1. Data controller
The controller of your personal data is:
- Legal name: Phantomsoft SAS
- Tax ID (NIT): 901.857.909
- Address: Calle 13 A Sur # 53 B - 182, Medellín, Colombia
- Data subject contact email: contacto@phantomsoft.io
- Product trade name: PhantomApp
In this policy we refer to Phantomsoft SAS interchangeably as “PhantomApp”, “we” or “the company”. We refer to anyone reading and using our services as “the data subject”, “you” or “the user”, depending on the context.
2. Data we collect
We collect different categories of data depending on how you use PhantomApp. We never request more information than is necessary to deliver the service.
2.1. If you are a merchant (business owner or staff member)
- Identification: full name, email, assigned role.
- Access: Firebase Authentication technical identifier (we do not store your password; Google Firebase manages it in encrypted form).
- Business tax data: legal name, tax ID (NIT), address, phone, email, logo, store details.
- Operations: sales, inventory, customers served, staff, commissions, POS configuration, action audit logs (including the IP address you work from).
- WhatsApp Business integration: identifiers of your Meta account (WABA ID, Phone Number ID, Business ID), public phone number, access tokens — the latter are stored encrypted before being persisted in the database.
- Plan payments: payment method data is processed directly by the payment gateway (Wompi). We do not store full card numbers on our servers.
- Subscription data and payment receipts: when you pay outside the gateway (bank transfer, Nequi, or other methods), we record the amount, bank reference, date, internal notes, and optionally a link to the receipt you send us via WhatsApp. This data is kept for accounting and contractual auditing, and is shared only with our billing and support team.
- Acceptance consent: at sign-up time we store the date and time of acceptance of these Terms, the IP address from which they were accepted, and the current version of each legal document. This data is retained as proof of the consent granted by the data subject (Ley 1581, art. 9).
2.2. If you are an end customer of a business that uses PhantomApp
- Identification: name, document type and number, type of person (natural or legal entity).
- Contact: phone number and email.
- Address and location: shipping address, neighborhood, city, additional notes and coordinates (latitude/longitude) when you request delivery.
- Purchase history: products, quantities, prices, payment methods used, tips, discounts, dates.
- Vehicle data (for car washes and parking lots): license plate, make, model, reference.
- Messages and files sent via WhatsApp: the content of conversations with the business, including images, audio files and other attachments.
- Supporting documents: files the business attaches to your profile (for example, a copy of your ID card for corporate accounts).
2.3. Automatic technical data
- Connection information (IP address, browser type, operating system) when you visit the site or the SaaS.
- Session cookies to keep you signed in.
- Aggregated usage metrics to improve the product (only if PostHog is active; it is currently disabled by default — see the Cookies Policy).
3. Purposes and legal basis
We process your data only for the following purposes, under the corresponding legal basis (Colombian Data Protection Law, Ley 1581 de 2012, arts. 9 and 10):
- Service delivery: running the POS, managing inventory, issuing invoices, sending WhatsApp messages, processing payments. Legal basis: performance of the service contract.
- Electronic invoicing: transmitting tax information to the Colombian tax authority (DIAN). Legal basis: legal obligation (Decreto 358 de 2020 and current DIAN rules).
- Customer service and technical support: responding to your inquiries and resolving incidents. Legal basis: contract performance and legitimate interest.
- Transactional communications: notifying you of order status, receipts, contractual changes. Legal basis: contract performance.
- PhantomApp marketing and commercial communications: sending you product news or promotions. Legal basis: express authorization (you can withdraw it at any time without affecting the contract).
- Product improvement: aggregate metrics, error diagnostics, usability. Legal basis: legitimate interest, with anonymized metrics where possible.
- Legal compliance and defense: responding to requests from authorities and defending our rights. Legal basis: legal obligation or legitimate interest.
4. Who we share data with
We do not sell, rent or transfer your data to third parties for commercial purposes. We only share it with technical providers (“data processors”) that help us deliver the service. Each one processes data under contract and only for the authorized purposes.
| Provider | What we use it for | Country |
|---|---|---|
| Microsoft Azure | Hosting of servers and databases (SQL, containers, Redis, Key Vault). | United States |
| Meta Platforms (WhatsApp Cloud API) | Sending and receiving WhatsApp Business messages on behalf of the merchant. | United States |
| Google Firebase | User authentication (Firebase Auth). Google manages your password in encrypted form; PhantomApp cannot see it. | United States |
| Google Maps | Address geocoding for deliveries (converting text into coordinates). | United States |
| Anthropic (Claude) | Automated responses from the business assistant and the WhatsApp agent. Only the text needed to generate the response is sent. | United States |
| OpenAI | Generation of embeddings (numeric representations) of your catalog for semantic search. | United States |
| Supabase | Vector storage (embeddings) for semantic search of the catalog. | United States |
| Wompi | Payment gateway for the PhantomApp subscription plan and for merchant WhatsApp orders. PCI DSS certified. | Colombia |
| Phantom FacturadorApi | Phantomsoft’s own service for issuing DIAN electronic invoices. | Colombia |
| PrinterCloud | Sending kitchen tickets and printing receipts on the merchant’s physical printers. | United States |
| Google reCAPTCHA | Bot protection for public forms. | United States |
| OpenStreetMap (Nominatim) | Alternative geocoding service. | Germany / international |
| PostHog | Product analytics (optional, currently disabled by default). | United States |
We may also disclose data to authorities when legally required (for example, judicial requests, DIAN, SIC).
