
Privacy policy

How we handle your personal data and your customers' data.

Last updated: April 12, 2026

Draft under legal review. This document is based on Law 81 of 2019 (LPDPD) of Panamá and reflects our current practices. It will be reviewed by Panamanian legal counsel before becoming final. For specific questions, write to privacy@facturahq.cloud.

1. Data controller

FacturaHQ — operated by the same team that develops cifraHQ — is the data controller for the purposes of Law 81 of 2019 on Personal Data Protection (LPDPD) of the Republic of Panamá and its regulations.

Final legal entity name and registered address will be added to this document upon completion of corporate registration. Privacy inquiries: privacy@facturahq.cloud.

2. Data we collect

  • Account data: company name, RUC, DV, Aviso de Operación, fiscal address, email and phone.
  • User data: name, email, role, internal ID, activity fingerprint (access logs).
  • Fiscal data: issued documents (invoices, receipts, notes), CUFE, amounts, receiving customer, products and their fiscal classification.
  • Digital certificate: your .p12 file is stored encrypted and used only to sign documents on your behalf.
  • Technical data: IP, device type, browser, cookies necessary for operation and preferences.
  • Support data: emails, chats and tickets you initiate with our team.

3. Processing purposes

  • Provide the electronic invoicing service under SFEP.
  • Transmit electronic documents to the DGI through the PAC (Alanube).
  • Preserve issued documents for the mandatory 5 years.
  • Handle support requests, service billing and functional improvements.
  • Comply with legal and accounting obligations.
  • Send transactional communications (system notifications, monthly reports) and — only with your explicit consent — marketing messages.

4. Legal bases

  • Performance of the contract you enter into when using FacturaHQ.
  • Legal obligation arising from Panamanian tax regulation (SFEP, Resolution 201-6299, 5-year archive).
  • Legitimate interest in service improvement and fraud prevention.
  • Explicit consent for marketing and non-essential cookies.

5. Recipients and processors

Your data may be shared with:

  • DGI of Panamá — for tax compliance.
  • Alanube — as the authorized PAC, under contractual processing agreements.
  • Microsoft Azure — infrastructure provider in the East US 2 region (or the closest available to meet regional residency).
  • Azure Communication Services — for transactional email delivery.
  • Cloudflare — for anti-bot protection and content delivery.
  • Application Insights — for aggregated technical observability.

All processors are bound by processing agreements that mirror LPDPD obligations.

6. International transfers

Part of the processing happens on infrastructure located outside Panamá (United States for Azure). We implement adequate safeguards (contractual clauses and technical controls such as encryption at rest and in transit) and select providers with ISO 27001, SOC 2 Type II and applicable GDPR compliance certifications.

7. Retention

  • Electronic fiscal documents: 5 years from issuance, as a legal obligation.
  • Active account data: while your subscription remains active.
  • Data after cancellation: additional 5 years to address potential tax audits, after which it is anonymized or deleted.
  • Technical logs: 12 months.

8. Your rights

Under the LPDPD, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Delete your data when no longer needed (subject to fiscal retention).
  • Object to processing for marketing purposes.
  • Portability of your data in a structured, readable format.
  • Withdraw consent at any time, without affecting prior processing.

To exercise these rights, email privacy@facturahq.cloud. We will respond within a maximum of 30 calendar days. If you are not satisfied, you can file a complaint with the National Authority for Transparency and Access to Information (ANTAI).

9. Security measures

  • TLS 1.2+ encryption on all communications.
  • AES-256 encryption at rest for sensitive data, including the digital certificate.
  • Mandatory MFA for administrative accounts.
  • Tenant-level data segregation.
  • Immutable audit logs.
  • Periodic penetration tests and scheduled patches.

10. Cookies

We use strictly necessary cookies (session, language preference, anti-bot Turnstile) and — with your consent — analytics cookies (Application Insights) and preference cookies. See our cookie policy for details.

11. Changes

We may update this policy to reflect legal or service changes. We will publish modifications at this same URL and, if substantial, notify you by email at least 15 days in advance.

12. Contact

Privacy officer: privacy@facturahq.cloud.
Postal address: will be added upon completion of corporate registration.
