Privacy Policy

This Privacy Policy describes how CS Arquitectura S.A.S.("we", "us", "Ctrl S - OS") collects, uses, stores, and protects information when you use the Ctrl S - OSapplication (the "App").

By connecting your Google account to Ctrl S - OS, you agree to the practices described below.

1. Information we access

When you connect your Google account, Ctrl S - OS requests permission to access the following data through Google APIs:

• Basic profile information (openid, email, profile) — your name, email address, and Google account ID. Used to identify your account inside the App.
• Google Drive (https://www.googleapis.com/auth/drive) — read and write access to files and folders in your Drive. Used to mirror your project folder structure inside the App and to create, edit, and share Google Docs editors that remain in your own Drive.
• Google Calendar events (https://www.googleapis.com/auth/calendar.events) — read and write access to events on calendars you own. Used to create booking events on your calendar when a client schedules a meeting through a landing page you operate, and to check your availability so we never double-book.

We only request these permissions when you explicitly initiate a connection inside the App. You can revoke them at any time (see Section 7).

2. How we use your information

We use the data above only to provide the features you enabled. Specifically:

• Profile data → authenticate you, attribute actions, send transactional emails about your account.
• Drive data → list, organize, create, and mirror your project files; create editor documents in your Drive on your behalf; respond to file change webhooks so the App stays in sync.
• Calendar data → list your busy windows to compute available booking slots; create events when an external visitor books a slot on a landing page you operate; attach a Google Meet link to the created event; mirror event status changes back into the App for the booking audit log.

We do not use your Google data to:

• Train, fine-tune, or evaluate generalized machine learning models or AI systems (including large language models).
• Build advertising profiles, target ads, or sell to advertisers.
• Display your data to other users beyond the people you explicitly grant access to.

3. Limited Use disclosure (Google API Services User Data Policy)

Ctrl S - OS's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

• We only use access to your Google user data for the user-facing features documented in this policy.
• We do not transfer or sell Google user data to third parties except as necessary to provide or improve the user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets where users are notified.
• We do not use Google user data to serve advertisements.
• We do not allow humans to read your Google user data unless: (a) we have your explicit, opt-in consent for specific files or events, (b) it is necessary for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) the data has been aggregated and is used for internal operations in line with applicable privacy law.

4. How we store and protect your information

• OAuth refresh tokens are encrypted at rest using AES-256 before being stored in our database.
• Access tokensare short-lived (1 hour by Google's design) and held only in memory during a request; never written to disk.
• Mirrored metadata(file names, folder structure, event titles, start/end times) is stored in our database to power the App's UI without re-fetching from Google on every page load. The actual content of Drive files remains in your Drive; we do not copy file contents to our servers.
• Transport — all communication with Google APIs uses TLS 1.2+. All communication between your browser and the App uses HTTPS.
• Hosting — production infrastructure runs on Railway (railway.com), a SOC 2 Type II certified provider. Database backups are encrypted.
• Access controls — only authorized engineers at CS Arquitectura S.A.S. can access production systems, and access is logged.

5. How we share your information

We do not sell your data. We share your information only with:

• Google, when we call Google APIs on your behalf — this is the data you authorized us to access.
• Service providers strictly necessary to run the App: Railway (hosting), Sentry (error monitoring — payloads are scrubbed of PII), and Postgres (database). Each provider is bound by a data processing agreement.
• Legal authorities, if required by a valid court order or subpoena under applicable law.

We never share your Google data with advertisers, data brokers, or AI training services.

6. Data retention

• Profile data — retained while your account is active; deleted within 30 days of account closure.
• OAuth refresh tokens — retained while the connection is active; deleted within 24 hours of you disconnecting (Section 7).
• Mirrored Drive/Calendar metadata — retained while the connection is active; deleted within 30 days of disconnection.
• Booking event records — retained for 24 months after the event date for audit purposes, then deleted. The corresponding event in your Google Calendar remains under your control and is not affected.
• Logs — retained 90 days for security and debugging, then deleted automatically.

You may request earlier deletion at any time (see Section 8).

7. How to revoke access

You can disconnect Ctrl S - OS from your Google account at any time using either of these methods:

• Inside the App— go to Settings → Integrations → click "Disconnect" next to Google Drive or Google Calendar. This deletes our copy of your refresh token within 24 hours.
• From your Google Account — visit https://myaccount.google.com/connections, find "Ctrl S - OS", and click "Remove access". Google will invalidate our token immediately.

Revoking access stops all data collection. Existing mirrored metadata is deleted within 30 days per Section 6.

8. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the data we hold about you.
• Correct inaccurate data.
• Delete your data ("right to be forgotten").
• Export your data in a portable format.
• Object to or restrict processing.
• Lodge a complaint with a data protection authority.

To exercise any of these rights, email admin@cs-arquitectura.com. We respond within 30 days.

9. Children's privacy

The App is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.

11. Contact

CS Arquitectura S.A.S.
Email: admin@cs-arquitectura.com
Website: https://cs-arquitectura.com