Completa este breve formulario y estaremos en contacto pronto. Tu opinión es valiosa para nosotros.
Security and Privacy in Our Products

The privacy of our users is one of our top priorities. That’s why we work continuously to ensure the protection of their information while delivering our educational empowerment ecosystem. We adopt a comprehensive security approach that enables us to safeguard data at every level—with our collaborators, partners, and in compliance with applicable regulations—always maintaining confidentiality.

Recurso 3-2

 

User Data Collection and Use.

Here you will find an overview of the key measures in place to maintain data confidentiality and privacy.

Personal and identifiable information we collect.

  • Full name, city of residence, email address, contact phone number, and age.

  • De-identified voice biometric data.

  • Information related to the user’s course and institution, as well as their class composition.

  • Data on the user’s application usage.

  • Contextual information provided to intelligent assistants during interaction with the application.

Use of collected information.

  • Exclusively for the purposes authorized in the data processing policy.

  • User registration and identification within the application.

  • To verify legal age.

  • To develop personalized solutions.

  • To analyze product performance and usage (using de-identified or anonymized data).

  • To prepare internal reports and, where applicable, reports for partner institutions.

  • To contact users and announce product updates or improvements.

  • Data will never be used or sold to third parties, nor for external profiling.

  • We do not use collected data for AI training, nor do we permit its use for that purpose.

  • We actively prevent leakage of sensitive information to intelligent agents.

Data retention.

  • While the application is in use and the data remains necessary.

  • Data minimization once application use concludes.

  • Complete deletion of identifiable data upon user request.

Data storage.

  • All storage systems are encrypted with robust algorithms.

  • Data in transit is encrypted throughout its transmission.

  • Storage systems comply with international security and privacy standards.

  • Strict access controls are applied, limiting access to authorized personnel only.

  • Assistant access to data is restricted to short periods and remains within our own systems.

Sharing data with third parties.

  • Data is not sold or shared with third parties for profit or research.

  • Data may be shared with third parties authorized by the user, provided that they:

    • Implement strict security measures.

    • Process data only for authorized purposes.

    • Are bound by a data processing agreement and commit not to disclose data to others.

Security measures.

We continuously strive to enhance our security measures and stay ahead of existing threats. Here you can view our complete Information Security Policy.

System and Data Administration Security.

  • Encryption with robust algorithms at rest and in transit.

  • Continuous system updates and maintenance.

  • Permission segmentation according to system functions and data access.

  • Backup systems for fault tolerance.

  • Network segmentation and responsibilities.

  • Constant and active monitoring.

Vendor Management.

  • Verification of confidentiality and privacy compliance.

  • Periodic validation of compliance mechanisms.

  • Data sharing under strict usage restrictions.

Incident Response and Business Continuity.

  • Monitoring and alerting systems.

  • Automatic scaling to ensure availability.

  • Documentation and defined procedures for recovery from failures or incidents.

  • Automated recovery mechanisms.

  • Engagement of highly reliable and available vendors.

  • In the event of a security incident:

    • Immediate containment and isolation of the threat.

    • Investigation following the NIST Framework.

    • Notification to users and affected parties as required by law.

    • Implementation of remediation and prevention measures.

Secure AI Development.

  • Use of secure models to support our intelligent assistants.

  • Feature development includes multiple validation stages.

  • Reliability testing, bias reduction, and non-discrimination reviews by humans throughout the development cycle.

  • Multidisciplinary team involvement during all development phases.

  • Optimal use of AI, limiting use of shared data to the minimum necessary.

  • Here you can see our Secure Use of the AI Policy.

Aligned Regulations and Regulatory Compliance

Our organization is fully committed to complying with the following data protection and privacy regulations:

Law 1581 of 2012 (Colombia).

Statutory Law on the Protection of Personal Data

  • We implement technical measures to ensure the security of personal data, including encryption both in transit and at rest.

  • We apply the principles of purpose, freedom, accuracy, transparency, restricted access and circulation.

  • We guarantee data subjects' rights to access, update, and rectify their personal data.

  • We maintain clearly defined and accessible data processing policies.

  • We promptly notify any security incidents in accordance with the guidelines of the Colombian Superintendency of Industry and Commerce.

COPPA (Children's Online Privacy Protection Act).

  • We obtain verifiable parental consent before collecting personal information from children under the age of 13.

  • We limit the collection of data from minors strictly to authorized educational purposes.

  • We maintain transparent privacy policies written in clear, accessible language for parents and guardians.

  • We implement enhanced security procedures for children's personal information.

FERPA (Family Educational Rights and Privacy Act).

  • Educational records are accessed only by authorized personnel with strictly limited permissions based on their roles.

  • We implement both technical and administrative controls to prevent data breaches and ensure the confidentiality of educational records.

  • We respect and support parents' rights to:

    • Access their children’s educational records.

    • Request corrections to inaccurate information.

    • Consent to the disclosure of personally identifiable information.

    • File complaints in cases of non-compliance.

GDPR (General Data Protection Regulation).

  • We process personal data lawfully, fairly, and transparently.

  • We implement appropriate technical and organizational measures to ensure an adequate level of security.

  • We respect data subjects’ rights (access, rectification, erasure, restriction, portability, objection).

  • We maintain records of processing activities when applicable.

  • We carry out Data Protection Impact Assessments when processing poses a high risk to individuals' rights and freedoms.

General Compliance Measures.

  • We provide ongoing training and awareness on cybersecurity and privacy for all staff.

  • We conduct regular audits to verify regulatory compliance.

  • Our policies and procedures are regularly updated to reflect regulatory developments.

  • We designate data protection officers and compliance leads.

  • We apply the principle of Privacy by Design across all developments and operations.

  • We integrate a human-in-the-loop approach throughout all phases of AI implementation and deployment.

Data Flow Diagram
Below, you can see a diagram illustrating how we collect data in Shaia, what data we collect, and how we process and present it. You can click on it to view it in a separate tab for better clarity.

Flow of Gathering and Processing Data