All legal documents

Privacy Policy

Personal-data processing under Law 8968 and its Regulation. Includes the eight mandatory disclosures of article 5.

Last updated May 18, 2026 Version 2026.05.18-v1

In case of any discrepancy between the versions of this document, the Spanish version prevails.

This Privacy Policy describes how Usure, a self-employed trader (persona física comerciante) with national ID 206820204 (the "Platform"), collects, uses, retains and protects your personal data, in compliance with Law N° 8968 on the Protection of the Person against the Processing of their Personal Data and its Regulation under Executive Decree N° 37554-JP.

1. Data controller

Usure, fiscal domicile at Alajuela., privacy email hola@usure.pro. Database registered with PRODHAB under number [PRODHAB-No].

2. Article 5 disclosures of Law 8968

Pursuant to article 5 of Law N° 8968, you are informed of the following:

  1. Existence of a database: the Platform maintains a personal-data database named "tinta-pro-users" for the management of relationships with Tattoo Artists and End Clients.
  2. Purposes: provision of the Platform's service, booking and management of appointments, payment processing, issuance of electronic vouchers, fraud and money-laundering prevention, tax compliance, operation of the Virtual Assistant, and service improvement.
  3. Recipients: the processors listed in clause 5, competent Costa Rican authorities when required by law, and, where applicable, the Artist with whom you book an appointment, with respect to strictly necessary data.
  4. Mandatory vs optional: data required to open and operate the account is mandatory. Marketing data is optional, and refusing to provide it does not affect the service.
  5. Processing: data is stored on secure servers, accessible only to authorized personnel under a need-to-know principle. Communications are encrypted in transit via TLS, and sensitive identifiers are encrypted at rest.
  6. Consequences of refusal: refusing to provide mandatory data prevents the creation or continuation of the account and the provision of the service.
  7. ARCO rights: at any time you may exercise your rights of Access, Rectification, Cancellation and Opposition, as well as revoke any consent granted, as detailed in clause 8.
  8. Identity and address of the controller: the controller's details are stated in clause 1.

3. Categories of personal data processed

  • Identification: name, national ID, email, phone number.
  • Tax: situation before Hacienda (regime, registered activities) obtained via public API.
  • Operational financial: Artist's IBAN, SINPE Móvil details, payment tokens. The Platform does not store the full card number; PCI-DSS scope belongs to OnvoPay.
  • Transactional history: booked appointments, amounts, deposits, design references and uploaded photographs.
  • Communications: WhatsApp Business and Instagram Direct Messages records.
  • Technical: IP addresses, device identifiers, session cookies, usage logs.

The Platform does not collect sensitive-data categories in the sense of article 9 of Law 8968 except when the End Client voluntarily provides them to warn of medical contraindications; in that case they are processed solely for the stated purpose and deleted upon completion of the service.

4. Data sources

  • Directly from the data subject during registration, booking or interaction with the Platform.
  • From the Ministry of Finance, via a punctual lookup to the public API api.hacienda.go.cr.
  • From OnvoPay and Meta, strictly to the extent necessary for operation.

5. Data processors

ProcessorFunctionServer country
Google Cloud (Gemini 2.5 Flash)Booking and onboarding Virtual Assistant. Paid account under signed DPA; data not used for model training.United States
ONVO Costa Rica S.A. (3-101-815764)Payment processing and, under the Pro Plan, direct settlement to the Artist's IBAN.Costa Rica and United States
Meta Platforms, Inc.WhatsApp Business Cloud API and Instagram Direct Messages.United States
DigitalOceanCompute and storage infrastructure.United States
Cloudflare R2Portfolio and reference-image storage.United States
Sidekiq / Redis LabsBackground-job processing.United States

6. International data transfers

Pursuant to article 14 of Law N° 8968, the above processors handle data in jurisdictions other than Costa Rica. The Platform has signed with each of them the contractual safeguards that ensure an equivalent level of protection, including standard clauses and, where applicable, Data Processing Addenda. Additionally, the data subject expressly consents to this transfer through the corresponding checkbox of the Data Processing Consent.

7. Retention

  • Account data: throughout the life of the account and up to four years after closure, under article 984 of the Commercial Code.
  • Tax records (FEC, invoices): five years, under article 109 of the Tax Code.
  • AML/CFT records: five years, under article 16 of Law N° 7786.
  • Operational conversations: twenty-four (24) months, after which they are anonymized or deleted.
  • Encrypted backups: ninety (90) days, with rotation.

8. ARCO rights and consent revocation

You may exercise your rights of Access, Rectification, Cancellation, Opposition and consent revocation through any of the following channels:

  • The form available within the Platform in your account panel.
  • Email to hola@usure.pro with subject "ARCO Rights".
  • WhatsApp at the official number published on the Platform.

The Platform will respond within a maximum of five (5) business days, under article 22 of the Regulation to Law 8968. If you are dissatisfied with the response, you may escalate to PRODHAB.

9. Virtual-Assistant data

Conversations with the Virtual Assistant are processed by Google's Gemini 2.5 Flash on a paid enterprise account. Requests and responses are not used to train models, under the Data Processing Addendum signed with Google Cloud. Conversations are tagged with retention metadata and are deleted or anonymized after twenty-four (24) months.

10. Payments and card data

The Platform does not store the full card number, verification code or sensitive authentication data of payment methods. Capture and processing of that information takes place directly on OnvoPay's PCI-DSS certified infrastructure, in which capacity PCI compliance is exclusively the payment provider's responsibility.

11. Security

The Platform applies reasonable technical and organizational measures, including: encryption in transit via TLS 1.2+; encryption of sensitive identifiers at rest; role-based access control; immutable audit logs for administrative actions; periodic credential review; security testing of source-code changes; and personnel training in data protection. These measures do not entirely eliminate computer risk and are complemented by the data subject's duty to safeguard their credential.

12. Minors

The Platform is aimed exclusively at persons of legal age. No registration of Artists or End Clients under eighteen (18) years of age is accepted. When a minor may end up being tattooed, their legal representative takes the position of End Client and provides the corresponding data, under the procedure of Executive Decree N° 44108-S.

13. Cookies

The use of cookies is governed by the Cookies Policy.

14. Amendments

Material amendments to this Policy are notified at least fifteen (15) calendar days in advance through registered channels and via a prominent notice on the Platform. When the amendment introduces new purposes incompatible with the original ones, a new express consent will be requested.

15. Language

In case of any discrepancy between the versions of this document, the Spanish version prevails.