01 · Controller
Data controller
The controller of personal data collected through this website and the services provided by Email Marketing Panamá is the following entity. Detailed identification of the operator, its domicile and corporate regime are published at legal-notice-en.html.
- Controller: Email Marketing Panamá · Panama corporation
- Domicile: Atrium Tower, Floor 15, Calle 54, Obarrio, Panama City
- General contact: ventas@emailmarketingpanama.com · +507 832-5511
- Privacy contact: ventas@emailmarketingpanama.com with subject [DPO]
- Supervisory authority: ANTAI · National Authority for Transparency and Access to Information · Avenida del Prado, Building 713, Balboa, Ancón, Panamá · Phone: (507) 527-9270 to 74 · antai.gob.pa
02 · Categories
Categories of data subjects and data processed
Email Marketing Panamá processes data of five categories of data subjects with different legal bases and purposes. The separation of categories matters because the applicable legal regime differs based on the type of relationship with the data subject.
2.1 · Website visitors
People who access emailmarketingpanama.com without completing forms. Data processed: IP address, browser identifier (user-agent), browser language, approximate country by IP geolocation, pages visited, time spent, referrer source, strictly necessary technical cookie data. These data are processed in aggregated and anonymized form for traffic analysis, without individual identification.
2.2 · Commercial prospects
People who complete contact forms, resource downloads, discovery call requests or newsletter subscriptions. Data processed: full name, corporate email, company, role, phone (optional), country, free message, source IP of the form, timestamp of the submission. The source of acquisition (marketing campaign, organic search, direct referral) is also processed for attribution.
2.3 · Active clients with current contract
Natural persons (in their commercial role) or legal representatives of legal entities with a current service contract. Data processed: full identification per contract, tax data, billing data, banking data for payment, data of technical users assigned to the service account, platform usage records, technical support communications, incident and resolution records, contractual term acceptance records. Operational metadata (access IP, sessions, actions taken on the platform) is additionally processed for audit and security.
2.4 · Verified B2B professional audiences
Professional data publicly available from B2B decision makers in Latin America, collected from legitimate public sources (commercial registries, professional publications, corporate portals, public professional social networks) for purposes of legitimate B2B marketing pursuant to the specific lawful basis of article 7.2 of Law 81 (legitimate interest of the controller plus absence of prevailing data subject rights). Data processed: professional name, professional role, company, sector, corporate email (not personal), company size, geographic location of the company, business language. Section 5 of this policy explains the legal basis applicable to this category in detail.
2.5 · Final subscribers receiving client campaigns
People who have given consent to a client of Email Marketing Panamá to receive email marketing campaigns sent through our infrastructure. In this relationship, Email Marketing Panamá acts as processor and not as controller. The controller is the client who captured the consent. Data processed (in processor capacity, by client instruction): email, optional personalization data (name, segment), open and click history in sent campaigns, subscription status (active, unsubscribed, complaint). The contractual regime of processor arrangement is documented in the Data Processing Agreement (DPA) signed with each client pursuant to article 28 GDPR and article 24 of Executive Decree 285/2021 regulating Law 81.
03 · Purposes
Processing purposes
Each data category is processed for specific, expressly determined and legitimate purposes pursuant to the purpose principle of article 2 of Law 81. Email Marketing Panamá does not process data for purposes other than those published in this policy. If at some future moment a new purpose is incorporated, the data subject will be notified and new consent will be requested when the legal basis requires it.
| Data subject category | Processing purposes | Lawful basis |
| --- | --- | --- |
| Site visitors | Aggregated traffic analysis · fraud and abuse prevention · technical site security · compliance with applicable legal obligations | Legitimate interest of the controller (art. 7.2 Law 81) |
| Commercial prospects | Attend the information request · send the requested information · run the discovery call when applicable · send newsletter when subscribed · measure effectiveness of own marketing campaigns | Explicit consent when completing the form (art. 7.1 Law 81) |
| Active clients | Execute the service contract · billing · technical support · account management · compliance with tax and accounting obligations · incident and dispute resolution · audit and security · critical operational communications | Contract execution (art. 7.3 Law 81) · applicable legal compliance |
| B2B audiences | Segmented B2B marketing · professional services promotion · professional commercial contact within the regulatory framework | Legitimate interest of the controller (art. 7.2 Law 81) over professional data · see section 5 |
| Campaign subscribers | Process and deliver campaigns sent by the client according to its instructions · manage unsubscriptions and complaints · measure deliverability and engagement | Consent of the data subject before the client (controller is the client; EMP is processor) |
04 · Lawful basis
Lawful basis · consent, contract, legitimate interest
Article 7 of Law 81 of 2019 and article 17 of Executive Decree 285/2021 establish the lawfulness conditions for processing personal data. Email Marketing Panamá uses three different legal bases per processing category: explicit consent of the data subject, contract execution, and legitimate interest of the controller. Each legal basis has different formal requirements and a specific scope.
