J.R.SOSA & CO. Privacy and Security Statement

Who We Are and What This Statement Covers

J.R.SOSA & CO. is a technology and engineering firm that builds software platforms, AI-enabled systems, consumer applications, websites, automation workflows, and related services for public, private, and non-governmental organizations.

References to “J.R.SOSA & CO.,” “we,” “our,” or “us” include the relevant J.R.SOSA & CO. entity, affiliates, subsidiaries, parent companies, successors, assigns, controlled ventures, operated domains, applications, services, events, internal brands, trade names, product lines, and other brands that we own or control and that link to or reasonably rely on this Statement, whether those brands are named publicly or not.

This Statement applies when we decide why and how personal data is processed, including for our websites, quote forms, business development, events, marketing, recruiting, vendor management, security, and administration. It does not govern customer-controlled data processed through systems, products, or services we provide to a client where we act as a processor, service provider, contractor, or subprocessor. In those cases, the customer’s agreement, data processing addendum, instructions, and privacy notice control.

Nothing in this Statement creates a separate contract or grants any license to our names, marks, brands, software, code, models, designs, documentation, content, or other intellectual property. We reserve all rights, defenses, exemptions, and limitations available under applicable law and written agreements.

Contact Us

If you have privacy questions, security concerns, or want to exercise a privacy right, contact us at:

Email: privacy@jrsosa.co

Controller, Processor, and Customer Data Roles

When we use personal data for our own purposes, the relevant J.R.SOSA & CO. entity or controlled brand is the controller or business responsible for the processing. When we process personal data for a customer inside a customer project, customer system, client deployment, integration, database, or managed service, we generally act on the customer’s documented instructions.

Customer data may include information our customers or their users submit into software we build, host, maintain, automate, or integrate. We process that customer data only as permitted by the applicable agreement, data processing terms, customer instructions, law, security obligations, and service requirements. If you are an end user of one of our customer’s systems, direct privacy requests to that customer unless we identify ourselves as the controller for that specific service.

Personal Data We Collect

We may collect personal data from you, automatically from your use of our sites or services, from customers and business partners, from vendors, from public sources, and from third-party platforms you use to communicate with us.

Categories of Data

• Contact Data: name, company, role, mailing address, email address, phone number, country or region, social handles, and preferred contact method.
• Professional and Business Data: employer, occupation, business needs, project scope, industry, areas of expertise, purchasing authority, vendor or partner information, and relationship history with us.
• Quote, Project, and Submission Data: information submitted through request forms, discovery calls, proposals, project briefs, files, links, requirements, feedback, support requests, and other materials you choose to send us.
• Account, Transaction, and Billing Data: purchases, licenses, subscriptions, invoices, payment status, billing contact, tax or eligibility information, and tokenized payment details where needed.
• Technical, Device, and Analytics Data: IP address, browser, operating system, device identifiers, cookie IDs, mobile identifiers, referring pages, pages viewed, interaction events, approximate location, diagnostics, logs, and security telemetry.
• Communication Data: email, SMS, chat, call notes, calendar details, meeting recordings or transcripts where enabled, support messages, and communications through third-party platforms.
• AI, Automation, and Development Data: prompts, outputs, project artifacts, code snippets, configuration details, files, screenshots, workflow events, metadata, and model or automation logs when you provide or authorize them for a project or support interaction.
• Audiovisual and Event Data: images, voice, video, visitor logs, event attendance, webinar participation, and security monitoring data where applicable.
• Inferred and Preference Data: interests, service preferences, likely business needs, lead qualification, engagement scores, or similar inferences generated from data we collect or receive.
• Sensitive or Regulated Data: we do not intentionally request sensitive personal data through public forms unless needed for a specific engagement. If you provide sensitive, confidential, regulated, or third-party personal data without request, we may process it to evaluate, secure, respond to, delete, or comply with legal obligations.

Submission Boundaries

Do not submit protected health information, full payment card numbers, government identification numbers, children’s data, credentials, trade secrets, privileged information, production database exports, regulated records, or confidential third-party data unless we specifically request it under a written agreement with appropriate safeguards. If you submit information we did not request, we may process it only as needed to review, secure, respond to, delete, return, or preserve it for legal, security, or business reasons.

How We Use Personal Data

• Respond to inquiries, prepare quotes, evaluate project fit, schedule meetings, and communicate with you.
• Provide, operate, secure, maintain, support, and improve websites, software, AI systems, applications, integrations, automations, and business services.
• Verify identity, manage accounts, process payments, issue invoices, administer contracts, and enforce agreements.
• Perform analytics, quality assurance, debugging, product research, fraud prevention, abuse prevention, and security monitoring.
• Use AI-assisted, automation, development, observability, hosting, and collaboration tools to deliver and improve work, subject to contractual, confidentiality, and security controls where applicable.
• Send administrative, service, legal, security, operational, and marketing communications, with opt-out rights where required by law.
• Protect our business, customers, users, employees, affiliates, brands, systems, property, rights, confidential information, and the public.
• Comply with law, lawful requests, audits, tax and accounting duties, dispute resolution, insurance, sanctions screening, and legal process.
• Evaluate or complete corporate transactions, financing, restructuring, mergers, acquisitions, asset sales, assignments, or similar business events.
• Create aggregated, anonymized, or deidentified information for analytics, reporting, benchmarking, security, and service improvement.

