This Policy defines how Summya de Colombia S.A.S. and its affiliates or related entities ("Summya", "we") process personal data and business data in the context of operating as a global marketplace for AI agents and automation flows.
Applies to: registered users, buyers, sellers, end customers of our clients, website visitors, and any person whose data is processed through the Platform, first-party or third-party products, as well as processing carried out through internal analytics, support, and operations services.
2. DATA CONTROLLER AND DATA PROTECTION OFFICER
Summya de Colombia S.A.S., identified with NIT 902.003.625-9 and principal address at Calle 83 #5-57, Bogotá, Colombia, acts as the data controller when it determines the purposes and means of processing.
To ensure compliance with international standards (Law 1581 of 2012, GDPR, LGPD, UK GDPR, CPRA, among others), Summya has appointed a Data Protection Officer (DPO):
The DPO serves as the point of contact for data subjects, authorities, and third parties; coordinates impact assessments (DPIA/PIA); oversees implementation of this Policy; and advises on new products and features.
3. HYBRID ACCOUNTABILITY MODEL AND ROLES
Summya operates under a hybrid accountability model, aligned with its Terms and Conditions:
For First-Party Products, Summya acts as Data Controller with respect to user data and, when the product processes end-customer data of the buyer, as controller and processor as applicable.
For Third-Party Products, the Buyer is the Data Controller; the Seller and Summya act as joint Processors, limiting their actions to compliance with the Buyer's instructions and applicable processing agreements.
The parties must formalize the pre-approved Data Processing Agreement (DPA) available on the Platform before initiating any processing of end-customer personal data, in order to allocate obligations, safeguards, and responsibilities under applicable regulations.
4. DATA GOVERNANCE AND ALGORITHMIC TRANSPARENCY IN AI
Summya maintains a data and AI governance framework that includes: model registry, AI Fact Sheets, bias evaluation, performance metrics, usage restrictions, and human oversight procedures for high-impact automated decisions.
Inferences and outputs generated by AI agents are considered personal data when they can identify or profile a person, and are subject to ARCO/ARCO+ rights (access, rectification, cancellation/erasure, objection, portability, restriction, and other specific rights). The human-in-the-loop principle is guaranteed for decisions likely to produce legal effects or significant impact on data subjects.
Using end-customer data to train first-party or third-party models without explicit, informed, and verifiable opt-in consent is strictly prohibited; any training with user data must use anonymized data and advanced protection techniques (e.g., k-anonymity, l-diversity, differential privacy) where applicable.
Summya classifies its AI agents and automation flows into three risk levels (low, medium, high), considering use type, nature of data processed, presence of profiling and automated decisions with significant effects, scale of processing, and sector regulatory context. Differentiated governance controls apply to each risk level, including product registration, technical documentation, AI Fact Sheets, data protection impact assessment (DPIA) where required, and reinforced human oversight for high-risk cases. No AI agent that may be considered high risk under applicable regulations (e.g., GDPR and EU AI Act) will be deployed or listed on the Platform without passing a formal privacy and compliance review led by the DPO and compliance teams, and without sufficient documentation for Buyers and Sellers to meet their own regulatory obligations.
5. DATA CATEGORIES AND PURPOSES
Summya processes, among others, the following types of data:
Registration and account data: name, email, phone, country, sector, credentials, role (buyer, seller), minimum tax information for billing.
Payment data: payment tokens supplied by certified gateways (Summya does not store full card data), information required for reconciliation and billing.
End-customer data processed by AI agents (name, email, phone, purchase history, support messages, preferences) when the Buyer uses the Platform to provide services to its own customers.
Main purposes include: service delivery, account management, technical support, Platform security, legal and regulatory compliance, continuous product improvement (on aggregated or anonymized data), usage analytics, moderation, and fraud prevention.
6. DATA SUBJECT RIGHTS AND PROCEDURES
Data subjects may exercise, depending on their jurisdiction, rights of access, rectification, cancellation/erasure, objection, portability, restriction of processing, erasure, and any other right recognized by applicable law.
