Courtesy translation. This English version is provided for convenience only. The legally binding document is the Spanish original — Política de Privacidad. In case of any discrepancy, the Spanish version prevails.
Legal document · Law 29733
Privacy Policy
Your privacy matters. Here we explain — clearly and in full — what personal data we process, for what purpose, on what legal basis, and how you can exercise your rights.
1. Data controller
The controller of your personal data, under Peru's Law No. 29733 — Personal Data Protection Law and its Regulation approved by Supreme Decree 003-2013-JUS, is:
- Legal name: Gestión Pública Perú E.I.R.L.
- Tax ID (RUC): 20606163313
- Registered address: Mza. C Lote 6, Urb. Los Laureles, La Libertad, Trujillo, Trujillo
- Legal representative: Christyam Izhar Diaz Yuncor
- Contact email: soporte@gestionpublicaperu.com.pe
- Phone: +51 949 390 307
2. Personal data we process
Below is a detailed breakdown of what data we collect, for what purpose, on what legal basis we rely, and how long we keep it:
| Component | Data | Legal basis | Retention |
|---|---|---|---|
| Public site gestionpublicaperu.com.pe | IP address, User-Agent (standard Cloudflare logs) | Legitimate interest (security, abuse prevention) | ~7 days |
| Public API /api/insights/query | IP address (in-memory rate limit) | Legitimate interest (API abuse control) | 60 seconds |
| MCP server /mcp | IP address, aggregate usage counters | Legitimate interest | Aggregate statistics without identification |
| Private platform app.gestionpublicaperu.com.pe | National ID (DNI, 8 digits), password (stored as a bcrypt hash), session cookie, budget data tied to the profile | Contract performance + data subject consent | For the duration of the contract + 5 years for tax obligations |
| Email to soporte@ | Sender's email address and message content | Data subject consent (when sending the email) | Microsoft Office 365 retention policy (service provider) |
We do not use web analytics services (Google Analytics, Plausible, Umami, or similar) on the public site. Nor do we collect behavioral, browsing, or advertising data.
3. Processing on the public site
The public site gestionpublicaperu.com.pe is a static site served through Cloudflare Workers. It uses no cookies and collects no information via online forms.
Contact links (email) open your mail client — your address never reaches our servers unless you choose to write to us directly.
Like any site served over the Internet, Cloudflare — our CDN and hosting provider — keeps operational logs with the visitor's IP address and the browser's User-Agent, for security and attack-prevention purposes. These records are kept for roughly 7 days and then deleted.
The public API /api/insights/* uses the requester's IP address in memory, for a maximum of 60 seconds, solely to apply the rate limit (30 queries per minute per IP). After 60 seconds, the data is discarded.
4. Processing on the private platform (contracted clients)
The private platform at app.gestionpublicaperu.com.pe is available exclusively to public entities and professionals with a current contract with Gestión Pública Perú E.I.R.L.
To sign in, the user must enter their National ID (DNI) (8 digits) and a personal password.
- The password is never stored in plain text. It is kept as a cryptographic hash (bcrypt algorithm with cost factor ≥10).
- The session uses a siaf_session cookie of type HttpOnly and Secure over an encrypted connection (HTTPS), with a 12-hour lifetime.
- Budget data tied to the user's profile comes from the Ministry of Economy and Finance (MEF) and the official SIAF/SSI systems. This data is the responsibility of the client entity, which delegates its processing to Gestión Pública Perú E.I.R.L. through the services contract.
- Each user can only see the data of their corresponding profile (DNI-based isolation). Administrators designated by the client entity may see additional profiles as per the contract.
5. International data transfers
Some of our infrastructure providers operate from outside Peru. When this happens, standard contractual clauses (SCCs) apply and an adequate level of data protection is required.
| Provider | Country | Purpose | Status |
|---|---|---|---|
| Cloudflare, Inc. | United States | Public site hosting, CDN, Workers, Tunnel, firewall (WAF) | Active |
| Microsoft Corporation (Office 365) | Ireland + United States | Corporate email | Active |
| Resend, Inc. | United States | Transactional email to private-platform users | In testing |
| UltraMSG | Israel | WhatsApp notifications to private-platform users with explicit consent | In testing |
Providers marked "In testing" are listed in this policy for proactive transparency. If they go live in production, private-platform users will be notified and explicit consent will be required before processing data through them.
7. Your rights over your data (ARCO+)
As the data subject, you have the following rights guaranteed by Law 29733:
- Access (A): know what data we hold about you and how we use it.
- Rectification (R): ask us to correct inaccurate or incorrect data.
- Cancellation (C): request deletion of your data when it is no longer necessary or consent has been withdrawn.
- Objection (O): object to the processing of your data on legitimate grounds.
- Information: know at any time the details of this policy and any relevant changes.
- Fair processing: require that your data be processed fairly and proportionately to the purpose.
- Portability: receive a copy of your data in a structured format to take it to another provider.
To exercise any of these rights, write to soporte@gestionpublicaperu.com.pe attaching a copy of your ID and the details of your request. We have a maximum of 20 business days to respond with a reasoned answer.
9. Security measures
We apply reasonable technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction:
- Traffic always encrypted with TLS/HTTPS (managed by Cloudflare).
- Passwords stored as bcrypt hashes with cost factor ≥10. Original passwords are never visible, not even to administrators.
- Session cookies with HttpOnly and Secure attributes, not accessible from browser JavaScript.
- Sessions with automatic expiration after 12 hours.
- DNI-based data isolation: each user can only see the data of their own contracted profile.
- Application-level firewall (Cloudflare WAF) with anti-abuse rules.
- Periodic review of access logs and incident response.
No security measure is absolute. If we become aware of a breach affecting your personal data, we will notify you without undue delay and at least within the timeframes set by law.
10. Minors
Our services are aimed at public-sector professionals, journalists, researchers, and developers over 14 years of age. We do not knowingly collect personal data from children under 14. If we become aware that data of a minor has been registered without the consent of a parent or guardian, we will delete it without delay.
11. Changes to this policy
This Privacy Policy may be amended to reflect changes in our practices or new legal requirements. If the changes are substantial, we will give you at least 15 days' notice via a visible notification on the site. The current version and its update date will always be published at the top of this document.
12. Governing law and jurisdiction
This policy is governed by the laws of the Republic of Peru, in particular Law No. 29733 — Personal Data Protection Law — and its Regulation. Any dispute arising from its interpretation or performance shall be subject to the courts of the judicial district of Lima.
This is a courtesy translation. The legally binding version is the Spanish Política de Privacidad.