4.1 · Explicit consent (art. 7.1 Law 81)
Consent is obtained in a free, specific, informed and unequivocal manner before the start of processing. The data subject accepts the processing through an express affirmative act (checking a box, completing a form, clicking confirmation). Consent can be revoked at any time, without retroactive effect, by writing to the privacy email. Revocation does not affect the lawfulness of processing prior to revocation. The traceability of consent is preserved through an electronic record documenting the timestamp, the source of consent and the informational content presented to the data subject at the time of consent.
4.2 · Contract execution (art. 7.3 Law 81)
The processing is necessary for the execution of the service contract entered between the client and Email Marketing Panamá, or to take pre-contractual measures at the request of the client. This legal basis covers identifying data, billing data, user account data, operational service data. Refusal to provide these data prevents the execution of the contract. The processing is maintained during the term of the contract and the subsequent retention periods established in section 6.
4.3 · Legitimate interest of the controller (art. 7.2 Law 81)
The processing is necessary for the satisfaction of a legitimate interest of the controller or of a third party, provided that the fundamental rights and freedoms of the data subject do not prevail over such interest. Email Marketing Panamá uses this basis for three specific processing activities: aggregated and anonymized web traffic analysis for site improvement; processing of verified B2B professional audiences (see section 5); processing of operational metadata of active clients (access logs, security records, audit) beyond strict contractual execution. In each case a balance assessment between legitimate interest and data subject rights has been conducted, pursuant to the guidelines of article 32 of Decree 285/2021. The data subject can object to processing based on legitimate interest by writing to the privacy email.
05 · B2B audiences
Verified B2B professional audiences · specific legal basis
Email Marketing Panamá maintains a repository of B2B professional data of decision makers in Latin America, collected from public sources, used for its own professional marketing campaigns and offered to clients through segmentation. The legal basis of this processing deserves a specific explanation because it generates frequent questions and because the applicable legal regime is strict.
5.1 · Nature of the processed data
The data of the B2B repository are professional data, not personal data of the data subject in their private sphere. Specifically: professional name with role, company, corporate email (not personal), economic sector, company size, geographic location of the company, business language. The repository does not include: personal addresses, personal phones, personal emails (gmail, hotmail, yahoo, etc. used personally), sensitive data (racial or ethnic origin, political opinions, religious beliefs, union membership, health data, biometric data, sexual orientation data), private economic data of the data subject.
5.2 · Sources of acquisition
Professional data are obtained exclusively from public and legitimate sources: Public Registry of Panama and equivalent commercial registries in other Latin American countries; Chambers of Commerce and business associations with open publication of directories; corporate portals where the company directly publishes role data; public professional social networks (LinkedIn) where the data subject has opted to publish their information in public professional mode; specialized publications, fairs, conferences and sectoral events with publication of professional attendee lists; professional databases licensed from providers with sufficient title.
5.3 · Legal basis · legitimate interest of the controller (art. 7.2 Law 81)
The processing of B2B professional data is based on the legitimate interest of the controller pursuant to article 7.2 of Law 81. The balance assessment between legitimate interest and data subject rights has considered: the strictly professional nature of the data (not private sphere); the reasonable expectation of the data subject to receive professional communication on their corporate email within their sector; the purpose of legitimate B2B marketing in line with good commercial practices of the sector; the clear and always available possibility to object to processing through unsubscribe mechanism in each communication. The documented balance assessment is available for consultation by the supervisory authority (ANTAI) or by the data subject writing to the privacy email with subject "[DPO Balance Test]".
5.4 · Objection and unsubscribe mechanism
Each communication sent on the basis of legitimate interest to a data subject in the B2B repository exposes a clear and operational mechanism for objecting to processing (direct unsubscribe link). Objection is effective within a maximum period of 5 business days from the request. Beyond that, the data subject can object to the processing of their profile in the repository by writing to ventas@emailmarketingpanama.com with subject "[REPOSITORY B2B OPT-OUT]"; in that case, their profile is removed from the repository and incorporated into a permanent suppression list preventing future reincorporation from new sources.
