.

  • Request portability of data you provided in a structured, commonly used format.

  • Withdraw consent where processing is based on consent (withdrawal does not affect prior lawful processing).

  • Lodge a complaint with a supervisory authority (see contacts below).

How to exercise rights:

  • Submit a request by emailing support@peerpactexpats.com. Provide sufficient details and verification to process your request. We will respond within the timeframes required by local law (e.g., GDPR: one month, with possible extension).

For residents of:

  • EU/GDPR: You may also file a complaint with your local supervisory authority.

  • Colombia: You may contact the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio - SIC) for habeas data issues.

  • California / U.S. state privacy laws: Residents may exercise CCPA/CPRA rights (access, deletion, opt-out of sale/sharing) by submitting a verifiable consumer request to the privacy email above. We will follow identity verification procedures before responding.

Note: Certain rights may be limited (e.g., where data is required to comply with legal obligations or to perform a contract).

9. Security measures

We implement administrative, technical, and physical safeguards designed to protect personal data from unauthorized access, disclosure, alteration, or destruction. Measures include encryption in transit (TLS), access controls, regular security assessments, and secure third-party contracts.

No system is completely secure; if we become aware of a data breach that poses a risk to your rights or freedoms, we will notify affected individuals and supervisory authorities as required by applicable law.

10. Cookies, tracking, and analytics

Our website uses cookies, web beacons, and similar technologies to operate the site, improve performance, and provide analytics. You can manage cookie preferences via our cookie banner or through your browser settings. Opt-outs for certain analytics and advertising tracking may be available.

11. Minors

Our services are not intended for children under the age of 16 (or higher age where local law requires parental consent). We do not knowingly collect personal data from minors without parental consent. If you believe we have collected data from a minor, contact us to request deletion.

12. Marketing and promotional communications

We will send marketing messages only where you have consented or where permitted by law. You can opt out at any time by following the unsubscribe link in emails, replying STOP to SMS/WhatsApp messages where available, or contacting [Insert Privacy Email]. Marketing opt-outs do not apply to transactional communications about services you requested.

13. Compliance with Colombia, U.S., and EU rules

  • Colombia: We respect principles and obligations under Colombian data protection law (Habeas Data framework) and will respond to data subject requests as required by SIC.

  • European Union: For EU residents, we process personal data in accordance with GDPR, including honoring data subject rights, legal bases for processing, and safeguards for transfers.

  • United States: For U.S. residents, we comply with applicable federal and state privacy laws (such as CCPA/CPRA where applicable), including providing disclosure and consumer rights for California residents.

14. Third-party websites and links

Our site may link to third-party websites. We are not responsible for their privacy practices. Review their privacy policies before providing personal data.

15. Changes to this Policy

We may update this Policy to reflect legal, regulatory, or operational changes. We will post the revised Policy with an updated Effective Date. For material changes, we will attempt to provide notice (e.g., via website banner or direct communication).

16. Contact and complaints

To exercise rights, ask questions, or lodge complaints, contact us at:

  • Email: support@peerpactexpats.com

  • Postal: 18117 Biscayne Blvd PMB 63430, Aventura, Florida 33160

Supervisory authorities:

  • Colombia: Superintendence of Industry and Commerce (SIC)

  • EU: Your national Data Protection Authority (for GDPR complaints)

  • U.S.: For California residents, complaints may also be directed to the California Attorney General.

17. Effective date and acceptance

By using our website or services, you accept the terms of this Privacy Policy. Please review it periodically. If you do not agree, do not use our services and contact us to discuss alternative arrangements.


Data Controller and Contact

  • Data Controller: PeerPact, Ltd (a Delaware company) doing business as PeerPact Expats.

  • Privacy Contact: [Insert privacy email]; WhatsApp: [Insert number]; Postal: [Insert address].

  • Data Protection Officer (if applicable): [Insert name and contact] or state “No DPO appointed; use privacy contact above.”

Lawful Bases and Purpose Limitation

  • We process personal data only on a lawful basis: performance of a contract, legal obligation, your consent, or our legitimate interests where those interests do not override your rights.

  • We collect only what is necessary and retain data strictly for the purpose stated at collection. Purposes include service delivery, identity verification, payments, legal compliance, fraud prevention, analytics, and marketing where consented.

Special Categories and Sensitive Data

  • Sensitive categories (e.g., criminal-history data for FBI checks, immigration status, health data for insurance referrals) are collected only when strictly necessary, processed on explicit consent or specific legal bases, and subject to enhanced safeguards (access limits, encryption, and restricted retention).

Data Minimization and Accuracy

  • We limit collection to data strictly required to perform requested services.

  • We implement procedures to keep records accurate and up to date; you should notify us of changes. Inaccurate data will be corrected or deleted promptly on validated request.

Data Sharing and Third-Party Processors

  • We share personal data only with: trusted service providers contracted to perform specific tasks (translators, notaries, identity-check vendors, payment processors, courier services), legal authorities when required, and affiliates in the course of service delivery.

  • Every third-party processor is bound by a written Data Processing Agreement requiring confidentiality, onward transfer restrictions, security measures, and deletion/return of data after processing.

  • We never sell personal data. Any activity that could be considered “sale” or “sharing” under applicable law will be disclosed with opt-out rights.

