Privacy policy

This document sets forth the privacy policy applicable to the FireTun service (hereinafter, “the Platform”, “the Service” or “we”), operated by the legal and technical team of FireTun. For any inquiry concerning your personal data or the exercise of the rights described in this document, please contact us at privacy@firetun.com. Contractual, billing and legal matters should be addressed to legal@firetun.com.

FireTun acts as data controller with respect to the data of its contracting customers (individuals or organizations that subscribe to a plan) and as data processor with respect to the data that our customers upload to the Platform concerning their own end users, employees or collaborators. When a customer uses the Platform to manage remote access for their organization, it is the customer who determines the purposes and means of the processing of those users' data; we process such data solely on the customer's instructions and within the scope of the executed contract.

Our policy is straightforward and applied without exception: we collect only the personal data strictly necessary to operate the Service and to comply with our legal obligations. We do not request additional information “just in case”. We do not cross-reference data to build commercial profiles. We do not enrich information from third-party sources. If a particular data point is not indispensable for the Service to function, to prevent fraud, to protect you from security incidents or to meet a legal obligation, we simply do not collect it.

This minimization principle forms part of the requirements of the European Union General Data Protection Regulation (GDPR, article 5.1.c) and of Chile's Law No. 21.719, which modernizes the Chilean personal data protection regime and has informed our operational and technical design from day one.

The personal data we process can be grouped into the following categories, each tied to a clear purpose of the Service:

• Account data: name, email address, password hash, activation status, preferred language. This data is indispensable to create your account and allow you to log in securely. Passwords are never stored in plain text: we use modern hashing algorithms with an appropriate work factor.
• Organization and billing data: legal name, country, currency, contracted plan, payment history, tax identification number when required by local regulations. This data is necessary to perform the contract, issue invoices and comply with applicable tax obligations.
• Technical connection data: IP address of the connecting endpoint, device operating system, agent version, device fingerprint, connection and disconnection timestamps, and device compliance (posture) state. This data is essential for the Service to authorize, audit and supervise access.
• Audit logs: every relevant action within the admin panel (user creation, policy changes, deletions, sign-ins) is recorded, indicating who performed it and from where. These logs are retained only for as long as necessary to meet traceability obligations and to prevent fraud.
• Commercial contact and support data: emails you send us, tickets you open, call notes where applicable. This data is used exclusively to respond to you and to maintain a history of the relationship.

We do not process special categories of personal data (health data, biometric data for unique identification, genetic data, data on sexual orientation, trade union membership, racial origin or political opinions). If we detect that a customer is uploading such data to the Platform without an operational justification, we reserve the right to request its removal.

Every processing activity we carry out relies on one of the legal bases recognized by the GDPR and by Chile's Law 21.719:

• Performance of a contract (GDPR art. 6.1.b): this is the main basis. We process your data because you contracted our Service and we need that data to provide it to you. Without that data, the Service cannot work.
• Legitimate interest (GDPR art. 6.1.f): we rely on this basis to protect the security of the Platform (attack detection, forensic analysis, abuse prevention), to improve the Service through aggregate and anonymous metrics, and to communicate with you about critical operational changes. We always perform a prior balancing exercise between our interest and your rights, and we do not rely on this basis where your rights must prevail.
• Compliance with a legal obligation (GDPR art. 6.1.c): this requires us to retain certain accounting and tax data for specific periods, and to cooperate with competent authorities upon formal requests.
• Consent (GDPR art. 6.1.a): we request consent solely for optional commercial communications (newsletters, product announcements) and for non-essential cookies. You may withdraw consent at any time without affecting the provision of the Service.

This point is absolute and admits no nuance: FireTun does not sell, rent, cede, share or exchange personal data with third parties for commercial, advertising or any other mercantile purposes. We do not participate in advertising networks, we do not feed cross-site tracking platforms, and we do not collaborate with data brokers. Your information remains within our systems and is used only to provide the Service to you.

