PRIVACY POLICY — AGUSAVIOR
Last updated: 2026-04-11
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. WHO WE ARE

Agusavior is a personal/professional platform offering tools for
financial management, social-media analytics, restaurant operations,
and semantic search. This policy explains how we handle your data when
you use any of these services.

2. DATA WE COLLECT

a) Account & identity data
   - Email address (used to send a one-time magic link for authentication)
   - Username and full name (OLE restaurant module)
   - Role flags (e.g. encargado, can_delete_pedidos)

b) Financial records (echeq / debt-credit modules)
   - Bank cheque images and their parsed metadata
   - Balance declarations you enter manually
   - Debt and credit records linked to named counterparties

c) Social-media OAuth tokens (Drupi module)
   - Platform user ID, username, and avatar URL
   - Access tokens for Instagram and TikTok (stored encrypted in production)
   - Follower counts and video engagement metrics

d) Behavioural data
   - Search queries and the anonymous session ID they belong to
   - Timestamps of every request you make

e) Operational data
   - Orders placed through the OLE restaurant POS
   - Files and objects you upload or cache through the platform

3. HOW WE USE YOUR DATA

- Authentication: email is used only to deliver the one-time link; we
  do not store it in a permanent user profile.
- Service delivery: financial and social-media data are used solely to
  display and process your own information.
- Analytics: anonymous search queries help us improve relevance; they
  are not linked to personally identifiable information.
- Operations: order data is used to run the restaurant POS system.

4. DATA SHARING

We do not sell, rent, or share your personal data with third parties
for marketing purposes. Limited sharing occurs only in these cases:

- Cloud infrastructure providers (MongoDB Atlas, Backblaze B2) that
  process data under their own privacy agreements.
- Instagram / TikTok APIs: we send only the minimum data required by
  their OAuth flows.
- Legal obligation: if required by law or a valid government request.

5. COOKIES AND SESSION TOKENS

We set a single session cookie after you authenticate via magic link.
This cookie is HTTP-only, has a 30-day expiry, and is used solely to
maintain your authenticated session. No tracking or advertising
cookies are used.

6. DATA RETENTION

- Magic-link tokens expire after 15 minutes and are not stored.
- Session cookies expire after 30 days.
- Financial records, orders, and social-media data are retained until
  you delete them or submit a deletion request (see Section 8).
- Anonymous search logs are retained for up to 12 months.

7. SECURITY

- Access tokens for third-party platforms are encrypted at rest in
  production environments.
- All communication with our API uses HTTPS.
- We apply rate limiting to prevent abuse.
- Despite these measures, no system is 100% secure; we will notify
  affected users promptly in the event of a data breach.

8. YOUR RIGHTS

You have the right to:

- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict certain processing.

To exercise any of these rights, send a POST request to:

    POST /delete-data
    Content-Type: application/json

    {
      "email": "your@email.com",          (optional)
      "ole_username": "yourUsername",     (optional)
      "platform": "instagram",            (optional)
      "social_id": "36062908743307802"    (optional)
    }

You will receive a JSON response listing every record deleted. For
complex requests or data you cannot delete via the API, contact us
through the website and we will respond within 30 days.

9. CHANGES TO THIS POLICY

We may update this policy when our practices change. The "last
updated" date at the top will reflect any revision. Continued use of
the platform after changes constitutes acceptance of the new policy.

10. CONTACT

For questions, concerns, or to exercise your rights manually, please
contact us through the website.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━