Skip to main content
GoranOS
Sign In

Privacy Policy and Personal Data Treatment

Last updated: May 29, 2026

Chapter 1: Data Controller Information

The personal data collected through this platform is managed by the company that operates this instance of Goranos (hereinafter, the "Company" or "Data Controller"). The Company is responsible for the treatment of your personal data in accordance with Colombian Law 1581 of 2012 and Regulatory Decree 1377 of 2013.

Goranos is the technology platform through which the Company manages its business operations, including customer relationship management (CRM), communications, and advertising integrations. The Company acts as the Data Controller, and Goranos acts as the Data Processor on its behalf.

Chapter 2: Purpose of This Policy

In compliance with current legislation on personal data protection, particularly Law 1581 of 2012 and Decree 1377 of 2013 (and all regulations that modify, add to, complement, or develop them), this policy informs you of the relevant aspects regarding the collection, use, and transfer of personal data that the Company carries out by virtue of the authorization you have granted.

In this Personal Data Treatment Policy (the "Policy"), you will find the corporate and legal guidelines under which the Company processes your personal data, the purpose, your rights as a data subject, as well as the internal and external procedures that exist for exercising those rights before the Company.

Chapter 3: Legal Framework

This Personal Data Treatment Policy is prepared in accordance with the provisions of the Colombian Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other complementary provisions. It shall be applied by the Company with respect to the collection, storage, use, circulation, deletion, and all activities that constitute treatment of personal data.

Chapter 4: Scope

This Personal Data Treatment Policy is directed at potential clients, active clients, employees, contractors, suppliers, and any person whose personal data is included in the Company's databases. This policy applies to all services offered by the Company through this platform, directly in its offices, points of sale, or events in which the Company participates.

Chapter 5: Definitions

Authorization
Prior, express, and informed consent of the Data Subject to carry out the treatment of personal data.
Privacy Notice
Physical, electronic, or any other format document generated by the Data Controller that is made available to the Data Subject for the treatment of their personal data.
Database
An organized set of personal data that is subject to treatment.
Personal Data
Any information linked or that can be associated with one or more identified or identifiable natural persons.
Sensitive Data
Data that affects the privacy of the Data Subject or whose misuse can generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, as well as data related to health, sexual life, and biometric data.
Data Processor
Natural or legal person, public or private, that by itself or in association with others, processes personal data on behalf of the Data Controller.
Data Controller
Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the treatment of data.
Data Subject
Natural person whose personal data is subject to treatment.
Treatment
Any operation or set of operations on personal data, such as the collection, storage, use, circulation, or deletion thereof.

Chapter 6: Principles for Personal Data Treatment

The principles governing the treatment of your personal data by the Company are:

  1. Legality: The treatment of personal data is a regulated activity that must comply with Law 1581 of 2012, Decree 1377 of 2013, and other applicable provisions.
  2. Purpose: The treatment of personal data must serve a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
  3. Freedom: The treatment of personal data may only be exercised with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate.
  4. Truthfulness: The information subject to treatment must be truthful, complete, accurate, up-to-date, verifiable, and understandable.
  5. Transparency: The treatment must guarantee the Data Subject's right to obtain information about the existence of data concerning them from the Data Controller at any time and without restrictions.
  6. Restricted Access: The treatment is subject to the limits derived from the nature of personal data and the provisions of the law and the Constitution.
  7. Security: The information subject to treatment must be handled with the technical, human, and administrative measures necessary to provide security to the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use or access.
  8. Confidentiality: All persons involved in the treatment of personal data that are not public in nature are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the treatment has ended.

Chapter 7: Purpose of Data Collection and Treatment

The Company may use personal data for the following purposes:

  • Execute the existing contractual relationship with its clients, suppliers, and employees, including payment of contractual obligations.
  • Provide the services and/or products required by its users.
  • Inform about new products or services and/or changes to existing ones.
  • Evaluate the quality of service.
  • Conduct internal studies on consumption habits.
  • Send commercial, informative, advertising, or promotional information about products, services, events, or promotions via email, text message (SMS/MMS), WhatsApp, or any other analog or digital communication channel.
  • Manage the lead and sales pipeline through the CRM system.
  • Process loan applications, credit evaluations, and financial products.
  • Manage rental properties, lease agreements, and tenant relationships.
  • Manage construction projects, unit sales, and payment plans.
  • Provide access to the customer portal for viewing project status, payments, and documents.
  • Process support tickets, complaints, and service requests.
  • Schedule and manage field tasks, inspections, and site visits.
  • Support internal or external audit processes.
  • Share data with financial institutions for mortgage or consumer credit purposes, when applicable.
  • Comply with legal and regulatory obligations.
  • Any other purpose resulting from the contract or relationship between you and the Company.

Chapter 8: Data Sharing with Advertising Platforms

With your explicit authorization, the Company may share certain personal data with third-party advertising platforms, specifically Meta Platforms (Facebook/Instagram) and Google, for the following purposes:

  • Conversion Optimization: When you interact with an advertisement and subsequently advance through the sales pipeline (e.g., qualify as a lead, schedule a visit, make a purchase), the Company may send anonymized conversion events to the advertising platform that originated your inquiry. This helps the platform find more people like you who are genuinely interested, improving the quality of advertising for everyone.
  • Audience Segmentation: The Company may upload hashed (encrypted) email addresses or phone numbers to create Custom Audiences on Meta or Customer Match audiences on Google. This is used to exclude existing customers from acquisition campaigns (so you don't see ads for something you already purchased) or to find similar audiences.
  • Lead Status Feedback: For leads originating from Meta Lead Ads, the Company may send status updates back to Meta to improve lead quality optimization.

