Privacy policy

Orkasa Technologies ("Orkasa", "we") is a B2B SaaS platform offering a real estate CRM to brokers and agents across Latin America. We operate out of Panama and comply with Panama Personal Data Protection Law 81, as well as the data protection frameworks of every country where our customers operate.

• Account data: name, email, password (hashed), brokerage name, role, phone number.
• Usage data: properties uploaded, leads captured, posts published, photos uploaded, AI interactions.
• Technical data: IP address, user agent, session cookies, error logs.
• Your customers data (leads): name, email, phone, real-estate interests, KYC documents when applicable. This data is yours; you are the data controller before the data subject.

• Provide the CRM service and keep your account operational.
• Process portal publications and lead communications on your behalf.
• Send transactional emails (alerts, confirmations, receipts) and, with your consent, product updates.
• Improve Orkasa: aggregated, anonymous telemetry and A/B testing.
• Comply with legal obligations (KYC/AML, requests from authorities).

We work with sub-processors that are SOC 2 / ISO 27001 compliant:

• Supabase — database, authentication, storage.
• Vercel — application hosting.
• Anthropic — Claude, used for the listing studio (data is not used for model training).
• Google — Gemini Flash Image, for photo enhancement.
• Stripe — payment processing.
• Resend — transactional emails.
• Meta Platforms (Facebook / Instagram) — only when the user voluntarily connects their account, to publish properties on their Facebook Page and/or Instagram Business account. See section 11.

We never sell your data or your customers data. We only share with authorities under a valid legal request.

For as long as your account is active. If you cancel, you get 30 days to export everything. After 30 days we delete the data, except records we are legally required to retain (billing, KYC) for up to 5 years.

Under Panama Law 81 and equivalent regulations across other LATAM countries, you can exercise your ARCO rights:

• Access: request a copy of your data.
• Rectification: correct inaccurate data.
• Cancellation: delete your data when no longer needed.
• Opposition: withdraw consent for non-essential uses.

To exercise these rights, write to privacidad@orkasa.io.

Encryption at rest (AES-256) and in transit (TLS 1.3). Postgres RLS scoped by brokerage_id — each brokerage data is isolated. Daily backups with 30-day retention. MFA available for owners. Annual pen-tests.

We use only strictly necessary cookies (session, language preferences) and, optionally, aggregated anonymous analytics. We do not use third-party advertising tracking cookies.

Orkasa lets you publish properties directly to your Facebook Page and your Instagram Business account through the Meta API. This integration is completely optional and requires your explicit authorization.

Data we access through Meta:

• Your Facebook Page name and ID.
• The Page Access Token, needed to publish on your behalf.
• Your Instagram Business account ID linked to the Page (if any).

How we use that data:

• Exclusively to publish the properties you create and approve inside Orkasa on your Facebook Page and/or Instagram Business.
• Tokens are stored encrypted in our database, never shared with third parties, and never used for any other purpose.

What we do NOT do:

• We do not read your inbox, messages or comments.
• We do not access your audience data or your post metrics.
• We do not publish anything unless you initiate the action from Orkasa.

You can disconnect the integration at any time from Settings → Integrations. When you disconnect, we delete the stored token. To revoke access from the Meta side, visit facebook.com/settings → Apps.

If you have questions about the Meta API usage, write to privacidad@orkasa.io.

If we make material changes, we will notify you by email at least 30 days in advance. Minor changes are reflected in the "Last updated" date.

Questions, complaints, exercising your rights: privacidad@orkasa.io.