1. What we collect
Account data: name, email, password (hashed), country of residence, preferred language.
Provider data: bar number or professional license, jurisdictions of practice, practice areas, public biography, verification documents.
Listing data: service titles and descriptions, prices, delivery times, intake questions.
Order metadata: order id, status, amounts, dates, parties involved.
Payment metadata: last 4 digits of the card, issuing country, currency, processor transaction id. We never store the full card number.
What we do NOT collect: the content of communications between Client and Provider. The messenger runs out of band and does not hand us message text or attachments.
2. How we use it
Operate the Platform: create accounts, process orders, release payments, resolve disputes.
Verify credentials: confirm the Provider's professional license against the records of the relevant bar or professional body.
Prevent fraud: detect duplicate accounts, suspicious payments, activity that breaks these terms.
Meet legal duties: keep invoices, respond to valid court orders, comply with anti-money-laundering rules.
Communicate with you: transactional emails (order confirmation, delivery notice, reminders). Promotional emails require your explicit consent and you can unsubscribe at any time.
3. How long we keep data
Default: 3 years from your last activity on the Platform.
Tax and invoicing data: the minimum required by local law — for example, 5 years in Spain (Ley General Tributaria), 5 years in Mexico (Código Fiscal de la Federación), 10 years in Colombia for certain accounting documents.
AML / KYC checks: 5 years after the end of the business relationship, per the money-laundering regulation applicable to the Provider's country.
Once the window closes, we delete or anonymize. Backups are overwritten in cycles of up to 90 days.
4. Subprocessors
Stripe (card payments and escrow handling) — Irish entity, DPA on file.
Circle (USDC for cross-border payouts when the Provider opts in) — US entity.
Chatwoot (Client-Provider messaging) — self-hosted by us on our own infrastructure; no third-party chat vendor receives the content.
AWS Lightsail (website and database hosting) — EU regions by default.
MongoDB Atlas (primary database) — EU-region cluster.
Cloudflare (CDN and DDoS protection) — traffic proxy, no sensitive data at rest.
SendGrid (transactional email) — stores email address and content of transactional messages.
5. Security
Encryption in transit (TLS 1.3) and at rest (AES-256) for the database and backups.
Passwords stored with Argon2id. Never in plaintext. Never recoverable.
Staff access is least-privilege, logged, and audited. No employee can read the content of messages between users.
Report vulnerabilities to [email protected]. We reply within 72 hours.
6. Spain (GDPR + LOPDGDD)
Data controller: CabbyGo, LLC (operator of solucioneslegalesya.com).
You have rights to access, rectify, erase, port, object, and restrict processing. Exercise them by writing to [email protected].
Supervisory authority: Agencia Española de Protección de Datos (AEPD), based in Madrid, www.aepd.es.
International transfers: subprocessors outside the EEA operate under Standard Contractual Clauses (SCCs) approved by the European Commission. We can provide a copy of the safeguard on request.
7. Mexico (LFPDPPP)
This document serves as the Privacy Notice required by Article 16 of the LFPDPPP.
You have ARCO rights — Access, Rectification, Cancellation, and Opposition — exercised by sending a request to [email protected]. We reply within 20 business days.
Authority: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), www.inai.org.mx.
We do not carry out transfers of personal data that require specific consent under Article 36 of the LFPDPPP, other than those needed to process payments with Stripe and Circle and to meet tax duties.
8. Colombia (Ley 1581 / Decreto 1377)
You have habeas data rights: to know, update, rectify, and delete the data we process about you. Write to [email protected].
Authority: Superintendencia de Industria y Comercio (SIC), Delegatura de Protección de Datos Personales, www.sic.gov.co.
National Database Registry: we will register with the SIC once we cross the volume threshold set by Decreto 090 of 2018. We will publish the registration number in this section when it applies.
Authorization: by creating an account you authorize data processing for the purposes described. You can revoke it at any time; some operations may be impossible without an active authorization.
9. Argentina (Ley 25.326 and 2023 updates)
You have rights to access, rectify, update, and delete data under Ley 25.326 and the personal-data protection reform currently in legislative progress.
Authority: Agencia de Acceso a la Información Pública (AAIP), www.argentina.gob.ar/aaip.
Database registration: once we cross the volume and permanence thresholds the DNPDP sets, we will register the database under the rules in force at that time.
10. Chile (Ley 19.628 and 2024 Personal Data Protection Law)
You have the rights Ley 19.628 already recognizes and, as it comes into force, those added by the new Personal Data Protection Law approved in 2024 — including access, rectification, cancellation, opposition, portability, and blocking.
Authority: the Personal Data Protection Agency created by the new law is being implemented. Until it is fully operational, claims can be filed with the ordinary courts under summary proceedings.
We will update this section when the new authority begins operations and issues specific regulations.
11. Peru (Ley 29733)
You have rights of information, access, update, inclusion, rectification, suppression, objection, and to stop supply of personal data.
Authority: Autoridad Nacional de Protección de Datos Personales (ANPD) under the Ministerio de Justicia y Derechos Humanos, www.gob.pe/minjusdh.
Database registration: we will register our databases with the ANPD before opening public registrations to Peruvian users. The registration number will be published in this section.
12. Dominican Republic (Ley 172-13)
You have the rights recognized by Ley 172-13 on Personal Data Protection: access, rectification, opposition, and deletion.
Authority: in the absence of a fully operational sector-specific authority at the time this policy is published, claims can be channeled to the Tribunal Superior Administrativo or to the specialized prosecutor for data protection where applicable.
Consult local counsel for specific procedural routes.
13. Changes to this policy
We will give 30 days' advance notice of material changes. The "Last updated" date shows the current version. Changes cannot reduce rights granted by local law.