What data is shared

  • Hashed (SHA-256 encrypted) email addresses and phone numbers for audience matching.
  • Conversion events (e.g., 'qualified lead', 'visit scheduled', 'purchase') without revealing personal details.
  • Click identifiers (FBCLID, GCLID) that were originally generated by the advertising platform itself.
  • Estimated conversion values for advertising optimization (without revealing specific financial details).

What data is NOT shared

  • Your name, address, or identification documents.
  • Financial information, credit data, or payment details.
  • Communication content (messages, emails, calls).
  • Documents uploaded to the platform.
  • Any sensitive data as defined by Colombian law.

You may revoke your authorization for data sharing with advertising platforms at any time without affecting the services you receive from the Company. See Chapter 12 for the revocation procedure.

Chapter 9: Cookies and Tracking Technologies

This platform uses the following cookies and tracking technologies:

Cookie / Technology Purpose Duration
gclid Google Ads click identifier. Used to attribute conversions to the ad you clicked. 90 days
fbclid Meta (Facebook/Instagram) click identifier. Used to attribute conversions to the ad you clicked. 90 days
fbc, fbp Meta browser identification cookies. Used for conversion attribution. 90 days
utm_* Campaign tracking parameters (source, medium, campaign name). Used to identify which marketing campaign brought you to the site. 90 days
csrftoken Security token to prevent cross-site request forgery attacks. Essential for platform security. Session
sessionid Session identifier for authenticated users. Essential for platform functionality. Session
theme Stores your light/dark mode preference. 1 year

The advertising cookies (gclid, fbclid, fbc, fbp, utm_*) are only set when you arrive at the site from a paid advertisement. They are stored using a "first touch wins" policy, meaning only the first advertising interaction is recorded. These cookies are automatically injected into forms that include the data-capture-touchpoints attribute.

Chapter 10: Rights of Data Subjects

As a data subject, you may exercise the following rights by yourself or through a representative:

  • Right of Access: Access the personal data under the Company's control, free of charge, at least once per calendar month.
  • Right to Update, Rectification, and Deletion: Request the update, rectification, and/or deletion of personal data subject to treatment.
  • Right to Proof of Authorization: Request proof of the authorization granted for the treatment, except in cases where authorization is not required by law.
  • Right to Information: Be informed regarding the use given to your personal data.
  • Right to File Complaints: File complaints before the Superintendency of Industry and Commerce (SIC) for violations of current regulations on personal data treatment.
  • Right to Revocation: Revoke the authorization and/or request the deletion of your data when the treatment does not respect the constitutional and legal principles, rights, and guarantees.

Chapter 11: Sensitive Data

In accordance with Article 5 of Law 1581 of 2012, the treatment of sensitive data is prohibited except when the Data Subject has given explicit authorization. As a Data Subject, you are not obligated to authorize the treatment of sensitive data. None of the Company's activities are conditioned on you providing sensitive personal data.

Chapter 12: Revocation and Data Deletion

As a Data Subject, you may at any time request the deletion of your personal data and/or revoke the authorization you have granted for their treatment, by submitting a request through the channels described in Chapter 13.

Specifically regarding advertising platform data sharing:

  • You may revoke your authorization for data sharing with Meta and/or Google at any time.
  • Upon revocation, your data will be removed from all synchronized audiences within 24 hours.
  • No further conversion events will be sent to advertising platforms on your behalf.
  • The revocation will be logged for audit purposes.
  • Revoking advertising consent does not affect your access to the Company's services.

Please note that your request for data deletion or revocation of authorization will not apply when you have a legal or contractual duty that requires your data to remain in the Company's database.

Chapter 13: Procedures for Exercising Your Rights

You may exercise your rights through the following channels:

  • Data Deletion Form: Submit a data deletion request online.
  • Through the customer portal, if you have portal access.
  • Via WhatsApp, using the number provided by the Company.
  • Via email to the address provided by the Company.

Inquiries

Inquiries will be addressed within a maximum of ten (10) business days from the date of receipt. If it is not possible to respond within this period, the interested party will be informed of the reasons for the delay and the date on which their inquiry will be addressed, which in no case may exceed five (5) additional business days.

Claims

Claims will be addressed within a maximum of fifteen (15) business days from the day following the date of receipt. If it is not possible to respond within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) additional business days.

Chapter 14: Data Retention

The Company will only collect, store, use, or circulate personal data for the time that is reasonable and necessary, in accordance with the purposes that justified the treatment. Once the purpose(s) of the treatment have been fulfilled, and without prejudice to legal provisions that provide otherwise, personal data will be deleted.

Specific retention periods:

  • Advertising cookies (gclid, fbclid, utm): 90 days from collection.
  • Lead and CRM data: for the duration of the commercial relationship plus the legally required retention period.
  • Customer portal data: for the duration of the contractual relationship.
  • Audit logs: as required by applicable regulations.

Chapter 15: Security Measures

In accordance with the security principle established in Law 1581 of 2012, the Company adopts the technical, human, and administrative measures necessary to provide security to records, preventing their alteration, loss, consultation, unauthorized or fraudulent use or access.

Security measures implemented include:

  • Encrypted data transmission (HTTPS/TLS) for all platform communications.
  • Encrypted storage for sensitive credentials and tokens.
  • Team-based data isolation ensuring each company's data is accessible only to authorized users.
  • SHA-256 hashing of personal data before sharing with advertising platforms.
  • CSRF protection and secure session management.
  • Webhook signature verification for all third-party integrations.
  • Regular access logging and audit trails.

Chapter 16: Effective Date

This Personal Data Policy is effective as of its publication date on this platform. Any changes to this policy will be communicated through this same page. Continued use of the platform after changes are published constitutes acceptance of the updated policy.