The only exceptions to this rule are strictly necessary and legally justified: (i) when contractually bound data processors provide technical services that are essential to the Service (for example, the payment gateway that processes your card or the infrastructure provider that hosts our servers); (ii) when a valid legal request from a competent authority compels us to hand over specific information; and (iii) in the context of a corporate transaction (merger, acquisition or business transfer), in which case we will notify affected data subjects with reasonable advance notice.

To improve the Service and understand how it is actually used, we generate aggregate metrics: number of active connections, registered devices, geographic distribution, session duration, error rates, performance per region. All these statistics are computed over data that has been irreversibly anonymized or pseudonymized. Neither we nor anyone else can re-identify the data subject from those metrics. We use them internally to plan capacity, detect trends, fix issues and make product decisions.

We never share these aggregate datasets with third parties for commercial purposes. If we ever publish global figures in public-facing materials, we will do so with rounded numbers and without any identifier that would enable individual inference.

To operate the Service we rely on a very limited number of data processors that handle data under our instructions and pursuant to written agreements:

• Cloud infrastructure providers hosting the servers where the Platform runs and where the databases are stored.
• Payment gateways that process cards and local payment methods (for example, Paddle as “Merchant of Record” for international payments and MercadoPago for Latin America). We never have access to the full card number.
• Transactional email provider, used exclusively to send operational communications (confirmations, verifications, security alerts).
• Internal observability and error reporting tools, configured not to capture sensitive personal data.

We maintain an up-to-date list of sub-processors available upon written request to privacy@firetun.com. Before onboarding a new sub-processor we assess their security practices, their legal adequacy and we enter into the corresponding data processing agreements (DPA).

In certain cases, the provision of the Service implies that data flows between jurisdictions. When such transfers occur outside the European Economic Area or outside Chile to countries without an adequacy decision, we apply the safeguards recognized by GDPR and Law 21.719: standard contractual clauses, additional technical measures (in-transit and at-rest encryption) and transfer impact assessments where appropriate.

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected:

• Active account data: while you keep the Service contracted.
• Billing data: for the period required by applicable tax law (usually between 6 and 10 years).
• Audit logs: for up to 24 months for security analysis and incident investigation.
• Marketing data: until you withdraw your consent.
• Support tickets: up to 36 months after case closure.

Once the retention period elapses, data is deleted or irreversibly anonymized. Upon account cancellation, we only retain the accounting records we are legally required to keep; everything else is erased.

As a data subject, you are entitled to exercise, at any time, the rights that the GDPR and Chile's Law 21.719 guarantee. Specifically:

• Access: obtain confirmation of which of your data we process and receive a legible copy.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion when data is no longer necessary or when you withdraw consent.
• Objection and restriction: object to the processing or request its restriction, with the exceptions provided for by law.
• Portability: receive your data in a structured, transferable format.
• Withdraw consent: at any time and without retroactive effect.
• Lodge a complaint: before the competent authority. In the European Union, your national data protection authority; in Chile, the National Data Protection Agency created by Law 21.719.

To exercise any of these rights, send a request to privacy@firetun.com. We will respond within the legal deadlines (30 days under the GDPR, extendable by two additional months in complex cases) and inform you of the actions taken. The request is free of charge except in manifestly unfounded or excessive cases, which we will assess under applicable law.

We apply appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure or accidental or unlawful destruction. These measures include in-transit encryption using modern protocols, at-rest encryption across all databases, isolation between the different customers of the Platform, role-based access control with multi-factor authentication, audit logging of sensitive operations, and a continuous program of security review and testing. You can find additional information on our Security page.

FireTun is a service aimed at companies and professionals. We do not knowingly collect personal data from minors under 14. Should we become aware of the collection of such data without the corresponding authorization, we will delete it immediately.

This policy may be updated to reflect changes in our services, legal adjustments or better practices. When we make substantial modifications, we will notify you by email and publish the new version on this page, always with the date of entry into force. Periodic review of this document is a good practice.

For any question, rights request or complaint regarding this policy, write to privacy@firetun.com. If the response you receive is not satisfactory, you always have the option to contact the competent authority in your jurisdiction.