5. International transfers
Several of our providers operate from the United States. By accepting this policy you authorize the international transfer of your data to those countries, under the following safeguards:
- Data processing agreements or Data Processing Addendums signed with each provider, with clauses equivalent to internationally accepted Standard Contractual Clauses.
- Data encrypted in transit using TLS 1.2 or higher.
- Additional application-level encryption for critical secrets (for example, Meta tokens, using AES-256-GCM).
- Minimization principle: we only transfer the data strictly necessary for each purpose.
If you do not agree with these transfers, you may choose not to use the features that require them (for example: WhatsApp Business, AI assistant) without affecting the rest of the service.
6. Retention period
We keep your data only as long as needed to fulfill the purposes described, or as long as a legal obligation requires us to retain it. As a reference:
- Tax data (invoices, supporting documents): minimum 5 years from the last transaction, as required by the Colombian Tax Statute.
- Merchant account: while it is active. If you cancel, we keep tax information as noted above and delete or anonymize the rest within a maximum of 12 months.
- End customers registered by a merchant: for as long as the merchant maintains an active commercial relationship.
- WhatsApp messages: retained while the merchant’s account is active. Part of the history may be kept for legal or audit reasons.
- Audit and security logs: up to 5 years under legitimate interest and legal obligation.
- Payment records and subscription audit: minimum 5 years as required by the Tax Statute and under legitimate interest for accounting reconciliation.
- Acceptance consent of Terms and Policies: retained throughout the account’s lifetime and for up to 5 additional years as proof of the consent granted (Ley 1581, art. 9).
- Meta access tokens: until the account is disconnected or they expire.
Your deletion request takes priority over these periods, except where we have a legal duty to retain the data.
7. Your rights
As a data subject in Colombia (Ley 1581 de 2012, art. 8), you have the following rights:
- Know what data we hold about you and what we use it for.
- Update and correct partial, inaccurate or fragmented data.
- Request proof of authorization except where the law does not require it.
- Be informed about how we use your data when you request it.
- File complaints before the Colombian Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio, SIC) when you believe your rights are being violated, after exhausting the process with us.
- Revoke authorization when processing is not legally or contractually mandatory.
- Request deletion of your data under the same conditions.
- Access your data free of charge (at least once per calendar month).
8. How to exercise your rights
You can exercise your rights by writing to:
- Email: contacto@phantomsoft.io
In your request, please include:
- Your full name and ID document.
- A description of the right you wish to exercise (access, correction, deletion, etc.).
- Contact information so we can respond.
- A copy of your ID document, or a power of attorney if you are acting on behalf of a third party.
Response times (Ley 1581, arts. 14 and 15):
- Inquiries (access and information): 10 business days, extendable by 5 more.
- Claims (correction, update, deletion, revocation): 15 business days, extendable by 8 more.
For specific account deletion or conversational data requests, see the Data Deletion Instructions.
9. WhatsApp Business in PhantomApp
PhantomApp integrates the WhatsApp Business platform from Meta so that merchants can manage orders, catalogs and customer service through WhatsApp. When you use these features (either as a merchant or as an end customer):
- Messages, media files, phone numbers and WhatsApp Business account identifiers travel through Meta Platforms, Inc. infrastructure in the United States.
- Use of that platform is also governed by the WhatsApp Business Messaging Policy and the WhatsApp Business Solution Terms.
- Merchants can only send you messages after you start the conversation or explicitly consent to receive them (opt-in). When you opt out through WhatsApp, your request is logged and the merchant stops contacting you through that channel. If you also want to unsubscribe from other channels (email, SMS), write to us at contacto@phantomsoft.io.
- You can opt out at any time by writing “BAJA”, “STOP” or “CANCELAR” to the merchant’s WhatsApp Business number, or by using the contact channel in this document.
- PhantomApp records the date and time you gave consent to converse via WhatsApp, so we can demonstrate the legal basis for the processing.
10. Artificial Intelligence
PhantomApp uses AI models (Anthropic Claude and OpenAI) for two things:
- Business assistant embedded in the POS that answers questions about your sales, reports and configuration. It only receives the text of your query and the aggregate data needed to answer it.
- WhatsApp conversational agent that handles orders and end-customer questions following the merchant’s instructions. It receives the text of channel messages and the merchant’s catalog.
We do not use the content you send to train third-party models. AI providers act as data processors under contract and do not keep the information beyond the time needed to generate the response.
11. Minors
PhantomApp is intended for adults (18 years and older) who act on their own behalf or represent a business. It is not designed to be used by minors without authorization from their parents or guardians.
If we identify data from a minor collected without authorization from the person exercising parental authority, we will delete it. Report any such situation to contacto@phantomsoft.io.
12. Information security
We apply reasonable administrative, technical and physical measures to protect your data:
- Encrypted connections using TLS 1.2 or higher between your device and our servers, and between servers and each sub-processor.
- WhatsApp API access tokens encrypted before storage using envelope encryption with keys rotated periodically.
- Authentication delegated to Firebase Authentication (passwords are never stored by PhantomApp).
- Role-based access controls with multi-tenant isolation of each merchant’s data.
- Audit logs and continuous infrastructure monitoring.
- Infrastructure managed by Microsoft Azure, with ISO 27001, SOC 2 Type II and other certifications.
No system is 100% invulnerable. If we detect a security incident affecting your data, we will notify you without undue delay, as required by law.
14. Changes and effectiveness
This policy may be updated. When changes are material (for example, new processing purposes or a new sub-processor), we will notify you at least 15 days in advance by email or through a visible in-product banner, so that you can review and — if you disagree — exercise your right to revoke or delete.
The current version and effective date appear at the top of this document. You can request the history of previous versions from contacto@phantomsoft.io.

