This is a convenience translation. The Spanish version published at sippy.lat/privacy is the official version and prevails in case of any discrepancy.
1. Introduction
This Privacy Policy (hereinafter, "the Policy") describes how SIPPY, SOCIEDAD ANÓNIMA DE CAPITAL VARIABLE (hereinafter, "Sippy", "we", or "the Controller") collects, uses, stores, protects, and processes the personal data of users (hereinafter, "the User" or "the Data Subject") of the technology orchestration service Sippy offers through messaging platforms (hereinafter, "the Service").
This Policy is issued and applies in accordance with the Personal Data Protection Law of the Republic of El Salvador (Legislative Decree No. 144 of November 12, 2024, published in Official Gazette No. 219, Volume 445, of November 15, 2024, hereinafter "the Law").
By accepting the Terms and Conditions and using the Service, the User declares having read and understood this Policy and consents to the processing of their personal data under the terms described herein.
2. Data Controller
The controller of personal data processing is:
Legal name: SIPPY, S.A. DE C.V.
Contact email: hello@sippy.lat
Website: https://www.sippy.lat
3. Personal Data We Collect
Consistent with the minimization principle established in the Law, Sippy collects exclusively the following data:
3.1 Data collected at registration
- Verified phone number: Number associated with the User's account on the messaging platform, verified via confirmation code by the platform operator. It functions as the User's account identifier.
- Wallet address: Public address automatically generated and associated with the User's phone number, on third-party provider infrastructure.
- Preferred language: The User's language preference, used for interaction with the Service.
- Record of terms acceptance: Date, time, and version of the Terms and Conditions and of this Policy accepted by the User, retained as evidence of the consent granted.
3.2 Service operation data
- Authorization parameters: Spending limit configured by the User and parameters of the authorization (spend permission) granted to the smart contract.
- Technical operation metadata: Activity timestamps and message identifiers used temporarily for deduplication and proper functioning of the Service.
3.3 Optional data configured by the User
- Recovery email: Email address the User may voluntarily configure to recover access to their wallet and to enable an expanded spending limit. It is stored encrypted. Providing it is optional; without it, the User retains use of the Service with the default limit.
- Strengthened authentication credential (passkey): When the User activates passkey approval, Sippy stores only the public key and the credential identifier. See Clause 5.
4. Data We Do NOT Collect
To protect User privacy and in application of the minimization principle, Sippy does NOT collect, request, or store the following data:
- First name, last name, or other civil identification data.
- Identity document number, passport, or equivalent.
- Bank account numbers, banking credentials, credit or debit card numbers.
- Passwords, PINs, recovery phrases, or private keys.
- Biometric data (fingerprint, facial recognition, or others).
- The User's IP address.
- User device data (model, operating system, hardware identifiers).
Important clarification: Sippy does not collect or store the User's IP address or device data. However, the third-party providers participating in the provision of the Service (messaging platform, wallet infrastructure, hosting provider, blockchain network) may process technical data, including the IP address, at their own layer and in accordance with their respective privacy policies. Sippy does not control such processing.
5. Strengthened Authentication via Passkey — No Biometric Processing
When the User activates the optional passkey approval feature, authentication is performed according to the WebAuthn / FIDO2 standard, widely adopted by major operating systems and platforms.
The User's biometric data (fingerprint or facial recognition) is validated locally by the User's own device and is never transmitted to, received by, or stored by Sippy. Sippy does not process biometric data.
Within this feature, Sippy stores only: (i) the public key generated by the User's device; and (ii) the credential identifier. Neither of these elements contains biometric information or allows its reconstruction. The corresponding private key remains on the User's device, under their exclusive control.
6. Processing Purposes and Legal Basis
Sippy processes the User's personal data for the following purposes, each supported by a legal basis recognized by the Law:
- Provision of the Service: Create and manage the User's wallet, interpret their instructions, and execute transactions within the granted authorization. Legal basis: performance of the contract requested by the Data Subject.
- Security and risk control: Apply spending limits, detect fraudulent or unauthorized activity, and protect the integrity of the Service. Legal basis: legitimate interest of the Controller and performance of the contract.
- Operational communications: Send the User transaction confirmations, notifications, and support responses through the messaging platform. Legal basis: performance of the contract.
- Access recovery: Allow the User to recover access to their wallet through the configured recovery email. Legal basis: consent of the Data Subject.
- Legal compliance: Respond to requirements of competent authorities in accordance with applicable law. Legal basis: compliance with a legal obligation.
Sippy does not use User data for marketing purposes nor share it with third parties for advertising purposes. Data obtained through the messaging platform is used only for purposes reasonably necessary to provide the Service.
7. Consent and Its Accreditation
The processing of the User's personal data is based on informed consent granted at registration through an affirmative action (checking an acceptance box), without prejudice to the other legal bases indicated in Clause 6.
