SabanaTech

Privacy Policy

We keep this short on purpose. If anything here doesn't answer your question, email privacy@sabanatech.com.

Last updated .

Who we are

SabanaTech S.A. is a Costa Rica-registered consultancy that designs, deploys, and operates intelligent automations for clients across Latin America. When this policy says “we” or “us” we mean SabanaTech.

What we collect

We collect information you hand us directly — name, work email, company, role, and any message you include on our contact form — plus usage analytics (page views, referrer, approximate country) and, with your consent, advertising measurement data (see “Cookies & consent” below).

Cookies & consent

Essential cookies needed for the site to function are always on. Analytics and advertising cookies — including Google Analytics, Google Ads, and the Meta pixel, which we use to measure our marketing and ad campaigns — are only set after you accept them in our cookie banner. Until you accept, Google tags run in cookieless “consent denied” mode and send only anonymous, aggregated signals, and the Meta pixel is not loaded at all. You can decline without affecting how the site works.

These providers may set their own cookies and process your data, including transfers to the United States, under their respective privacy policies. You can change or withdraw your choice at any time by clearing this site's cookies in your browser.

Why we collect it

  • To reply to your enquiry and prepare for a discovery call.
  • To understand which of our pages are useful so we can improve them.
  • To stay in touch when you opt in to our insights email. One click unsubscribes you and deletes the association.

Where it lives

Contact-form submissions land in our CRM (HubSpot) and in a private Slack channel for our sales team. Analytics events are stored by our product-analytics vendor. All vendors are contractually bound by GDPR- and LGPD-style data protection terms.

How long we keep it

Active client records are retained while we're working together and for seven years after the last engagement for legal and tax reasons. Unconverted leads are deleted after 24 months of inactivity.

Your rights

You can ask us to access, correct, export, or delete any personal information we hold about you. Email privacy@sabanatech.com and we'll respond within 30 days. You can also complain to your local data protection authority.

Security

We follow ISO 27001-aligned controls. Access to client data is least-privilege, logged, and reviewed quarterly. See our security statement for the short version.

SaaS services & SmartBots

When you contract our SaaS services — including SmartBots and other intelligent assistants and automations — SabanaTech acts as the data processor of the data that you or your end users enter into the platform. You, as the client, remain the data controller and determine the purposes and means of the processing. We process that data solely in accordance with your documented instructions and the service agreement and its data processing addendum (DPA).

To provide the service we may process: the content of conversations and instructions sent to the SmartBots, the files and documents you upload, usage metadata (timestamps, session identifiers, activity logs), and the credentials or tokens needed to integrate with your systems. We do not use the content of your data for advertising purposes, nor do we sell it to third parties.

Artificial intelligence models. Some SmartBots rely on proprietary or third-party AI models (for example, language-model providers). When third parties are involved, they act as sub-processors subject to confidentiality and data-protection obligations equivalent to ours, and they do not use your content to train their models unless you expressly authorise it. We keep an up-to-date list of sub-processors available to you.

Handling of sensitive information

We consider sensitive information to be that which, by its nature, requires reinforced protection: health data, financial or payment-method data, official identifiers (national ID, passport), biometric data, access credentials, and any special category protected by applicable law.

  • We recommend not entering sensitive information into the SmartBots when it is not strictly necessary for the contracted purpose.
  • When processing sensitive data is necessary, we apply additional controls: encryption in transit (TLS) and at rest, least-privilege access, access logging, and logical segregation of data by client.
  • We do not retain sensitive data longer than necessary to provide the service. On termination of the contract, we delete or return your data according to your instructions, unless a legal retention obligation applies.
  • We will notify you without undue delay — and in any case within the applicable legal timeframes — of any security incident affecting your personal data.

The client is responsible for obtaining the appropriate consent or legal basis from its end users before processing their information through our services, as well as for configuring the SmartBots so that they do not collect unnecessary sensitive data.

Children

We do not knowingly collect data from anyone under 18.

Changes to this policy

We will note material changes at the top of this page with a new “last updated” date. Substantive changes will be announced in our insights email.