Summya provides specific channels for rights requests:
Contact form at /en/contacto?intent=privacy&topic=data_rights.
Response times comply with applicable regulation (e.g., 15 business days under Law 1581, 30 days under GDPR/LGPD), and internal records of requests and responses are maintained for audit and accountability purposes.
7. COOKIES AND TRACKING TECHNOLOGIES
The Platform uses cookies and similar technologies classified as: essential, analytics, functional, and advertising/personalization.
Summya offers a granular mechanism to manage and revoke consent for non-essential cookies, visible and accessible from the interface, in compliance with privacy-by-design practices and applicable regulations (e.g., GDPR/ePrivacy Directive, CPRA).
8. INTERNATIONAL TRANSFERS AND GLOBAL FRAMEWORK
Summya carries out international data transfers to cloud providers (e.g., AWS, Google Cloud), payment gateways (e.g., Stripe, dLocal), and other processors located in different jurisdictions, always under contracts ensuring a level of protection equivalent to that required by the source data rules (Law 1581, GDPR, LGPD, UK GDPR, CPRA, etc.).
These transfers are protected through measures such as:
Standard Contractual Clauses (SCCs) for the EU/EEA.
Data processing agreements (DPA) with processors.
Transfer impact assessments and, where necessary, supplementary technical and organizational measures.
Summya will not transfer personal data to jurisdictions considered to lack an adequate level of protection, unless explicit consent from the data subject exists or applicable law provides a specific exception for the transfer, duly documented.
9. INFORMATION SECURITY AND INCIDENT MANAGEMENT
Summya applies technical and organizational security measures appropriate to the risk, including encryption in transit and at rest, role-based access controls (RBAC), multi-factor authentication for administrative access, continuous monitoring, security testing, and periodic data protection training programs.
In the event of any security incident that may pose a risk to the rights and freedoms of data subjects, Summya will execute a structured response protocol (detection, containment, assessment, notification, remediation, and prevention), notifying competent authorities and affected users within a maximum of 72 hours from detection when required by applicable law (e.g., GDPR, Law 1581, LGPD).
10. DATA RETENTION
Summya retains personal data only for the time necessary to fulfill the purposes for which it was collected, meet legal and contractual obligations, or protect duly balanced legitimate interests, in accordance with applicable law.
Retention periods are managed through internal tables, which may include, for example:
Registration and account data: duration of the relationship and up to 5 years thereafter for legal compliance and claims defense.
Billing data: periods required by applicable tax legislation.
AI interaction logs: 6 months or anonymization, unless a longer period is required for security or audit, in which case the reasons will be documented.
End-customer data: according to the Controller's (Buyer's) instructions, with export and deletion capability under the DPA and legal framework.
11. MINORS
The Summya Platform is intended exclusively for users aged 18 or older (or the equivalent minimum age under applicable jurisdiction).
Summya does not knowingly collect or process data from minors. If involuntary processing of a minor's data is detected, such information will be immediately and permanently deleted and existing controls will be reviewed to prevent recurrence.
12. POLICY UPDATES AND NOTIFICATIONS
Summya may modify this Policy to reflect regulatory, technological, or organizational changes.
Any significant modification will be communicated with reasonable prior notice (e.g., 15–30 days) through usual channels (email, notices on the Platform). Continued use of the Platform after the new version takes effect implies acceptance of the updated Policy, without prejudice to non-waivable rights of the data subject under applicable law.
The current and previous versions will be kept in an accessible version registry, indicating version number and effective date.
13. CONTACT AND COMPLAINTS
To exercise rights, raise inquiries, or file complaints regarding data protection, data subjects may contact:
Data subjects also retain the right to lodge a complaint with the competent supervisory authority (e.g., SIC in Colombia, data protection authorities in the EU, ANPD in Brazil, etc.), according to their country of residence and applicable law.