Privacy policy
This Policy describes how Ipark S.A.S. ("Paymeter") processes personal data of Users of the Paymeter application and website in Colombia, in accordance with Act 1581 of 2012, Decree 1377 of 2013 (Habeas Data).
Quick summary
- We process only the data we need: account, vehicle, location while parking, payments. Privacy by design (Art. 25 GDPR).
- We never sell your data to third parties.
- You can access, rectify, delete, export, or restrict your data. We respond within 1 month.
- Servers in the EU (AWS Madrid/Frankfurt). Payments by Stripe (SCCs + adequacy).
- Supervisory authority: Superintendence of Industry and Commerce (SIC) β sic.gov.co.
1. Data controller
Controller: Ipark S.A.S.
Tax ID (NIT): 901.283.397-0
Address: Calle 93 NΒ° 18-81, BogotΓ‘ D.C., Colombia
Email: info@ipark.com.co
DPO: info@ipark.com.co
2. Data Protection Officer
We have appointed a Data Protection Officer. Contact the DPO at any time: info@ipark.com.co.
3. What data we process and why
| Category | Data | Purpose |
|---|---|---|
| Identity | Name, surname, email, phone, hashed password | Create and maintain your account |
| Vehicle | License plate, type, make/model (optional) | Run parking sessions |
| Payment | Card token (PCI-DSS, we don't store PAN), transaction history | Charge and refund |
| Location | Coordinates at session start and end | Identify zone and validate fare |
| Usage | Technical logs, IP, device, language | Security, fraud prevention, service improvement |
| Communications | Support tickets, emails | Customer service |
4. Legal bases (GDPR Art. 6)
- Performance of the contract (Art. 6.1.b GDPR): account, parking sessions, payments.
- Compliance with legal obligation (Art. 6.1.c): invoicing, fraud prevention, requests by authorities.
- Legitimate interest (Art. 6.1.f): security, fraud prevention, service improvement β always subject to your interests and rights.
- Consent (Art. 6.1.a): marketing, analytics/marketing cookies, off-session location β freely given, specific, informed, unambiguous; revocable at any time.
5. Who we share data with
We share only strictly necessary data with processors / subprocessors with whom we have signed a Data Processing Agreement (DPA):
| Provider | Service | Server location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting / storage | EU (Madrid / Frankfurt) | DPA |
| Stripe | Payment processor | EU + US | SCC + adequacy |
| Twilio | SMS OTP / verification | EU / US | SCC |
| Sentry | Logs and technical errors | EU | DPA |
5.1 Data shared with parking operators and public administrations
When you start a parking session, we share with the parking operator and/or the relevant municipality: vehicle type, license plate, start and end time, zone and amount paid. In case of unlawful activity, we may communicate data to authorities where legally required.
6. International transfers
Some subprocessors may process data outside the EEA. We apply Standard Contractual Clauses (SCCs) from Commission Implementing Decision (EU) 2021/914, or other valid mechanisms (adequacy decisions, Art. 45 GDPR). Post-Schrems II transfers are documented with Transfer Impact Assessments (TIAs).
7. Retention periods
| Category | Period |
|---|---|
| Active account | While active |
| After closure: account data | 10 years (Tax Statute) |
| Transaction logs | 10 years |
| Tokenized cards | Until cancellation + 6 months |
| Location | 13 months max |
| Marketing (consent) | Until consent withdrawn |
8. Your rights
We respond within 1 month (3 months for complex requests). Email info@ipark.com.co with a copy of an ID document. Available rights:
- Access (Art. 15) β know which data we process.
- Rectification (Art. 16) β correct inaccurate data.
- Erasure (Art. 17) β delete your data where applicable.
- Restriction (Art. 18) β limit processing.
- Objection (Art. 21) β object to processing based on legitimate interest or direct marketing.
- Portability (Art. 20) β receive your data in JSON/CSV within 1 month.
- Human review (Art. 22) β contest exclusively automated decisions.
- Complaint before Superintendence of Industry and Commerce (SIC) β sic.gov.co.
9. Cookies
We use strictly necessary cookies and, with your prior consent (ePrivacy Directive 2002/58/EC), analytics and marketing cookies. No cookie walls or dark patterns. You can withdraw consent at any time from the cookie banner.
| Cookie | Category | Purpose | Third party | Duration |
|---|---|---|---|---|
paymeter_session | Strictly necessary | Maintain user session | β | Session |
paymeter_lang | Strictly necessary | Selected language | β | 12 months |
paymeter_consent | Strictly necessary | Remember cookie consent | β | 6 months |
_ga, _ga_* | Analytics (opt-in) | Google Analytics β aggregate usage | 24 months | |
_fbp | Marketing (opt-in) | Meta Pixel β attribution | Meta | 90 days |
10. Security and privacy by design
We apply appropriate technical and organizational measures (GDPR Art. 32): TLS 1.3 encryption in transit, AES-256 at rest, role-based access control (RBAC), log pseudonymization, regular audits, staff training, and a breach-response plan (supervisory authority notification within 72 hours where required).
11. Minors
The Service is aimed at persons over 18. Minors aged 14-17 may only use Paymeter with the express written consent of their parents or legal guardians. We reserve the right to verify age and block unauthorized minor accounts.
12. Changes to this policy
We will notify any material changes by email at least 15 days in advance and publish the current version on this site.
Last updated: April 2026
v2.0 Β· Ipark S.A.S. Β· Tax ID (NIT): 901.283.397-0