Privacy Policy
This Privacy Policy explains what personal data we collect when you use itskooly.com, why we collect it, how long we keep it, and the rights you have over it. It applies to every visitor and customer, anywhere in the world.
We publish this document in English and Spanish and both versions are equally authentic. In case of inconsistency between the two versions, the Spanish version shall prevail for consumers domiciled in Chile; the English version shall prevail in all other cases. Nothing in this clause limits the non-waivable statutory rights of a consumer under the law of their country of habitual residence.
1. Who we are
The controller of your personal data is:
- Legal name: José Chrystian Soria Diaz
- Trade name: It's Kooly / Kooly
- RUT: 23.408.107-1
- Address: Santiago de Chile, Región Metropolitana, Chile. Full postal address available upon written request to kooly@itskooly.com.
- Contact: kooly@itskooly.com
- Role: Data controller under the EU General Data Protection Regulation (GDPR) and responsable del tratamiento under Chilean Ley 19.628.
Full legal identification is also published on our Legal Notice.
2. What data we collect
We collect only the data we need to run the service. Depending on how you use the site, this includes:
- Identity data: your name and email address when you create an account or place an order.
- Billing data: handled by MercadoPago. We receive the buyer name, email, and payment status. We never see or store your card number, CVV, or bank details.
- Account metadata: sign-in events, last sign-in time, email confirmation status, and the age-confirmation flag you set at signup.
- Order history: beats you have purchased, licenses granted, timestamps, and the records of your acceptance of our Terms, License, and Refund Policy (including IP address, user-agent, locale, and the versions you accepted).
- Marketing preferences: whether you have opted in to marketing emails, and the record of any unsubscribe.
- Technical data: IP address, user-agent string, device type, referrer URL, and country code inferred from IP. Collected automatically on every request.
- Behavioral data — only if you consent to analytics: page views, click patterns, scroll depth, session recordings, and heatmaps collected via Microsoft Clarity and Vercel Analytics. If you decline analytics in the cookie banner, none of this is collected.
We do not collect special categories of data (health, religion, political views, etc.) and we ask you not to provide them in free-text fields.
3. Legal bases under GDPR Art 6
We process your personal data under the following legal bases:
- Contract performance (Art 6.1.b): order processing, license issuance, file delivery, membership management, customer support.
- Legal obligation (Art 6.1.c): tax records, accounting retention, audit log entries required by Chilean and EU law.
- Legitimate interest (Art 6.1.f): fraud prevention, rate limiting, security monitoring, audit log retention, and abandoned-cart recovery emails sent only to our own existing customers. You can object to any of these at any time (see §8).
- Consent (Art 6.1.a): analytics cookies, session recording via Microsoft Clarity, marketing emails, and any future marketing pixels. You can withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.
Under Ley 19.628, the equivalent bases are the execution of a contract, compliance with a legal duty, legitimate interest, and your express consent.
4. How long we keep your data
We keep personal data only as long as we need it. The table below is authoritative.
| Data | Retention period | Basis |
|---|---|---|
| Orders, billing records, acceptance records (IP, user-agent, versions accepted) | 6 years | Chilean and EU tax and commercial-law obligations |
| Administrative audit log entries | 2 years | Security and legitimate interest |
| Visitor page-view events | 14 months | Proportionality; parity with industry analytics defaults |
| Microsoft Clarity session recordings | 13 months | Clarity provider default |
| Marketing contact records | Until you unsubscribe; the unsubscribe record itself (with anonymized email) is kept indefinitely | Proof of compliance with anti-spam rules |
| Active user account (auth.users) and profile metadata | Indefinite while the account is active; purged 30 days after a deletion request | Your choice |
| Abandoned shopping carts | 90 days of inactivity, then auto-deleted | Proportionality |
| Email-campaign recipient logs | 2 years | Anti-spam proof and audit |
| Data-rights request records | 2 years from resolution | Audit proof |
| Account-deletion request records | 6 years | Audit proof that deletion was processed |
| License contract PDFs stored in Cloudflare R2 | Life of the license; deleted on account deletion only if no active license exists | Contract performance |
After the retention period ends, we either delete the data or anonymize it so it can no longer be linked back to you. Order rows are anonymized (buyer name, email, IP replaced with non-identifying values) rather than deleted, because tax law requires us to keep the transactional record for six years.
