Site Privacy and Data Processing Policies

Effective Date: February 11, 2026

1. Introduction, scope and relationship with the Terms and Conditions

This Privacy Policy regulates the collection, use, processing, storage and protection of the personal data of users of Cleo's digital services, including the website www.cleo.cl, application and/or any other platform or digital channel operated by Cleo.

This policy applies to all natural persons who interact with our services as end users, whether browsing the site, registering, using the platform and using the payment intermediation service offered by Cleo.

This Privacy Policy forms an integral part of Cleo's Terms and Conditions of Use. By accessing and using our services, the user accepts both the Terms and Conditions and this Privacy Policy in its entirety.

Cleo processes personal data in accordance with Law No. 19,628 on the Protection of Private Life, Law No. 21,719 on the Protection of Personal Data and other regulations applicable in Chile.

Each registered user will have a personal account and a user profile, which they will access by authenticating with their credentials on the site www.cleo.cl.

Access to the account is personal and non-transferable, and the user is responsible for the use of their credentials.

2. Responsible for data processing

The person responsible for the processing of personal data is Cleo Chile SpA, a company with registered office in Chile and the contact channels indicated at the end of this policy.

3. Legal Bases of Treatment

The processing of personal data by Cleo is based on one or more of the following legal bases, as appropriate in each case:

a) The user's free, informed, specific and revocable consent.

b) The execution of a contract or pre-contractual measures requested by the user.

c) Compliance with legal or regulatory obligations applicable to Cleo.

d) Cleo's legitimate interest to develop and improve its services, provided that such interest is compatible with the rights of the owners and does not unduly affect their privacy.

4. Categories of data we collect

Cleo may collect and process the following categories of personal data, depending on the service used by the user:

a) Identification and contact details: full name, identity document number (RUT), email, telephone number, home address and date of birth. This data is used to verify identity, register accounts, manage access to the platform and make official communications.

b) profile and demographics: gender and marital status, which may be used for personalization of services and aggregated statistical analysis.

c) Financial Information: data relating to the user's banking products, such as credit or debit cards, current credits, bank accounts and lines of credit; balances or balances associated with such products; and history of the user's debts to financial institutions, including information from records supervised by the Financial Market Commission (CMF). In addition, Cleo may analyze the transactional information generated by the use of the Platform to estimate the user's monthly income and carry out risk or payment capacity assessments, to the extent necessary for the operation and improvement of its services.

d) Business data related to partner businesses: names and emails of the affiliate merchant, for the processing of transactions and the management of the business relationship where appropriate.

In addition, Cleo may collect technical and browsing data through cookies and similar technologies, which are detailed later in this policy.

5. Purposes of data processing

The personal data collected by Cleo will be used for the following purposes:

a) Provide, operate and improve the services offered by the platform.

b) Manage user registration and authentication.

c) Ensure platform security and prevent fraud.

d) Comply with legal and regulatory obligations, including those related to the prevention of money laundering and terrorist financing.

e) Perform user risk, payment capacity and credit analysis assessments, which may include:

i) the analysis of information about the user's banking products, such as cards, credits, accounts and lines of credit;

ii) the revision of balance sheets or balances associated with such products;

iii) the consideration of debt history in financial institutions derived from records supervised by the Financial Market Commission (CMF); and

iv) the analysis of the transactional information generated by the use of the Platform to estimate the user's monthly income when this is necessary for the provision or improvement of services.

f) Perform internal analysis to improve the user experience.

g) Send commercial or promotional communications only when the user has given their express consent to do so.

Cleo will use the user's information to facilitate and perfect the operations carried out through the Platform, as well as for advertising purposes only when the user has given their express consent, all in accordance with current legislation on the protection of personal data.

6. Risk Management and Information Security

Cleo has implemented a risk management framework for privacy and personal data protection, which considers, among other factors, the providers used, the applicable methodologies, the scope of the evaluations, current contractual agreements, legal and regulatory requirements, and industry standards.

As part of this framework, Cleo identifies, classifies and periodically evaluates the risks associated with the processing of personal data, prioritizing them based on their probability of occurrence and the potential impact on the rights and freedoms of data subjects.

At least once a year, Cleo performs penetration tests on its network and production applications, in order to detect vulnerabilities and strengthen its security controls.

If critical or high risks are identified, Cleo will implement mitigation plans and additional control measures in a timely manner to reduce those risks to acceptable levels.

7. Restricted access and security controls

Access to systems and environments where personal data is processed is restricted only to authorized Cleo personnel who require such information for the performance of their functions.

All personnel must use corporate credentials to access systems that handle critical information. In addition, Cleo uses multi-factor authentication mechanisms and credential management controls to prevent unauthorized access.

8. Encryption and technical protection measures

Cleo adopts appropriate technical and organizational measures to protect personal data, considering the state of the art, the implementation costs, the nature and sensitivity of the data processed, the context and purposes of the processing, as well as the risks to the rights of the owners.

These measures include, where appropriate, pseudonymization and encryption of personal data, with the objective of ensuring a level of security in accordance with applicable standards of privacy and information security.