Sectoral compliance: the processing of B2B audiences is additionally carried out in line with sectoral good practices collected in the codes of conduct of the email marketing industry (M3AAWG, Sender Score, Google/Microsoft/Yahoo practices) and the specific requirements of Regulation EU 2016/679 when the data subject resides in the European Union. Section 8 documents the applicable international transfer regime.
06 · Retention
Retention periods
Personal data are retained for the time strictly necessary to fulfill the purpose of processing, applicable legal obligations and prescription of actions derived from the contractual relationship. Once the period is fulfilled, the data are suppressed, anonymized or dissociated so that they do not allow re-identification of the data subject.
| Data category | Retention period | Basis |
| --- | --- | --- |
| Web server logs | 30 days from generation | Operational security, anonymization for subsequent analytics |
| Commercial prospect data | 24 months from last contact | Attend commercial follow-up requests, unless revocation |
| Client contractual data | 5 years from end of contract | Contractual prescription period + Panama tax obligations (Tax Code art. 19) |
| Invoices and tax data | 5 years from issuance | Tax obligation (Panama Tax Code) |
| Support communications | 3 years from ticket closing | Operational audit and dispute resolution |
| Platform access logs | 12 months from generation | Security and audit per ISO 27001 standards |
| B2B audience repository | Until data subject objection or outdating (~24 months without verification) | Repository quality maintenance + accuracy principle |
| Campaign data (processor) | Per client instruction · maximum 24 months after end of service | Data processing agreement with client |
| Permanent suppression list | Indefinite | Prevent reincorporation of data subjects who exercised objection |
07 · Recipients
Recipients and processors
The personal data processed by Email Marketing Panamá are not transferred to third parties for commercial purposes under any circumstances. Data may be communicated to the following categories of recipients and exclusively for the purposes indicated, pursuant to the purpose principle of article 2 of Law 81.
7.1 · Processors
Email Marketing Panamá uses processors (technology providers that process data on behalf of the controller) under Data Processing Agreement pursuant to article 24 of Decree 285/2021 and article 28 GDPR where applicable. The processor categories are:
- Cloud infrastructure providers: server hosting, operational database storage, redundancy and backup. Domiciled in jurisdictions with adequate data protection regime (United States under Data Privacy Framework, European Union, countries with adequacy decision).
- Payment service providers: processing of card payments and bank transfers. PCI-DSS Level 1 or equivalent. EMP does not store or access full card data; the processing is carried out on the payment provider infrastructure.
- Operational communication providers: transactional notification sending (account creation, password recovery, operational alerts). Processing limited to strict execution of the instructed communication.
- Monitoring and analytics providers: infrastructure monitoring tools, platform observability, aggregated and anonymized web analytics.
- External advisors: legal, accounting, tax audit subject to professional confidentiality obligation.
The detailed list of specific processors is available to active clients in the Data Processing Agreement (DPA) signed with each client, and to the data subject by writing to the privacy email with subject "[DPO Processor List]".
7.2 · Transfers by legal obligation
Email Marketing Panamá may communicate personal data to competent authorities when there is a legal transfer obligation: duly motivated judicial request from Panama courts, request from ANTAI pursuant to article 28 of Decree 285/2021, tax requests from the General Directorate of Revenue (DGI), financial intelligence requests from the Ministry of Economy and Finance in cases provided by law. The transfer is made strictly within the scope of the request and is notified to the data subject unless express legal prohibition of notification applies.
7.3 · Position regarding US CLOUD Act and FISA
Email Marketing Panamá operates primary infrastructure under Panama jurisdiction. Data stored on Panama infrastructure are not subject to the US CLOUD Act nor to FISA Section 702 orders affecting US operators. When processors domiciled in the United States are used for specific functions (CDN, monitoring, redundancy), the transfer is made in accordance with the safeguards documented in section 8.
08 · International transfers
International data transfers
When the processing involves transferring personal data outside Panama territory, the transfer is made with the safeguards required by article 23 of Executive Decree 285/2021 regulating Law 81. The applicable safeguards vary by destination jurisdiction.
8.1 · Transfers to countries with adequate regime
Transfers to Member States of the European Union, European Economic Area and countries with recognized adequacy decision (Argentina, Uruguay, Andorra, Israel, Switzerland, United Kingdom, New Zealand, Japan, Canada commercial, South Korea) are made without additional restrictions pursuant to article 23.1 of Decree 285/2021.
