Privacy Policy · Circli

1. Introduction

The privacy of our users and of the people whose data they share is of utmost importance to us. This platform (the "Platform" or "Circli") is operated by Circli Servicios Tech S.A.S., a company duly registered with the Public Registry of the Province of Mendoza under File N° eSAS-000542, with registered office in the City of Mendoza, Argentina. This Privacy Policy describes what personal data we process, for what purposes, with whom we share it, and what rights you have over your information, in accordance with Argentine Law 25,326 on Personal Data Protection and other applicable legislation. By using the Platform, you accept the practices described in this policy.

2. Roles and responsibilities

Circli may act as either a controller or a processor of your personal data, depending on the context: (a) When you create an account directly at circli.app, browse the site, or contact us, Circli is the controller of that data. (b) When you use Circli as part of an event organized by a third party (such as a fair, congress or conference), the event organizer is the controller of the data generated within that event, and Circli acts as a processor on behalf of the organizer. In these cases: • The organizer defines the purposes of the processing within the event. • Circli processes the data following the organizer's documented instructions, under a Data Processing Agreement signed with each organizer. • To exercise your rights regarding event-generated data, your first point of contact is the event organizer. Circli cooperates with the organizer to respond to your request. • The organizer maintains its own privacy notice describing the event-specific uses. We recommend you read it. (c) For aggregated and anonymous technical data (usage metrics, fraud prevention), Circli maintains its own responsibility for limited purposes related to operating the Platform securely.

3. Limitation of liability for organizer's uses

When Circli acts as a processor on behalf of an event organizer, Circli is not liable for: • The organizer's use of the data outside the Circli Platform (e.g., exports, post-event communications, organizer's own integrations). • Obtaining the data subject's consent for purposes the organizer defines on its own. • Leaks, unauthorized access or improper uses of the data occurring in the organizer's infrastructure, devices or processes, or in those of third parties contracted by the organizer. • Compliance with laws applicable to the organizer in its own jurisdiction and regarding its own uses. This limitation does not apply when the incident occurs within Circli's infrastructure or results from Circli's failure to follow the organizer's documented instructions.

4. Personal data we collect

We collect only the personal data necessary to provide the service, in the following categories: • Account data: mobile phone number (used for WhatsApp authentication and interaction), name or alias, and optionally email. • Event data (when you use Circli as part of an event): name, company, professional role or category, optional profile photo, connections generated with other attendees, and activity records within the event. • Contact data voluntarily shared by you: name and phone number of third parties you choose to add to your circle on the Platform. • Technical data: IP address and user-agent, always processed via salted hash as a pseudonymization and security measure. These are never stored in plaintext. • Cookies and similar technologies: see dedicated section below.

5. Purpose and use of data

We use the personal data collected for the following purposes: • Service provision: enabling you to create your circle, manage your contacts and participate in events using the Platform. • Operating events for organizers who contract the Platform, always in accordance with the organizer's documented instructions. • Security and fraud prevention: detecting abusive uses, protecting service integrity. • Service communications: operational notifications, technical support, notices about changes to this policy or terms. • Compliance with legal obligations: responding to requirements from competent authorities or fulfilling applicable regulations. • Aggregated and anonymous product improvement: statistical analysis that does not allow identification of individual users. We do not use your data for our own commercial purposes other than the above. We do not sell, lease or transfer your data to third parties.

6. Processors and sub-processors

To operate the Platform we use the following technology providers as sub-processors. Each processes data in its specific role under contractual agreements imposing confidentiality, security and purpose-limitation obligations equivalent to ours: • Meta Platforms, Inc. (WhatsApp Business Cloud API) — messaging with users — United States. • Vercel, Inc. — application hosting — United States. • Supabase, Inc. — database and storage — United States / Singapore. • OpenAI, L.L.C. — natural-language processing for bot queries, under enterprise/business terms with no opt-in to training — United States. • Google LLC (Google Analytics, Google Ads) — optional advertising measurement, only if you explicitly enable it via cookie consent — United States. • Meta Platforms, Inc. (Pixel, Conversions API) — optional advertising measurement, only if you explicitly enable it via cookie consent — United States. The up-to-date list is available on the Sub-processors page.