9. Security Event Monitoring and Incident Response

Cleo maintains security event monitoring procedures and has an Incident Response Plan designed to contain threats, minimize impacts and promptly restore the integrity of its services.

If any employee, contractor or user is aware of or suspects unauthorized access or security incident related to personal data, they can report it to the email ciberseguridad@cleo.cl with details about the event or incident.

In the event of a security breach that compromises our customers' personal data, Cleo will directly notify affected users through registered contact channels, providing recommendations to protect their information.

10. Communication and international data transfers

Cleo will not sell or rent personal user data to third parties for advertising or commercial purposes.

Cleo may communicate personal data to third parties only when it is strictly necessary for the operation of the Platform or the fulfillment of its obligations, including, where appropriate:

a) Collection companies.

b) Legal advisors and lawyers.

c) Cleo's technological and operational service providers.

Cleo shares personal data with providers of technological infrastructure and cloud services that act as data processors, for the sole purpose of hosting, operating and maintaining their systems.

These providers may process identifying and technical data and are subject to contractual confidentiality and security obligations equivalent to those required by Cleo.

Some of these providers may be located outside of Chile. In such cases, Cleo will adopt appropriate contractual and technical safeguards to ensure a level of protection equivalent to that required by applicable Chilean legislation.

Cleo may provide personal information when required by law or by competent judicial or supervisory authorities, in accordance with applicable regulations.

11. Use of cookies and similar technologies

Cleo uses cookies, web beacons and similar technologies to facilitate navigation, improve site security, remember user preferences and analyze the use of the platform for continuous improvement.

Cookies can be their own or those of third parties, and can have different purposes, such as: site operation, traffic analysis, security and content customization.

The user may accept or reject the use of non-essential cookies through the consent banner available on the website. The deactivation of certain cookies may affect the operation of some features of the platform.

The use of cookies is understood as an integral part of the processing of personal data regulated by this Privacy Policy.

12. Data Retention

Cleo will keep personal data only for as long as necessary to fulfill the purposes for which they were collected and as long as the relationship with the user persists.

Once the contractual relationship is terminated or the account is deactivated, Cleo may keep certain personal data for a period of up to 90 days, when this is necessary for operational, security, support or service continuity purposes.

Notwithstanding the foregoing, Cleo may keep certain data for longer periods when this is required to:

a) Comply with legal, regulatory, accounting or tax obligations.

b) Respond to complaints, audits or requests from authorities.

c) Exercise or defend rights in administrative or judicial proceedings.

After the applicable deadlines have elapsed, personal data will be securely deleted or anonymized, so that they do not allow the owner to be identified.

13. Rights of data subjects

Users have the right to:

a) Access your personal data held by Cleo.

b) Request the rectification of inaccurate or outdated data.

c) Request the deletion of your data when appropriate.

d) Oppose the processing of your data in certain cases.

e) Withdraw your consent at any time, when this is the basis of the treatment.

To exercise these rights, the user may contact Cleo through the channels indicated in this policy.

14. Access and update of information by the user

Registered users can access and review their personal information at any time through the “Login to your account” section of the website www.cleo.cl.

The user can view, verify and update their personal information directly from their user profile as many times as they deem necessary.

In addition, Cleo will make available to the registered user access to legal documents and information relating to the operations carried out within the Platform, as appropriate in each case.

15. User responsibility and safety

Cleo may suspend or deactivate a user's account when it identifies behaviors that may jeopardize its security, that of other users or the integrity of the Platform.

The user is responsible for protecting their password and keeping it in strict confidentiality. The password is for the sole use of the account holder and should not be shared with third parties.

It is recommended that the user change their password periodically for security reasons.

If the user shares their credentials with third parties, they do so at their own risk and responsibility.

Cleo will provide mechanisms so that the user can recover their password if forgotten.

Cleo will never ask the user for their password by email, message, phone call or any other means other than the authentication process within the Platform.

The user must access their profile only through the official URL www.cleo.cl.

Cleo may include links to third-party sites within its Platform. These sites are governed by their own privacy and security policies, so Cleo recommends reviewing them before providing any personal information. Cleo will not be responsible for the data processing carried out by such third parties.

16. Amendments to this policy

Cleo may update this Privacy Policy when there are legal, regulatory or changes in its data processing practices.

Any relevant changes will be informed to users through the website or other usual communication channels.

17. Contact

For inquiries, requests or complaints related to this Privacy Policy or the processing of personal data, users can contact Cleo at:

Email: soporte@cleo.cl

Cybersecurity email: ciberseguridad@cleo.cl

Cleo
We are a payment platform that helps businesses to sell more and people to buy without complications.
About Cleo
About usblog
People
HomeStoresFAQsTerms and ConditionsPrivacy Notice
Companies
Home
Products
Resources
Talk to sales
Follow us
Facebook
Instagram
LinkedIn
© 2025 Cleo. All rights reserved
Terms and Conditions
Privacy NoticeEthical line