Site Privacy and Data Processing Policies for Companies

Effective Date: February 11, 2026

1. Introduction, scope and relationship with the Terms and Conditions

This Privacy Policy regulates the collection, use, processing, storage and protection of the personal data of representatives, agents, collaborators and contact persons of the businesses and companies that contract or interact with Cleo's digital services, including the website www.cleo.cl, applications, administrative panels, APIs and any other platform or digital channel operated by Cleo.

This policy applies to all natural persons who, on behalf of a business, company or legal entity, interact with Cleo for the purpose of contracting, implementing, operating or using the payment intermediation services and technological solutions offered by Cleo.

This Privacy Policy forms an integral part of the contractual Terms and Conditions applicable to businesses and companies. By contracting and using our services, the merchant and its representatives accept both the Terms and Conditions and this Privacy Policy in its entirety.

Cleo processes personal data in accordance with Law No. 19,628 on the Protection of Private Life, Law No. 21,719 on the Protection of Personal Data and other regulations applicable in Chile.

Each store will have corporate access to the Cleo platform, managed by users designated by the company itself, who will authenticate with their credentials on the site www.cleo.cl or panels enabled by Cleo.

Access to such systems is personal and non-transferable, and each designated user is responsible for the use of their credentials.

2. Responsible for data processing

The person responsible for the processing of personal data is Cleo Chile SpA, a company with registered office in Chile and the contact channels indicated at the end of this policy.

3. Legal Bases of Treatment

The processing of personal data by Cleo is based on one or more of the following legal bases, as appropriate in each case:

a) The free, informed, specific and revocable consent of the owner when required by law.

b) The execution of a contract or pre-contractual measures requested by the merchant or its representatives.

c) Compliance with legal or regulatory obligations applicable to Cleo, including crime prevention regulations, AML/FT and financial obligations.

d) Cleo's legitimate interest to operate, develop and improve its services, provided that it is compatible with the rights of the owners and proportional to the purposes pursued.

4. Categories of data we collect

Cleo may collect and process the following categories of personal data, as appropriate to the type of B2B relationship:

a) Identification and contact details of representatives and business personnel: full name, corporate email, telephone number, position, work area, and, when necessary, a copy of identity documents for verification and regulatory compliance purposes. This data is used to manage the contractual relationship, coordinate the implementation and operate the services.

b) Corporate business data: business name, RUT, address, business order, institutional contact details, company banking information and legal or regulatory background necessary for onboarding and regulatory compliance.

c) Financial and transactional commercial data: information on processed payments, settlements, collections, adjustments, chargebacks and account statements, to the extent necessary for the operation of the service.

d) Platform usage data: access logs, user roles, activity within the system, technical logs and operational metrics, for security, auditing and service improvement purposes.

In addition, Cleo may collect technical and browsing data through cookies and similar technologies, which are detailed later in this policy.

5. Purposes of data processing

The personal data collected by Cleo will be used for the following purposes:

a) Provide, operate and improve the services contracted by the business.

b) Manage the contractual relationship, including implementation, support and billing.

c) Managing access, authentication and roles within the platform.

d) Ensure the security of the platform and prevent fraud or misuse.

e) Comply with legal and regulatory obligations, including those related to the prevention of money laundering and terrorist financing.

f) Perform internal analysis to improve the trading operating experience.

g) Send relevant commercial or informational communications only when appropriate in accordance with applicable law.

6. Risk Management and Information Security

Cleo has implemented a risk management framework for privacy and personal data protection, which considers providers, methodologies, scope of evaluations, current contractual agreements, legal requirements and industry standards.

As part of this framework, Cleo identifies, classifies and periodically evaluates the risks associated with the processing of personal data, prioritizing them based on their probability of occurrence and the potential impact on the rights and freedoms of the owners.

At least once a year, Cleo performs penetration tests on its network and production applications, in order to detect vulnerabilities and strengthen its security controls.

If critical or high risks are identified, Cleo will implement additional mitigation plans and control measures to reduce those risks to acceptable levels.

7. Restricted access and security controls

Access to systems and environments where personal data is processed is restricted only to authorized Cleo personnel who require such information for the performance of their functions.

All personnel must use corporate credentials to access systems that handle critical information. In addition, Cleo uses multi-factor authentication mechanisms and credential management controls to prevent unauthorized access.

8. Encryption and technical protection measures

Cleo adopts appropriate technical and organizational measures to protect personal data, considering the state of the art, the implementation costs, the nature and sensitivity of the data processed, the context and purposes of the processing, as well as the risks to the rights of the owners.

These measures include, where appropriate, pseudonymization and encryption of personal data, with the objective of ensuring a level of security in accordance with applicable standards of privacy and information security.