8.2 · Transfers to the United States
Transfers to processors domiciled in the United States are made in accordance with the EU-US Data Privacy Framework when the processor adheres to it (verifiable in the program's public register) or, otherwise, through Standard Contractual Clauses (SCC) signed pursuant to article 23.3 of Decree 285/2021. Additional supplementary technical measures apply (in-transit and at-rest encryption, key segregation) when the transferred data could be subject to mass requests under FISA Section 702.
8.3 · Transfers to other countries
Transfers to countries without adequate regime and without an instrument equivalent to the DPF are made only with express and informed consent of the data subject, or when there is specific justification under article 23.4 of Decree 285/2021 (contract execution at the request of the data subject, safeguarding of vital interest, etc.). In these cases, information on the transfer is delivered to the data subject before it takes place with identification of the destination country and applicable safeguards.
09 · Security
Technical and organizational security measures
Email Marketing Panamá adopts technical and organizational measures to protect personal data against unauthorized access, alteration, loss, destruction or unlawful processing pursuant to the security principle of article 2 of Law 81 and article 30 of Decree 285/2021. The implemented measures follow the ISO 27001 standard and are reviewed annually as part of the internal risk management program.
9.1 · Technical measures
- In-transit encryption: TLS 1.3 mandatory on all connections, X.509 certificates issued by recognized certification authorities, HSTS active, minimum policy TLS 1.2 with Mozilla Modern configuration.
- At-rest encryption: AES-256 in databases, object storage, backups and replicas.
- Key management: periodic rotation, separate storage from the encryption, restricted access by minimum privilege principle.
- Reinforced authentication: mandatory two-factor for administrative access to infrastructure, passwords per NIST 800-63B guide, sessions with short expiration.
- Network segregation: productive infrastructure isolated from corporate networks, segmentation by layers per function, application firewalls.
- Continuous monitoring: SIEM with real-time alerts, access logging, behavior anomaly detection, 12-month log retention.
- Backups: daily backups with tiered retention (daily 7 days, weekly 4 weeks, monthly 12 months), quarterly restoration tests.
- Vulnerability management: automatic dependency scanning, coordinated patching, annual third-party pentest.
9.2 · Organizational measures
- Information security policy approved by management and reviewed annually.
- Training program in security and data protection for all personnel with annual renewal.
- Confidentiality agreements signed by all personnel with access to personal data and by all processors.
- Access control based on roles, minimum privilege principle, quarterly review of current permissions, immediate revocation upon termination of employment.
- Incident response plan documented, with biannual drills and post-incident review.
- Internal audit of Law 81 compliance with annual frequency and reporting to management.
10 · Data subject rights
Data subject rights · ARCO plus portability plus objection
Article 17 of Law 81 recognizes five fundamental rights of the data subject over their personal data. These rights can be exercised at any time, free of charge and without the need to justify the request, by writing to ventas@emailmarketingpanama.com with subject [DPO]. The identity of the applicant is verified before the request is processed to prevent impersonation. The maximum response period is 10 calendar days pursuant to article 19 of Law 81.
ART. 17 LAW 81
Right of access
Obtain confirmation about whether EMP processes personal data of the data subject, what specific data, for what purpose, for how long, with which recipients and origin of the data. The response delivers the data in readable format.
ART. 17 LAW 81
Right of rectification
Request the correction of inaccurate or incomplete data. Rectification is effective within a maximum period of 10 calendar days and is notified to the recipients to whom the incorrect data had been communicated.
ART. 17 LAW 81
Right of cancellation
Request the suppression of the data when no longer necessary for the purpose, when consent has been revoked, when there is justified objection, or when the data have been unlawfully processed.
ART. 17 LAW 81
Right of objection
Object to processing based on legitimate interest of the controller, particularly for direct marketing purposes. Objection to direct marketing is always prioritized and effective without the need for justification.
ART. 17 LAW 81
Right of portability
Receive the personal data supplied to the controller in a structured, commonly used and machine-readable format (standard CSV or JSON), with the possibility of transmitting them to another controller when technically possible.
CONST. ART. 44
Habeas data
Constitutional action before the competent jurisdiction to guarantee access to personal information collected in databases or official records, pursuant to article 44 of the Constitution of Panama.