7. Cookies and similar technologies

The Platform uses cookies and similar technologies in three categories: • Essential: necessary for site operation and session. They do not require your consent. • Analytics: help us understand how the site is used. We do not activate them before you accept via the cookie banner. • Marketing: used to measure and optimize advertising campaigns. We do not activate them before you accept. You can change your preferences at any time via the "Cookies" link in the footer.

8. Use of artificial intelligence

We use third-party artificial-intelligence services to process natural-language queries and categorize content from the bot. Data sent to these services is processed under enterprise/business terms that prohibit its use for model training. You may request human review of any automated response at any time by contacting us.

9. Events as a special context

When an organizer contracts the Platform to run an event, certain visitor data is shared with that organizer (for example: name, company, professional category, connections generated during the event). The organizer is the controller of that data. Each event has its own complementary privacy notice with event-specific uses. We recommend you read it when you join an event.

10. Minimum age and responsible communication

The Platform is intended for individuals over eighteen (18) years of age. If you declare you are under 18, you cannot use it. When an event involves the promotion of alcoholic beverages, we apply the requirements of Argentine Law 24,788 on responsible communication, including age gates and applicable legal disclaimers.

11. Storage and international transfers

Personal data is stored in infrastructure located in the United States (Vercel and Supabase) and, for some services, also in regional caches. Neither the United States nor Singapore appear on the Argentine list of countries with adequate protection. As a consequence, international transfers are made under the safeguards provided by AAIP Disposition N° 60/2016 (model contractual clauses). We maintain agreements with each sub-processor that impose confidentiality, security, purpose-limitation and return/destruction obligations substantially equivalent to those required by Argentine law. By using the Platform you expressly authorize this international transfer.

12. Data retention

We retain personal data only for the time necessary to fulfill the purposes described or as required by law. Typical periods: • Active account data: until you close your account. • Event data (activated profile): up to twenty-four (24) months post-event, with the organizer's authorization under art. 25 inc. 2 of Law 25,326. • Pre-registered users who did not activate a profile: automatic anonymization within seven (7) calendar days after the event closes. • Technical logs: twelve (12) months. • Backups: thirty (30) days. After these periods, data is destroyed or irreversibly disassociated, except where legal obligations require its retention.

13. Your rights over your data

Under Argentine Law 25,326 you have the following rights over your personal data: • Access: request and receive information about the data we process. • Rectification: ask us to correct inaccurate or outdated data. • Erasure: ask for deletion of your data when applicable. • Objection: object to processing in certain circumstances. • Confidentiality: have your data treated with privacy. • Withdrawal of consent: withdraw your consent when it is the basis of processing. How to exercise them: • If your data was generated within an event operated on the Platform → contact the event organizer first; they are the controller of that data. Circli cooperates with the organizer. • If your data was generated by direct use of the landing or app outside an event → contact us at privacidad@circli.app. We will respond within legal timeframes (typically ten business days). You also have the right to file complaints with the Agency for Access to Public Information (AAIP). If you reside in the European Union, you may exercise equivalent rights under the GDPR.

14. Data security

We implement reasonable technical and organizational measures in line with AAIP Resolution N° 47/2018 and industry best practices, including: • Encryption in transit (HTTPS/TLS) and at rest. • Access controls with multi-factor authentication and the principle of least privilege. • Salted hashing of IP and user-agent (never plaintext). • Encrypted backups with 30-day retention. • Confidentiality obligations signed by our personnel with access to personal data. In the event of a security incident affecting your personal data, we commit to notifying within seventy-two (72) hours of reasonable confirmation, in line with international best practices.

15. Registration and supervisory authority

We maintain our personal-data databases in accordance with AAIP regulations. Registration with the National Registry of Personal Data Bases is in process. The Agency for Access to Public Information (AAIP) is the body overseeing compliance with Law 25,326 in the Republic of Argentina. You have the right to file complaints with it.

16. Changes to this policy

This Policy may be updated to reflect regulatory changes, new functionality, or improvements in our practices. When changes are substantial, we will notify you through the usual channels (website, app, email or WhatsApp). The date of last update appears at the top of the document.

17. Contact

For inquiries, complaints or to exercise rights over your data, write to privacidad@circli.app. You may also reach us via the contact form on the site. Controller: Circli Servicios Tech S.A.S., City of Mendoza, Argentina.