9. Security Event Monitoring and Incident Response

Cleo maintains security event monitoring procedures and has an Incident Response Plan designed to contain threats, minimize impacts and promptly restore the integrity of its services.

If any employee, contractor or corporate user is aware of or suspects unauthorized access or security incident related to personal data, they can report it to the email ciberseguridad@cleo.cl with details about the event or incident.

In the event of a security breach involving personal data linked to a business or its representatives, we will notify their designated contact points without undue delay.

We will provide the necessary information so that our customers can comply with their own notification and mitigation obligations and, where appropriate, to the competent authorities in accordance with the law.

10. Communication and international data transfers

Cleo will not sell or rent personal data of business representatives or collaborators to third parties for advertising or commercial purposes.

Cleo may communicate personal data to third parties only when it is strictly necessary for the operation of the platform or the fulfillment of its obligations, including:

a) Collection or financial management companies where appropriate.

b) Legal advisors and lawyers.

c) Cleo's technological and operational service providers.

Cleo shares personal data with providers of technological infrastructure and cloud services that act as data processors, for the sole purpose of hosting, operating and maintaining their systems.

These providers may process identifying and technical data and are subject to contractual confidentiality and security obligations equivalent to those required by Cleo.

Some of these providers may be located outside of Chile. In such cases, Cleo will adopt appropriate contractual and technical safeguards to ensure a level of protection equivalent to that required by applicable Chilean legislation.

Cleo may provide personal information when required by law or by competent judicial or supervisory authorities, in accordance with applicable regulations.

11. Use of cookies and similar technologies

Cleo uses cookies, web beacons and similar technologies to facilitate navigation, improve site security, remember preferences and analyze the use of the platform for continuous improvement.

Cookies can be their own or those of third parties, and can have different purposes, such as site operation, traffic analysis, security and content customization.

The corporate user may accept or reject the use of non-essential cookies through the consent banner available on the website. The deactivation of certain cookies may affect the operation of some features of the platform.

The use of cookies is understood as an integral part of the processing of personal data regulated by this Privacy Policy.

12. Data Retention

Cleo will keep personal data only for as long as necessary to fulfill the purposes for which they were collected and as long as the contractual relationship with the merchant persists.

Once the contractual relationship has ended, Cleo may keep certain personal data for a period of up to 90 days when this is necessary for operational, security, support or service continuity purposes.

Notwithstanding the foregoing, Cleo may keep certain data for longer periods when this is required to:

a) Comply with legal, regulatory, accounting or tax obligations.

b) Respond to complaints, audits or requests from authorities.

c) Exercise or defend rights in administrative or judicial proceedings.

After the applicable deadlines have elapsed, personal data will be securely deleted or anonymized, so that they do not allow the owner to be identified.

13. Rights of data subjects

Representatives, agents and collaborators whose data is processed by Cleo have the right to:

a) Access your personal data held by Cleo.

b) Request the rectification of inaccurate or outdated data.

c) Request the deletion of your data when appropriate.

d) Oppose the processing of your data in certain cases.

e) Withdraw your consent when this is the basis of the treatment.

To exercise these rights, you can contact Cleo through the channels indicated in this policy.

14. Accessing and updating information

Users designated by the merchant will be able to access and review the information available on the platform in accordance with their assigned permissions and roles.

Cleo will make available to the merchant and its authorized users access to legal documents and information relating to the operations carried out within the platform, as appropriate in each case.

15. Corporate user responsibility and security

Cleo may suspend or deactivate access when it identifies behaviors that may jeopardize the security of the platform or other users.

Each user is responsible for protecting their password and keeping it in strict confidentiality. The password is for the exclusive use of the owner and should not be shared with third parties.

It is recommended to change your password periodically for security reasons.

Cleo will provide mechanisms so that the user can recover their password if forgotten and will never request passwords through means external to the official authentication system.

The user must log in only through the official URL www.cleo.cl.

Cleo may include links to third-party sites within its platform. These sites are governed by their own privacy and security policies, so Cleo recommends reviewing them before providing any personal information. Cleo will not be responsible for the data processing carried out by such third parties.

16. Amendments to this policy

Cleo may update this Privacy Policy when there are legal, regulatory or changes in its data processing practices.

Any relevant changes will be informed to businesses and users through the website or other usual communication channels.

17. Contact

For inquiries, requests or complaints related to this Privacy Policy or the processing of personal data, users can contact Cleo at:

Email: soporte@cleo.cl

Cybersecurity email: ciberseguridad@cleo.cl

Cleo
We are a payment platform that helps businesses to sell more and people to buy without complications.
About Cleo
About usblog
People
HomeStoresFAQsTerms and ConditionsPrivacy Notice
Companies
Home
Products
Resources
Talk to sales
Follow us
Facebook
Instagram
LinkedIn
© 2025 Cleo. All rights reserved
Terms and Conditions
Privacy Notice