10.1 · Exercise procedure
To exercise any of the above rights, the data subject sends an email to ventas@emailmarketingpanama.com with subject "[DPO]" indicating: full name of the data subject, the right being exercised, the specific data on which the right is exercised, and a legible copy of an identification document for identity verification. EMP responds within a maximum period of 10 calendar days with the requested information or with a justified reason for denial where applicable. The response is delivered via the same channel as the request or via an alternative secure channel at the data subject's request.
10.2 · Claim before the supervisory authority
If the data subject considers that the response is not satisfactory or that their rights have been violated, they may file a claim before ANTAI (National Authority for Transparency and Access to Information), Avenida del Prado, Building 713, Balboa, Ancón, Panamá; phone (507) 527-9270 to 74; site antai.gob.pa. ANTAI is the supervisory authority on personal data protection pursuant to article 33 of Law 81.
10.3 · Additional rights under GDPR for EU data subjects
When the data subject resides in the European Union or the processing falls under the territorial scope of Regulation EU 2016/679, the data subject additionally has the right to restriction of processing (art. 18 GDPR) and the right not to be subject to decisions based solely on automated processing, including profiling, that produce significant legal effects (art. 22 GDPR). EMP does not make automated decisions with significant legal effects on data subjects; relevant commercial decisions are always reviewed by people. The competent supervisory authority for EU data subjects is that of the data subject's country of habitual residence.
11 · DPO
Data Protection Officer (DPO)
Article 35 of Executive Decree 285/2021 regulating Law 81 establishes the figure of the Personal Data Protection Officer (Data Protection Officer, DPO) as the person internally responsible for compliance with the data protection regime. EMP has designated a DPO with specific functions pursuant to article 36 of Decree 285/2021.
- Role: Data Protection Officer (DPO)
- Contact channel: ventas@emailmarketingpanama.com with subject [DPO]
- Response window: 10 calendar days pursuant to art. 19 Law 81
- Functions: Advise EMP on data protection obligations · supervise internal compliance · cooperate with ANTAI · attend data subject queries and claims · participate in impact assessments (PIA) · train internal staff
12 · Breaches
Security breach notification
Article 30 of Executive Decree 285/2021 obliges the controller to notify personal data security breaches to ANTAI and, when there is high risk for the rights and freedoms of the data subject, also to the affected data subject. EMP complies with this obligation within the following maximum deadlines:
- ANTAI notification: within 72 hours of EMP becoming aware of the breach, even when complete information about the breach is not yet available. The initial notification may be subsequently updated with complementary information.
- Affected data subject notification: without undue delay when the breach entails high risk for the rights and freedoms of the data subject. The notification describes the nature of the breach, the categories and approximate number of affected data subjects, the probable consequences, the adopted measures, the DPO contact for more information.
- Internal documentation: EMP keeps internal record of all breaches (even those not requiring notification) with root cause analysis, corrective measures and lessons learned, in accordance with ISO 27001 standards.
13 · Minors
Data of minors
Email Marketing Panamá provides B2B professional services and does not direct its services to minors, nor does it intentionally collect personal data of minors. The site forms are directed to adult professionals in their commercial role. If EMP becomes aware of the processing of data of a minor without the parental consent required by article 13 of Executive Decree 285/2021, the data would be suppressed without undue delay.
Legal representatives of a minor who detect that EMP processes data of their child without adequate consent can request immediate suppression by writing to ventas@emailmarketingpanama.com with subject [DPO MINOR]. The request will be attended within a maximum period of 5 calendar days with priority over the general procedure.
14 · Updates
Updates to this policy
This Privacy Policy may be updated to reflect regulatory changes, operational adjustments of the service, internal administrative decisions or ANTAI resolutions affecting the applicable regime. The updates come into force from their publication on the Site. The date of last update appears at the start of the document.
When the updates affect substantial elements of the processing (new purposes, modified legal basis, relevant new processors, extended retention periods, new international transfers), EMP notifies the change to the data subject with reasonable advance notice through: prominent notice on the main page of the Site for 30 calendar days, email communication to active clients with current contract, specific communication to data subjects whose specific consent is affected.
The version history of this policy is kept internally and is available for consultation by the supervisory authority and, on justified request, by the data subject affected by specific changes.
Document published on May 11, 2026 · Version 1.0 · Binding language: Spanish (Panama) · Applicable regime: Law 81 of 2019 + Executive Decree 285/2021 + GDPR where applicable