Digital Catalog Privacy

1. When this policy applies

This policy applies when:

• You visit the public catalog of a business (URL such as app.phantomsoft.io/catalogo/nombre-del-negocio).
• You complete the customer sign-up (name, document, phone, address).
• You place an order through the catalog, with home delivery or pickup.
• You pay for the order through Wompi or coordinate payment with the business through another channel.

It does not apply to the internal POS operation (that is covered by the general Privacy Policy).

2. Who is responsible

The business that owns the catalog is the data controller of your personal data. Phantomsoft SAS acts as data processor, processing the data on behalf and under the instructions of the business, in accordance with this document.

You can identify the specific business at the top of the catalog you are visiting (trade name + tax ID / NIT). If it is not clearly shown and you need to identify it, write to us at contacto@phantomsoft.io.

3. Data we collect

During sign-up and checkout we collect:

• Identification: full name, document type and number (national ID, tax ID / NIT, etc.), type of person.
• Contact: phone and email.
• Address: structured address (street, number, complement, neighborhood, city), geographic coordinates obtained via Google Maps.
• Order details: products, quantities, price, payment methods, tips, notes.
• Technical data: IP address, browser, operating system. We use Google reCAPTCHA to protect the form against bots.

We do not collect data from minors. The catalog is addressed to adult customers who choose to buy from the business.

4. What we use it for

• Handle your order and coordinate its delivery.
• Issue the DIAN electronic invoice when the business issues it.
• Respond to your inquiries and resolve incidents (exchanges, returns).
• Identify your account in future visits if you buy again from the same business.
• Protection against fraud or abuse of the public catalog.

We do not use your information to send you advertising from other businesses, nor is it shared with other PhantomApp merchants.

5. Who we share it with

Your data travels only to the technical providers necessary to operate the catalog:

• Microsoft Azure: database hosting.
• Google Maps: converting your address into coordinates.
• Google reCAPTCHA: anti-bot protection for the form.
• Wompi: payment gateway if you pay online.
• FacturadorApi (Phantom’s own service): issuing your DIAN electronic invoice.
• Meta / WhatsApp: when order confirmation or follow-up communication travels through WhatsApp.

See the full sub-processors table for more detail.

6. Your rights

You keep all rights recognized by the Colombian Data Protection Law (Ley 1581 de 2012): access, update, correction, deletion, revocation of authorization and free access.

You can exercise them in two ways:

1. By contacting the business directly (via WhatsApp, phone or email).
2. By writing to us at contacto@phantomsoft.io. In that case we will forward your request to the responsible business and support you so the response arrives on time.

To delete your catalog account, see the Data Deletion Instructions.

7. How long we keep it

• Customer record: while the business keeps an active commercial relationship with you.
• Order history: minimum 5 years due to tax obligation (Colombian Tax Statute).
• Contact data with no activity: up to 2 years from the last interaction, unless you request deletion earlier.

After those periods, data is deleted or anonymized so that it can no longer be associated with you.