Privacy Policy

This Privacy Notice for Camilo Quirós Mendoza (doing business as CASFolio) (“we,” “us,” or “our”), describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:

• Visit our website at http://www.casfolio.net or any website of ours that links to this Privacy Notice
• Use CASFolio — a web-based portfolio management tool for IB Diploma students. It helps students document, organize, and reflect on their CAS (Creativity, Activity, Service) activities, track learning outcomes, and generate examiner-ready portfolio reports for submission.
• Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@casfolio.net.

Summary of Key Points

• What personal information do we process? Names, email addresses, usernames, contact/authentication data, and payment data (processed by Stripe).
• Do we process sensitive personal information? No.
• Do we collect information from third parties? No.
• How do we process your information? To provide and improve our Services, communicate with you, and for security and fraud prevention.
• How do we keep your information safe? We use organizational and technical processes. However, no transmission over the internet is 100% secure.
• How do you exercise your rights? Visit casfolio.net/app/settings or contact us at privacy@casfolio.net.

Table of Contents

1. What Information Do We Collect?
2. How Do We Process Your Information?
3. What Legal Bases Do We Rely On?
4. When and With Whom Do We Share Your Personal Information?
5. What Is Our Stance on Third-Party Websites?
6. Do We Use Cookies and Other Tracking Technologies?
7. How Do We Handle Your Social Logins?
8. Is Your Information Transferred Internationally?
9. How Long Do We Keep Your Information?
10. How Do We Keep Your Information Safe?
11. What Are Your Privacy Rights?
12. Controls for Do-Not-Track Features
13. Do United States Residents Have Specific Privacy Rights?
14. Do We Make Updates to This Notice?
15. How Can You Contact Us About This Notice?
16. How Can You Review, Update, or Delete the Data We Collect From You?

1. What Information Do We Collect?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You may include:

• Names
• Email addresses
• Usernames
• Contact or authentication data
• Debit/credit card numbers (processed by Stripe — we do not store card data)

Sensitive Information. We do not process sensitive information.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases. All payment data is handled and stored by Stripe. You may find their privacy notice at https://stripe.com/privacy.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This may include your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and information about how and when you use our Services.

We also collect information through cookies and similar technologies. You can find out more in our Cookie Policy.

The information we collect includes:

• Log and Usage Data — IP address, device information, browser type, pages viewed, features used, date/time stamps.
• Device Data — device type, operating system, browser, hardware model, ISP or mobile carrier.
• Location Data — approximate location derived from your IP address.

Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

2. How Do We Process Your Information?

We process your personal information to:

• Facilitate account creation and authentication
• Deliver and facilitate the delivery of services to you
• Send administrative information (e.g., email confirmations, password resets)
• Fulfill and manage payments
• Identify usage trends to improve our Services
• Deliver targeted advertising (via Google AdSense)
• Protect our Services against fraud and unauthorized use
• Comply with legal obligations

3. What Legal Bases Do We Rely On?

We only process your personal information when we have a valid legal reason:

• Consent — where you have given us permission to process your information for a specific purpose.
• Performance of a Contract — to provide the Services you have requested.
• Legitimate Interests — to improve our Services, deliver advertising, protect against fraud, and analyze usage trends.
• Legal Obligations — to comply with applicable laws.

4. When and With Whom Do We Share Your Personal Information?

We may share your information with the following third-party service providers:

• Supabase — database and authentication
• Vercel — hosting and analytics
• Resend — transactional email delivery
• Cloudflare — analytics and CDN
• Google AdSense / Google Fonts — advertising and web fonts
• Stripe — payment processing

We may also disclose your information in connection with a business transfer, merger, or acquisition.

5. What Is Our Stance on Third-Party Websites?

Our Services may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.

6. Do We Use Cookies and Other Tracking Technologies?

Yes. We use cookies and similar tracking technologies to collect and store information. For details, see our Cookie Policy.

7. How Do We Handle Your Social Logins?

We may offer social login options. If you use them, we receive certain profile information from the social media provider per their privacy policies. We use this information only to create your account and provide the Services.

8. Is Your Information Transferred Internationally?

Yes. Our servers and third-party providers are located in the United States. If you access our Services from the EU or UK, your data is transferred to the US under the European Commission's Standard Contractual Clauses.

9. How Long Do We Keep Your Information?

We keep your personal information for as long as your account is active. When you delete your account, we delete your personal data within 30 days, unless we are required by law to retain it longer.

10. How Do We Keep Your Information Safe?

We use organizational and technical security measures including encrypted data transmission (HTTPS), secure authentication (Supabase), and access controls. However, no electronic transmission or storage is 100% secure.

11. What Are Your Privacy Rights?

Depending on your location, you may have the right to access, correct, delete, or port your personal data. To exercise these rights, visit your account settings or contact us at privacy@casfolio.net.

EU/UK residents may also have the right to object to or restrict processing, and to lodge a complaint with your local data protection authority.

12. Controls for Do-Not-Track Features

Most browsers offer a Do Not Track (“DNT”) setting. We do not currently respond to DNT browser signals. Vercel Analytics respects this signal; other third-party providers may not.

13. Do United States Residents Have Specific Privacy Rights?

Yes. Depending on your state (California, Colorado, Connecticut, Virginia, Texas, and others), you may have additional rights including the right to know what personal information we collect, the right to delete it, the right to opt out of its sale, and the right to non-discrimination for exercising these rights.

To exercise your rights, contact us at privacy@casfolio.net.

California residents: We do not sell your personal information in the traditional sense. However, we share data with Google AdSense for advertising purposes, which may constitute a “sale” or “sharing” under CCPA/CPRA. You may opt out via Google Ad Settings.

14. Do We Make Updates to This Notice?

Yes. We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this page. We encourage you to review this notice periodically.

15. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, email us at privacy@casfolio.net.

Camilo Quirós Mendoza (DBA CASFolio)

16. How Can You Review, Update, or Delete the Data We Collect From You?

You can review and update your account information at any time by visiting your account settings. To request deletion of your account and all associated data, use the “Delete Account” option in settings or email privacy@casfolio.net.