Your data, processed with intent — never sold.

1. Who we are and how to reach us

The data controller for the managed Celerio Services is Porter Metrics S.A.S., a company registered in Colombia. Where Celerio is self-hosted in your tenant, you are the controller and we act only as a processor with respect to data we receive in support, telemetry, or licensing flows.

For any privacy enquiry, request, or complaint, you can reach our privacy team and Data Protection Officer at the email below. We respond within five (5) business days, and within the legal deadline applicable to your jurisdiction in any case.

• Privacy & DPO contact: mateo@portermetrics.com
• Legal entity: Porter Metrics S.A.S.
• Postal address available on request via the email above (provided as part of any DPA).

2. Personal data we collect

We collect only what is necessary to deliver, secure, bill, and improve the Services. We do not buy personal data from data brokers, and we do not sell personal data.

3. Why we process your data and on which legal basis (GDPR Art. 6)

• Performance of a contract — to provision accounts, run Extensions you create, deliver outputs, and bill you.
• Legitimate interests — to keep the Services secure, prevent abuse, debug and improve performance, and conduct aggregate analytics. We balance our interests against your rights and document the assessment.
• Compliance with legal obligations — for tax, accounting, fraud prevention, lawful access requests, and audit obligations under ISO 27001 and SOC 2.
• Consent — for optional marketing emails, optional analytics cookies, and any processing that exceeds the bases above. You can withdraw consent at any time without affecting the lawfulness of prior processing.

4. How we use AI and what we never do with your data

Celerio orchestrates large language models (LLMs) provided by third parties such as Anthropic, OpenAI, and Google, and any models you bring under your own credentials. When the orchestration is hosted by us, your prompts and the resulting outputs transit our infrastructure to reach the model provider you selected.

• We do not use your prompts, code, or model outputs to train any shared or public model.
• We pass through the no-training and zero-data-retention commitments offered by the model providers when you select an enterprise SKU. Where a provider does not offer such commitments, we surface that fact in the product before you route data to it.
• We do not enrich your data with third-party data brokers.
• We do not sell, rent, or share personal data for cross-context behavioral advertising as defined under CPRA.
• Self-hosted Celerio instances keep prompts, code, and outputs entirely inside your tenant. We see only the metered counters needed for license enforcement.

5. Subprocessors

We engage a small set of vetted subprocessors to deliver the Services. Each one is bound by a written contract with confidentiality, security, and data protection terms at least as strict as those we offer you. The current list, the role of each subprocessor, and the country of processing are published and updated in our Trust Center, and we notify customers of material changes at least thirty (30) days in advance so you can object.

• Cloud infrastructure: Google Cloud Platform (us-central1, europe-west1, southamerica-east1).
• Model providers: Anthropic, OpenAI, Google AI / Vertex AI — invoked only for the routes you configure.
• Identity and authentication: WorkOS / your IdP.
• Payments: Stripe (PCI DSS Level 1).
• Email and support: Postmark, Linear, GitHub.
• Product analytics and error tracking: PostHog (self-hosted), Sentry — both configured for IP truncation and PII scrubbing.

6. International transfers

We are headquartered in Colombia and operate in multiple regions. When personal data leaves the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK Addendum, complemented by a documented Transfer Impact Assessment, encryption in transit and at rest, and the supplementary measures described in the EDPB Recommendations 01/2020.

You can pin processing to a specific region (US, EU, or LATAM) on Business and Enterprise plans, and self-hosted deployments stay in the region you operate.

7. Data retention

We retain personal data only for as long as needed for the purposes described in this Policy, plus the retention periods imposed by law.

• Account data: for the duration of your subscription, plus 30 days after closure for recovery, then deleted or anonymized.
• Billing and tax records: 5 to 10 years, depending on the jurisdiction (Colombian Tax Statute, EU VAT Directive, U.S. state requirements).
• Audit logs: 12 months by default, configurable up to 7 years on Enterprise plans, in line with SOC 2 CC7 and ISO 27001 A.8.15.
• Customer Content: deleted within 30 days of subscription termination, unless you ask earlier or a longer period is contractually required.
• Backups: encrypted and rotated within 35 days; deletions propagate to backups within that window.

8. Your rights

Subject to the law that applies to you, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent where processing is based on consent. EU/UK residents may lodge a complaint with their supervisory authority. California residents may exercise rights under the CCPA/CPRA, including the right to know, delete, correct, and limit the use of sensitive personal information. Colombian residents have the rights granted by Statutory Law 1581 of 2012 and Decree 1377 of 2013.

To exercise any right, write to us at the email below from the address tied to your account, or use the in-product privacy controls. We will not discriminate against you for exercising any right.

• Right of access — receive a copy of your personal data.
• Right of rectification — correct inaccurate data.
• Right of erasure — delete data we are not required to keep.
• Right of restriction — pause processing while we resolve a dispute.
• Right of portability — receive your data in a structured, machine-readable format.
• Right to object — to processing based on legitimate interests, including profiling.
• Right to withdraw consent — at any time, with future effect.
• Right not to be subject to solely automated decisions producing legal effects.

9. How we secure your data

Security is the product, not a checklist. Celerio's program is aligned with ISO/IEC 27001:2022 and the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, and Processing Integrity). We follow defense-in-depth, least privilege, and assume-breach principles.

• Encryption: TLS 1.2+ in transit, AES-256 at rest, customer-managed keys (CMEK) on Enterprise.
• Identity: SSO/SAML, SCIM provisioning, RBAC, hardware MFA for all employees with production access.
• Tenant isolation: workloads run in isolated Kubernetes namespaces with NetworkPolicies, Kata Containers, per-workspace UID/GID assignment, and egress allowlists.
• Secrets management: short-lived credentials, automatic rotation, vault-backed storage. No long-lived service-account keys in source.
• Vulnerability management: continuous SAST, SCA, container scanning, quarterly third-party penetration testing, public security disclosure program.
• Logging and monitoring: signed audit logs streamed to your SIEM (Splunk, Datadog, Elastic, S3) and to our SOC.
• Business continuity: documented RPO ≤ 24h and RTO ≤ 4h for managed Services, with annual disaster-recovery exercises.
• Personnel: background checks where lawful, mandatory annual security and privacy training, written confidentiality agreements.

10. Breach notification

If we determine that a personal-data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the affected customer without undue delay and in any case within 72 hours after becoming aware of the breach, in line with GDPR Art. 33–34 and our SOC 2 incident-response controls. The notification will describe the nature of the breach, the categories and approximate number of data subjects, the likely consequences, and the measures taken or proposed.

11. Children

The Services are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us so we can delete it.

12. Automated decision-making

Celerio's AI features support human decision-makers; they do not make decisions that produce legal or similarly significant effects on data subjects without human involvement. Where you build an Extension that automates such decisions, you remain the controller and must implement the safeguards required by GDPR Art. 22.

13. Changes to this Policy

We may update this Policy as the Services evolve. When changes are material — for example, new categories of data, a new subprocessor that processes Customer Content, or a new transfer mechanism — we notify customers by email and in-product banner at least 30 days before the change takes effect. The current version is always available at https://celerio.ai/privacy with the effective date at the top.

14. Contact

Questions, requests, complaints, or feedback go to our privacy team at mateo@portermetrics.com. If you are not satisfied with our response, you may complain to your local supervisory authority — for Colombian residents, that is the Superintendencia de Industria y Comercio (SIC); for EU residents, your country's Data Protection Authority; for UK residents, the Information Commissioner's Office (ICO).