5. Sub-processors
We rely on the following sub-processors to deliver the service. Each one has its own privacy policy and standard data-processing terms, which we accept on your behalf. We disclose them in full so you can review their practices.
| Service | Purpose | Jurisdiction | Data shared | Privacy link |
|---|---|---|---|---|
| MercadoPago | Payment processing | Chile (data may transit Argentina and the United States within Mercado Libre's infrastructure) | Buyer email, name, order amount | mercadopago.cl/privacidad |
| Supabase | Database and authentication | United States (AWS) | All user data and authentication events | supabase.com/privacy |
| Resend | Transactional and marketing email | United States | Recipient email, message content | resend.com/legal/privacy-policy |
| Cloudflare R2 | Beat file and contract storage | United States | Stored files; file keys contain UUIDs and do not embed personal data | cloudflare.com/privacypolicy |
| Cloudflare Turnstile | Bot protection on forms | United States | IP address, browser fingerprint | cloudflare.com/privacypolicy |
| Upstash | Rate-limiting Redis | United States or EU (region-configurable) | IP address, request counts | upstash.com/trust/privacy.pdf |
| Vercel | Hosting and Web Vitals analytics | United States | IP address, web vitals, request logs | vercel.com/legal/privacy-policy |
| Microsoft Clarity | Session recording and heatmaps (only with your consent) | United States | Page views, clicks, scroll, input patterns. Input values are masked. | privacy.microsoft.com |
| Replicate | AI-assisted cover generation (admin-only, not customer-facing) | United States | Administrator prompt text | replicate.com/privacy |
We update this list whenever we add, remove, or replace a sub-processor. Material changes trigger a new cookie-consent prompt where consent is required.
6. Cookies and tracking
We use cookies and similar technologies in three categories: strictly necessary, analytics, and marketing (currently reserved, not in use). Analytics and marketing cookies only load after you opt in via the cookie banner. A full inventory, along with the name, purpose, duration, and provider of each cookie, is published in our Cookie Policy.
You can change your preferences at any time through the "Manage cookie preferences" link in the site footer.
7. International data transfers
Several of our sub-processors are based in the United States or route data through the United States. When we transfer your personal data outside the European Economic Area or Chile, we rely on the Standard Contractual Clauses adopted by the European Commission, which form part of each provider's data-processing agreement, as a valid transfer mechanism under GDPR Chapter V. Where a provider offers additional safeguards (encryption in transit and at rest, regional data residency), we use them.
If you want a copy of the contractual safeguards applicable to a specific transfer, write to kooly@itskooly.com.
8. Your rights
You have the following rights over your personal data:
- Access — ask us what data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
- Portability — receive the data you provided in a machine-readable format.
- Objection — object to processing based on legitimate interest, including direct marketing.
- Restriction — ask us to limit processing while a request is being reviewed.
- Withdraw consent — for any processing based on consent, at any time.
To exercise any of these rights, submit a request through our Data Request form or email kooly@itskooly.com. We will respond within 30 days. If we need more time for a complex request, we will tell you within the first 30 days and explain why.
If you have an account, you can also delete it yourself from the account panel. Self-service deletion has a 24-hour grace period, after which we process the deletion within 30 days. Orders are anonymized rather than deleted, because tax law requires us to keep the transactional record for six years.
9. Right to lodge a complaint
If you believe we have mishandled your personal data, you can complain to a supervisory authority. In the European Union, you can complain to the data-protection authority of your country of residence. In Chile, you can complain through SERNAC or the data-protection authority designated by law. Contact details for EU authorities are listed at edpb.europa.eu.
We would always prefer that you contact us first at kooly@itskooly.com so we can try to resolve the issue directly.
10. Children under 16
itskooly.com is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. At signup, every user confirms they are at least 16 years old. If you believe a child under 16 has created an account or provided us with personal data, write to kooly@itskooly.com and we will delete the account and associated data.
11. Changes to this policy
We may update this policy as the service evolves or as the law changes. The "last updated" date at the top of the document reflects the most recent revision. For material changes — a new sub-processor that requires consent, a change in retention periods, an expansion of the legal bases — we will notify you through the site and, where consent is required, through a renewed cookie-consent prompt.
Previous versions are kept in our source control history and are available on request.
12. Contact
- Email: kooly@itskooly.com
- Controller identification: see our Legal Notice
- Data-rights requests: use our Data Request form