Legal Bases Where Required

Where laws require a legal basis, we rely on one or more of the following: performance of a contract or steps before a contract; our legitimate interests in operating, securing, improving, and protecting our business and services; your consent; compliance with legal obligations; protection of vital interests; and other lawful bases available under applicable law.

How We Share Personal Data

We may disclose personal data to the following categories of recipients:

• Affiliates and controlled brands: entities, ventures, brands, teams, and successors within or connected to our business operations.
• Service providers and subprocessors: hosting, cloud infrastructure, Firebase/Google services, analytics, email, calendar, CRM, payments, security, monitoring, development, AI tooling, automation, customer support, and professional service providers.
• Customers and business partners: when needed to deliver a project, integration, event, referral, support request, or jointly offered service.
• Payment processors: payment platforms may process payment data directly under their own terms and privacy notices.
• Professional advisors: attorneys, accountants, auditors, banks, insurers, and other advisors.
• Legal, safety, and compliance recipients: courts, regulators, law enforcement, government authorities, and other parties where we believe disclosure is required or appropriate to protect rights, safety, security, or property.
• Transaction parties: potential or actual buyers, investors, lenders, successors, assignees, or counterparties in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar event.

We do not sell personal data for money. Some privacy laws define “sale,” “sharing,” or “targeted advertising” broadly. If our use of analytics, advertising, or similar technologies is considered a sale or sharing under applicable law, you may contact us to exercise any available opt-out right.

Cookies, Analytics, and Tracking

We use cookies, pixels, SDKs, logs, analytics tools, and similar technologies to operate our sites, remember preferences, understand traffic, measure campaigns, detect abuse, secure our services, and improve user experience. See our Cookie Statement for more detail. You can also use browser settings and platform controls to limit some tracking.

Security Measures and Limits

We use administrative, technical, and organizational safeguards designed to protect personal data, such as access controls, least-privilege practices, encryption in transit where appropriate, secure development practices, monitoring, backups, vendor review, logging, incident response, and personnel or contractor confidentiality obligations.

No website, network, transmission, storage system, vendor, or software product can be guaranteed to be perfectly secure. You are responsible for using secure credentials, limiting what you send through public forms, and following any security instructions we or the relevant customer provide.

Retention

We keep personal data for as long as reasonably necessary for the purposes described in this Statement, including to provide services, maintain records, comply with legal and tax obligations, resolve disputes, enforce agreements, preserve security, maintain backups, and protect our rights. Retention periods vary by data type, relationship, legal requirement, and operational need. We may delete, deidentify, aggregate, or archive data when it is no longer needed.

International Processing

We may process and transfer personal data in the United States, Puerto Rico, Latin America, and other locations where we, our affiliates, customers, vendors, or service providers operate. These locations may have privacy laws different from where you live. Where required, we use appropriate contractual, legal, or operational safeguards for cross-border transfers.

AI, Model, and Automation Tools

We may use AI-assisted tools, automation services, code assistants, search tools, transcription tools, analytics, and model providers to help deliver services, improve workflows, support customers, detect issues, and protect systems. We do not intentionally submit customer confidential information or regulated personal data to a public model training workflow unless authorized by the applicable customer agreement or instruction. Vendor use of data is subject to the vendor terms, product settings, and agreements applicable to the engagement.

We do not use automated processing to make legally significant decisions about individuals unless we disclose that use or applicable law allows it.

Security Incidents

If we determine that a privacy or security incident requires notice, we will provide notice as required by applicable law and any controlling customer agreement. Any notice or investigation is not an admission of fault, liability, or a violation of law.

Children

Our websites and business services are not directed to children, and we do not knowingly collect personal data from children under 13 or a higher age where required by law. If you believe a child provided us personal data, contact us so we can review and take appropriate action.

Your Privacy Rights

Depending on where you live and how we process your data, you may have rights to:

• request access to or a copy of personal data;
• request correction of inaccurate or incomplete data;
• request deletion of personal data;
• request portability of certain data;
• restrict or object to certain processing;
• withdraw consent where processing is based on consent;
• opt out of certain marketing, sale, sharing, targeted advertising, or profiling where applicable;
• be free from unlawful discrimination or retaliation for exercising privacy rights;
• appeal a decision or lodge a complaint with a regulator where applicable.

We may need to verify your identity and authority before responding. We may decline or limit a request where permitted by law, including where data must be retained for security, legal, contractual, accounting, fraud-prevention, dispute, or operational reasons. You may use an authorized agent where applicable law allows it.

Exercise rights: privacy@jrsosa.co

Third-Party Links and Platforms

Our websites, communications, and services may link to third-party websites, platforms, integrations, or services. We do not control and are not responsible for their privacy, security, content, or business practices. Their own terms and privacy notices apply.

Changes to This Statement

We may update this Statement at any time. The “Last Updated” date shows when it was last revised. Updates are effective when posted unless otherwise stated. Your continued interaction with us after an update means the updated Statement applies to later processing, subject to applicable law and any written agreement.