Cross-Border Transfers and Safeguards

  • International transfers occur (U.S., Colombia, EU, other jurisdictions) to fulfil services. For transfers outside the EEA or Colombia we apply appropriate safeguards such as:

    • EU Standard Contractual Clauses (SCCs) or equivalent contractual protections;

    • Binding corporate rules or adequacy mechanisms where available;

    • Technical and organizational measures (encryption, access controls).

  • Transfer details and safeguards are available on request.

Security Measures

  • We implement technical and organizational measures proportionate to risk, including TLS encryption in transit, encryption at rest for sensitive fields, role-based access control, multi-factor authentication for administrator access, regular vulnerability scans and patching, logging and monitoring, and periodic security audits.

  • Access to personal data is restricted to employees and processors who require it to perform their duties and who are contractually bound to confidentiality.

Data Retention and Deletion

  • Retention is purpose-based and limited. Examples:

    • Service records, billing, tax: retained 5–7 years (or as required by law).

    • Identity verification documents: retained only while necessary for compliance and disputes, then securely deleted within a defined period (e.g., within 2 years after service completion), unless law requires otherwise.

    • Marketing data: retained until you unsubscribe or withdraw consent.

  • On deletion requests we will remove data from active systems and, where feasible, from backups within reasonable timeframes, subject to legal and contractual obligations.

Rights of Data Subjects and Response Procedures

  • Data subject rights (access, rectification, deletion, restriction, objection, portability, withdraw consent) are honored consistent with GDPR, Colombian habeas data, CCPA/CPRA (where applicable), and other local laws.

  • Verification: We require reasonable proof of identity to process requests.

  • Response timeframe: We respond within statutory timeframes (e.g., GDPR: one month; may extend for complex requests), and will inform you of any extension and reasons.

  • Methods: Submit requests to [privacy email] or WhatsApp; provide clear instructions for submitting CCPA/CPRA verifiable consumer requests.

Breach Notification and Incident Response

  • We maintain an incident response plan. In the event of a personal data breach likely to result in a risk to individuals’ rights and freedoms, we will notify affected individuals and supervisory authorities without undue delay and within the timeframe required by applicable law. Notifications will include the nature of the breach, likely consequences, mitigation steps, and contact details.

Cookies, Tracking, and Consent Management

  • We operate a granular cookie consent mechanism. Essential cookies are required for site operation; non-essential cookies (analytics, advertising) are used only with explicit consent and may be revoked at any time.

  • Clear cookie banner with opt-in, purpose categories, and an easy settings panel for revocation and granular choices. Record user consent logs.

Minors

  • Services are not intended for children under 16 (or higher age required locally). We do not knowingly collect data from minors without parental consent. Requests for deletion or suspected minor data should be submitted to the privacy contact and will be prioritized.

No Liability for Third-Party Handling; User Warranties

  • PeerPact, Ltd limits responsibility for third-party processing: we will use reasonable care in selecting processors and require contractual safeguards, but we are not responsible for a third party’s independent acts or omissions beyond contractually required protections.

  • You warrant that any personal data you provide about a third party was collected lawfully and you have the right to share it with us for the stated purpose.

Limitation of Liability Specific to Data Processing

  • To the maximum extent permitted by law, PeerPact, Ltd’s liability for claims arising from data processing is limited to proven direct damages up to the amount you paid PeerPact for the specific service in the 12 months preceding the event. Indirect, incidental, special, punitive, or consequential damages are excluded to the extent permitted by law. This limitation does not apply to liabilities that cannot be limited by applicable law.

Indemnification for Privacy Claims

  • You agree to indemnify, defend, and hold PeerPact, Ltd (and affiliates, officers, employees) harmless from any third-party claim, loss, or liability arising from your breach of this Privacy Policy, your misuse of personal data, or your failure to obtain necessary consents from data subjects you submit to us.

Data Processing Agreement and Sub-Processor List

  • We will provide a model Data Processing Agreement (DPA) and a list of sub-processors on request. Sub-processor updates will be communicated, and major changes will carry a right to object where required by law.

Transparency, Records, and Audit Rights

  • We keep records of processing activities and consent logs. On reasonable request we will provide demonstrable information about our processing practices. For significant customers or partners, a limited-scope audit or questionnaire may be offered subject to confidentiality and security constraints.

Changes, Notice, and Acceptance

  • Material changes to privacy practices will be communicated via conspicuous notice (email or site banner) and posted with a new Effective Date. Continued use after notice constitutes acceptance. For material expansions of processing not contemplated at the time of collection, fresh consent will be obtained where required.

Governing Law and Enforcement

  • Privacy processing is governed by applicable law (State of Delaware for corporate matters; GDPR, Colombian law, CCPA/CPRA as applicable for data subject rights). Disputes about privacy will follow the dispute resolution terms in the main Terms and Conditions; supervisory authority complaints remain available to EU/Colombian residents.

Conspicuous Presentation and Affirmative Consent

  • Present these provisions prominently in your privacy policy with a plain-language summary at the top (one or two lines).

  • Implement affirmative consent mechanisms at point-of-collection (checked boxes not pre-checked) for marketing, cookies, and sensitive-data processing. Maintain consent records (who, when, what was consented to).