In compliance with the Law, which places on the Controller the burden of proving that consent was obtained and the privacy notice communicated, Sippy retains a record of the date, time, and version of the Terms and of this Policy accepted by the User.
The User may withdraw their consent at any time, as provided in Clause 11, without affecting the lawfulness of processing carried out before withdrawal.
8. Third-Party Providers and International Data Transfer
8.1 Third-party providers
Provision of the Service requires the participation of independent third-party providers acting as processors at their respective layers. These include, without limitation: the messaging platform provider, the wallet and smart contract infrastructure provider, the blockchain network infrastructure provider, the hosting provider, and, where applicable, the natural language processing engine provider.
Each third-party provider processes data in accordance with its own privacy policies and the contractual obligations binding it to Sippy. The updated list of providers is maintained at sippy.lat/disclosures.
8.2 International transfer
Some third-party providers participating in the provision of the Service are domiciled outside the Republic of El Salvador. Consequently, provision of the Service involves the international transfer of certain personal data of the User to such providers.
Said transfer is carried out on the basis that it is necessary for the performance of the contract requested by the User, that is, to provide the Service the User themselves requires. Sippy binds third-party providers through contractual obligations aimed at guaranteeing a level of personal data protection consistent with the standards required by the Law.
By accepting this Policy and using the Service, the User acknowledges and consents that provision of the Service requires the transfer of certain data to third-party providers located outside El Salvador, under the terms described herein.
9. Data Security
Sippy adopts reasonable technical and organizational measures to protect the User's personal data against unauthorized access, loss, alteration, or improper disclosure, including:
- The private keys of the User's wallet are managed by the wallet infrastructure provider in a secure environment and are not exposed to Sippy's servers.
- The phone number and wallet address are stored in a database with encrypted connections.
- The recovery email, when configured by the User, is stored encrypted.
- Transaction data is recorded on the public blockchain network, which provides a permanent and verifiable record.
Notwithstanding the measures adopted, no system is completely immune to security risks. The User is responsible for maintaining the security of their messaging platform account and their device.
10. Data Retention and Deletion
Sippy retains the different types of data for the following periods:
- Account data (phone number, wallet address, language, recovery email): Retained while the User's account remains active or until the User requests deletion.
- Record of consent (date, time, version): Retained during the term of the relationship and the period necessary to address potential legal or evidentiary requirements.
- Technical operation metadata: Retained temporarily, as strictly necessary for the functioning of the Service.
- Blockchain transaction data: Recorded permanently on the public blockchain network. Due to the immutable nature of the blockchain, these records cannot be deleted.
The User understands that transaction records stored on the public blockchain network are immutable by design and cannot be deleted by Sippy or any third party, even upon a deletion request. Deletion applies to the data Sippy retains in its own systems.
11. Data Subject Rights
Under the Law, the Data Subject has the following rights, recognized as ARCO-POL rights:
- Right of access: Know the personal data Sippy retains about the Data Subject and the conditions of its processing.
- Right of rectification: Request the correction of inaccurate or incomplete data.
- Right of cancellation or deletion: Request the deletion of their personal data, subject to the limitations derived from blockchain immutability and legal retention obligations.
- Right of opposition: Object to the processing of their data on legitimate grounds.
- Right of portability: Receive their data in a structured format, where applicable.
- Right to restriction of processing: Request the restriction of processing in the cases provided by the Law.
- Right to blocking: Request the blocking of their data under the terms of the Law.
To exercise any of these rights, the User may write to hello@sippy.lat, identifying the phone number associated with their account and the right they wish to exercise. Sippy will address the request within the periods established by the Law and, absent such periods, within fifteen (15) business days.
12. Supervisory Authority
The application and supervision of El Salvador's Personal Data Protection Law corresponds to the State Cybersecurity Agency (Agencia de Ciberseguridad del Estado, ACE), which exercises control and sanctioning authority in matters of personal data protection.
A Data Subject who considers their rights have been violated may file the corresponding claim before said authority, without prejudice to their right to first contact Sippy for resolution of their request.
13. Children's Privacy
The Service is not directed at persons under eighteen (18) years of age. Sippy does not knowingly collect personal data from minors. If Sippy becomes aware that it has collected data from a minor without the corresponding authorization, it will take the necessary measures to delete such information. Parents or guardians who believe a minor in their care has provided data to Sippy may contact hello@sippy.lat.
14. Modifications to the Policy
Sippy may modify this Policy at any time. Modifications will be communicated through publication on the website sippy.lat/privacy, with an update to the "last updated" date. When modifications are substantial, Sippy will endeavor to notify them through the Service. Users are advised to review this Policy periodically.
15. Contact
For inquiries, requests, or the exercise of rights related to this Policy, the User may contact Sippy through:
Email: hello@sippy.lat
Website: https://www.sippy.lat
Legal address: 5 Calle Poniente y 101 Avenida Norte #5348, Colonia Escalón, San Salvador, El Salvador
Sippy will respond to communications within fifteen (15) business days of receipt.